privacy.resistFingerprinting doesn't adequately spoof UA with FF beta 59 on mac #377

Closed
savyajha opened this issue Feb 20, 2018 · 20 comments

Comments

@savyajha

savyajha commented Feb 20, 2018

I've been using this user.js (a modified version of the relaxed variant) for around 6 or so months now and have been pretty happy with it: everything worked as advertised. Recently, I've found that my UA now explicitly lists me as using a mac: something that did not happen with FF 58. It also reveals that I'm using FF 59, which has the potential to make me very unique. I've tried setting privacy.resistFingerprinting on a fresh profile as well, but to no avail. Is anyone else experiencing the same?

Edit: I'm attaching the corresponding browserspy.dk test

screen shot 2018-02-20 at 11 45 43 am

@savyajha
Author

savyajha commented Feb 21, 2018

I've added to this bug report. Hopefully Mozilla will do something about it.

@savyajha
Author

So the latest comment on the bug seems to suggest this is expected behaviour. Quoting from the latest comment on the linked bug report:

> We don't hide your operating system (anymore) because it was both ineffective (you could learn the OS through other means) and it broke things. The platform is hardcoded to a string that happens to match (or be very close) to your real system: https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/nsRFPService.h#29
>
> I hope to uplift a fix to 59 for the ESR confusion.

This seems to imply that spoofing will be different for different OSes because spoofing to a common denominator does not provide any security benefits: your OS can be inferred through other means. Would we like to overrule Mozilla on this and set a custom UA, @pyllyukko?

@pyllyukko
Owner

> So the latest comment on the bug seems to suggest this is expected behaviour. Quoting from the latest comment on the linked bug report:

Makes sense, as it reported Windows for me (even though I'm on Linux). Although this was not with FF beta 59, but FF 58.

> This seems to imply that spoofing will be different for different OSes because spoofing to a common denominator does not provide any security benefits: your OS can be inferred through other means. Would we like to overrule Mozilla on this and set a custom UA, @pyllyukko?

That's kinda unsettled. See:

I think that we're good with privacy.resistFingerprinting's UA for now.

@Atavic

Atavic commented Feb 21, 2018

> We don't hide your operating system because:
> it was both ineffective and (you could learn the OS through other means)
> it broke things.

Your OS can be fingerprinted through other means, sure, but these other methods can be blocked or modified.

Hiding the OS breaks things? Very generic and biased response IMHO.

> The platform is hardcoded to a string that happens to match (or be very close) to your real system.

Here Chrome by G00gle is better, as you can modify the UA String in an easy way.

> ...spoofing to a common denominator does not provide any security benefits.

No, with all the obstacles to obtain a minimal shadow of anonymity, being one-in-a-million with common values is the only option available!

Proxies allow changing User Agent Strings: Fiddler by Telerik, Privoxy or this webext (untested).

@savyajha
Author

Huh. Speaking of privoxy, is it still under active development? I'm wondering if it's worth it replacing uBlock Origin with Privoxy on a remote server (so that I can block ads on my phone as effectively as I do on my laptop, while sharing the same settings).

@Atavic

Atavic commented Feb 23, 2018

Privoxy Releases RSS feed has been updated on Tue, 3 Jan 2017 8:5:40 GMT
You can install Privoxy on OpenWrt routers.

For anything blacklisting, starting from the internet up to my browser, the connections pass thru:

  • Router
  • Hardware Firewall/IDS (Optional), NAT, Proxy
  • OS Level blacklisting, iptables/hosts
  • local proxies (Fiddler/Privoxy)
  • PAC File
  • In-browser blocking (as addons/webextensions).

For your question, I definitely think it is worth it.

@ciampolo

ciampolo commented Feb 26, 2018

@Atavic

> Your OS can be fingerprinted through other means, sure, but these other methods can be blocked or modified.

While this is true, the only way to circumvent this is to spin up a Virtual Windows machine and use it as a (transparent) proxy. Your OS can be detected just by pinging another server since networking logic is implemented differently across Windows, Linux and Mac and even different versions of these OS. Don't need any Javascript, CSS or HTML to do this.

You can be certain that "big players" like Github and Google have been abusing this for years.

Seeing from this logic it is a very valid move to not spoof the OS since spoofing it will make you incredibly more unique.

@Atavic

Atavic commented Feb 27, 2018

Yes, TTL Value can be used for OS Fingerprinting.

@savyajha
Author

So OS spoofing is of no use, there's no real way to hide. If your OS doesn't match the expected TTL value, then you're (more) unique anyway. Thus, we follow what Mozilla is doing with privacy.resistFingerprinting here.
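
The mismatch discussed in the comments above, as an added example that is not part of the original thread: it reads the TTL from a raw IPv4 header, rounds it up to a common initial value, and checks whether the OS family claimed in the User-Agent agrees. The initial-TTL table, the sample headers and both UA strings are constructed assumptions for illustration.

```python
import struct

# Widely used default initial TTLs per stack family (assumed here; real
# tools such as p0f use many more TCP/IP signals than TTL alone).
INITIAL_TTL_FAMILY = {64: "unix-like", 128: "windows", 255: "other"}

def ipv4_ttl(header: bytes) -> int:
    """Extract the TTL field (byte 8) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[8]

def stack_family(observed_ttl: int) -> str:
    """Round the observed TTL up to the nearest common initial value."""
    for initial in sorted(INITIAL_TTL_FAMILY):
        if observed_ttl <= initial:
            return INITIAL_TTL_FAMILY[initial]
    raise ValueError("TTL out of range")

def ua_family(user_agent: str) -> str:
    """Coarse OS family claimed by the User-Agent header."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if any(tok in ua for tok in ("mac os x", "linux", "x11", "bsd")):
        return "unix-like"
    return "unknown"

def ua_matches_stack(header: bytes, user_agent: str) -> bool:
    """True when the UA's claimed OS agrees with the TTL-derived family."""
    return ua_family(user_agent) == stack_family(ipv4_ttl(header))

def sample_header(ttl: int) -> bytes:
    """Constructed 20-byte IPv4/TCP header using documentation addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, ttl, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))

# Constructed inputs: a macOS host 12 hops away (64 - 12 = 52).
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0"
WIN_UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

if __name__ == "__main__":
    pkt = sample_header(52)
    print("honest UA consistent:", ua_matches_stack(pkt, MAC_UA))
    print("spoofed UA consistent:", ua_matches_stack(pkt, WIN_UA))
```
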

@Thorin-Oakenpants

> So OS spoofing is of no use

It's useless (almost¹) when trying to lower entropy. If you're wanting to raise entropy (randomly and very very often, even per domain and/or time based), go for it. However, you will be in a very small minority, whereas RFP is the first opportunity outside TBB that users can buy into an enforced set

It's a shame that OS is so hard impossible to fully spoof, because FF users on less popular platforms will have less of a RFP subset to hide in - and Firefox on desktops is only around 10-13% of market share.

¹ I say almost because a lot of sites won't even do more than check a few variables for OS and you can get away with it (lowest hanging fruit and all that) .. but it's too risky IMO

PS: and of course the best defense is to limit the attack surface in the first place - eg my uMatrix default is 1st party css and images only, but sure, there are other methods such as some server side FP'ing or the TTL and TCP/IP leaks that you can't do much about within the app itself.

@pyllyukko
Owner

p0f - for your OS fingerprinting needs.

@savyajha
Author

> p0f - for your OS fingerprinting needs.

At this point I'm in the mood to just give up privacy as it is, at times. You can try to get as much as you are able, but it seems trying for privacy falls into a bimodal distribution. For most sites you need nothing more than uBlock Origin with a good filter list set. You're at more danger from phishing and other stuff.

And then there's stuff like Google and Cloudflare and goodness knows what who can probably track you from here to eternity regardless of what you do, short of going through Tor. And maybe even then if you're dumb enough.

@Atavic

Atavic commented Mar 13, 2018

macOS-Fortress

  • Both squid and Privoxy are configured to forge the User-Agent.

@savyajha
Author

They can't forge the network stacks of the OS, right? That might make you even more unique.

@Atavic

Atavic commented Mar 14, 2018

Don't know that, sorry. Try asking there?

@TriMoon

TriMoon commented Mar 16, 2018

@savyajha
> Would we like to overrule Mozilla on this and set a custom UA, @pyllyukko?

It won't work either, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1433676

@savyajha
Author

@Atavic That repo is just a collection of scripts/config files. As far as I understand both privoxy and squid, they cannot fake the network stack: they operate after a packet has been processed by the network. Both those programs don't work at the packet or TCP level. They work with files delivered over HTTP.

@ghost

ghost commented May 27, 2018

FYI, for Fingerprinting defense at the packet level you might simply use something like Arno Firewall (no scan replies = no remote fingerprinting), or OSChameleon (obfuscation for linux kernels).

@savyajha
Author

savyajha commented May 27, 2018

@bryce-lynch Both of those are aimed at Linux. No scan replies, while it can be configured through pf (the Mac and *BSD firewall), will break iOS integration like airdrop, I think. I'd rather not go that way. I'll definitely try it out, but I don't know if it'll work for my purposes. Thanks for the idea, nonetheless.

Edit: Also, reading more about it, I don't think it'll help at all. After all, TTL detection doesn't need to scan you. They're not using nmap on everyone who connects to them after all.

@pyllyukko
Owner

So this was handled by Mozilla. Closing this now.

6 participants