Yeah, I have an anti fingerprint extension installed in Firefox, and immediately no Google site will work anymore, all google sessions break with it while most other sites just continue to work.
I’m working to rid myself completely from Google, my target being that I will completely DNS block all google (and Microsoft and Facebook) domains within a year or so. Wish I could do it faster but I only have a few hours per weekend for this
Hi, here are the extensions I use in FireFox/Librewolf (all will work in Chromium too, but I don’t recommend Chromium browsers):
Privacy and Security-focused
uBlock Origin: A lightweight and efficient wide-spectrum content blocker.
Decentraleyes: Protects you from tracking through free, centralized content delivery. (not recommended alongside uBlock Origin; see the reply below)
CanvasBlocker: Protects your privacy by preventing websites from fingerprinting you using the Canvas API.
Ghostery Tracker & Ad Blocker - Privacy AdBlock: Blocks trackers and ads to protect your privacy and speed up browsing. Also has a handy feature that automatically rejects cookies for you. (not recommended alongside uBlock Origin; see the reply below. You can disable the ad blocking functionality and keep the cookie rejection function).
KeePassXC-Browser: Integrates KeePassXC password manager with your browser.
NoScript: Blocks JavaScript, Flash, and other executable content to protect against XSS and other web-based attacks (note: you will be required to manually activate javascript on each web page that you visit, but this is a good practice that you should get used to).
Privacy Badger: Automatically learns to block trackers based on their behavior. (not recommended alongside uBlock Origin; see the reply below)
User-Agent Switcher and Manager: Allows you to spoof your browser’s user-agent string (avoid creating a unique configuration; opt for something common, such as Chrome on Windows 10).
Violentmonkey: A user script manager for running custom scripts on websites (allows you to execute your own JavaScript code, usually to modify how a website behaves or block behavior that you don’t like. VERY useful. Check out greasyfork for UserScripts).
Other useful extensions (non-privacy/security)
Firefox Translations: Provides on-demand translation of web pages directly within Firefox.
Flagfox: Displays a flag depicting the location of the current website’s server.
xBrowserSync: Syncs your browser data (bookmarks, passwords, etc.) across devices with end-to-end encryption.
Plasma Integration: Integrates Firefox with the KDE Plasma desktop environment (for linux users).
Thanks for the list! Although most of the time it’s advised to not use multiple adblocker in tandem, because they might conflict with each other and get detected by the website. For example, uBlock origin has, in its settings, an option to disable JavaScript and in the filter list, an option to block cookie banners “Cookie notices”. But if all of these work for you that’s great!
How do these extensions work with ubo?
On a different note. Your name used to be my nickname lol thanks for that memory.
This article actually shares what changed, as opposed to just asserting that there was a change.
So I guess for Firefox users it’s time to enable the resist fingerprinting option ? https://support.mozilla.org/en-US/kb/resist-fingerprinting
You can also use canvas blocker add-on.
Use their containers (firefox multi-account container add-on) feature and make a google container so that all google domains go to that container.
If you want to get crazy, in either set in about:config or make yourself a user.is file in your Firefox profile directory and eliminate all communication with google. And some other privacy tweaks below.
google shit and some extra privacy/security settings
Google domains and services:
user_pref(“browser.safebrowsing.allowOverride”, false);
user_pref(“browser.safebrowsing.blockedURIs.enabled”, false);
user_pref(“browser.safebrowsing.downloads.enabled”, false);
user_pref(“browser.safebrowsing.downloads.remote.block_dangerous”, false);
user_pref(“browser.safebrowsing.downloads.remote.block_dangerous_host”, false);
user_pref(“browser.safebrowsing.downloads.remote.block_potentially_unwanted”, false):
user_pref(“browser.safebrowsing.downloads.remote.block_uncommon”, false);
user_pref(“browser.safebrowsing.downloads.remote.enabled”, false);
user_pref(“browser.safebrowsing.downloads.remote.url”, “”);
user_pref(“browser.safebrowsing.malware.enabled”, false);
user_pref(“browser.safebrowsing.phishing.enabled”, false);
user_pref(“browser.safebrowsing.provider.google.advisoryName”, “”);
user_pref(“browser.safebrowsing.provider.google.advisoryURL”, “”);
user_pref(“browser.safebrowsing.provider.google.gethashURL”, “”);
user_pref(“browser.safebrowsing.provider.google.lists”, “”);
user_pref(“browser.safebrowsing.provider.google.reportURL”, “”);
user_pref(“browser.safebrowsing.provider.google.updateURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.advisoryName”, “”);
user_pref(“browser.safebrowsing.provider.google4.advisoryURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.dataSharingURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.gethashURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.lists”, “”);
user_pref(“browser.safebrowsing.provider.google4.pver”, “”);
user_pref(“browser.safebrowsing.provider.google4.reportURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.updateURL”, “”);
Privacy and security stuff:
user_pref(“dom.push.enabled”, false);
user_pref(“dom.push.connection.enabled”, false);
user_pref(“layout.css.visited_links_enabled”, false);
user_pref(“media.navigator.enabled”, false);
user_pref(“network.proxy.allow_bypass”, false);
user_pref(“network.proxy.failover_direct”, false);
user_pref(“network.http.referer.spoofSource”, true);
user_pref(“security.ssl.disable_session_identifiers”, true);
user_pref(“security.ssl.enable_false_start”, false);
user_pref(“security.ssl.treat_unsafe_negotiation_as_broken”, true);
user_pref(“security.tls.enable_0rtt_data”, false);
user_pref(“privacy.partition.network_state.connection_with_proxy”, true);
user_pref(“privacy.resistFingerprinting”, true);
user_pref(“privacy.resistFingerprinting.block_mozAddonManager”, true);
user_pref(“privacy.resistFingerprinting.letterboxing”, true);
user_pref(“privacy.resistFingerprinting.randomization.daily_reset.enabled”, true);
user_pref(“privacy.resistFingerprinting.randomization.enabled”, true);
user_pref(“screenshots.browser.component.enabled”, false);
user_pref(“privacy.spoof_english”, 2);
user_pref(“webgl.enable-debug-renderer-info”, false); user_pref(“webgl.enable-renderer-query”, false);
This is why I like Lemmy, never knew canvas blocker was a thing. Thank you.
Or you just switch to LibreWolf where all these settings are already set. It even comes with uBlock preinstalled.
I’m still trying to wrap my head around fingerprinting, so excuse my ignorance. Doesn’t an installed plugin such as Canvas Blocker make you more uniquely identifiable? My reasoning is that very few people have this plugin relatively speaking.
Iirc, Websites can’t query addons unless those addons manipulate the DOM in a way that exposes themselves.
They can query extensions.
Addons are things installed inside the browser. Like uBlock, HTTPS Everywhere, Firefox Containerr, etc.
Extensions are installed outside the browser. Such as Flashplayer, the Gnome extensions installer, etc.
I use (and love) Firefox containers, and I keep all Google domains in one container. However, I never know what to do about other websites that use Google sign in.
If I’m signing into XYZ website and it uses my Google account to sign in, should I put that website in the Google container? That’s what I’ve been doing, but I don’t know the right answer.
Yes, that’s right. Also seriously consider ditching Single StalkSign On entirely.
Why does it do this?
- Math operations in JavaScript may report slightly different values than regular.
PS grateful for this option!
Some math functions have slightly different results depending on architecture and OS, so they fuzz the results a little. Here’s a tor issue discussing the problem: https://gitlab.torproject.org/legacy/trac/-/issues/13018
But one question I’ve been asking myself is : then, wouldn’t I be fingerprinted as one of the few nerds who activated the resist fingerprinting option?
I’ve used this. The only annoyance is that all the on-screen timestamps remain in UTC because JS has no idea what timesone you’re in.
I get that TZ provides a piece of the fingerprint puzzle, but damn it feels excessive.
And automatic darkmode isn’t respected, and a lot of other little annoyances. That’s why this is so difficult. These are all incredibly useful features we would have to sacrifice for privacy.
Dark mode can be recreated using extensions, although the colors most likely won’t be as legible as “native support”.
I don’t see why a similar extrnsion couldn’t change the timezones of clocks.
Additionally, I don’t see why the server should bother with either (pragmatically) - Dark mode is just a CSS switch and timezones could be flagged to be “localized” by the browser. No need for extra bandwidth or computing power on the server end, and the overhead would be very low (a few more lines of CSS sent).
Of course, I know why they bother - Ad networks do a lot more than “just” show ads, and most websites also like to gobble any data they can.
I mean it doesn’t hurt but as far as I can tell, it doesn’t actually block fingerprinting, it blocks domains known to collect and track your activity. The entire web is run on Google domains so that would be nearly impossible to block.
The crazy part about fingerprinting is that if you block the fingerprint data, they use that block to fingerprint you. That’s why the main strategy is to “blend in”.
The crazy part about fingerprinting is that if you block the fingerprint data, they use that block to fingerprint you. That’s why the main strategy is to “blend in”.
So, essentially the best way to actually resist fingerprinting would be to spoof the results to look more common - for example when I checked amiunique.org one of the most unique elements was my font list. But for 99% of sites you could spoof a font list that has the most common fonts (which you have) and no others and that would make you “blend in” without harming functionality. Barring a handful of specific sites that rely on having a special font, that might need to be set as exceptions.
No, the best way is to randomly vary fingerprinting data, which is exactly what some browsers do.
Font list is just one of a hundred different identifying data points so just changing that alone won’t do much.
It’s a nice feature for those that actively enable it and know that it’s enabled, but not for the average user. Most people never change the default settings. Firefox breaking stuff by default would only decrease their market share even further. And this breaks so much stuff. Weird stuff. The average user wants a browser that “just works” and would simply just switch back to Chrome if their favourite website didn’t work as expected after installing Firefox. Chrome can be used by people who don’t even know what a browser is.
So, manifest v3 was all about preventing Google’s competitors from tracking you so that Google could forge ahead.
It was never about privacy, it was supposedly about security, which there is some evidence for. There were a lot of malicious extensions. The sensible thing to do would be to crack down on malicious extensions but I guess that costs too much money and this method also conveniently partially breaks adblockers.
This has been the case for years. I develop fingerprinting services so AMA but it’s basically a long lost battle and browser are beyond the point of saving without a major resolution taking place.
The only way to resist effective fingerprint is to disable Javascript in its entirity and use a shared connection pool like wireguard VPN or TOR. Period. Nothing else works.
Disabling JavaScript entirely is another data point for fingerprinting. Only a tiny fraction of users do it.
Besides, without JavaScript most websites are not functional anymore. Those that are are likely not tracking you much in the first place.
I disable JS with noscript.net and it really is an enormous pain. It has some security advantages, like I don’t get ambushed so easily by an unfamiliar site and pop ups. I often will just skip a site if it seems too needy
Wouldn’t selective disabling of JavaScript make fingerprinting easier? Your block and white list are likely to be unique.
This is what I’ve been saying for months in the reddit privacy sub and to people IRL. Some people seem perfectly happy to just block ads so they don’t see the tracking. Literal ignorance is bliss. Most simply don’t have time or wherewithal to do the minimal work it takes to enjoy relative “privacy” online.
FWIW, any VPN where you can switch locations should do the job since the exit node IPs ought to get re-used. My practice is to give BigG a vanilla treat because my spouse hasn’t DeGoogled, and leave anything attached to our real names with location A. Then a whole second non-IRL-name set of accounts usually with location B with NoScript and Chameleon. Then anything else locations C, D, E, etc.
Ugh… This all sucks.
So… how effective is it? The fingerprinting. I’m guessing there are studies? Also don’t know whether there’s been legal precedent, ie whether fingerprinting has been recognized as valid means of user identification in a court case.
It’s super effective but there are very few real use cases for it outside of security and ad tracking. For example you can’t replace cookies with it because while good fingerprint is unique it can still be fragile (browser update etc.) which would cause data loss and require reauth.
Usually fingerprint plays a supporting role for example when you do those “click here” captchas that’s actually just giving the browser time to fingerprint you and evaluate your trust to decide whether to give you a full captcha or let you through. So fingerprint is always there in tbe background these days tho mostly for security and ad tracking.
As for court cases and things like GDPR - the officials are still sleeping on this and obviously nobody wants to talk about it because it’s super complex and really effective and effects soo many systems that are not ad tech.
Usually fingerprint plays a supporting role for example when you do those “click here” captchas that’s actually just giving the browser time to fingerprint you and evaluate your trust to decide whether to give you a full captcha or let you through. So fingerprint is always there in tbe background these days tho mostly for security and ad tracking.
I’ve been wondering about those “click here” captchas and their purpose 🤔
