Comment by drnick1

Comment by drnick1 9 hours ago

33 replies

View on Hacker News

Firefox w/ the Arkenfox user.js is probably as good as it gets in terms of privacy. By default, this config burns cookies on exit, standardizes the time zone to UTC, spoofs the canvas fingerprint, and does other helpful things. Basically, it makes Firefox expose the same information as the Tor browser.

In addition, I block most known advertizing/tracking domains at the DNS level (I run my own server, and use Hagezi's blacklists).

Finally, another suggestion would be to block all third party content by default using uBlock Origin and/or uMatrix. This will break a lot of websites, but automatically rules out most forms of tracking through things such as fonts hosted by Google, Adobe and others. I manually whitelist required third party domains (CDNs) for websites I frequently visit.

samtheprogram 5 hours ago

There's no point unless a critical mass of people use these tools. You will be the only one on your IP address using this configuration of masked fingerprinting, which is itself a fingerprint.

That's also why it's indeed useful when using Tor, because you're not identified by your base IP.

Unless we make this part of the culture, you have basically 0 recourse to browser fingerprinting except using Tor. Which can itself still be a useful fingerprint depending on the context.

EDIT: I'll add that using these tools outside of normal browsing use can be useful for obfuscating who's doing specific browsing, but it should be emphasized that using fingerprinting masking in isolation all the time is nearly as useful as not using them at all.

Reply View 2 replies
  • cortesoft 4 hours ago

    Basically the XKCD license plate comic: https://xkcd.com/1105/

    Reply View 1 reply
    • nativeit 2 hours ago

      Has anyone wrote software that automatically surfaces the relevant XKCD comic for every article this happens under?

      I’d like a feature in my HN reader that sticks a red button at the bottom anytime XKCD has already made the points I’m reading.

      Reply View 0 replies
mmooss 36 minutes ago

> Basically, it makes Firefox expose the same information as the Tor browser.

Is it based on the Tor browser?

Some solutions, like Tor browser or GrapheneOS, are engineered for the purpose.

Some free online tools are an aggregation of ideas from social media and someone's personal understanding. These solutions can have limited benefits or be worse than the problem. Many settings don't work as expected, there are unintended consequences (such as making the browser more unique and easier to fingerprint), unusual combinations of settings can have unintended consequences or break things (Mozilla can't test every combination of about:config settings).

Reply View 0 replies
codedokode 9 hours ago

Does it hide GPU name that is exposed via WebGL/WebGPU? Does it hide internal IP address, available via WebRTC?

> block all third party content

It's not going to work, because the fingerprinting script can be (and is often served) from first-party domain.

Also imagine if browser didn't provide drawing API for canvas (if you would have to ship your own wasm rendering library). Canvas would become useless for fingerprinting and its usage would drop manyfold. And the browser would have less code and smaller attack surface.

Reply View 9 replies
  • drnick1 9 hours ago

    > Does it hide GPU name that is exposed via WebGL/WebGPU? Does it hide internal IP address, available via WebRTC?

    My GPU is reported as simply "Mozilla" by https://abrahamjuliot.github.io/creepjs/.

    The number of cores is also set to 4 for everyone using this config and/or Tor.

    > It's not going to work, because the fingerprinting script can be (and is often served) from first-party domain.

    This may be true, but allowed third party content makes it trivially easy for Google and others to follow people around the Internet through fonts delivery systems among others.

    Reply View 3 replies
    • tempest_ 6 hours ago

      I had forgotten I was running Ublock origin / Privacy Badger / Ghostry so I was a bit confused with the results from that site.

      I think it is Ghostry that is faking the responses but I still have a pretty unique fingerprint according to https://coveryourtracks.eff.org/kcarter?aat=1

      Reply View 2 replies
      • ifh-hn 3 hours ago

        Isn't ghostry compromised? Having been bought out by an ad company?

        Reply View 1 reply
        • nativeit 2 hours ago

          As near as I can tell, it’s always been owned by Cliqz, who produced some privacy-focused browsers (named Dawn or Lumen) and a search engine (Tailcat) that was ultimately purchased by Brave. The whole thing is majority owned by a German media group, Hubert Burda Media, and while its missions towards increased privacy seem to be sincere, I don’t know if I’d trust them implicitly.

          All that said, the main project looks to be open sourced under a GPL3 license, so distrust and verify: https://github.com/ghostery

          Reply View 0 replies
  • dminuoso 9 hours ago

    If I infiltrate someone else’s computer, secretly run code in order to to exfiltrate data I risk prison time because objectively it seems to satisfy criminal laws over where I live.

    How do prosecutors in any modern country/state not charge this behavior when done by a website owner?

    Reply View 4 replies
    • gruez 8 hours ago

      The difference is that there's implied consent to run arbitrary (albeit sandboxed) code when you visit a website. Moreover it's not the website causing the code to be executed, it's your browser. Otherwise if the bar is "code is being run but the user doesn't know about it", it would lead to either any type of web pages with javascript being illegal (or maybe without javascript, given that CSS turing complete), or a cookie banner type situation where site asks for consent and everyone just blindly accepts.

      Reply View 3 replies
      • mh- 7 hours ago

        > if the bar is "code is being run but the user doesn't know about it",

        .. would lead to all modern electronics being illegal, not just web pages with javascript.

        Reply View 1 reply
        • nativeit 2 hours ago

          I guess it’s fortunate that this quote only includes a portion of the assertion they’re making. What happens when you include the rest?

          Reply View 0 replies
      • bandrami 5 hours ago

        > any type of web pages with javascript being illegal

        Inshallah

        Reply View 0 replies
kachapopopow 8 hours ago

All javascript based anti-fingerprinting is detectable and is also a major source of uniqueness!

Reply View 2 replies
  • vorticalbox 7 hours ago

    Sure but if you are always unique for every website then you can’t be tracked overtime.

    Reply View 1 reply
    • HumanOstrich 5 hours ago

      They meant a signal of uniqueness for your setup that could still assist with tracking, not being unique for every site.

      Reply View 0 replies
alcide 9 hours ago

Orion Browser (Kagi Product) prevents fingerprinters from running by default.

https://help.kagi.com/orion/privacy-and-security/preventing-...

Reply View 8 replies
  • mmooss 33 minutes ago

    To ask the obvious question: Doesn't blocking fingerprinters itself fingerprint the browser.

    (Also, what is a 'fingerprinter'? Isn't it something that runs server-side, out of reach of the browser, based on data collected?)

    Reply View 0 replies
  • ashman5 7 hours ago

    Orion browser is also capable of running uBlock Origin (not Lite) on iOS.

    Reply View 0 replies
  • codedokode 9 hours ago

    How do they reliably detect fingerprinting? Did they solve the Halting Problem? Sounds fishy.

    Reply View 5 replies
    • gruez 9 hours ago

      >The only efficient protection against fingerprinting is what Orion is doing — preventing any fingerprinter from running in the first place. Orion is the only browser on the market that comes with full first-party and third-party ad and tracking script blocking, built-in by default, making sure invasive fingerprinters never run on the page.

      sounds like they block "known" fingerprinting scripts and call it a day.

      Reply View 4 replies
      • nativeit 2 hours ago

        This is also covered in the article. I appreciated the analogy they used: You can put on a ski mask when you go to the mall, and it will conceal your identity, but you will also be instantly suspicious to everyone around you, and will likely be asked to leave most of the stores you try to visit.

        Reply View 0 replies
      • 0xy 7 hours ago

        This makes you inherently trackable, ironically. No trace is a massive trackable attribute, since almost nobody is untraceable.

        Reply View 1 reply
      • jorvi 6 hours ago

        > Orion is the only browser on the market that comes with full first-party and third-party ad and tracking script blocking

        I love Kagi, but that is a laughable statement. Brave has been offering ad and fingerprint blocking for years now. The reason why they don't have full first party blocking ("aggressive" mode blocking) on by default is because it tends to break things.

        Reply View 0 replies
capitainenemo 6 hours ago

unfamiliar with the Arkenfox user.js but are any of these things that are beyond what firefox enables out of the box if you turn on privacy.resistFingerprinting ? Because what you describe seems to be all stuff it does just by flipping flag.

Reply View 0 replies
0xy 7 hours ago

As someone who utilizes these tools for anti-fraud purposes, Firefox is just as trackable if not more trackable than Chrome (especially because you stand out by using a niche browser in the first place).

Firefox exposes a massive amount of identifiable information via canvas, audio device and feature detection methods. There's also active methods to detect private windows, use of the developer console and more.

Reply View 1 reply
  • vpShane 7 hours ago

    Of course. There's data where there isn't data.

    -make client load something

    -client doesn't load it

    -add.fingerprint.point(client,'doesnltloadthings',1)

    -detect if client does something only a certain browser does

    -client does it

    -add.fingerprint.point(client,'doesthisbrowsderthing',1)

    -window was resized/moved, send a websocket snitch to the backend

    - keep a consistent web socket open, or fetch a backend-api call for updates on X events - more calls are made, means user is probably scrolling, inject more things/different things.

    I see some js obfuscators out there where I look at the js file and it's all mumbo jumbo.

    It is indeed a privacy nightmare, where whatever we do feeds the algorithms to aide in making other people do things.

    But it's also used in network security, organizations etc. Staff/employees will use the system a certain way, if something enters it without the behaviors, it's detectable. I assume that's what you mean in anti-fraud.

    Sad part is we don't know what the data is ever used for, and it's often bought and sold and the cycle repeats.

    Reply View 0 replies
hilbert42 6 hours ago

"This will break a lot of websites, but automatically rules out most forms of tracking…"

Whether one breaks a lot of websites or not depends on the type of user one is. People who regularly use the Google ecosystem, Amazon and Social Media etc. cannot afford to break sites for obvious reasons, they too are those that websites are most interested in tracking and fingerprinting.

Those who use the web in the way advertisers and Big Tech intend users to use it are the most vulnerable, they're the ones who most need protection.

I break websites regularly but it doesn't worry me, I browse with the premise that there are more websites on the internet than I'll ever be able to visit and if I break sites or are blocked by paywalls then there are usually alternatives and workarounds.

But then I'm not a typical user, I block ads, I usually browse with JS off, kill cookies, use block lists, use multiple browsers (there are six on this deGoogled, rooted phone), browse from multiple machines—Windows, Linux and use multiple ISPs. Also, I've no Social media or Google accounts and rarely ever purchase stuff online. Internet access is via dynamic IP addresses and routers are rebooted often. There's more but you get the picture.

I assume browsing sans JS makes me a first-class target for fingerprinting and that websites know about me but it doesn't matter. Whatever I'm doing seems to work, over the years I've had very little trouble doing everything on the web that I want to do. Clearly I'm of little interest to advertisers and I never see ads let alone targeted ones. I used to use uBlock Origin but I don't bother now as browsing sans JS is just so effective at blocking ads.

I'm lucky in the fact that I use no service that would benefit from fingerprinting me. Whilst my web browsing is atypical of most users I reckon many could benefit by being more proactive—using multiple machines, browsers, ISPs etc.—to disrupt the outflow of personal data. For example, this is being written on a rooted Android using Privacy Browser from F-Droid sans JS and with block lists. If I really need to go to a site where JS is required, I can simply hit a toggle and turn on JS or alternatively use another browser.

Reply View 0 replies
DeathArrow 5 hours ago

There is also server side fingerprinting like JA4+ and others. Also, if you somehow evade fingeprinting, you have to prepare yourself to solve some very slow Google and Cloudflare captchas.

Reply View 1 reply
maks198 8 hours ago

>Firefox w/ the Arkenfox user.js is probably as good as it gets in terms of privacy.

No. It's LARP. You either don't care or go with Tor Browser and/or commercial antidetect browsers.

But you shouldn't care, this issue of fingerprinting is overblown. (really reminds me of AI)

Reply View 0 replies