
Protections Against Fingerprinting and Crypto Mining in Firefox Nightly and Beta - sohkamyung
https://blog.mozilla.org/futurereleases/2019/04/09/protections-against-fingerprinting-and-cryptocurrency-mining-available-in-firefox-nightly-and-beta/
======
charlesdaniels
I agree with the general sentiment in the comments that this is good --
fingerprinting in particular is something browser vendors should be trying to
combat.

I am concerned about the approach however; a simple blacklist of
fingerprinting scripts may be insufficient, in that non-blocked scripts can
still access the data that is used to accomplish fingerprinting.

Personally, I would like to see more security around the data that is used for
fingerprinting, such as user agent, screen size, window size, loaded plugins,
and so on. If this type of information was either protected with permissions,
or if bogus values were provided to non-user-whitelisted sites, then it would
be far harder to fingerprint users, as there would be less identifiable
information to go off of.

A less aggressive approach might be to have some kind of notification to the
user if a website is accessing many API calls that are commonly associated
with fingerprinting. Maybe a site that just wants to know window size is fine,
since it might want to render something or select a certain layout, but if a
site wants to know a wide variety of different information all at once, that
would be a red flag that could be signaled to the user in some way.
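
The notification heuristic suggested in the comment above, as an added example that is not part of the original comment and is not Firefox code: it counts how many distinct categories of fingerprinting-prone properties one origin reads within a short window. The property list, the threshold, the window length, the `.example` origins and the mock `navigator`/`screen`/`window` objects are all assumptions.

```javascript
// Added example: flag an origin that reads many fingerprinting-prone
// properties in a short burst. Property list, threshold, window length
// and the mock objects below are assumptions for illustration.

// Categories named in the comment: user agent, screen size, window size, plugins.
const SURFACES = {
  userAgent: ['navigator.userAgent', 'navigator.platform'],
  screen: ['screen.width', 'screen.height', 'screen.colorDepth'],
  window: ['window.innerWidth', 'window.innerHeight'],
  plugins: ['navigator.plugins', 'navigator.mimeTypes'],
};
const CATEGORY_OF = new Map(
  Object.entries(SURFACES).flatMap(([cat, props]) => props.map((p) => [p, cat]))
);

class AccessMonitor {
  constructor({ threshold = 3, windowMs = 1000 } = {}) {
    this.threshold = threshold; // distinct categories that count as a red flag
    this.windowMs = windowMs;   // "all at once" = within this many milliseconds
    this.lastSeen = new Map();  // origin -> Map(category -> time of last read)
    this.flagged = new Set();
  }

  // Record one property read. Returns true only the first time an origin
  // crosses the threshold, so the user would be notified once per origin.
  record(origin, prop, nowMs) {
    const category = CATEGORY_OF.get(prop);
    if (category === undefined) return false; // not a tracked surface
    if (!this.lastSeen.has(origin)) this.lastSeen.set(origin, new Map());
    const seen = this.lastSeen.get(origin);
    seen.set(category, nowMs);
    const recent = [...seen.values()].filter((t) => nowMs - t <= this.windowMs);
    if (recent.length >= this.threshold && !this.flagged.has(origin)) {
      this.flagged.add(origin);
      return true;
    }
    return false;
  }

  // Wrap an object so every property read by `origin` is recorded.
  watch(origin, name, target, clock) {
    const monitor = this;
    return new Proxy(target, {
      get(obj, key, receiver) {
        if (typeof key === 'string') monitor.record(origin, `${name}.${key}`, clock());
        return Reflect.get(obj, key, receiver);
      },
    });
  }
}

// Constructed scenario: three origins reading from mock browser objects.
function simulate() {
  const monitor = new AccessMonitor({ threshold: 3, windowMs: 1000 });
  let now = 0;
  const clock = () => now;
  const env = (origin) => ({
    navigator: monitor.watch(origin, 'navigator',
      { userAgent: 'ExampleBrowser/1.0', platform: 'ExampleOS', plugins: [] }, clock),
    screen: monitor.watch(origin, 'screen', { width: 1920, height: 1080, colorDepth: 24 }, clock),
    window: monitor.watch(origin, 'window', { innerWidth: 1280, innerHeight: 720 }, clock),
  });

  // Layout code that only wants the window size: one category, not flagged.
  const layout = env('https://layout.example');
  void (layout.window.innerWidth / layout.window.innerHeight);

  // A long session that touches three categories seconds apart: not flagged.
  const session = env('https://session.example');
  void session.navigator.userAgent; now += 2500;
  void session.screen.width; now += 2500;
  void session.window.innerWidth;

  // Many categories read within a few milliseconds: flagged.
  const burst = env('https://burst.example');
  void burst.navigator.userAgent; now += 5;
  void burst.screen.colorDepth; now += 5;
  void burst.navigator.plugins; now += 5;
  void burst.window.innerHeight;

  return [...monitor.flagged];
}
```
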

~~~
jacekm
> like to see more security around the data that is used for fingerprinting,
> such as user agent

I think this is already available, just not enabled by default. In
about:config one needs to set privacy.resistFingerprinting to true. (be aware
however that this setting causes problems with google captcha - the number of
challenges that you will need to solve will drastically increase)

~~~
proxygeek
> this setting causes problems with google captcha - the number of challenges
> that you will need to solve will drastically increase

No kidding. I'm talking about ~30-40 clicks (1 click per task in the captcha
grid)

~~~
gcb0
not to mention when google puts you in captcha-hell-ban.

often, after a few difficult ones, I realize I get stuck into the same 20
challenges. over and over. no matter if I get them right or not. We do run all
browsers in the office with fingerprint protection on and run non-exit-tor-nodes
in all offices. But those are hardly excuses.

The hell bans happen more often on firefox for android, but I guess that is
what you can expect when you go against goliath.

It's literally google censoring me from talking (and sometimes reading) random
sites on the web

~~~
sneak
No, it’s the site owner choosing to outsource their decisions about
gatekeeping a private site to Google. Google isn’t censoring you via CAPTCHA,
the site owner is.

~~~
l0b0
That is only true as far as the site owner knows of and understands the
consequences of their actions. I would be extremely surprised if more than 10%
of their users understand this. Whether they care is a whole other matter, but
this is very likely ignorance rather than malice on the part of site owners.

~~~
close04
I can understand why site owners resort to such services. They need a strong
CAPTCHA system. The problem is really Google for abusing it.

------
GeekyBear
I appreciate it when my browser takes the position that it acts as the user's
agent, and not the advertising network's agent.

~~~
bloopernova
This attitude from the Mozilla crew has convinced me to try switching from
Chrome for a week. (I understand that these latest features aren't yet
available in the normal releases)

~~~
CedarMills
I switched completely to Firefox on my work computer. Don't miss Chrome at
all.

~~~
Daniel_sk
Me too. I am absolutely happy with Firefox after switching about 6 months ago.
I don’t miss anything.

------
jefftk
> In the coming months, we will start testing these protections with small
> groups of users and will continue to work with Disconnect to improve and
> expand the set of domains blocked by Firefox. We plan to enable these
> protections by default for all Firefox users in a future release.

While lots of people here already have uMatrix or other blockers running,
blocking fingerprinting and cryptomining domains by default would be a big
step!

(Disclosure: I work on ads at Google.)

~~~
wurst_case
Since you work on ads, may I ask why you support this? Won't this make most of
your features ineffective?

~~~
tialaramex
In principle advertising is fine. Telling people that a product exists is
useful. "Do you need a hat shaped exactly like a golf ball? At Dave's Golf
Ball Hats we sell six sizes!". Targeting this advert to most likely be seen by
people who actually had been thinking of buying a hat shaped like sporting
equipment is still a good idea too.

But an advert that steals from you, or harms you is neither of those things.
Google Ads doesn't need those to be profitable. It would suit them if those
went away.

~~~
JohnFen
> Targeting this advert to most likely be seen by people who actually had been
> thinking of buying a hat shaped like sporting equipment is still a good idea
> too.

Not if that targeting is done using data gathered about me without my consent
-- as it almost universally is.

Targeting based on context (what sort of website the ad is on, for instance),
is fine.

~~~
manigandham
Data about you is not your data. Anyone can stand outside and watch what
people do and take notes. That doesn't need your consent. It's the same thing
here.

~~~
Yizahi
Metadata = Surveillance

https://www.schneier.com/blog/archives/2014/03/metadata_survei.html

Quote:

"An easy thought experiment demonstrates this. Imagine that you hired a
private detective to eavesdrop on a subject. That detective would plant a bug
in that subject's home, office, and car. He would eavesdrop on his computer.
He would listen in on that subject's conversations, both face to face and
remotely, and you would get a report on what was said in those conversations.
Now imagine that you asked that same private detective to put a subject under
constant surveillance. You would get a different report, one that included
things like where he went, what he did, who he spoke to -- and for how long --
who he wrote to, what he read, and what he purchased. This is all metadata,
data we know the NSA is collecting. So when the president says that it's only
metadata, what you should really hear is that we're all under constant and
ubiquitous surveillance."

~~~
manigandham
I'm not sure of your point.

_My_ point is that surveillance is not illegal and does not require any
consent to accrue information through public observation.

~~~
JohnFen
I think whether or not it's legal is irrelevant. Things can be wrong -- even
unconscionable -- and still be legal.

------
mikro2nd
I don't much like the notion of farming out my "cryptomining blocker" to some
unknown-to-me third party. There are a (small) number of sites that do
cryptomining _after asking for an opt-in permission_ (e.g. bit.tube). It seems
to me that this is an interesting exploration of new, alternate funding models
than serving ads, and I, for one, like to (sometimes) support these. I'd hate
to see them land up in a blocklist I don't have _some_ degree of control over.

~~~
mcsmash
This. The internet desperately needs to progress beyond an advertisement
driven business model. Disallowing these scripts seems a little heavy handed.
Perhaps the addition of a "requestComputeResources" method to the browser's
api would give a way to throttle them instead of outright banning them.

~~~
endorphone
They make it optional.

To be real, though, somewhere close to 0% (rounded to the third decimal place)
of users would agree to grossly inefficient cryptomining in the browser. As a
web funding model it is terrible and is almost always akin to malware. It
certainly costs the user much more in electricity costs than it will ever
benefit web publishers.

~~~
bodyloss
And as a global ecological cost, it's pretty huge.

------
mzo123231
I love all the new features that Firefox has been coming out with. They
understand their users' perspective.

------
gbrindisi
I do appreciate the feature!

But how feasible would it be to limit the amount of info retrievable from the JS
layer instead of relying on a black list of domains serving fingerprinters?

~~~
capnrefsmmat
Mozilla devs seem to take this into account whenever adding new JS features,
at least on their mailing lists.

For example, this discussion of a new API for gamepads immediately turned to a
discussion of its fingerprinting risks and how they can be mitigated:
https://groups.google.com/d/msg/mozilla.dev.platform/75GrJSPHAu0/V3DZcKyxBQAJ

~~~
andrepd
The www has an API for gamepads. I need a moment.

~~~
mrspeaker
Off topic, but besides being a really cool API for playing games - and heaps
of games support it - I used this in a talk to control my "slides" via an xbox
controller:
[https://mrspeaker.github.io/emacs_talk/](https://mrspeaker.github.io/emacs_talk/)
\- moving around topics, triggering slides forward/back, starting/stopping
videos, and changing slide opacity using the d-pad, analog sticks, and
triggers. I'll never use an apple remote again ;)

~~~
sitkack
This is the nerdiest thing I have seen in a long time. It is lovely! Keep it up.

------
empath75
Seems like they're just using a blacklist? Those seem to be able to be gamed
pretty trivially.

~~~
rubbingalcohol
Agreed. Setting up blacklists is just whack-a-mole. I'd be more interested in
detection of actual fingerprinting techniques, such as system font enumeration
using canvas, or WebGL GPU fingerprinting. It would be technically possible to
detect the creation of WebGL or canvas contexts that aren't actually rendered
in the layout and prevent data gathered from those contexts from being sent in
any XHR payload. I'm sure that's a lot of work.

Maybe it would be better to find the worst offending JS APIs and demand a user
consent step similar to webcam or notifications in order for the scripts to
run at all.

~~~
drewmol
I couldn't help but read the headline and think to myself: This is great! I
should probably jump right in to this .001 % bucket of Firefox nightly users.
Combine this with my >1% OS, custom profile of barebones unsupported,
blocked, not installed client technologies and then they'll really never get
_my_ fingerprints!

~~~
discreditable
If you enable resistFingerprinting, Firefox reports a "standard" user agent.
Without that, your Nightly user agent probably makes you trivial to track.

------
founderling

> In collaboration with Disconnect, we have compiled
> lists of domains that serve fingerprinting and
> cryptomining scripts. Now in the latest Firefox
> Nightly and Beta versions, we give users the option
> to block both kinds of scripts

Isn't this something that content blockers like umatrix already excel at? Why
put it into the core of Firefox?

I would prefer to see Firefox giving more power to extensions. For example, it
is still impossible to make an extension that makes a typed in url use https
per default. Because it is not possible for an extension to know if a network
request stems from the user typing it, using a bookmark or one of the other
many ways a browser can be triggered to do a network request. So typing urls
in Firefox keeps being dangerous because it will load the url per http by
default.

~~~
meruru
I prefer to have features like this in core so I don't have to give a ton of
permissions to a third party. I hope it becomes powerful enough to replace
uMatrix.

~~~
founderling
Extensions are analyzed by the Firefox team:

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews#Submission_Guidelines

If the review process is still insecure (That is how I understand your reply) I
would prefer them to put their energy into this. Analyzing popular extensions
in depth (and giving them some 'in depth analyzed' badge) so you do not have
to trust a third party.

~~~
meruru
I don't know how much I can trust the review process. I believe they have
relaxed it a bit recently:
https://blog.mozilla.org/addons/2017/09/21/review-wait-times-get-shorter/

> Add-ons built on the WebExtensions API will now be automatically reviewed.
> This means we will publish add-ons shortly after uploading. Human reviewers
> will look at these pre-approved add-ons, prioritized on various risk factors
> that are calculated from the add-on’s codebase and other metadata.

------
huhtenberg
Do I read it correctly that fingerprinting is blocked purely with a
script/domain blacklist?

~~~
VWWHFSfQ
how else would they block it

~~~
IshKebab
Present a uniform environment to scripts. For example fingerprinting doesn't
work very well on iPhones because they are all so similar. Firefox could
pretend to be some sort of "standard" machine.

That's definitely not easy but it beats blacklists which are trivial to work
around.

~~~
iforgotpassword
They already do this in some areas, like returning a fixed list of installed
fonts, but fixing every possibility of fingerprinting is extraordinarily hard
since there are so many ways to pull in some data. At some point it might
actually hurt the user experience.

------
Eli_P
Right decision to make a step towards a user and protect their market.
Preventing fingerprinting is interesting and non-trivial by itself. It's
impossible to implement with just a plugin.

One day I found that _navigator.getGamepads()_ did rat out my gamepad in
Chrome while using private mode, I tweeted Google, they didn't answer. Who
knows what else is exposed.

I didn't know Firefox had
_privacy.resistFingerprinting.reduceTimerPrecision.jitter_ option, that's
cool, but what about _requestAnimationFrame()_? Games wouldn't work without
it. Not to mention spawning workers and passing values between them; delays
while using things like shaders and gpu.js; decoding various formats like
audio and measuring time, etc. Anyone tried to block videos on news sites?
They are unstoppable, I can watch vids like with everything red in uBlock
Origin.

I think Mozilla could make a contest for breaking their fingerprint
resistance, before they are ready to merge their privacy features from Nightly
to master branch.

------
syoc
I really welcome Mozilla's effort in fighting the uphill battle against
browser fingerprinting. I am however very interested in the terms of Mozilla's
partnership with Disconnect. Are they obsoleting their add-on for Firefox out of
the good of their hearts?

~~~
groovybits
If I'm not mistaken, Firefox's currently built-in Tracking Protection also
borrows from the base Disconnect blocking lists. So this would not be the
first time they've used them.

------
manigandham
This endless war could be solved with a single meeting with the 3 major adtech
companies.

All browsers have to do is share a single advertiser ID and have it reset by
the user whenever they want. No more cookies, pixel syncs, or fingerprinting
and all the related countermeasures.

This is the _exact_ mechanism used by mobile apps right now so it's already
well-tested and proven to work.

~~~
AgentME
"Solving" fingerprinting by fingerprinting ourselves seems like it might miss
the point for a lot of people.

~~~
manigandham
Missing the point is the cause of all this mess.

~~~
AgentME
If you care about fingerprinting because you care about privacy and limiting
companies' ability to profile you, then adopting an advertiser id is giving up
completely.

------
sologoub
The fingerprinting list includes Stripe, why?

https://github.com/mozilla-services/shavar-prod-lists/blob/7eaadac98bc9dcc95ce917eff7bbb21cb71484ec/disconnect-blacklist.json#L9516

------
jlrubin
Feels anti-competitive to have defaults to block mining while not having
default enabled advert blocking.

I'm much happier for a site to mine on their tab while I'm watching a video
than to show me 2 minutes of advertisements every 10 minutes. On mobile in
particular, where video ads end up eating a large chunk of my data costs.

~~~
jakubp
You are happier to have your resources stolen and not be aware of it (it's
invisible, you can't see what's happening and react - right?) than to be shown
an annoying thing which is very much in your awareness? I don't know, I'd
rather know someone is harming me silently and have the means to stop it by
default. The things that are shown in front of me, I can handle them...

~~~
jlrubin
Firefox already has tools to throttle tabs which are abusive CPU-load wise,
which seems sufficient in this case.

And it's unclear such resources are being 'stolen' if it's stated in the site
ToS.

Cryptocurrency mining is a lot less deleterious than ads. Mining doesn't need
to track your behavior, it doesn't generate misleading native content, and it
doesn't distract you from what you're trying to do.

Sign me up!

disclaimer: I was one of the founders of Tidbit,
https://www.eff.org/cases/rubin-v-new-jersey-tidbit, the first(?)
crypto mining ad replacer.

~~~
kevingrahl
> And it’s unclear such resources are being ‘stolen’ if it’s stated in the
> sites ToS.

Unless I, as a user, explicitly consented to crypto mining, no such thing
should be allowed to take place. Same thing goes for auto playing videos.

------
SECProto
Great! I look forward to these protections being included by default in the
future, as they allude to.

------
muxator
I recently enabled privacy.resistFingerprinting in about:config (which
basically is the configuration switch toggled by the UI described in this blog
post).

Everything went fine, until I noticed WhatsApp web becomes unusable, because
it does not generate the initial QR code for establishing the session (to be
fair, it flickers, which seems worse, as it smells of an active countermeasure
on WhatsApp/Facebook part).

While I did not yet have the time to dig deep into the specific technical
reason WhatsApp may have to expose such a maddening behavior, I am inclined to
think that this is more a policy choice.

If so, it's troublesome. We collectively as users arrived at the point of
willingly giving up the keys of our online communication to a few megacompanies.
It's their infrastructure and their product, so they are in power of steering
it in whatever direction they want.

I see this as something that will increasingly become a political problem. As
a tech-versed person, I see the responsibility for not doing enough about it.

------
gradstudent
I've never understood why the user-agent string gives out so much system-
specific information. Why not return less information, such as only the
browser make and version?

~~~
feedbeef
I agree that User-Agent is suspiciously leaky, but it's microscopic compared
to JavaScript. [1]

It's unfortunate that browsers are privacy-insane by default. Luckily, with a
bit of effort, most browsers [2] allow you to mitigate this with plugins (e.g.
User-Agent switcher, Cookie/Referrer controller, and JS/Adblocker). Pi-Hole
[3] can help too.

Mozilla should be commended for trying to improve the situation.

1\. [https://panopticlick.eff.org/](https://panopticlick.eff.org/)

2\. Chrome's days are numbered:
[https://news.ycombinator.com/item?id=18973477](https://news.ycombinator.com/item?id=18973477)

3\. [https://pi-hole.net/](https://pi-hole.net/)

------
anthony_doan
Nice.

I've been using add-ons that protect from canvas finger printing but those are
super laggy and slow firefox down.

------
bl4ckneon
Any way to get the list of these domains to put into something network wide
like pihole?

------
arisAlexis
I very much prefer to mine a bit with my browser than watch ads

------
daveFNbuck
This is very exciting, but it seems it's just building in partial uMatrix
functionality. It's really becoming a pain to have so many overlapping tools
doing the same thing.

~~~
jefftk
> In the coming months, we will start testing these protections with small
> groups of users and will continue to work with Disconnect to improve and
> expand the set of domains blocked by Firefox. We plan to enable these
> protections by default for all Firefox users in a future release.

Default settings can move the industry in a way that opt-in things like
uMatrix generally don't.

(Disclosure: I work on ads at Google)

~~~
daveFNbuck
That's why I said this is exciting. For normal users it's a big win, and that
has much more potential to move the industry.

------
bluedino
Kind of a shame that I can't browse that site using a VPS on a tier-2 VPS
provider (Vultr)

~~~
notyourwork
Can you elaborate on why you cannot browse that site? From your comment it is
not clear to me what the problem is but it reads as if you are trying to blame
mozilla.

~~~
bluedino
Most often I get a 403 forbidden

------
Smithalicious
I don't like this reaction to crypto mining scripts. I won't argue that a lot
of crypto mining scripts out there are blatantly abusive but I think that as a
concept it's a great business model. I wouldn't have a problem using sites
that eschewed ads and used crypto mining scripts instead and I would have no
reason at all to block them (unlike ads) as long as they're well behaved.

I think blocking mining scripts is a step backwards, hindering the adoption of
something that could finally be an unobtrusive and ethical replacement for the
failing advertisement model.

~~~
Rychard
> I think blocking mining scripts is a step backwards, hindering the adoption
> of something that could finally be an unobtrusive and ethical replacement
> for the failing advertisement model.

If the content on a website is just a vehicle for delivering advertisements, I
would consider such a business model to be fundamentally flawed.

Swapping "delivering advertisements" with "hijacking my processor cycles to
mine cryptocurrencies" doesn't exactly offer anything that would convince me
to change my mind.

I'm more than happy to pay for quality content, but I'd prefer companies to be
forthcoming about the cost involved in providing it, rather than turning me or
my data into a product that can be sold to the highest bidder.

~~~
Smithalicious
That's a fair position to hold but it doesn't scale. It's extremely hard to
actually convince people to buy something regardless of how much they like it,
doubly so if it's something nonphysical like online content.

I would also love to live in a world where I could just deposit some
reasonable amount of money every month and have it fairly distributed to pay
for all the things I love, but I can see that that's not viable in the real
world. Having websites silently use my unused computer resources is a
perfectly viable alternative to me in a way that forcing me to stare at things
I don't care about is not.

~~~
Rychard
Sure, but tapping the unused power of my high-end desktop PC seems to be far
more valuable than doing the same thing to a mobile device with a constrained
power profile.

How can I be sure I'm not being taken advantage of?

~~~
Smithalicious
You can't really be sure that you're not being taken advantage of, but neither
can you with ads. I still run into ads that hijack my back button on my phone
all the time.

~~~
Rychard
It sounds like there's no advantage then; if we allow this, companies would be
incentivized to harvest our data _and_ run our CPUs at 100%. We'd just be
giving them another revenue model.

~~~
Smithalicious
This shouldn't need to be said but companies do need _some_ revenue model. In
the end they need to make that money some way, be it your data, your CPU
cycles, your attention, or your actual money (or some combination of the
aforementioned). Out of those I think "your CPU cycles" is the least intrusive
out of the ones that can actually be feasibly implemented in all cases.

Of course companies will always be incentivized to squeeze as much value out
of you as possible, but they'll be simultaneously incentivized not to screw
people over too much. Just like how abusive ads have led to widespread use of
adblock, abusive use of mining scripts will just lead to people blocking them
(be it on a case-by-case basis or universally). But while I think ads are
always going to bother me no matter what they are or how many of them there
are, there's a level of CPU utilization that I wouldn't mind or even notice at
all.

~~~
Rychard
I see your point, but there would be nothing stopping them from double-dipping
under the guise of "we need both revenue streams to pay the bills".

They'll still show us advertisements, though they'll probably optimize them to
use fewer CPU cycles since those would directly affect their bottom line.

I sincerely doubt the vast majority of the general population are using ad-
blocking software today; at least, not to the extent that companies would dial
back their advertisements in an attempt to prevent the size of this
demographic from increasing further.

------
muckrakerz
Doesn't Brave, Brendan Eich's project, already do this? It's nicer to use too.

~~~
alexkavon
Oh you're right. Silly Mozilla adding protections to their browser for their
user-base.

That's it everyone. Shut down Mozilla and have all the users switch over to
Brave. Brendan Eich's got everything covered.

------
2_listerine_pls
I am not trying to diminish this post, just want to point out that a great
way to increase adoption would be to make a better and simpler-looking UI. A
great deal of users prefer Chrome for this reason.

~~~
luckylion
> The average user doesn't even know about fingerprinting

Yet. Give it one or two scandals, maybe involving a heavyweight like Reddit,
and users will be aware of what fingerprinting is and why it's not in their
interest to have their digital fingerprints taken, analyzed and stored every
time they enter the internet equivalent of a grocery store. Give them
analogies they can understand and they will feel like they're in a dystopian
surveillance state movie, because that's what we're in on the internet.

~~~
2_listerine_pls
I care about security, fingerprinting, etc... but most people don't and they
don't want to learn about it. They like pretty looking things, pretty looking
apps, pretty looking browsers... Apple designs have proven this, there are
cheaper products with similar features yet people want Apple. You would
think everybody knows this but Windows still looks like shit. Google has
improved their design system a great deal. Logitech realized this and improved
its designs a few years ago, now ask them about their sales. Better usability,
simplicity and design will increase adoption. It's not an opinion, it's an
overlooked fact.

~~~
luckylion
> I care about security, fingerprinting, etc... but most people don't and they
> don't want to learn about it.

Imho they would care if they knew. They don't know so they don't even know why
& what they should learn about it. That's why it needs scandals and good
analogies to tell them about it. They won't read "weird" tech blogs, they need
the evening news to tell them about it, and to explain it in simple terms.
Kind of what Al Gore did back then with global warming: "the planet has a
fever". Everybody can understand that. It's not technically correct, but it
gets the point across. People don't know what other products are better than
Apple's, so they rely on social proof: everybody is buying Apple, so it must
be good, so they buy Apple.

People are starting to shift away from Facebook because there's a narrative
"Russia stole the election by using Facebook". It's wrong, but it gets the
point across that Facebook's algorithms aren't transparent, FB has too much
data on the users and whoever controls FB wields a powerful weapon. That got
people's attention, that's what you need for any technical issue that the
general public should be informed about.

