
Unique fingerprint due to 3-year-old bug in Firefox - ck2
https://www.reddit.com/r/firefox/comments/4nq56v/you_have_a_unique_fingerprint_due_to_3_year/
======
Twirrim
This is utter nonsense. The settings there are the defaults. It even says so
on the website. "Default Preferences"

Just a quick trivial check of my local preferences and those "exposed" on the
site show stuff either missing or not as per my tweaks.

In other words, this is exposing what the version of Firefox you're running
is.

------
zbjornson
From the Reddit comments: apparently this is false, the "leak" is just showing
FF's defaults.

~~~
appleflaxen
Maybe, but panopticlick is still able to fingerprint me to the point where I'm
unique.... over 17 bits of identity in my browser (means you can identify me
in a pool of up to 2^17th people).

Try it yourself.

[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

(click "Test me" then "show full results")

~~~
gsnedders
There are a few means of fingerprinting which are pretty much impossible to
protect against, most obviously what fonts you have installed, which in
combination with user agent and screen-size actually gets you a heckuva long
way with fingerprinting.

Hopefully we can try and vastly reduce the leakage from navigator.plugins, but
that might be hard to do without breaking the web, sadly.

~~~
r721
I wish they would show the rarest fonts, so that I could contemplate their
removal.

------
ck2
Extension which attempts to fix the problem

[https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak/](https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak/)

Bugzilla report
[https://bugzilla.mozilla.org/show_bug.cgi?id=863246](https://bugzilla.mozilla.org/show_bug.cgi?id=863246)

------
appleflaxen
So this information is in a reply, but it deserves a top level reminder: most
browsers leak your identity.

panopticlick is still able to fingerprint me to the point where I'm unique....
over 17 bits of identity in my browser (means you can identify me in a pool of
up to 2^17th people).

Try it yourself.

[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

(click "Test me" then "show full results")

~~~
wlesieutre
They _really_ overstate their statistics by pretending each variable is
independent.

6 bits from my screen resolution. Another 2 from browser plugin details. 5
from my Http_accept headers. 5 from system fonts. It's an iPad. Every single
iPad is going to match on every one of those variables. You don't get to just
add them up and say "Yep, 100 bits of info, I can uniquely identify this
device!"

Similarly, the 10 bits of WebGL fingerprint and 7 of canvas fingerprint might
narrow it down to a single model of iPad, but I doubt the "extra bits" of the
canvas fingerprint tell you anything that the WebGL fingerprint didn't
already.
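
The correlation point in the comment above, as an added example that is not part of the thread: it compares the sum of per-attribute bits with the bits actually obtained from the joint fingerprint. The population, attribute names and values are all constructed for illustration.

```python
import math

ATTRS = ("screen", "fonts", "http_accept", "webgl")


def build_population():
    """Constructed sample: 16 identical tablets plus 1008 varied desktops."""
    tablet = {"screen": "1024x768", "fonts": "tablet-default",
              "http_accept": "tablet-accept", "webgl": "tablet-gpu"}
    desktops = [{"screen": f"res-{i % 8}", "fonts": f"fontset-{i % 63}",
                 "http_accept": f"accept-{i % 4}", "webgl": f"gpu-{i % 16}"}
                for i in range(1008)]
    return [dict(tablet) for _ in range(16)] + desktops


def matching(population, device, attrs):
    """Number of devices that share the given attribute values with `device`."""
    return sum(1 for d in population if all(d[a] == device[a] for a in attrs))


def surprisal_bits(population, device, attrs):
    """-log2 of the share of the population matching `device` on `attrs`."""
    return -math.log2(matching(population, device, attrs) / len(population))


def compare(population, device):
    """Per-attribute bits, their naive sum, and the bits of the joint fingerprint."""
    per_attr = {a: surprisal_bits(population, device, (a,)) for a in ATTRS}
    return {
        "per_attribute": per_attr,
        "naive_sum": sum(per_attr.values()),   # valid only if attributes are independent
        "joint": surprisal_bits(population, device, ATTRS),
        "anonymity_set": matching(population, device, ATTRS),
    }


if __name__ == "__main__":
    pop = build_population()
    for label, dev in (("tablet", pop[0]), ("desktop", pop[16])):
        r = compare(pop, dev)
        print(f"{label}: naive sum {r['naive_sum']:.2f} bits, "
              f"joint {r['joint']:.2f} bits, "
              f"anonymity set {r['anonymity_set']} of {len(pop)}")
```

The joint figure can never exceed log2 of the population size, so a naive sum above that bound is itself a sign that the attributes are correlated.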

------
kkirsche
Honestly why do we care? Yes Tor and stuff should have fixed this but honestly
for 90% of users things like user agents give away versions anyway

------
jdeibele
The sample size is <very> small. I was the only person to use Safari
Technology Preview beta 6 so I was "1 in 133,647".

Having said that, I tested it with Firefox and found some unused plugins that
I either removed (Google Talk) or set to never activate (Picasa - couldn't
find how to remove it from Googling, Firefox or the Picasa app).

------
0xcde4c3db
This report is apparently invalid, but it is true that Firefox has a pretty
huge number of old bugs, some of which probably have unexamined security
implications. Some will be old enough to vote in a few years. Most are
"obviously" minor, but I worry about interactions. Is there something like
Metcalfe's law for defects?

------
haddr
Not sure about it, I've tried with my FF Beta and it seems it can't
fingerprint my browser in such detail.

------
baliex
Does this affect TorBrowser?

~~~
hartator
Yes

> Information from resource:// is leaked, including the fact that I'm using
> Firefox, the platform, the browser's language (not just the content of the
> Accept-Language header), and whether or not I was using Tor Browser Bundle.

~~~
pfg
The fact that you're using Tor is obvious based on your IP address. I believe
TBB uses the same set of defaults for the other parameters across all
platforms (i.e. Linux, OS X and Windows users all appear to be using Windows
7), so that fingerprint would be the same for all TBB users (meaning it's not
really much of a fingerprint).

~~~
makomk
TBB tries to conceal the actual OS you're using. Apparently this breaks that
protection and makes it possible for a website to detect the actual platform and
that it's TBB. See
[https://trac.torproject.org/projects/tor/ticket/8725](https://trac.torproject.org/projects/tor/ticket/8725)

~~~
pfg
Okay, that's pretty bad if it leaks the actual platform. My assumption was
that the way they spoof the platform (and related values) in
windows.navigator and the user agent would apply here as well. If that's not
the case, that fingerprint protection is pretty much useless.

------
tomglynch
Has this just flown under the radar for three years? Why wasn't it noticed and
fixed?

------
cmdrfred
Is this the secret behind the FBI's apparent Tor fingerprinting ability they
have been parallel constructing around lately?

------
hartator
I think that's not news anymore, that Mozilla is too busy with IoT now.

