
Firefox can now stop Instagram and Facebook from tracking you online - john58
https://www.thestar.com.my/tech/tech-news/2018/05/15/firefox-can-now-stop-instagram-and-facebook-from-tracking-you-online/
======
mickael-kerjean
Mozilla, if you ever read this:

\- when will you stop twitter from knowing all about youporn's user ? yes HN
user, open your developer console and look out for the cookie coming from
syndication.twitter.com. If you ever try to visit
[http://syndication.twitter.com](http://syndication.twitter.com), you end up
on "Sorry, that page doesn’t exist!".

\- when will you ask for user permission before revealing hardware related
information (via the screen object and navigator object)? I can't think of any
use case to reveal how many core my computer has when js only use 1. Same for
the screen object as we already have the window object.

\- when will you create a feature to dynamically update the user agent ?

\- when will you create a feature to trick browser fingerprinting ?

\- when will you enforce a no third party cookie by default? Especially for
website that don't comply with the do not track header. Unfortunatly, our
entire industry don't seem to care about the do not track header (funnily
google is the rare good student in this area)

I guess there's a lot more "industry standard" I'm not aware.

~~~
bzbarsky
> when js only use 1.

That's not true with web workers. And "How many workers should I spin up?" is
a common question people actually using them want to answer...

I'm highly sympathetic to reducing fingerprinting attack area, by the way; we
should just be clear that providing sites less information does mean they
can't do various performance optimizations, and in some cases can't even
provide correct functionality. That tension is at the heart of all the anti-
fingerprinting efforts browsers are involved in...

Asking users for permission isn't really a solution either, unfortunately: all
the bad actors will just spam permission prompts continuously. I've browsed
before in a "prompt for attempts to set cookies" mode, back when Firefox had
this feature. It wasn't pretty, even in the mid-2000s.

> when will you enforce a no third party cookie by default?

When it can be done without breaking too many users' day-to-day browsing.

> Especially for website that don't comply with the do not track header

How does one go about determining that? This is an honest question; I'm not
aware of any database of sites that classifies them along this dimension.

Dicslosure: I work on Firefox and various people including myself have been
pushing for various anti-tracking bits for a while now. Some of them have
shipped; others are in the works.

~~~
tokyodude
I'm actually curious how useful fingerprinting is. One the one hand maybe your
average enthusiast has a unique fingerprint. On the other every model of
iPad/iPhone on the same OS version should have the same fingerprint as every
other of the same model/OS.

Also

>> when will you enforce a no third party cookie by default? > > When it can
be done without breaking too many users' day-to-day browsing.

Doesn't Safari do this already? Isn't that proof that millions of users (every
iPhone, iPad, and greater than 30% of all mac users) are having no real issues
using the web with that in place?

~~~
Whitestrake
Are you asking how useful fingerprinting is, or are you asking how effective
it is?

For the former, any amount of fingerprinting lets ad companies make the case
that their ads are better or worth more money. For the latter, the EFF
Panopticlick research project seems to be pretty good at giving you an idea:

[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

I don't have an iPad/iPhone etc. to test Safari with; seems like they'd be
amongst the most homogeneous of devices. Perhaps someone with one of those
devices could tell us if the EFF can uniquely identify their device. It was
able to uniquely identify all of my devices.

~~~
tokyodude
The panopticlick site is hyperbole (or in other words poorly implemented).
Since no one visits it it will tell you an iPhoneX in Los Angeles is 1 in a
million. Their site doesn't take IP into account it's only the taking what it
can get from the phone. Timezone for example and then all the normal
fingerprints. And yet every iPhoneX is exactly the same. Calculate the
penetration of iPhoneX and it should be more like 1 in 100 or 1 in 33 or even
one in 20 not 1 in a million. It expires data which make sense but any site
wanting to actually track you would need to be on popular sites. As such it
would need a unique fingerprint. It won't get one for an iPhoneX which I'm
just using as an example. you can choose any popular device.

------
283894
Say you click a link that sends you to facebook content (whether that be a
video, or a group or other public content), does that then change you over to
your logged in Facebook container tab? Isn't this kind of counter intuitive?

I've been using the Containers plugin and its predecessors for years to
isolate facebook, but I've always liked it because when someone links to
facebook content I can then read it logged out in my normal tab. Obviously on
top of this I am using ublock/umatrix anyway.

~~~
gingericha
I'm a bit uninformed on Firefox Containers. Can you help me understand how
this is different from using things like ublock/adblock plus/ghostery and why
you might want to use both those, and a Facebook container?

~~~
fpgaminer
uBlock, etc are for blocking ads and trackers. That means the trackers don't
even load.

Firefox Containers don't block ads, trackers, or anything. Instead, they
isolate websites into their own "containers". Think of it like private
browsing mode. Except each container is its own, separate private browser, and
they persist.

They're different approaches with pros and cons, but they can certainly be
used together since they're orthogonal.

Personally I use both. uBlock blocks ads/trackers/etc for me, while I use
Containers as additional protection for not just social media sites but also
to isolate my banking activity, work accounts, etc. It's useful for when you
have multiple logins to the same site, and for mitigating some attacks (e.g.
CSRF). [NOTE: I'm using the full featured Multi-Accounts Containers add-on,
not the Facebook Container add-on mentioned in the article]

~~~
mickael-kerjean
> uBlock, etc are for blocking ads and trackers. That means the trackers don't
> even load.

That's what they advertise, but it's not even remotly true. I've made a bit of
an exercice to see how they are working. Basically they all (adblocker and
tracker removal) have a database of bad guys and avoid the known bad guys to
load. The problem is all the unknown bad guy. We would need something that is
behavior based, not database based, doing my research I couldn't find one that
was working as one would expect.

Just as 1 example of the bad guys: Cloudflare that send cookies when the owner
of the site is using their CDN regardless if you have setup a do not track
header. Do any of those track blocker managed to block Cloudflare? Nope

It makes me sad that our community for some reason I ignore don't even respect
the do not track header. It literally is just decoration

~~~
yorwba
> Do any of those track blocker managed to block Cloudflare? Nope

False. I just visited cloudflare.com and uMatrix blocked 2 Cloudflare cookies,
8 Cloudflare scripts, one tracking pixel each from Bing and Google Ads (who
are on the "bad guys" list), a script from Optimizely and an embedded frame
from Google Tag Manager. That's with a whitelist that only allows CSS and
images (the default, I think), and only from first-party sources.

Surprisingly, the site wasn't even broken.

~~~
mickael-kerjean
I made my tests with: DuckDuckGo Privacy Essentials, Ghostery, Privacy Badger,
Stealth mode. Never tried uMatrix and you're right, it's blocking cloudflare
:)

------
lucideer
This article title is false and extremely misleading.

The Facebook Container and Multi-account Containers addons are _great_ , and I
would highly recommend their use. I've been using Multi-account Containers
since they were first released. However they do not "stop Instagram and
Facebook from tracking you online". They significantly reduce the extent to
which they can track you, but are a long long way from complete prevention.

------
amelius
Why do they call it "Facebook Container", and not just "Container"?

I mean, the container concept can be universally applied to any website.

~~~
unethical_ban
It is a preconfigured generic container that has a few extra settings to
further isolate Facebook specifically, as it is so insidious in its reach
around the web.

The user 283894 makes a point that sometimes, it's nice to have your logged in
Facebook container separate from other Facebook content.

------
Santosh83
So, do I still need this even when I'm using uBlock with nearly all the
social/annoyances lists activated (fanboy, easylist etc.)?

------
908087
They should be doing this for Google as well, but something tells me we won't
be seeing that any time soon.

~~~
daveFNbuck
You can do it yourself using the standard containers extension. If you really
need a special extension just to create Google containers,
[https://addons.mozilla.org/en-US/firefox/addon/google-
contai...](https://addons.mozilla.org/en-US/firefox/addon/google-container/)

------
AdmiralAsshat
For anyone using Firefox, as soon as Containers became available outside of
Nightly, I created one just for Facebook. Is the "Facebook Container" any
different than what I already made?

~~~
zie
Not really, the only difference I've found is the Facebook container plugin
won't let any other non-facebook owned URL use that container.

~~~
daveFNbuck
I didn't notice it did that! That's actually very nice and I wish it were
something I could do for other containers too.

~~~
zie
see [https://github.com/mozilla/contain-
facebook](https://github.com/mozilla/contain-facebook) and
[https://github.com/containers-everywhere/contain-
google](https://github.com/containers-everywhere/contain-google)

------
dandare
How is this different (better) from let's say uBlock or Privacy Badger?

~~~
HugoDaniel
Take a look at the cookies your browser keeps

------
yarrel
Now how do I remove Pocket?

No, I said "remove".

------
hellofunk
After I read this I immediately installed Firefox for the first time in 15
years. I used to use it exclusively then moved to Chrome and others when the
app was getting bloated long time ago. I thought, after reading this, now is
the time to switch!

I installed it and even on a 1-year-old Macbook Pro, holy cow it's acting like
I'm doing machine learning training -- the computer fan goes into overdrive
with every little thing I do in this browser!

This is on a raw install with no browser extensions other than this FB
container mentioned in the article (which comes with the installation).

It appears this is a many-months-long known issue about the new Firefox.
Disappointing.

Back to Chrome....

~~~
bhhaskin
Strange, I run Firefox developer edition on a 2015 dual core MBP and have no
issues what so ever. I think it is more responsive than chrome and uses less
memory.

~~~
hellofunk
Appears to be a common problem with FF on MBP:

[https://www.reddit.com/r/firefox/comments/7g6k9n/firefox_qua...](https://www.reddit.com/r/firefox/comments/7g6k9n/firefox_quantum_is_eating_your_cpu_help_us_debug/)

I guess you got lucky.

