Firefox can now stop Instagram and Facebook from tracking you online (thestar.com.my)
153 points by john58 68 days ago | 74 comments



Mozilla, if you ever read this:

- when will you stop twitter from knowing all about youporn's users? Yes, HN user, open your developer console and look out for the cookie coming from syndication.twitter.com. If you ever try to visit http://syndication.twitter.com, you end up on "Sorry, that page doesn’t exist!".

- when will you ask for user permission before revealing hardware related information (via the screen object and navigator object)? I can't think of any use case to reveal how many cores my computer has when js only uses 1. Same for the screen object as we already have the window object.

- when will you create a feature to dynamically update the user agent?

- when will you create a feature to trick browser fingerprinting?

- when will you enforce a no third party cookie by default? Especially for websites that don't comply with the do not track header. Unfortunately, our entire industry doesn't seem to care about the do not track header (funnily, google is the rare good student in this area).

I guess there's a lot more "industry standard" I'm not aware of.


> when js only use 1.

That's not true with web workers. And "How many workers should I spin up?" is a common question people actually using them want to answer...

I'm highly sympathetic to reducing fingerprinting attack area, by the way; we should just be clear that providing sites less information does mean they can't do various performance optimizations, and in some cases can't even provide correct functionality. That tension is at the heart of all the anti-fingerprinting efforts browsers are involved in...

Asking users for permission isn't really a solution either, unfortunately: all the bad actors will just spam permission prompts continuously. I've browsed before in a "prompt for attempts to set cookies" mode, back when Firefox had this feature. It wasn't pretty, even in the mid-2000s.

> when will you enforce a no third party cookie by default?

When it can be done without breaking too many users' day-to-day browsing.

> Especially for website that don't comply with the do not track header

How does one go about determining that? This is an honest question; I'm not aware of any database of sites that classifies them along this dimension.

Disclosure: I work on Firefox and various people including myself have been pushing for various anti-tracking bits for a while now. Some of them have shipped; others are in the works.


I'm actually curious how useful fingerprinting is. On the one hand maybe your average enthusiast has a unique fingerprint. On the other, every model of iPad/iPhone on the same OS version should have the same fingerprint as every other of the same model/OS.

Also

>> when will you enforce a no third party cookie by default?
>
> When it can be done without breaking too many users' day-to-day browsing.

Doesn't Safari do this already? Isn't that proof that millions of users (every iPhone, iPad, and greater than 30% of all mac users) are having no real issues using the web with that in place?


> On the other every model of iPad/iPhone on the same OS version should have the same fingerprint

Not quite. For example, they might be on different networks, have different zoom levels set, etc.

> Doesn't Safari do this already?

Last I checked, Safari "blocks" (not quite; it's double-keying, not actually blocking) some third-party cookies, but not all. In particular, it doesn't block third-party cookies from sites you have visited in a first-party context. So for example it doesn't block Facebook or Google trackers.

The Firefox "no third party cookies" mode, which actually blocks all third-party cookies, is quite different from the Safari behavior...


Are you asking how useful fingerprinting is, or are you asking how effective it is?

For the former, any amount of fingerprinting lets ad companies make the case that their ads are better or worth more money. For the latter, the EFF Panopticlick research project seems to be pretty good at giving you an idea:

https://panopticlick.eff.org/

I don't have an iPad/iPhone etc. to test Safari with; seems like they'd be amongst the most homogeneous of devices. Perhaps someone with one of those devices could tell us if the EFF can uniquely identify their device. It was able to uniquely identify all of my devices.


The panopticlick site is hyperbole (or in other words poorly implemented). Since no one visits it, it will tell you an iPhoneX in Los Angeles is 1 in a million. Their site doesn't take IP into account; it's only taking what it can get from the phone. Timezone for example and then all the normal fingerprints. And yet every iPhoneX is exactly the same. Calculate the penetration of iPhoneX and it should be more like 1 in 100 or 1 in 33 or even one in 20, not 1 in a million. It expires data, which makes sense, but any site wanting to actually track you would need to be on popular sites. As such it would need a unique fingerprint. It won't get one for an iPhoneX, which I'm just using as an example. You can choose any popular device.


> When it can be done without breaking too many users' day-to-day browsing.

I've had 3rd party cookies disabled for years. I can count the number of times this has caused trouble on one hand.


I have too, and I can too. Though one of those was a bank that turned out to be a showstopper; I have to flip the pref, then flip it back every time I interact with them. Not something I can ask "normal" users to do.

It also turns out that this varies a _lot_ based on browsing patterns. For example, I never use the "log in with Facebook/Google/etc" things. People who do report a lot more problems from blanket third-party cookie blocking.


I find it's best to use uBlock Origin Matrix though, as it gives you more control when things do break.


I reread my initial message and I'm sorry if the tone felt a bit rude. It's not an attack against Firefox but against all those "industry best practices" that are so unfair to everyone. Firefox is pretty much the only hope when it comes to enforcing better practices across our entire industry that are more privacy friendly. Be sure, I have a lot of respect for what you are doing. I'm just a random dude that feels very sad every time I try to dig into what all those websites are actually made of, pushing for behaviors that are against everything I stand for:

- even the W3C gets trapped (https://pbs.twimg.com/media/DWtqPzFUQAExO2h.jpg), probably without their knowledge, but still, that's the W3C ...

- twitter tracking youporn's users, considering their track record when it comes to database leaks. The damage that can be done here from a political perspective would be absolutely terrible.

- ..... many other examples as you probably know a lot more

> That's not true with web workers. And "How many workers should I spin up?" is a common question people actually using them want to answer...

It would be common when it comes to creating real world complex apps, which isn't what most of the web is about (I know 1 person isn't very representative). Those questions are legit but feel to me like an edge case, not the general rule, considering the market share of wordpress and co. I would love to have a popup when it comes to revealing information that should be considered an edge case. If a newspaper needs access to this information, there's a small chance it benefits my experience, but more so the complex network of advertising and even sometimes some real time bidding system that has performance imperatives for which web workers are a great fit.

> Asking users for permission isn't really a solution either, unfortunately: all the bad actors will just spam permission prompts continuously.

As I see it, it doesn't mean the solution itself is wrong but rather that a correct compromise hasn't been found yet. There's a world between a website creating a cookie for legit purposes and a dependency of this website that relies on another one that relies on another one.

> How does one go about determining that? This is an honest question; I'm not aware of any database of sites that classifies them along this dimension.

Considering some actors like Cloudflare that track a big part of the internet, a database approach is broken by design. As I see it, the only approach that can work is behavior based: if a third party website is forcing a cookie despite having a do not track header, it's shady and thus shouldn't be acceptable (eg: twitter, facebook and a lot more as the "industry standard" is to ignore the DNT). What about doing like Chrome did by forcing HTTPS everywhere, by bringing a message "this site has unfair trackers" instead of "this site isn't secure"?

> reducing fingerprinting attack area, by the way; we should just be clear that providing sites less information does mean they can't do various performance optimizations,

Not all the time, I can think of a few things that shouldn't have such an impact if implemented well:

- I've read a bit around fingerprinting using canvas and webgl. Why not add some sort of randomness that is pretty much invisible to the eyes of a human but makes those types of algorithms ineffective?

- don't make the navigator object global across all pages and make a few tiny changes every time. For example Firefox provides the buildID as part of the navigator object. Mine on this machine is: "20180327223059". Will it really break the world if some existing website receives "20180327223434" while another receives "20180327224387"? If somebody is making such optimisation as to know the exact time the build was created, it sounds shady and creepy at best.

I understand some optimisations aren't possible without breaking a lot of websites, for which your users will mostly wonder why they can't navigate them properly, but why not create a different mode, let's say a safe mode that expressly says some websites might appear weird but that's only because you're taking active measures to block any sort of trackers? As of today, the private navigation isn't really effective at protecting against fingerprinting.


    privacy.firstparty.isolate = true
    privacy.resistFingerprinting = true

Throw in content blockers if you don't want the 3rd-party requests to happen at all instead of just compartmentalizing the tracking.

> when will you create a feature to dynamically update the user agent ?

Extensions can do that. Not everything needs to be in the core browser, does it?
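
The third-party cookie policies discussed in the comments above (Firefox's "Always / From visited / Never" preference, and the double-keying attributed to Safari, which is also how `privacy.firstparty.isolate` compartmentalizes cookies), compared in a toy model. This is an added example, not part of any comment in the thread; the `CookieJar` class, `simulateTracker` and the `.example` sites are hypothetical and constructed for illustration.

```javascript
// Toy cookie jar (hypothetical, for illustration) under four third-party
// cookie policies. "always", "from-visited" and "never" mirror the Firefox
// preference values quoted in this thread; "double-keyed" models keying
// cookies by (top-level site, cookie site), as first-party isolation does.
const POLICIES = ["always", "from-visited", "never", "double-keyed"];

class CookieJar {
  constructor(policy) {
    if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
    this.policy = policy;
    this.store = new Map();   // storage key -> cookie value
    this.visited = new Set(); // sites the user has opened as first party
  }

  navigate(topSite) { this.visited.add(topSite); }

  // Storage slot for cookieSite's cookie while the address bar shows topSite,
  // or null when the policy gives this request no cookie access at all.
  keyFor(topSite, cookieSite) {
    if (topSite === cookieSite) return cookieSite; // first-party context
    switch (this.policy) {
      case "always": return cookieSite;
      case "from-visited": return this.visited.has(cookieSite) ? cookieSite : null;
      case "never": return null;
      case "double-keyed": return `${topSite}^${cookieSite}`;
    }
  }

  get(topSite, cookieSite) {
    const key = this.keyFor(topSite, cookieSite);
    return key === null ? undefined : this.store.get(key);
  }

  set(topSite, cookieSite, value) {
    const key = this.keyFor(topSite, cookieSite);
    if (key === null) return false; // Set-Cookie is dropped
    this.store.set(key, value);
    return true;
  }
}

// The user opens each site in `visits`; every page embeds a resource from
// trackerSite, whose server issues a fresh ID whenever no cookie comes back.
// Returns what the tracker's server-side log can conclude.
function simulateTracker(policy, visits, trackerSite) {
  const jar = new CookieJar(policy);
  const profiles = new Map(); // tracker-side: ID -> Set of sites seen with it
  let idsIssued = 0;
  for (const topSite of visits) {
    jar.navigate(topSite);
    let id = jar.get(topSite, trackerSite);
    if (id === undefined) {
      id = `uid-${++idsIssued}`;
      jar.set(topSite, trackerSite, id);
    }
    if (!profiles.has(id)) profiles.set(id, new Set());
    profiles.get(id).add(topSite);
  }
  const linkedSites = Math.max(...[...profiles.values()].map((s) => s.size));
  return { idsIssued, linkedSites };
}

// Constructed browsing session; social.example is also visited directly,
// the way a logged-in social network would be.
const VISITS = ["news.example", "social.example", "shop.example",
                "bank.example", "news.example"];

for (const policy of POLICIES) {
  const { idsIssued, linkedSites } = simulateTracker(policy, VISITS, "social.example");
  console.log(`${policy.padEnd(13)} ids issued: ${idsIssued}, ` +
              `sites linked under one id: ${linkedSites}`);
}
```

"from-visited" still lets the tracker link every site once the user has opened it directly, while "double-keyed" links nothing across sites but still recognises a return visit to the same site, which "never" does not.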


`privacy.resistFingerprinting = true` breaks just about every site that relies on timezone (gmail etc); I am patiently hoping for a whitelist. Unless you actually reside in UTC...


Wasn't aware about those options, thanks!

I think those features should be built by browser vendors. Why? Because pretty much all the existing extensions claiming to "protect privacy" are doing a poor job at it. They all rely on an internal database of "bad guys" as if it's technically possible to even build such a database.

For example, Cloudflare already controls a large amount of websites through their CDN. They are sending cookies regardless of the do not track headers. I haven't seen 1 of those extensions blocking websites using Cloudflare. The do not track header is also a funny joke that even the W3C doesn't respect (https://pbs.twimg.com/media/DWtqPzFUQAExO2h.jpg).


> They all rely on an internal database of "bad guys"

Not all do. uMatrix comes with a whitelist-based approach, so all 3rd party requests (modulo images and CSS if you so choose) are blocked and need to be whitelisted to unbreak sites.


I had quite a bit of those popular "privacy extensions" in the test bench: DuckDuckGo Privacy Essentials, Ghostery, Privacy Badger, Stealth mode and none of them were blocking things as I'd have expected.

Thank you for proposing uMatrix, it just passed the cookie test where none of the above succeeded. I might have found my new internet condom.


You can also try "Inox Browser"[1] based on Chromium but with security/privacy patches. With extensions like "uBlock0 (Origin)"[2], "uMatrix"[3].

[1] https://github.com/gcarq/inox-patchset

[2] https://github.com/gorhill/uBlock

[3] https://github.com/gorhill/uMatrix

Optionally, unrelated to security you can try "Dark Reader" extension, which makes all sites darker ^_^ Especially useful with darker themes.


> - when will you enforce a no third party cookie by default?

In another comment you say:

> on Chromium and Chrome there's a nice feature to block third party cookies. For obvious reason, it's not enabled by default but it's there and doesn't affect the performances.

Why is this a problem when we are talking about Firefox but it's "obvious reason" with Chrome?

Or am I misreading you?


Third party cookies are probably the most useful technical foundation for creating trackers, making mass surveillance a reality that's supposed to benefit the advertising industry. As opposed to Chrome, this industry isn't Mozilla's business.


Probably when they have large enough marketshare that they can afford to piss off webpage owners without those being able to stop supporting them.


If they stopped trying to be like Chrome maybe the old users would return. Abruptly ending NPAPI support rubbed a lot of people the wrong way.


Have you filed bugs for these? Are you aware of open bugs?


No, no. When I did my research, I simply investigated those "privacy extensions" but wasn't happy with any of those once you put them on the bench. I ended up in my garage for a weekend making my own extension that was never published as it makes my laptop run high in temperature every time I end up on a streaming platform.


Check out the newly released Privacy Possum. It is a "fork" of Privacy Badger and the author was also part of the Privacy Badger development. He makes a good case of why his form is different here: https://github.com/cowlicks/privacypossum . I've been testing it out for a few days now and it is doing something, though can't vouch for how much.

I've also had good effect with Canvas Blocker. Decentraleyes is another good concept privacy add-on to look into as well.


Say you click a link that sends you to facebook content (whether that be a video, or a group or other public content), does that then change you over to your logged in Facebook container tab? Isn't this kind of counter intuitive?

I've been using the Containers plugin and its predecessors for years to isolate facebook, but I've always liked it because when someone links to facebook content I can then read it logged out in my normal tab. Obviously on top of this I am using ublock/umatrix anyway.


The purpose of this extension is to isolate Facebook. So yes, when you click a link to Facebook, it will open it in a dedicated Facebook container.

It would be counter intuitive if this is how the standard Containers extension worked, but for this specific extension, you are installing it to isolate Facebook, so I think this is how people would expect it to work. If the extension did not open Facebook links in a dedicated Facebook container, then I think the extension would not be doing its job correctly.


I think you would like the Temporary Containers extension even more if you've been using Containers to keep logged in Facebook out.

To automatically open Facebook links in a logged-in, dedicated-to-FB container is the entire point of this extension. After all, it was built for regular, non-tech-savvy people. To such people, it'd be a bad experience if suddenly they could no longer open FB links sent to them by their friends (because links to FB posts can have non-public visibility).


> but I've always liked it because when someone links to facebook content I can then read it logged out in my normal tab.

Personally I've trained the habit of opening most random links in private browsing mode. Besides achieving what you mention it seems like good, additional mitigation against tracking/security/etc. The only downside is lack of browsing history but I've never had much use for browsing history (mostly because I've found the search functionality in browsers to be useless).


A few weeks ago I posted here [1] how I think that Containers should really work.

I think your observation is a good one, and a rule for it should be added (or actually the third rule should be modified).

[1] https://news.ycombinator.com/item?id=16866086


Right - normal Containers are useful if you don't want sites you visit to track you by associating your browser with a FB account. Facebook Container is for when you don't want FB itself to track what websites you visit. (Normal containers also help if you just want to log into multiple FB accounts at once.)


I'm a bit uninformed on Firefox Containers. Can you help me understand how this is different from using things like ublock/adblock plus/ghostery and why you might want to use both those, and a Facebook container?


uBlock and Adblock Plus are ad blockers. They block advertisements from appearing on the web pages you browse. I am not familiar with Ghostery.

Firefox Multi-Account Containers is an extension [0] that allows you to compartmentalise cookies and other data into different containers. It's possibly best explained by thinking about how you might use it:

Suppose you have two Twitter accounts: a personal account and a business account. Twitter usually only allows you to be logged into a single account at a time. This means that if you're currently logged into your personal account, you need to log out first before you can use your business account.

With Containers, you can simply create a Business container and log into your business Twitter account in there. That way, you can be logged into two Twitter accounts at the same time.

Containers do not act as ad blockers and perform a very different function.

For more information on Containers, I would suggest reading the extension's description [0] and/or the support page [1].

This article is talking about a special version of Firefox Multi-Account Containers called Facebook Container [2]. This works similarly to Firefox Multi-Account Containers, but it isolates Facebook to its own dedicated container.

[0] https://addons.mozilla.org/firefox/addon/multi-account-conta...

[1] https://support.mozilla.org/kb/containers

[2] https://www.mozilla.org/firefox/facebookcontainer/


uBlock, etc are for blocking ads and trackers. That means the trackers don't even load.

Firefox Containers don't block ads, trackers, or anything. Instead, they isolate websites into their own "containers". Think of it like private browsing mode. Except each container is its own, separate private browser, and they persist.

They're different approaches with pros and cons, but they can certainly be used together since they're orthogonal.

Personally I use both. uBlock blocks ads/trackers/etc for me, while I use Containers as additional protection for not just social media sites but also to isolate my banking activity, work accounts, etc. It's useful for when you have multiple logins to the same site, and for mitigating some attacks (e.g. CSRF). [NOTE: I'm using the full featured Multi-Accounts Containers add-on, not the Facebook Container add-on mentioned in the article]


> uBlock, etc are for blocking ads and trackers. That means the trackers don't even load.

That's what they advertise, but it's not even remotely true. I've made a bit of an exercise to see how they are working. Basically they all (adblocker and tracker removal) have a database of bad guys and prevent the known bad guys from loading. The problem is all the unknown bad guys. We would need something that is behavior based, not database based; doing my research I couldn't find one that was working as one would expect.

Just as 1 example of the bad guys: Cloudflare, which sends cookies when the owner of the site is using their CDN regardless of whether you have set up a do not track header. Do any of those tracker blockers manage to block Cloudflare? Nope.

It makes me sad that our community, for some reason I'm not aware of, doesn't even respect the do not track header. It literally is just decoration.


It sounds like you're looking for Privacy Badger: it uses heuristics to block requests and cookies from third-party sites based on their behaviour in your browser.

https://www.eff.org/privacybadger

The basic rule is that if more than one first-party site tries to connect to the same third-party, that third-party could be tracking you and will be blocked. But it's a little cleverer than that, and has extra rules to just block cookies from common CDNs.
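
The behaviour-based rule as stated in the comment above (a third party seen from more than one first-party site gets blocked, with a cookies-only exception for CDNs), together with the "sets a cookie despite a Do Not Track header" signal proposed earlier in the thread, run over sample traffic. This is an added example, not Privacy Badger's code and not part of any comment; the record format, the `cookieOnly` list, the two-label `baseDomain` shortcut and all `.example` hosts are assumptions constructed for illustration.

```javascript
// Constructed sample traffic: one record per HTTP response the browser saw.
// dnt = the request carried "DNT: 1"; setCookie = the response set a cookie.
const SAMPLE_TRAFFIC = [
  { topSite: "news.example", host: "www.news.example",      dnt: true, setCookie: true },
  { topSite: "news.example", host: "pixel.tracker.example", dnt: true, setCookie: true },
  { topSite: "shop.example", host: "pixel.tracker.example", dnt: true, setCookie: true },
  { topSite: "news.example", host: "static.cdn.example",    dnt: true, setCookie: true },
  { topSite: "shop.example", host: "assets.cdn.example",    dnt: true, setCookie: false },
  { topSite: "shop.example", host: "fonts.onesite.example", dnt: true, setCookie: false },
];

// Assumption: the last two labels form the registrable domain. A real
// implementation needs the Public Suffix List (think "co.uk").
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// threshold: a third party seen on MORE than this many first-party sites is
// treated as a tracker (1 = the rule as worded in the comment).
// cookieOnly: hypothetical list of CDNs that keep loading but lose cookies.
function classifyThirdParties(traffic, { threshold = 1, cookieOnly = new Set() } = {}) {
  const seen = new Map(); // third-party domain -> observations
  for (const r of traffic) {
    const firstParty = baseDomain(r.topSite);
    const thirdParty = baseDomain(r.host);
    if (thirdParty === firstParty) continue; // same site: not third-party
    if (!seen.has(thirdParty)) {
      seen.set(thirdParty, { sites: new Set(), cookieDespiteDnt: false });
    }
    const entry = seen.get(thirdParty);
    entry.sites.add(firstParty);
    if (r.dnt && r.setCookie) entry.cookieDespiteDnt = true;
  }

  const verdicts = {};
  for (const [domain, entry] of seen) {
    let action = "allow";
    if (entry.sites.size > threshold) {
      action = cookieOnly.has(domain) ? "strip-cookies" : "block";
    }
    verdicts[domain] = {
      action,
      firstParties: entry.sites.size,
      cookieDespiteDnt: entry.cookieDespiteDnt,
    };
  }
  return verdicts;
}

const verdicts = classifyThirdParties(SAMPLE_TRAFFIC, {
  cookieOnly: new Set(["cdn.example"]),
});
console.log(verdicts);
```

No list of known "bad guys" is consulted: the verdict comes only from what each third party did in this browser, which is the distinction the thread is arguing about.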


> Do any of those track blocker managed to block Cloudflare? Nope

False. I just visited cloudflare.com and uMatrix blocked 2 Cloudflare cookies, 8 Cloudflare scripts, one tracking pixel each from Bing and Google Ads (who are on the "bad guys" list), a script from Optimizely and an embedded frame from Google Tag Manager. That's with a whitelist that only allows CSS and images (the default, I think), and only from first-party sources.

Surprisingly, the site wasn't even broken.


I made my tests with: DuckDuckGo Privacy Essentials, Ghostery, Privacy Badger, Stealth mode. Never tried uMatrix and you're right, it's blocking cloudflare :)


This article title is false and extremely misleading.

The Facebook Container and Multi-account Containers addons are great, and I would highly recommend their use. I've been using Multi-account Containers since they were first released. However they do not "stop Instagram and Facebook from tracking you online". They significantly reduce the extent to which they can track you, but are a long long way from complete prevention.


Why do they call it "Facebook Container", and not just "Container"?

I mean, the container concept can be universally applied to any website.


It is a preconfigured generic container that has a few extra settings to further isolate Facebook specifically, as it is so insidious in its reach around the web.

The user 283894 makes a point that sometimes, it's nice to have your logged in Facebook container separate from other Facebook content.


Firefox has Containers generically, this extension just applies Containers specifically to Facebook


If you use the normal Containers addon, you can be logged in to a different FB account in each Container. With the Facebook Container, all traffic to FB is blocked outside of the Facebook Container, and any attempt to navigate to Facebook will be hijacked into the Facebook Container.

There is also a special Google Container which works similarly.


"Facebook Container" is just a simplified version of https://addons.mozilla.org/en-US/firefox/addon/multi-account... (both are made by Mozilla).


Mozilla made an extension specifically for Facebook.


A nuclear waste bin is a specialized kind of waste bin


So, do I still need this even when I'm using uBlock with nearly all the social/annoyances lists activated (fanboy, easylist etc.)?


They should be doing this for Google as well, but something tells me we won't be seeing that any time soon.


You can do it yourself using the standard containers extension. If you really need a special extension just to create Google containers, https://addons.mozilla.org/en-US/firefox/addon/google-contai...


For anyone using Firefox, as soon as Containers became available outside of Nightly, I created one just for Facebook. Is the "Facebook Container" any different than what I already made?


It sets up the Facebook container so you'll automatically switch to it whenever you go to Facebook. If you checked "Always open in Facebook" in the containers dropdown while on facebook.com, then checked "Remember my decision for this site" before clicking "Open in Facebook container" when opening facebook in a different container, it's the same.

The extension also cleans up Facebook cookies from your other containers. This extension is what got me using containers, but I deleted it after I realized it doesn't do anything after the initial installation.

Edit: Apparently this extension also prevents you from opening other sites in the Facebook container.


Not really, the only difference I've found is the Facebook container plugin won't let any other non-facebook owned URL use that container.


I didn't notice it did that! That's actually very nice and I wish it were something I could do for other containers too.



Mozilla has an extension so you can do this without Nightly. https://addons.mozilla.org/en-US/firefox/addon/multi-account...

I mostly use it to manage the 3 google accounts I use daily.


How is this different (better) from let's say uBlock or Privacy Badger?


Take a look at the cookies your browser keeps


Now how do I remove Pocket?

No, I said "remove".


After I read this I immediately installed Firefox for the first time in 15 years. I used to use it exclusively then moved to Chrome and others when the app was getting bloated long time ago. I thought, after reading this, now is the time to switch!

I installed it and even on a 1-year-old Macbook Pro, holy cow it's acting like I'm doing machine learning training -- the computer fan goes into overdrive with every little thing I do in this browser!

This is on a raw install with no browser extensions other than this FB container mentioned in the article (which comes with the installation).

It appears this is a many-months-long known issue about the new Firefox. Disappointing.

Back to Chrome....


on Chromium and Chrome there's a nice feature to block third party cookies. For obvious reason, it's not enabled by default but it's there and doesn't affect the performances.

At the end of the day whatever we do, a browser is still a browser; being safe from trackers would mean:

1. trick the browser fingerprinting techniques to generate different crap on every run

2. lobby browser vendors (including Firefox) not to reveal information about your laptop (cpu, screen resolution, ...). I'm trying to find a legit use case to know about how many cores you have available when js can only use 1, or information on your screen when the only thing that matters is already inside the window object.

3. dynamically update your user agent (if you purely get rid of it, services like google map won't work)

4. hiding your ip behind a VPN/proxy or rotating your ip

and probably a lot of other things I have no idea about. I don't want to be the devil's advocate but as for now, Firefox isn't doing a good job at what they claim to be doing. Just proposing a tiny thing they haven't done: ask for user permission when a website tries to access hardware related information.


> on Chromium and Chrome there's a nice feature to block third party cookies. For obvious reason, it's not enabled by default but it's there and doesn't affect the performances.

In my Firefox I have an option in Preferences:

Accept third-party cookies and site data: Always/From visited/Never

Is this the one you are talking about in Chrome? Because in that case it very much exists in Firefox as well.


Strange, I run Firefox developer edition on a 2015 dual core MBP and have no issues whatsoever. I think it is more responsive than chrome and uses less memory.


Appears to be a common problem with FF on MBP:

https://www.reddit.com/r/firefox/comments/7g6k9n/firefox_qua...

I guess you got lucky.


> I think it is more responsive than chrome and uses less memory.

You can compare them with numbers. Open something like a youtube vid or twitch stream, for example, and watch your cpu.


I've used FF every day for the last year or so on my MBP since they started making all of the usability improvements. Works as good as if not better than Chrome with tons of add-ons installed. uBlock Origin, Privacy Badger, etc. Switched my default search engine to DDG. Really nice to see these companies like Apple, Firefox, and DDG care about their consumers.


>Works as good as if not better than Chrome with tons of add-ons installed

Still fails to play twitch streams or youtube without eating the hell out of your CPU and embedded youtube videos still lag in many cases (when you hover over the player's control panel for example). Nothing critical, but those things are still there and in their bug reports.


Did you try changing your screen resolution? Firefox apparently has issues with certain resolutions on MacBook Pro.


No I didn't try that, nor would I. If I have to change how I use my computer for all apps just so I can use one app, then I shouldn't use that one app.


Reasonable. Come back in a year I guess, see if it's better. Firefox on Linux is night and day from the last time I used it


Odd. I’ve used Firefox exclusively for the past 4 years and am a tab hoarder (150+) and my laptop is as quiet as the night with Firefox using very little memory when compared to Chrome


Appears to be a common problem with FF on MBP:

https://www.reddit.com/r/firefox/comments/7g6k9n/firefox_qua...


This is a problem that happens only on mac. Firefox on linux and windows is very fast and quiet. But it's a total pain on mac.


I tried Google Maps in FFX on Linux the other day and it was horrendously slow. Bummer :-(


Idk if it's still the case, but Google used to have a user agent detection to make Firefox way slower. If you spoof a Google Chrome User-Agent, Google maps became way faster. I don't know if it's still the case.

Officially it was because of compatibility problems but I've never faced problem when spoofing Chrome UA on Google Maps so Idk what to think about this excuse.


Sadly, in general this is a case of "we made a Chrome-specific site/app years ago because it was the easiest thing to do, and despite other browsers and some of our employees working hard since then to standardize the Chrome-specific bullshit, it doesn't benefit us enough to bother fixing anything on our end. So we'll just keep maintaining our subpar now-redundant versions for non-Chrome browsers instead."

But luckily this attitude might be poised to change, because the employees at Google who still care about these things have been pushing hard, and it's now threatening to become a PR issue that Google is needlessly serving inferior versions of big apps to other browsers. When other browsers are a UA spoof away from showing that you're artificially screwing with them on your base Search engine, it becomes harder to push those browsers to adopt the web standards you're trying to push to make YouTube "better".


You might check whether you have GPU acceleration enabled in Firefox. I think it is disabled by default on Linux because of buggy GPU drivers.

https://askubuntu.com/questions/491750/force-enable-hardware...



