Hacker News new | past | comments | ask | show | jobs | submit login
Protections Against Fingerprinting and Crypto Mining in Firefox Nightly and Beta (blog.mozilla.org)
630 points by sohkamyung 15 days ago | hide | past | web | favorite | 238 comments

I agree with the general sentiment in the comments that this is good -- fingerprinting in particular is something browser vendors should be trying to combat.

I am concerned about the approach however; a simple blacklist of fingerprinting scripts may be insufficient, in that non-blocked scripts can still access the data that is used to accomplish fingerprinting.

Personally, I would like to see more security around the data that is used for fingerprinting, such as user agent, screen size, window size, loaded plugins, and so on. If this type of information was either protected with permissions, or if bogus values were provided to non-user-whitelisted sites, then it would be far harder to fingerprint users, as there would be less identifiable information to go off of.

A less aggressive approach might be to have some kind of notification to the user if a website is accessing many API calls that are commonly associated with fingerprinting. Maybe a site that just wants to know window size is fine, since it might want to render something or select a certain layout, but if a site wants to know a wide variety of different information all at once, that would be a red flag that could be signaled to the user in some way.

> like to see more security around the data that is used for fingerprinting, such as user agent

I think this is already available, just not enabled by default. In about:config one need to set privacy.resistFingerprinting to true. (be aware however that this setting causes problems with google captcha - the number of challenges that you will need to solve will drastically increase)

> this setting causes problems with google captcha - the number of challenges that you will need to solve will drastically increase

No kidding. I'm talking about ~30-40 clicks (1 click per task in the captcha grid)

not to mention when google puts you in captcha-hell-ban.

often, after a few difficult ones, I realize I get stuck into the same 20 challenges. over and over. no matter if I get them rigth or not. We do run all browser in the office with figerprint protection on and run non-exit-tor-nodes in all offices. But those are hardly excuses.

The hell bans happens more often on firefox for android, but I guess that is what you can expect when you go against goliath.

It's literally google censoring me from talking (and sometimes reading) random sites on the web

And it's going to get worse if this whole "privacy" thing catches on. Google is an advertising company which does adtech, and adtech is inherently about tracking and profiling people. Anyone who messes with that is actively costing Google money, and Google will... you know... stop them from doing that, whether subtly or overtly. There's nothing else they can really do, and "congressional hearings" and "calls for reform" won't change that fundamental fact.

I've had this happen frequently because my configuration really aggressively blocks this stuff. It's bad enough that I have a separate browser (Gnome Web aka Epiphany) just for logging into and using sites that have Captcha, like Pocket and Bandcamp, and I do everything else in Firefox. Captcha is horrible. I understand why sites use it, but putting a Google-wall in front of your content is a very bad idea.

The problem is not the wall itself, but that Google uses it’s de-facto monopoly position to enforce tracking.

Plus creating image recognition training data for them. I am not interested in working for Google. Not paid, let alone for free.

Never thought about it from that perspective before

I have fingerprinting off too in firefox, and a lot times I now just ignore sites using captcha.

No, it’s the site owner choosing to outsource their decisions about gatekeeping a private site to Google. Google isn’t censoring you via CAPTCHA, the site owner is.

That is only true as far as the site owner knows of and understands the consequences of their actions. I would be extremely surprised if more than 10% of their users understand this. Whether they care is a whole other matter, but this is very likely ignorance rather than malice on the part of site owners.

I can understand why site owners resort to such services. They need a a strong CAPTCHA system. The problem is really Google for abusing it.

Lol sure, and “guns don’t kill people; people kill people”

Why can't they just allow the user to whitelist recaptcha?

The people who're trying to avoid being fingerprinted are probably thinking of Google when they decided to go down this path.

I'm willing to go through extensive captcha cycles if that's the cost of retaining some anonymity.

I installed uMatrix a while back to recover some anonymity and it worked at first, my Captcha load spiked significantly which was a great indication that I'd succeeded but it has dropped over time. I guess I'm gradually being fingerprinted again.

Google's captcha tests are my litmus paper test that what I'm doing is effective.

At this point can I just pay for a certificate or something?

Like for $1 give me a certificate that I can use to say "I'm not a spammer" and I can anonymously buy as many certificates as I want.

And then if a certificate is used by a spammer it becomes invalid. Seems like it's expensive enough to be worth using for existing spammers but let normal people pay a $1 every year or two to not have to deal with captchas.

Fingerprinting is designed to generate a unique identifier to track you.

Certificates would be an even more accurate unique ID over what fingerprinting could provide

> and I can anonymously buy as many certificates as I want

Do you really think that statistically noticeable numbers of people would do that and have perfect opsec preventing those perfect unique identifiers from being linked? I mean, even software developers tend to whine about paying $5 for an app which has far more immediate rewards.

Even just proof that 5c worth of crypto or something was burned would would a good alternative. Let the site/app designer work out how often it needs to happen (maybe just the first few times if they're new) to stop spam and not cost honest users much

This seems like a very cheap way to make spam look legitimate at least for a while. It now costs me $1 more to spam until I get caught and banned. But until that point I don't have to worry about any kind of filter, I'm a legitimate user.

It would be more interesting, to me, to see Google support something like CloudFlare's Privacy Pass. https://support.cloudflare.com/hc/en-us/articles/11500199265... Though it seems unlikely they would want to?

(Though I don't know a lot about and would be interested to hear criticisms of it.)

They would have probably supported it when CAPTCHAs were still about digitizing books. Now that they've turned everyone into unwilling trainers for their visual machine learning they'll never do it.

Yeah I use multiple browsers. One that is completely locked down and one for CAPTCHA. The internet is hostile to anonymity.

This is why I immediately close any page with google's captcha.

Even without resistFingerprinting Firefox takes some steps, like reducing the precision on event timestamps. But the most effective measures won't become standard anytime soon because of recaptcha.

0: https://developer.mozilla.org/en-US/docs/Web/API/Event/timeS...

I would have thought that had more to do with Meltdown

Not to mention that it renders websites that display dates and times inaccurate due to reporting your time zone as UTC. Chat programs, web mail, web calendars all become unusable for me.

If it becomes the default Google can’t get away with bullying people using recaptcha.

I'm also concerned with the general blacklists that are showing up. Some of the analytics companies in the list they are using from github don't use any particular fingerprinting technologies outside of setting a cookie. Given that there are a wide array of more aggressive and seemingly more malicious ways to fingerprint, bundling up cookie usage with that seems like a recipe for throwing the baby out with the bathwater. This is happening throughout the browser world right now though. There's no way for a "good" analytics company that sells a service to a website owner, with no intent to share, sell, or aggregate that data with third parties to differentiate itself from a malicious ad network that is intent on cross-device fingerprinting, persisting your identity, and knowing who you are everywhere you go on the web.

Until there is some kind of official agreed upon terms/privacy policy that can be adhered to/audited, this will keep happening. It will lead the already advanced bad actors to further their game of whack-a-mole, and push the "good" companies to do more and more questionable things to avoid going out of business as moves like this cripple them.

To be clear, I'm not saying that the analytics industry hasn't been complicit in its own punishment, it's just come to a head in a way that I feel warrants more cooperative action than blacklists based on... what criteria?

That would suggest that there is such a thing as a "good" analytics company.

From my perspective as and end user, why would it be desirable for me to facilitate the "analytics companies" business model?

Sure, far-reaching blacklists are probably bad for analytics companies across the board, regardless of their intent. But as an end user, why should I care?

As an end user it shouldn’t be a concern you have as long as the data isn’t used for things you would find surprising.

Right now there’s no way for any analytics company to convince you they don’t do anything surprising.

I want my customers to run successful businesses and to use the data we collect on their behalf to help them do that.

Why should you care? Mostly hypotheticals, but as said above, it shouldn’t matter to you.

If analytics works, we can drive down costs, and improve how companies spend money on marketing and product development. This should mean more affordable and or higher quality products and services.

Agree. It's almost like google made their captcha to ensure browsers continued to allow fingerprinting rather than to tell bots from humans.

As you say perhaps sites can get a kind of "entropy budget". If they ask for my screen size that's X bits of entropy. If they want to render things to a canvas and read back the result that's Y bits of entropy (Y >> X). Once sites reach a certain budget that users can set themselves, they get fake or invalid data. Worst case if I set the entropy budget too low is I get a captcha or an incorrect layout somewhere.

This is the approach that Safari is using, they call it "simplified system configuration."

This is the very proposal that my thesis made, which I defended just this week. We even did research in this area, and showed that people find being notified about their risks as helpful and made them more confident in making trust decisions.

> more security around the data that is used for fingerprinting, such as [...] screen size, window size

Available in Nightly under a hidden boolean preference `privacy.resistFingerprinting.letterboxing`.

The more websites use Google's "captcha", the more pointless it is to resist fingerprinting. And since that "captcha" is built into Cloudflare's "spam protection", it blocks you from half of the internet already.

Why the scare quotes? Because the purpose of recaptcha isn't to tell humans from bots, it's to punish users who do not wish to be tracked by giving them an endless stream of challenges to solve no matter if they keep getting them right or wrong. It is especially obvious when they intentionally delay the loading of subsequent images if you have too many privacy features enabled, because it does nothing to prevent bots from solving them. It's grouped into several tiers, depending on the amount of frustration they want to generate:

1. Invisible captcha - you have Chrome, you're logged into a Google account, your advertising ID has a profile full of useful data. You go in with no hassle.

2. 1 click - maybe you're on a new IP or a new device, but you're logged into a Google account and use Chrome. Click the checkbox and that's it.

3. Regular captcha - You're not logged in but you don't use any privacy enhancements, so through a combination of fingerprinting, cookies, and other tracking techniques you're uniquely identified anyway. You get 9 images, select 2 or 3 of them and you're good to go.

4. Annoying captcha - you're blocking third party cookies, you're not on Chrome, looks like you're not being a good cog in the machine. You get a captcha with 9 squares that load more images, or you have to "select squares containing X", and you get 2-5 of these in a row.

5. Infuriating captcha - you're blocking third party trackers, cookies, all other storage methods, you block or mitigate canvas fingerprinting, you're behind a VPN, your fingerprint is not recognized, there's no data in your profile. Google won't squeeze a cent out of you, so you don't get to use the internet. You're getting an endless stream of slowly loading squares, or 5-7 objects to recognize. Even if you do all of them correctly, it won't let you in. Maybe after 4-8 cycles, but that will still waste ~10 minutes per try. You're barred from any website that links to reCaptcha.

These days websites using it are for all purposes dead to me. I can't visit them and I won't waste my time clicking their images or selecting squares or whatever.

I appreciate it when my browser takes the position that it acts as the user's agent, and not the advertising network's agent.

This attitude from the Mozilla crew has convinced me to try switching from Chrome for a week. (I understand that these latest features aren't yet available in the normal releases)

I switched completely to Firefox on my work computer. Don't miss Chrome at all.

Me too. I am absolutely happy with Firefox after switching about 6 months ago. I don’t miss anything.

I think current Firefox has audio/video autoplay controls, and in my experience they're wonderful compared to Chrome's. A one-time popup that lets you easily control it per-site. Already enough to make me prefer it.

I recently switched from chrome being my daily browser to firefox...and the only thing that firefox is not great at is "save to pdf" (I would add some other minor printing aspects, but honestly i don't print much of anything anymore from a browser - so no impact for me). Besides "save to pdf"/printing, i have no use/need for going back to chrome. I encourage you to try out firefox and see if you have an equally positive experience.

Thoughts on Brave browser?

Brave's good but since it's a wrapper around Chromium, you're still supporting Google control over the Web.

This sort of reasoning is fallacious. Use of Chrome’s renderer is not specifically advantageous to Google until/unless they attempt to leverage it to break web standards, which is not their general policy (Widevine concessions to content creators notwithstanding), just as use of WebKit is not specifically advantageous to Apple, nor is Node’s use of v8, et c.

Fact is, Brave is, as I understand it, a system that intends to pay a user to see ads (via replacement) - although they may have pivoted (again?) away from that. It’s not an anti-tracking or anti-advertising effort.

Except Google already ships bugs in their products to non-Chromium browsers (see YouTube, Google Docs, etc.) By using a Chromium-based browser you facilitate this anticompetitive behavior.

Imagine how powerful a paid browser could become on this front. As people slowly become more privacy-aware this might be feasible.

You already can donate to Mozilla: https://donate.mozilla.org

I'd rather buy a browser as a company's primary product, not donate to Mozilla which makes a browser and does many other things, many of which I disagree with and would rather not fund.

I'm confused here. Seems to me that if you want these kind of features in a browser you want exactly what funds. Also, even if you paid for software with these features, it's likely a good portion of the money you pay will also go towards things you disagree with as well.

Could you give some examples of things they do that you disagree with? I can't really think of any controversial non-firefox things they've done.

Controversial != useless. I don't like they wasted money on Firefox OS or Persona; I don't want to donate to them if my money goes there instead of to Firefox. In fact, why not let us decide where exactly our money will go if we donate?

Mozilla invested into Firefox OS, because they were hoping to disentangle their #1 revenue stream from ad-tech companies.

It also led to the sharp decline in memory usage as that became super obvious when they went 100% mobile.

Just to be clear: other than the Mr Robot promo your main criticism is that their politics don't align with yours?

Because I think when people ask about Mozilla controversies they're thinking about situations in which Mozilla has "broken character" by e.g. risking users' privacy, not activism that is absolutely in line with Mozilla's stated goals (whether you personally agree with them and their interpretation thereof or not).

Censorship isn't really a personal preference. Or is it?

But Firefox is Mozilla's primary product. It just so happens that Mozilla is big enough to also have some side products.

I have a hard time believing a paid browser would ever get big. People just do not care enough.

Opera started as a paid browser and nearly went bankrupt. They even had ads on the free version. Barely anyone paid for it and the ads killed adoption.

Heck, even Netscape Navigator started out as shareware. It was "personal use only" but most commercial users never bought a license. It was eventually defeated by Microsoft Internet Explorer, which was free for commercial use even before it shipped with the OS.

If there is any chance someone will attempt a paid browser again, it will most definitely be based on Chromium (or maybe Firefox) rather than written from scratch and no website will make any effort to test on it (just like barely anyone ever tested on Opera).

If Jetbrains were to build a browser on top of firefox with a similar level of features to their IDE’s, I would absolutely pay for that.

Developer tools is already invaluable, but there’s no reason it cannot be better.

Very few people pay/donate, and very few did for Firebug back in the day.

I care and would pay. Same with websites. especially if the experience was easy, scalable, and protected my privacy and anonymity.

> In the coming months, we will start testing these protections with small groups of users and will continue to work with Disconnect to improve and expand the set of domains blocked by Firefox. We plan to enable these protections by default for all Firefox users in a future release.

While lots of people here already have uMatrix or other blockers running, blocking fingerprinting and cryptomining domains by default would be a big step!

(Disclosure: I work on ads at Google.)

Since you work on ads, may I ask why you support this? Won't this make most of your features ineffective?

In principle advertising is fine. Telling people that a product exists is useful. "Do you need a hat shaped exactly like a golf ball? At Dave's Golf Ball Hats we sell six sizes!". Targeting this advert to most likely be seen by people who actually had been thinking of buying a hat shaped like sporting equipment is still a good idea too.

But an advert that steals from you, or harms you is neither of those things. Google Ads doesn't need those to be profitable. It would suit them if those went away.

> Targeting this advert to most likely be seen by people who actually had been thinking of buying a hat shaped like sporting equipment is still a good idea too.

Not if that targeting is done using data gathered about me without my consent -- as it almost universally is.

Targeting based on context (what sort of website the ad is on, for instance), is fine.

Google’s primary revenue source is AdWords, meaning ads served on their own properties, the bulk of it being in Google Search and most if that is contextual, most ads being served based on the search you’re making.

Google doesn’t actually have a problem in serving contextual ads on their own properties, since they have plenty of context. The problem is with AdSense since there advertisers need some sort of user profile, plus in the EU bidding exchanges are in jeopardy due to the GDPR.

> Targeting based on context (what sort of website the ad is on, for instance), is fine.

Why? I didn't consent for that.

Do you object when sports TV channels show ads related to sports or people who enjoy sports?

Because that sort of target is based on the context the ad is appearing in, not on any data gathered about you specifically.

I don't understand this new position (that GDPR follows) that consent is required for information to be gathered on someone. If someone sees me wearing a blue shirt and writes in their notebook that I wore a blue shirt then I don't feel like I have some inherent right to coerce them to erase it or prevent them from selling that information to Blue Shirt Emporium.

If they wrote 'person wearing blue shirt', fine. But if they followed you home, took note of the address, cross referenced that to find your name and other personal info, then stored all that data to a company that decides who gets loans based on shirt color - not fine. Etc.

sometimes it is right to treat scenarios that are fundamentally similar as different beasts in practice when those scenarios are actually happening at very different scales.

i (and many others) believe that surveillance is like this. the effort that it takes to do what your describing does not scale, and cannot be used to implement dragnet surveillance and data collection (unless it's a police state and you have a lot of notetakers). lots of people (myself and many others) think dragnet surveillance (whether by private entities or governments) is a thing to be avoided (because it creates really bad power asymmetries, which i think are inherently a bad thing).

also, i don't think that large companies should be granted the same rights as individuals. just because a person can do a thing on their own doesn't mean that a large entity should be able to do something similar in spirit at thousands or millions of times the scale.

Many laws and societal norms don’t require universal acceptance. So it’s totally reasonable for you to not care, while society in general feels the opposite. Or vice versa.

And in your case of the note taker, a better example would be somebody that frequently follows you, and takes notes about what you wear. In many places, that could be grounds for harassment claim. In other words, it’s not the act that matters to most people, but the frequency and scale at which the act takes place.

Data about you is not your data. Anyone can stand outside and watch what people do and take notes. That doesn't need your consent. It's the same thing here.

>Data about you is not your data.

Stop thinking about data ownership. Ownership is irrelevant.

It's illegal to process any data about an identified or identifiable person unless you have a lawful basis to do so, and there are only a half dozen of those. "Because I own the data" is not one of them.

Following someone around all day taking notes would be considered stalking.

I think the fundamental problem here is that people in the EU will choose privacy over the ability of companies to make money. Its a different outlook on life. When its my interests versus the interests of business I choose me.

Metadata = Surveillance



"An easy thought experiment demonstrates this. Imagine that you hired a private detective to eavesdrop on a subject. That detective would plant a bug in that subject's home, office, and car. He would eavesdrop on his computer. He would listen in on that subject's conversations, both face to face and remotely, and you would get a report on what was said in those conversations. Now imagine that you asked that same private detective to put a subject under constant surveillance. You would get a different report, one that included things like where he went, what he did, who he spoke to -- and for how long -- who he wrote to, what he read, and what he purchased. This is all metadata, data we know the NSA is collecting. So when the president says that it's only metadata, what you should really hear is that we're all under constant and ubiquitous surveillance."

I'm not sure of your point.

My point is that surveillance is not illegal and does not require any consent to accrue information through public observation.

I think whether or not it's legal is irrelevant. Things can be wrong -- even unconscionable -- and still be legal.

> It's the same thing here.

I disagree completely.


In this case the clue is the word fingerprinting. If someone outside your door was taking fingerprint impressions, your name, and then writing down your license plate and selling that info to anyone with money - would you just let that continue? Unlikely.

In the real world they can't physically touch you so let's replace that with passive facial recognition. In that case, yes they can do that all today. Someone can follow you all day from the moment you step out into public.

We might not like it but it is legal and they own their observations.

Wut. Stalking is literally a criminal offense.

You should look up the legal definition of stalking. Making public observations isn't it.

Stalking: https://www.cps.gov.uk/legal-guidance/stalking-and-harassmen...

> Whilst there is no strict legal definition of 'stalking', section 2A (3) of the PHA 1997 sets out examples of acts or omissions which, in particular circumstances, are ones associated with stalking. For example, following a person, watching or spying on them or forcing contact with the victim through any means, including social media.

--begin here--

Definition of stalking

Stalking is not legally defined but section 2A (3) of the PHA 1997 lists a number of examples of behaviours associated with stalking. The list is not an exhaustive one but gives an indication of the types of behaviour that may be displayed in a stalking offence. The listed behaviours are:

    (a) following a person,
    (b) contacting, or attempting to contact, a person by any means,
    (c) publishing any statement or other material relating or purporting to relate to a person, or purporting to originate from a person,
    (d) monitoring the use by a person of the internet, email or any other form of electronic communication,
    (e) loitering in any place (whether public or private),
    (f) interfering with any property in the possession of a person,
    (g) watching or spying on a person.

--end here--

I mean, that's pretty clear.

For two reasons.

First, most of this sort of spying involves using my own equipment as a weapon against me -- and actively subvert my defenses in order to do it. This is, in my view, not much different than them breaking into my home and installing surveillance equipment.

Second, the data gathered about me (even if it doesn't involve subverting my own equipment) is not kept in isolation. It is combined with a lot of other data about me and then mined for further insights. Every little data gathering act may be insignificant in isolation, but the end result is a degree of surveillance that is deeply immoral if done without my consent.

It is by Berne convention. Gathering doesn't need my consent, but I can disallow it. In an ideal world DoNotTrack request would be honored, but since nobody did it, denial had to become the default.

Berne convention is about copyright which has nothing to do with this topic.

Copyright is ownership of data.

An ad for a golf ball hat is a pretty benign use case but that exact same approach could be used in much more distasteful ways.

For example, suppose depressed people are more likely to buy expensive impulse item X. Person A is depressed. Lets show them ads for item X!

That would be a nicely profitable strategy that could emerge organically out of a sophisticated ML ad targeting model, something like... AdWords.

Untargeted advertising is very often more egregious than merely telling people a product exists. Traditional pre-digital advertising runs the gamete from "Come to me and I'll fix your car" to "You are ugly and unpopular, but you can fix that by drinking our caramel colored sugar water." Advertising that tries to induce then exploit self esteem issues is a plague.

This little bit of misdirection Google and Facebook have propagated about how much better the advertising you get with tracking is the slimiest piece of bait-and-switch in history. Seeing people repeat it like it's fact is testament to just how insidious it is.

Targeted advertising is not designed to serve the viewer, it's designed to serve the advertiser. So advertisements you get are even sleazier than non-targeted advertising because they have by definition more information about the reader. So instead of generically exploiting people's self esteem, it exploits people's self esteem armed with much more information about the users.

Targeting and tracking is a plague and should be discouraged and blocked to oblivion.

> "So advertisements you get are even sleazier than non-targeted advertising"

On average yes. Just as there is a gradient in non-targeted advertising of 'basically benign' to 'scum of the earth', I think there is a gradient in targeted advertising too.

On the basically benign end of the gradient you have the "You recently bought book X from author Y, perhaps you'd be interested in Book Z from author Y." (I don't like that stuff, I still block it, but it doesn't quite get me incensed if you know what I mean.) But the potential for harm from targetted ads can be truly extreme.

Yes, fully agree. Not all advertisers are bad. Not all advertising is bad. But the idea that targeted advertising is inherently better is bullshit and potentially far worse. I know you are not suggesting that either, just clarifying my above comment.

Targeted advertising is not designed to serve the viewer, it's designed to serve the advertiser.

Advertising doesn't help the advertiser unless it helps you. Showing you an ad for something you don't want, can't use, and would never buy, benefits nobody.

Advertising helps the advertiser if it results in a sale - it doesn't matter if the sale helps the viewer.

If the ad results in the viewer getting an eating disorder, for example, that's fine for the advertiser if it also results in a sale.

Advertising helps the advertiser if it results in a sale - it doesn't matter if the sale helps the viewer.

Exactly this.

Often it doesn't even require a sale. A lot of Facebook & Google advertising is for bullshit sites which push increasingly sketchy content backed by even sketchier advertising. Sometimes the goal isn't even profit, the Russians paid for advertising to influence politics.

That's fair, and I should have been more specific in saying that I'm not referring to cases of outright fraud. What I mean is this:

If I an a potential buyer of, say, a book... and my interests include AI, multi-agent systems, and operating systems, then an ad for Barnes & Noble offering the new title OS Development for AI and Multi-Agent Systems is probably going to be mutually beneficial, because it will help me find a book I would want, and it helps B&N sell said book. OTOH, an ad for the new title Necrophilia And Cemetery Porn Of The Deep South is not beneficial to either party (if it's displayed to me) because it's not something I'd ever be remotely interested in. Frankly, I'd much prefer the (accurately) targeted ad.

Advertising helps the advertiser if it results in a sale - it doesn't matter if the sale helps the viewer.

If it resulted in a sale, then that means by definition it helped me find a product or service I wanted. If I made a bad decision in making that purchase, that's an orthogonal issue.

People buy crap they don't need all the time. The whole point of advertising is to sell. I believe the OPs are saying that they leverage information about you to bully you in to thinking that something is actually helpful and you should buy it, hence the talk about exploiting self esteem on a much more personal level. While I can't be sure if Google or Facebook actively do this kind of thing or sellers just use these platforms to do this, there's very little question that social media and consumer internet has gone rogue. Unless you've been living under a rock, you just have come across at least a few of those.

I, personally, have no issues with these platforms collecting my data and making money off it in exchange for their services that I use. But when they do the same even when Im not using their services or explicility expressing my disagreement, I'm not cool with that.

> "Advertising doesn't help the advertiser unless it helps you. "

That's incredibly naive. You've failed to consider the wide class of products which are tempting but harmful.

Advertising doesn't help the advertiser unless it helps you.

This is nonsense. History is littered with cases of advertising abuse and misuse. Everything from literal snake oil salesmen to modern day shysters profiting from selling conspiracy theories and anti-tax bullshit is enabled and propagated by advertising.

OK, fair enough, I should have specified that I meant outside of the case of obvious fraud (eg, snake-oil).

Also, FYI, I'm not the one who down-voted you. In fact, have an upvote to counter-balance that.

I get your point about the potential benefits of targeted advertising, and in an ideal world it's true. Of course in that same ideal world we wouldn't have sleazy non-targeted advertising either. I just see so much abuse of tracking and targeting that the damage far outweighs the benefits.

and... targeted advertising doesn't use these attack vectors? really?

Of course it does. I never suggested otherwise.

> "Do you need a hat shaped exactly like a golf ball? At Dave's Golf Ball Hats we sell six sizes!"

The implicit message here is buy buy buy. "There's cool hats shaped like golf balls. Everyone's getting one! I need one too!"

Do I really need a hat shaped like a gold ball? Do I need any of the crap our materialistic society says I need?

Ads like this are trying to shape my expectations about myself, the meaning and purpose of my life, and what I need to feel fulfilled; and all for someone else's benefit, not my own. I have made it a personal goal to reject consumerism, and instead live a simple, sustainable, and efficient life. Rejecting ads (electronically blocking where possible, mentally blocking everywhere) is part of how I'm trying to achieve that goal.

Any company trying to sell me something that I didn't seek out myself is my enemy.

You can imagine a company that has come up with a product that helps people live more sustainably, and they want to figure out how to tell people about it. You didn't seek them out though; are they your enemy?

Yes. So they are trying to tell me how to be more sustainable, and make a profit on the side? Which objective is more important to them?

Edit: I believe that analyzing the biases and incentives underlying the choices and abstractions presented to us is an important part of what it means to be an intelligent human being. Ads are not reliable sources of information, as the company is incentivized not to inform you, but to sell to you. There are many better sources of good ideas than ads.

The purpose of advertising is to manipulate you into buying things you don't need, not to inform you about a product that is useful. Turn on the TV, or the radio, or any website, and show me one advert that is purely informative.

Google ads has the engineering to work around this, competitors might not and would therefore loose market share to Google ads. Of course he is supportive, his stock options just improved.

Google and Facebook have 1st-party direct connections to users that are signed in. They can already set cookies freely. They already know who you are. This only hurts their competitors.

Optimistic answer: working on ads doesn't mean you agree with the level of privacy violations analytics involve these days, making those invasions of privacy technically impossible or illegal means you can avoid them without having to defend your stance against business interests (e.g. "but our competitors are already doing this and not doing it puts us at a disadvantage").

Pessimistic answer: technical countermeasures don't prevent these invasions of privacy but they make them significantly harder, putting companies with less technical skills at a disadvantage. Anti-fingerprinting protections hurt the bottom feeders while larger companies like Google can likely work around them.

Pragmatic answer: this wasn't really about the fingerprinting but the crypto miners. Ad networks don't like crypto miners either but blocking them is difficult so browser vendors are really just solving the ad networks' problem for them.

The two main ways ads have of tracking users are:

* Cookies: ads ask the browser to store something, later they can ask what the stored value is.

* Fingerprinting: ads collect enough information about the browser that they can distinguish it from other users' browsers.

While cookies aren't ideal, I think an ad industry that uses them is a lot better than one that uses fingerprinting. The key differences are user control and visibility. If you clear your browsing history, or close an incognito tab, your cookies are gone but your fingerprint is unchanged. Similarly, you can see who's setting cookies but you have no idea who is trying to fingerprint you.

Why the disclosure? Are you saying this in a personal capacity or is this the stance of Google Ads team?

Like, hey we love and embrace any technology that fights our team's fingerprinting efforts...

> Why the disclosure? Are you saying this in a personal capacity or is this the stance of Google Ads team?

I'm commenting as myself, and not for the company. But my perception is likely colored by working for an ads company and it seems fair to let people know that.

> Like, hey we love and embrace any technology that fights our team's fingerprinting efforts...

While I don't know for certain, I don't believe Google Ads uses fingerprinting. Firefox/Disconnect doesn't seem to think so either, since Google ad domains are on the "Google" list but not the "Fingerprinting" list: https://github.com/mozilla-services/shavar-prod-lists/blob/7...

Cryptomining seems like a fine alternative to ads to me. Or just the general idea of making the client do some computation work for you.

I like my battery to last a whole day, pretty please. Whenever on mobile and AMP is not an option, I'll try Firefox Focus. If that doesn't work, I'm as likely to move on as to revert to letting the site's affiliates run Javascript on my phone.

I too do not like spending a $1 so somebody can earn $0.0002.

I think you'd optimally be able to choose between ads, mining, or paying some kind of token, maybe linked to your (Firefox/Google/etc) account so it could be mined on your desktop and used on mobile, or the tokens are just bought.

Anecdotally my phone is about 4 years old maybe and the battery still does fine browsing with JS on in Firefox mobile. That is with ublock though.

>(Disclosure: I work on ads at Google.)

Is that relevant?

I'd rather that people disclose when tangentially related than not at all. I'd say it's a good thing.

How do you know whether someone works at Google?

Don’t worry, they’ll tell you.

Didn't see your comment but I said the same thing. Just goes to show arrogance of Google right now they are sisaying in many fields. Because they probably think only they will have the capacity to effectively fingerprint if browsers fought back, because you know, its Google. Most weaker plays will drop out.

Tracking is one of Google's services and it's widely used

I don't much like the notion of farming out my "cryptomining blocker" to some unknown-to-me third party. There are a (small) number of sites that do cryptomining after asking for an opt-in permission (e.g. bit.tube). It seems to me that this is an interesting exploration of new, alternate funding models than serving ads, and I, for one, like to (sometimes) support these. I'd hate to see them land up in a blocklist I don't have some degree of control over.

I agree it sounds harsh, but I think for NOW it's the correct choice. Like any browser API that can be abused, the small number of valid sites are so overwhelmingly dwarfed by the dodgy ones. When I first heard about the "notifications" API I thought it was a great idea - so many valid use case! Now I want it to burn in a fire. Something with so few use cases as cryptomining should not be something that users blindly click yes to.

Could we make Javascript optional as well while we're at it?

"This site tries to run Javascript. Normal news sites shouldn't need this.

[Allow this session] [Allow 5 seconds] [Deny]"

I'd be particularily interested in the second option since it would allow us to use sites that depend on JS for content while they roll back the craziness that is depending on scripting to show static content.

While I'm at it:

I want badges!

- Certified Javascript free page (Platinum)

- Certified progressive site, no dependence on Javascript, no long running background scripts (Gold)

- etc

Obviously I'm exaggerating the implementations here but I'm serious about the idea.

(And yes, I earn good money on frontend work, I just think it often makes solutions worse.)

Ha ha, "certification" is a cool idea, but it would be hard to get anyone to care about it. "Allow 5 seconds" is a feature I really want now - I might dig into the Firefox code (or No-Script) and see if I can figure it out!

I have no-script on by default, and these days I need be convinced there's a REALLY good reason to temporarily whitelist a site.

Sure, a lot of the web is now either a blank page (or "you need to enable js to run this app") but on the positive side, I'm a lot more productive as I just close those sites and move on!

I've wanted the "allow 5 seconds" thing for a long time too.

You can manually pause and resume js by opening up the debugger and hitting pause. The code exists it just needs to be exposed to the UI.

How would this interact with onclick handlers on buttons and the like?

Would it be that after 5s the user couldn't interact with elements on the page like that (e.g. if they open an image, and wait a few seconds, they then couldn't close it because the 'x' onclick handler wouldn't run), or would each handler run by a user action (like an onclick) have 5 seconds to run?

Either, you could even have both as options.

The simplest way to do it would just be to pause js 5 (or maybe 15) seconds after page load, and have a button beside the url to resume/repause js.

The devtools keep working with js paused though, so it should be possible to do something like have a onclick handler that resumes and starts a timer to repause the js.

Ideally I think I'd like click's to resume js for a few seconds unless they are clicking on a link (with a href that leads to another page). I'm not certain that would be technically easy but it seems likely it would be.

This. The internet desperately needs to progress beyond an advertisement driven business model. Disallowing these scripts seems a little heavy handed. Perhaps the addition of a "requestComputeResources" method to the browser's api would give a way to throttle them instead of outright banning them.

They make it optional.

To be real, though, somewhere close to 0% (rounded to the third decimal place) of users would agree to grossly inefficient cryptomining in the browser. As a web funding model it is terrible and is almost always akin to malware. It certainly costs the user much more in electricity costs than it will ever benefit web publishers.

And as a global ecological cost, it's pretty huge.

>They make it optional.

Mozilla? Optional protection? Don't trigger my memories.

They also made it optional to block unsigned extensions, which you could turn off if you wanted to tweak one to fix a bug because it wasn't being maintained fast enough.

Like, if you believed in the whole Open Source/tinkering philosophy, or something, which Mozilla may or may not care about.

Then, they started disallowing it in 2016.

And they turned off key remapping too.

I wholeheartedly agree that we need to progress beyond the ad-driven business model but is in-browser mining really a plausible replacement?

For one thing it's probably not a good idea on battery-powered devices, so it's only useful for monetizing desktop browsing. It also means that the money you make out of it depends on the average power your "customer" has available to mine.

Beyond that since mining is a zero-sum game it means that the more people opt for this model, the less money they individually make. Maybe today you make on average 0.001cent per minute and per user and a year from now you make a tenth of that. You have absolutely zero control on it since it's merely a factor of the total hashrate and the cryptocurrency's value.

I have a hard time imagining how this could become mainstream. Tipping using cryptocurrency microtransaction seems more promising but even that is far from a solved problem. I'd rather directly send $.002 to the website rather than waste $.01 of electricity for the website to make $.001 out of it.

The thing is that with ad networks you're at their mercy, if they don't want to sell ads on your site, you have no other option. While it would be nice to have a micropayment system built into browsers themselves, cryptomining is kind-of the best option.

Nobody would use that API if they can just do it anyway without the users consent

There's not really a way to detect that someone is cryptomining, they can just do it with regular JS or webgl (which has a compute focused API in the works). I don't think either of those features could ever be opt-in. Detecting mining in WebAssembly would be even harder.

I love all the new features that Firefox has been coming out with. They understand their users perspective.

I do appreciate the feature!

But how feasible would be to limit the amount of info retrievable from the JS layer instead than relying on a black list of domains serving fingerprinters?

Mozilla devs seem to take this into account whenever adding new JS features, at least on their mailing lists.

For example, this discussion of a new API for gamepads immediately turned to a discussion of its fingerprinting risks and how they can be mitigated: https://groups.google.com/d/msg/mozilla.dev.platform/75GrJSP...

The www has an API for gamepads. I need a moment.

It seems entirely appropriate for browsers to support input from devices other than keyboard, mouse, and touch screen.

Off topic, but besides being a really cool API for playing games - and heaps of games support it - I used this in a talk to control my "slides" via an xbox controller: https://mrspeaker.github.io/emacs_talk/ - moving around topics, triggering slides forward/back, starting/stopping videos, and changing slide opacity using the d-pad, analog sticks, and triggers. I'll never use an apple remote again ;)

This is the nerdiest thing I have seen a long time. It is lovely! Keep it up.

You remember how HTML5 was sold as the replacement for Flash; as a platform perfect for browser games? This is the logical extension of that.

Yeah, that sort of thing is one of the reasons why I dislike HTML5 so much.

I already had that moment when I heard about the "Web Bluetooth API"

https://wicg.github.io/webusb/ and https://www.w3.org/TR/webmidi/

And I welcome them, it would be awesome to program an arduino from a web based dev env.

Browsers run on TVs...

Depends what sites you’re ok with breaking. Users will blame the browser if it works in chrome but not firefox

You can experience different levels of fingerprinting protection by (for an extreme option) using the Tor browser, or (for a less severe option) turning on privacy.resistfingerprinting in Firefox.

Unfortunately such privacy measures come with a bunch of inconveniences. For both, Recaptca will become more obstructionist. Your window won't start maximised any more. Zoom levels will be forgotten when you open a link in a new tab. And if you use Tor Browser, by design there's also no saving passwords, no saving cookies, no saving tabs between sessions, and no browser/address bar history.

thats what privacy.resistfingerprinting is for

Seems like they're just using a blacklist? Those seem to be able to be gamed pretty trivially.

Agreed. Setting up blacklists is just whack-a-mole. I'd be more interested in detection of actual fingerprinting techniques, such as system font enumeration using canvas, or WebGL GPU fingerprinting. It would be technically possible to detect the creation of WebGL or canvas contexts that aren't actually rendered in the layout and prevent data gathered from those contexts from being sent in any XHR payload. I'm sure that's a lot of work.

Maybe it would be better to find the worst offending JS APIs and demand a user consent step similar to webcam or notifications in order for the scripts to run at all.

I couldn't help but read the headline and think to myself: This is great! I should probably jump right in to this .001 % bucket of Firefox nightly users. Combined this with my >1% OS, custom profile of barebones unsupported, blocked, not installed client technologies and then they'll really never get my fingerprints!

If you enable resistFingerprinting, Firefox reports a "standard" user agent. Without that, your Nightly user agent probably makes you trivial to track.

Some sites are using these APIs as a way of providing positive data that the users environment is not a bot. I think if you ban this kind of thing you are going to break some important web apps.

That's effectively how ad-blockers function and they seem to work pretty well.

Buying a new domain to bypass the list is pretty easy but adding one line in the blocklist is even easier (and easily crowdsourced).

This is a good insight.

Because Firefox is open-source, everything can be gamed. If they went for some more "intelligent" method, the kind that instinctively appeals to people like you and I and anyone posting on HN, the fingerprinters could see exactly what they were being tested on, and it would be faster to iterate their counter-measures (keep this particular activity just below threshold X on metric Y) than it would be to make new Firefox releases. And the counter-measures to these more smart kind of measures happen _in secret_, whereas counter-measures to the "bash the problem to death with simple rules" approach are public, are (if their fingerprinting is to have any point) widely distributed, and thus much more immediately picked up and remedied by the many wonderful people who work on the lists used by privacy tools like ad blockers.

While we all like a cool and innovative solution, sometimes bashing the problem to death with dumb rules really is the best approach :)

(edited for a clarification)

Yeah this is a disappointing approach. At least for crypto mining it should be fairly easy to detect heavy computation and ask the user's permission to continue.

One would think that the past 25 years of experience with SMTP RBLs would teach people that using predefined DNS based blacklists (or IP space range blacklists) is indeed a game of whack-a-mole.

The issue with emails is worse because spam is unsolicited and can be sent from anywhere. That means that basically anything can be used to send spam, from botnets to miss-configured SMTP servers.

On the other hand your fingerprinting/mining JS has to be served by a website that people willingly browse. That's a much higher barrier of entry and means that you can't just change your server's domain every hour lest you manage to convince your partner websites to update their code as frequently (which in turn might end up blacklisting them instead).

malicious advertising networks and advertising/JS botnet things have used fast flux DNS for a long time now. It's fairly standard practice for hostnames and IPs of things serving malicious content to have extremely low DNS TTLs, the malicious actors have scripted/automated their changes.


Right, but you still have to convince the target to load that code willingly (directly or indirectly) so it's still harder than email. I except these shady networks to be mostly used on shady websites, so you can block them "at the source" so to speak.

    In collaboration with Disconnect, we have compiled
    lists of domains that serve fingerprinting and
    cryptomining scripts. Now in the latest Firefox
    Nightly and Beta versions, we give users the option
    to block both kinds of scripts
Isn't this something that content blockers like umatrix already excel at? Why put it into the core of Firefox?

I would prefer to see Firefox giving more power to extensions. For example, it is still impossible to make an extension that makes a typed in url use https per default. Because it is not possible for an extension to know if a network request stems from the user typing it, using a bookmark or one of the other many ways a browser can be triggered to do a network request. So typing urls in Firefox keeps being dangerous because it will load the url per http by default.

Extensions are the primary source of malware I find on PCs, and they're fantastically cross-platform. I just degunked a MacBook Pro the other day that looked like the worst of Windows XP, all done via Chrome extensions shipped from the Chrome Web Store directly.

Firefox does a better job at vetting extensions, but the reality is extensions have incredibly deep access to sensitive data, and they bypass every other security measure on your PC. HTTPS? Pointless if you've got a list of extensions installed on your browser.

The EFF's Privacy Badger has been my sole extension for a while, but as Firefox Tracking Protection has expanded, I've found Privacy Badger catching less and less, since Tracking Protection blocks them first. I will probably retire my use of Privacy Badger pretty soon, because it's just becoming superfluous.

I prefer to have features like this in core so I don't have to give a ton of permissions to a third party. I hope it becomes powerful enough to replace uMatrix.

Extensions are analyzed by the Firefox team:


If the review process is still insecure (That is how I understand you reply) I would prefer them to put their energy into this. Analyzing popular extensions in depth (and giving them some 'in depth analyzed' badge) so you do not have to trust a third party.

I don't know how much I can trust the review process. I believe they have relaxed it a bit recently: https://blog.mozilla.org/addons/2017/09/21/review-wait-times...

>Add-ons built on the WebExtensions API will now be automatically reviewed. This means we will publish add-ons shortly after uploading. Human reviewers will look at these pre-approved add-ons, prioritized on various risk factors that are calculated from the add-on’s codebase and other metadata.

Users who are prohibited from installing addons (or otherwise unable/unwilling) would benefit greatly from not needing to install an addon to be protected.

Because the vast majority of users have no idea that that's something they can or should be using.

Power users like you and I can disable this if we like, using about:config.

Do I read it correctly that fingerprinting is blocked purely with a script/domain blacklist?

how else would they block it

Present a uniform environment to scripts. For example fingerprinting doesn't work very well on iPhones because they are all so similar. Firefox could pretend to be some sort of "standard" machine.

That's definitely not easy but it beats blacklists which are trivial to work around.

They already do this in some areas, like returning a fixed list of installed fonts, but fixing every possibility of fingerprinting is extraordinary hard since there are so many ways to pull in some data. At some point it light actually hurt the user experience.

Right decision to make a step towards a user and protect their market. Preventing fingerprinting is interesting and non-trivial by itself. It's impossible to implement with just a plugin.

One day I found that navigator.getGamepads() did rat out my gamepad in Chrome while using private mode, I twitted Google, they didn't answer. Who knows what else is exposed.

I didn't know Firefox had privacy.resistFingerprinting.reduceTimerPrecision.jitter option, that's cool, but what about requestAnimationFrame()? Games wouldn't work without it. Not to mention spawning workers and passing values between them; delays while using things like shaders and gpu.js; decoding various formats like audio and measuring time, etc. Anyone tried to block videos on news sites? They are unstoppable, I can watch vids like with everything red in uBlock Origin.

I think Mozilla could make a contest for breaking their fingerprint resistance, before they are ready to merge their privacy features from Nightly to master branch.

I really welcome Mozilla's effort in fighting the uphill battle against browser fingerprinting. I am however very interested in the terms of Mozilla's partnership with Disconnect. Are obsoleting their add-on for Firefox out of the good of their hearts?

If I'm not mistaken, Firefox's currently built-in Tracking Protection also borrows from the base Disconnect blocking lists. So this would not be the first time they've used them.

This endless war could be solved with a single meeting with the 3 major adtech companies.

All browsers have to do is share a single advertiser ID and have it reset by the user whenever they want. No more cookies, pixel syncs, or fingerprinting and all the related countermeasures.

This is the exact mechanism used by mobile apps right now so it's already well-tested and proven to work.

"Solving" fingerprinting by fingerprinting ourselves seems like it might miss the point for a lot of people.

Missing the point is the cause of all this mess.

If you care about fingerprinting because you care about privacy and limiting companies' ability to profile you, then adopting an advertiser id is giving up completely.

Why would advertisers stop using the existing, better methods?

An Advertiser ID is the best method, especially because it can be looked up by multiple companies and is user controlled.

Unlike what people seem to think, adtech has been designed from the start for anonymity. The persistent ID is needed primarily for ad frequency and conversion tracking. Eventually identity is revealed when someone fills out a form or buys something but that's not necessary at the top of the funnel.

Currently: Advertisers can track you and estimate whether you are likely to buy the product.

This is good for advertisers.

If a user-controlled resettable ID prevents advertisers from doing this, what incentive do they have to not use their existing methods (in addition to the advertiser-ID)? Further, why would they not use tracking to say "Well, they reset their ID, but I know they're the same because of this other data, so I'm gonna link it back up behind the scenes."

The fingerprinting list includes Stripe, why?


Feels anti-competitive to have defaults to block mining while not having default enabled advert blocking.

I'm much happier for a site to mine on their tab while I'm watching a video than to show me 2 minutes of advertisements every 10 minutes. On mobile in particular, where video ads end up eating a large chunk of my data costs.

You are happier to have your resources stolen and not be aware of it (it's invisible, you can't see what's happening and react - right?) than to be shown an annoying thing which is very much in your awareness? I don't know, I'd rather know someone is harming me silently and have the means to stop it by default. The things that are shown in front of me, I can handle them...

My computer is at maybe 20% resource utilization while I'm browsing the internet. Resource utilization only becomes a problem once you run out of resources; there is zero difference to me between 20% and 40% resource utilization other than very minor factors like a negligible increase in power draw and my fans spinning a little harder.

Of course people could (and do) build malicious mining scripts that try to use way too many resources, just like people could (and do) make malicious ads that spam you with INCREASE YOUR DICK SIZE BY 20 INCHES IN 5 MINUTES popups, but that's not an inherent problem with the model itself.

For devices that are directly connected to the grid, I can somewhat see your point.

However, a large portion of devices on the internet run on batteries, and don't have huge quantities of reserve power.

Back to things such as desktop computers, though: am I supposed to close my browser before doing anything CPU intensive?

Someday, will I need to close StackOverflow to avoid negatively impacting the time it takes to compile my code? That's a trade-off I'm not willing to make.

I think that these scripts should A) not run endlessly in the background while you're not using the website and B) be mindful of how many resources you actually have available.

I think the battery concern is valid enough and it's something that I didn't really consider since it doesn't affect me personally much[0]. I still think the tradeoff of not having ads is worth it though. Perhaps let users choose whether they want ads or mining?

[0] My portable devices are a ThinkPad with a slice battery that lasts me 9 hours of continuous normal use and a phone with a 20kmAh battery bank so I often forget battery life is a problem for some people

Firefox already has tools to throttle tabs which are abusive CPU-load wise, which seems sufficient in this case.

And it's unclear such resources are being 'stolen' if it's stated in the site ToS.

Cryptocurrency mining is a lot less deleterious than ads. Mining doesn't need to track your behavior, it doesn't generate misleading native content, and it doesn't distract you from what you're trying to do.

Sign me up!

disclaimer: I was one of the founders of Tidbit, https://www.eff.org/cases/rubin-v-new-jersey-tidbit, the first(?) crypto mining ad replacer.

> And it’s unclear such resources are being ‘stolen’ if it’s stated in the sites ToS.

Unless I, as a user, explicitly consented to crypto mining, no such thing should be allowed to take place. Same thing goes for auto playing videos.

Just because you put it in the ToS doesn't make it legally or ethically acceptable. In addition, very few people will read the ToS of random websites they visit that begin cryptomining, resulting in non-consentual mining.

Great! I look forward to these protections being included by default in the future, as they allude to.

I recently enabled privacy.resistFingerprinting in about:config (which basically is the configuration switch toggled by the UI described in this blog post).

Everything went fine, until I noticed WhatsApp web becomes unusable, because it does not generate the initial QR code for establishing the session (to be fair, it flickers, which seems worse, as it smells of an active countermeasure on WhatsApp/Facebook part).

While I did I not have yet the time do dig deep into the specific technical reason WhatsApp may have to expose such a maddening behavior, I am inclined to think that this is more a policy choice.

If so, it's troublesome. We collectively as users arrived to the point of willingly give up the keys of our online communication to a few megacompanies. It's their infrastructure and their product, so they are in power of steering it in whatever direction it wants.

I see this as something that will increasingly become a political problem. As tech versed person, I see the responsibility for not doing enough about it.

I've never understood why the user-agent string gives out so much system-specific information. Why not return less information, such as only the browser make and version?

I agree that User-Agent is suspiciously leaky, but it's microscopic compared to JavaScript. [1]

It's unfortunate that browsers are privacy-insane by default. Luckily, with a bit of effort, most browsers [2] allow you to mitigate this with plugins (e.g. User-Agent switcher, Cookie/Referrer controller, and JS/Adblocker). Pi-Hole [3] can help too.

Mozilla should be commended for trying to improve the situation.

1. https://panopticlick.eff.org/

2. Chrome's days are numbered: https://news.ycombinator.com/item?id=18973477

3. https://pi-hole.net/


I've been using add-ons that protect from canvas finger printing but those are super laggy and slow firefox down.

Any way to get the list of these domains to put into something network wide like pihole?

I very much prefer to mine a bit with my browser than watch ads

This is very exciting, but it seems it's just building in partial uMatrix functionality. It's really becoming a pain to have so many overlapping tools doing the same thing.

> In the coming months, we will start testing these protections with small groups of users and will continue to work with Disconnect to improve and expand the set of domains blocked by Firefox. We plan to enable these protections by default for all Firefox users in a future release.

Default settings can move the industry in a way that opt-in things like uMatrix generally don't.

(Disclosure: I work on ads at Google)

That's why I said this is exciting. For normal users it's a big win, and that has much more potential to move the industry.

I'd like to challenge your attitude on this. Does it not make sense to have your browser handle this out of the box? Personally I'd rather have overlapping functionality for a bit while we work toward a sane browser by default than the alternative which is maintaining some number of extensions each with their own configs etc...

I agree with you. I'd be very happy if they announced that all uMatrix functionality was being added to the browser. I'd be happy to have overlapping functionality for now if that's the future.

My biggest disappointment is that this doesn't do anything new. My secondary disappointment is that this will make my life a little harder when I can't get a website to work. I hope you're right that this means I eventually won't need to install a plugin for uMatrix functionality.

Kind of a shame that I can't browse that site using a VPS on a tier-2 VPS provider (Vultr)

Can you elaborate on why you cannot browse that site? From your comment it is not clear to me what the problem is but it reads as if you are trying to blame mozilla.

Most often I get a 403 forbidden

Works fine from my VPS. Perhaps set a custom forward/reverse DNS name for your node.

I can access it from Tor.

I don't like this reaction to crypto mining scripts. I won't argue that a lot of crypto mining scripts out there are blatantly abusive but I think that as a concept it's a great business model. I wouldn't have a problem using sites that eschewed ads and used crypto mining scripts instead and I would have no reason at all to block them (unlike ads) as long as they're well behaved.

I think blocking mining scripts is a step backwards, hindering the adoption of something that could finally be an unobtrusive and ethical replacement for the failing advertisement model.

> I think blocking mining scripts is a step backwards, hindering the adoption of something that could finally be an unobtrusive and ethical replacement for the failing advertisement model.

If the content on a website is just a vehicle for delivering advertisements, I would consider such a business model to be fundamentally flawed.

Swapping "delivering advertisements" with "hijacking my processor cycles to mine cryptocurrencies" doesn't exactly offer anything that would convince me to change my mind.

I'm more than happy to pay for quality content, but I'd prefer companies to be forthcoming about the cost involved in providing it, rather than turning me or my data into a product that can be sold to the highest bidder.

That's a fair position to hold but it doesn't scale. It's extremely hard to actually convince people to buy something regardless of how much they like it, doubly so if it's something nonphysical like online content.

I would also love to live in a world where I could just deposit some reasonable amount of money every month and have it fairly distributed to pay for all the things I love, but I can see that that's not viable in the real world. Having websites silently use my unused computer resources is a perfectly viable alternative to me in a way that forcing me to stare at things I don't care about is not.

Sure, but tapping the unused power of my high-end desktop PC seems to be far more valuable than doing the same thing to a mobile device with a constrained power profile.

How can I be sure I'm not being taken advantage of?

You can't really be sure that you're not being taken advantage of, but neither can you with ads. I still run into ads that hijack my back button on my phone all the time.

It sounds like there's no advantage then; if we allow this, companies would be incentivized to harvest our data and run our CPUs at 100%. We'd just be giving them another revenue model.

This shouldn't need to be said but companies do need some revenue model. In the end they need to make that money some way, be it your data, your CPU cycles, your attention, or your actual money (or some combination of the aforementioned). Out of those I think "your CPU cycles" is the least intrusive out of the ones that can actually be feasibly implemented in all cases.

Of course companies will always be incentivized to squeeze as much value out of you as possible, but they'll be simultaneously incentivized not to screw people over too much. Just like how abuse ads have led to widespride use of adblock, abusive use of mining scripts will just lead to people blocking them (be it on a case-by-case basis or universlaly). But while I think ads are always going to bother me no matter what they are or how many of them there are, there's a level of CPU utilization that I wouldn't mind or even notice at all.

I see your point, but there would be nothing stopping them from double-dipping under the guise of "we need both revenue streams to pay the bills".

They'll still show us advertisements, though they'll probably optimize them to use fewer CPU cycles since those would directly affect their bottom line.

I sincerely doubt the vast majority of the general population are using ad-blocking software today; at least, not to the extent that companies would dial back their advertisements in an attempt to prevent the size of this demographic from increasing further.

If it could be made 1) openly 2) efficiently 3) for a good cause (i.e. something where companies pay for computing power, but likely not crypto mining) then I'd be all for it. It's at least a workable micro-transaction.

"You aren't a subscriber. Do you want to see the article while running a cpu intensive script, or pay $0.50, or pay $10 for a yearly subscription?"

I'm not too optimistic this would work however. Bandwidth issues, and the short stay would make it very tricky to do something efficiently.

Doesn't Brave, Brandon Eich's project, already do this? Its nicer to use to.

Oh you're right. Silly Mozilla adding protections to their browser for their user-base.

That's it everyone. Shut down Mozilla and have all the users switch over to Brave. Brandon Eich's got everything covered.

No one said you couldn't use Mozilla. But this is being treated as news when it has already been done elsewhere. I strongly support your right to use whatever browser you want.

I have had mixed results with brave on my phone. Sometimes it blocks adverts sometimes it doesn't.

I am not trying to diminishing this post, just want to point out that a great way to increase adoption would be to make a better and simpler-looking UI. A great deal of users prefer Chrome for this reason.

> The average user doesn't even know about fingerprinting

Yet. Give it one or two scandals, maybe involving a heavyweight like Reddit, and users will be aware of what fingerprinting is and why it's not in their interest to have their digital fingerprints taken, analyzed and stored every time they enter the internet equivalent of a grocery store. Give them analogies they can understand and they will feel like they're in a dystopian surveillance state movie, because that's what we're in on the internet.

I care about security, fingerprinting, etc... but most people don't and they don't want to learn about it. They like pretty looking things, pretty looking apps, pretty looking browsers... Apple designs have proven this, there are cheaper products with the similar features yet people want Apple. You would think everybody knows this but Windows still looks like shit. Google has improved their design system a great deal. Logitech realized this and improved its designs a few years ago, now ask them about their sales. Better usability, simplicity and design will increase adoption. It's not an opinion, it's an overlooked fact.

> I care about security, fingerprinting, etc... but most people don't and they don't want to learn about it.

Imho they would care if they knew. They don't know so they don't even know why & what they should learn about it. That's why it needs scandals and good analogies to tell them about it. They won't read "weird" tech blogs, they need the evening news to tell them about it, and to explain it in simple terms. Kind of what Al Gore did back then with global warming: "the planet has a fever". Everybody can understand that. It's not technically correct, but it gets the point across. People don't know what other products are better than Apple's, so they rely on social proof: everybody is buying Apple, so it must be good, so they buy Apple.

People are starting to shift away from Facebook because there's a narrative "Russia stole the election by using Facebook". It's wrong, but it gets the point across that Facebook's algorithms aren't transparent, FB has too much data on the users and whoever controls FB wields a powerful weapon. That got people's attention, that's what you need to for any technical issue that the general public should be informed about.

> This is great but the average user doesn't even know about fingerprinting.

So? They don't understand password hashing, either. Doesn't mean it shouldn't be implemented.

Didn't say that, nor implied it is not important.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact