Firefox Unique Id; Others

Discussion in 'privacy problems' started by hidden, Mar 13, 2012.

Thread Status:
Not open for further replies.
  1. hidden
    hidden Registered Member

    Who can read the (unique, I believe) client id number that Firefox assigns to each user?

    Can it be changed? Made dynamic? Reset for updates?

    Do other programs (e.g. Open Office) have unique id #s? Can they be read by trackers to create a unique profile?
  2. shuverisan
    shuverisan Registered Member

    What's your source that says Firefox has a unique ID?
  3. CasperFace
    CasperFace Registered Member

    If you mean the Firefox profile ID, that's just an arbitrary (random) string of 8 characters. There's no security risk here, because it's only visible to your local PC/network -- not to the outside world.
  4. SBMe
    SBMe Registered Member

    I found this site to be useful in determining what a server can see that you're visiting. Also this and this.

    Most of the time it doesn't matter, or shouldn't in a free country. But with all the PIPA, SOPA, ACTA and probably a 4th acronym coming our way, we should at least be aware of these things. I myself am using TOR right now, trying to figure out how it works. Also looking into VPNs, just from the last 2 nights though, which are generally less secure (LulzSec and HideMyAss).

    I also run I2P.net every 4-9 months just to keep up with how it works, of course without notes there is no way in hell I'd remember anything from these since I use them so infrequently though.

    For instance I have been installing the Vidalia Bundle one and use it with: Tor Button, NoScript, AdBlock Plus, RefControl, HTTPS-Everywhere and HTTPS Finder, TabMixPlus and DownThemAll! (this last one might not be smart though, don't know). I have all my previous NoScript whitelists deleted. I run multiple Firefoxes at the same time (all separate installs, regular Firefoxes and Sandboxie ones all to different folders), so just copy over profiles from time to time. Now going to keep my TOR'd ones separate though. For me to add the website links above, I had to go into NoScript and then I checked in __Embeddings__ the _Apply these restrictions to whitelisted sites too_. I also checked _Forbid WebGL_. Since I hit the Reset button I had to (?) make sure in __Advanced__ _ABE_ setting was OFF and especially the WAN IP was OFF. Maybe I should have had ABE on, but just make sure to leave the WAN IP unchecked, no idea.

    It was weird I also downloaded the Tor Browser Bundle which comes configured with Vidalia, TOR and Firefox preset. However the first two links showed worse results than what I am using right now.
  5. vasa1
    vasa1 Registered Member

    What about the operating system? Doesn't that also assign a unique id #?
  6. noone_particular
    noone_particular Registered Member

    A bit obsolete but ID-Blaster was made for just that reason, although it doesn't cover Firefox.
  7. SBMe
    SBMe Registered Member

    This is what ip-check.info gives for me:

    Signature - 8ab3a24c55ad99f4e3a6e5c03cad9446 (Firefox)
    What you most are talking about, plus the User-Agent one below
    ___
    User-Agent -
    Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0

    So this shows what OS it uses. Notice that Tor Button changes my browser from 10.0.2 to 5.0, I haven't updated my browser to 11 yet, did it on the laptop, but Tor Button should still say it's 5.0. I really have no idea why they chose 5.0, 4.0 was the newest of the changes. I'd say you either have 3.6 or 9 or 10, nothing in the middle. Especially since 9 and 10 have done much better on the memory issues.
    ___
    Other ones of interest:

    Cookies - Your browser does NOT store any cookies (essentially this means; Do NOT Track: HTTP_DNT=1 which is set to TRUE,) Of course you can do it manually and not do the Do Not Track option also, just makes it easier.
    ___
    Authentication - protected
    ___
    Cache (E-Tags) - protected
    ___
    Referer - current domain (Because of RefControl set to Forge for ALL, at least for now on TOR only though, my regular Firefoxes I don't have this and don't plan on it. If I lived in China, Iran.... I would always use it among other things)
    ___
    HTTP session - 10 minutes (until your Tor identity is changed)
    ___
    Now there are problems with this, like my previous post I had to temporarily enable Java for WildersSecurity. In this post after I hit preview, some of the text is set as a link, which is strange, but can be taken off, it's just weird though.

    Of course then I think you should run CCleaner after, with 1 to 3 passes if you really want to be secure, I don't though. To really clear your stuff then you'd need 7+ passes and probably install the CCEnhancer addon to CCleaner (which can screw up your PC if not careful). Then followed by _Drive Wiper_ (took a little bit to find, which I've only used once to see that it works) and do 1-3 passes on FREE Space only on C drive. Of course living in China... and protesting against human rights.... then I'd probably do 7 or the 35 pass one every time I log off. Of course I'd make C drive as small as possible, like 25-35gb for Win7 and install most other programs and move My Documents on another partition or drive as I assume a 7 or 35 might take well over an hour even if you have 10-15gb free, who knows?

    I just read tonight on what Canada is proposing (Bill C-30), that sounds CRAZY. It's one thing for the US NSA to do it, which doesn't bother me too much. It's a bunch of BS using children to pass something like this. I read this article by a politician from Sweden that makes some sense on this stuff (never read his stuff before or heard about him).
    I guess this is why the privacy stuff is starting to matter in developed countries.

    If anyone has some better links for info I'd be interested as I'm just getting interested in this stuff.
    ----------

    (u03-15 209am) Ok I just noticed this long Topic within this WildersSec section: Firefox - Change These For Better Privacy - Security. So far this is looking like a good read, only up to #10 though.
    Last edited: Mar 15, 2012
  8. hidden
    hidden Registered Member

    Firefox unique client ID quote

    Firefox Privacy page; AUTOMATIC update section:

    "This feature also sends Potentially Personal Information to Mozilla in the form of your IP address and a cookie that contains a unique numeric value to distinguish individual Firefox installs."


    As above, who can read this UNIQUE I.D.? Websites, Comcast, spyware, Google safe browsing or other Google, etc.?
  9. TheWindBringeth
    TheWindBringeth Registered Member

    Here is one ongoing bug discussion, directly related to metrics collection which some desire, that includes some info about Firefox unique identifiers:

    https://bugzilla.mozilla.org/show_bug.cgi?id=718066

    It looks worth reading carefully, and probably at least twice, as there are some side-street links and bits of info.

    Edit: FWIW, reading through things at the link above I found myself also visiting the followup discussion at mozilla.dev.planning as well as the Talk:MetricsDataPing page:

    http://groups.google.com/group/mozilla.dev.planning/browse_thread/thread/eaae24bd14c0728c
    https://wiki.mozilla.org/Talk:MetricsDataPing

    These are specific to the Metrics feature ( https://wiki.mozilla.org/MetricsDataPing ) but shed some light on the attitude of some within Mozilla WRT privacy issues. At some point during those travels I found a link to an interesting page which discusses data collection paths:

    https://metrics.etherpad.mozilla.org/ep/pad/view/ro.9e6LG/latest?

    and if someone is interested in what Firefox reports and where the unique identifiers or near equivalents may be, this latter page looks like a potentially useful starting point. It does not, that I can see, include information on what is sent if the Safe Browsing features are enabled.
    Last edited: Mar 19, 2012
  10. hidden
    hidden Registered Member

    Firefox DOES HAVE Unique Id

    Thank you, WindBringeth!

    From your links to Firefox I see that they do assign a unique ID to each browser, there is no way they can assure privacy of the data they collect even if they want, the data they collect could 'fingerprint' uniquely without the unique id, and that there is no consensus for dedication to user privacy within the organization, although there is some 'concern' driven by European law and possible public backlash.

    Their desperate need to understand why clients migrate away from Firefox seems to be the driving force behind all this.

    Firefox, let me save you a lot of surveillance and analytics: After ten years I am leaving Firefox because you think my privacy is less important than your marketing.
  11. TheWindBringeth
    TheWindBringeth Registered Member

    FWIW, I think there may be (at least once existing projects get released) multiple unique ID type issues. Your previous quote mentions one, I've seen something about the safe browsing feature having one, it sounds like this metrics feature is going to be using its own one that changes periodically but still provides the means to correlate data over time and build up metrics profiles. The picture isn't clear to me but I do now (perhaps later than I should!) feel that it is something that must be understood and watched.
  12. shuverisan
    shuverisan Registered Member

    hidden & TheWindBringeth, thanks for clarifying further. I'm gonna get my read on later with this.
  13. caspian
    caspian Registered Member

    Re: Firefox unique client ID quote

    So every browser that you download has a unique ID and Comcast and others can see it? I guess one way around that would be to download a bunch of different portable Firefox browsers, put each one in its own TrueCrypt folder, and assign each one its own identity. But that sure sounds like a lot of trouble. Is there any way to block websites and ISPs from seeing a Firefox ID?
  14. TheWindBringeth
    TheWindBringeth Registered Member

    I suspect all Firefox user or installation specific IDs would be generated during the installation process or thereafter. I doubt such IDs would be embedded in the software you download (although technically speaking such can be done).

    I suspect that these Firefox IDs are only sent when specific Firefox features are communicating with specific entities such as Mozilla and/or Google and I suspect that they will only be sent over secured connections. This most definitely needs to be verified though.

    As for how they are disabled, I think that would depend on which specific feature you are talking about. For example, it sounds as though one would have to entirely disable the MetricsPing in order to prevent it from sending its unique ID(s). When it comes to SafeBrowsing unique IDs, there is this (http://blog.sidstamm.com/2012/02/malware-and-phishing-protection-in.html) which talks about a new type of cookie that will be affected by the third-party cookie setting and there is also this (http://www.morbo.org/2012/02/new-safebrowsing-backend.html) which discusses a user-specific randomization key that seems suspicious. I'm not sure such a thing exists (yet), but it would be extremely helpful if the documentation for each Firefox release included a privacy section that outlined the unique identifiers and spelled out how to avoid them all.

    Unclear to me at this point is whether there is a way for an arbitrary website or add-on to access any of the Firefox unique identifiers via (JavaScript) API.
  15. avboy
    avboy Registered Member

    Re: Firefox unique client ID quote

    If this is indeed the solution, a use and throw approach is better. Every time, download a portable FF, use it and delete it. But again, only if this is indeed the solution. If they are also mapping IPs (if static), this is not of much use. Neither is it useful in the case described in the post above mine, where the unique ID is generated on the machine and not embedded in each download.
  16. notthatguy
    notthatguy Registered Member

    Re: Firefox unique client ID quote

    Has anyone tested the use and throw approach to see if it offers different IDs?

    If I was a betting man I would assume that the ID is generated on the machine and numerous reinstalls would not prevent that problem. I'm really interested to see how this develops, this is a major turning point for Firefox.
  17. shuverisan
    shuverisan Registered Member

    Alright, I finally got a chance to read through all the bug reports and discussions. From what I can tell, what's outlined in those pages isn't actually in use yet. It's still just a (very controversial) proposal.
    Here's the full link.
    http://www.mozilla.org/en-US/legal/privacy/firefox.html

    The Firefox Privacy Policy says that the update ID is in form of a cookie, whereas the metrics ID in the bug reports is client-side javascripting. This is what the receiving server sees,
    https://wiki.mozilla.org/MetricsDataPing#Client-side

    So it seems there are three different points of generation for a Firefox unique ID we're talking about in this thread. There's the update ID which Hidden was first referring to, then the Metrics Data Ping, and then there's the Safebrowsing ID. That sucks. :doubt:
    Last edited: Apr 7, 2012
  18. mirimir
    mirimir Registered Member

    There's a lesson here. We can't be sure that programs aren't calling home with unique IDs, and so we must assume that they are. To be safe, there must be nothing about a particular machine that associates information that we want unassociated. That includes names, IPs, email addresses, websites visited, cookies, cached data, interests, and so on.

    For example, each of my online identities has its own VM(s), and each VM always has the same Internet IP address (because it always uses the same VPN setup). Only one of them (mirimir) visits Wilders. Others have other interests, with no overlap.
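
An added example, not part of any post in this thread: one way to look for the per-install identifiers discussed above is to audit your own Firefox profile's prefs.js for string values that look like UUIDs or random tokens. The sample file contents and the `example.*` preference names are constructed for illustration, and the entropy heuristic is an assumption of this sketch that goes beyond what the thread describes.

```python
import math
import re

# One prefs.js entry looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')
UUID_RE = re.compile(r'^\{?[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$')
TOKEN_RE = re.compile(r'^[A-Za-z0-9+/=_-]+$')

# Constructed sample; the example.* names are hypothetical, not real Firefox prefs.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
user_pref("example.feature.enabled", true);
user_pref("example.update.interval", 86400);
user_pref("example.update.installId", "3f2b8c1e-9a4d-4e7b-b1c6-5d8e2f0a7c93");
user_pref("example.metrics.clientToken", "q7Zk2vX9pLm4Tn8RbW3cYh6J");
'''

def shannon_entropy(s):
    """Bits per character; random tokens score higher than words or repeated text."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())

def find_identifier_prefs(prefs_text, min_len=16, min_entropy=3.5):
    """Return [(pref_name, value, reason)] for string prefs that look like per-install IDs."""
    hits = []
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment, blank line, or anything that is not a user_pref entry
        name, raw = m.group(1), m.group(2).strip()
        if not (raw.startswith('"') and raw.endswith('"')):
            continue  # booleans and integers cannot carry a long identifier
        value = raw[1:-1]
        if UUID_RE.match(value):
            hits.append((name, value, "uuid"))
        elif (len(value) >= min_len and TOKEN_RE.match(value)
              and shannon_entropy(value) >= min_entropy):
            hits.append((name, value, "random-looking token"))
    return hits

if __name__ == "__main__":
    for name, value, reason in find_identifier_prefs(SAMPLE_PREFS):
        print(f"{name}: {reason}: {value}")
```

To check a real profile, pass in the text of that profile's prefs.js. A flagged value is a candidate for review, not proof that it is sent anywhere.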