is there one single add-on for firefox that can block/alter browser fingerprint?

Discussion in 'privacy technology' started by imdb, Dec 11, 2014.

  1. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    for instance, an add-on that'll bock/alter the info shown about visitor on the following website:
    http://www.whatsmyip.org/more-info-about-you/
    an add-on for preventing visited sites from collecting/seeing visitor's browser fingerprint and os info?
    tia
     
  2. badsector

    badsector Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    51
  3. 142395

    142395 Guest

  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There's no single extension that covers all fingerprinting methods. Browser headers, javascript, and plug-ins can all be tapped for identifiable information. The risk with altering them is creating a system that reports conflicting information. Example. Your browser headers report Linux with the current Firefox browser. Javascript inquiry reports Win 7 and Internet Explorer. The conflicting data is very unique and trackable.

    One more thing. Don't look at this from the perspective of blocking fingerprints. A complete lack of a fingerprint is in itself a fingerprint. This is not a simple subject with an easy answer. It needs to start with the question "who are you trying to fool, and why?" How you answer that determines what you need to do.
     
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Interesting to note that whatsmyip site shows some routers forward your local/internal ip address I have found public wifi routers do that a lot.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    This is one of the reasons that I so strongly advise you consider using TBB (Tor Browser Bundle), which is FF on steroids! If you don't want to run TOR you can still use TBB with the tor launcher toggled OFF. Fingerprinting control beyond what you are likely to accomplish yourself. There is NO speed loss by running this browser (TBB) with TOR off as compared to a straight out FF instance.

    As a small bonus this setup would leave you appearing to be a "generic" TOR user. Applied properly you are in effect "lost in the crowd", and isn't that the idea? So you have two profiles both generic:

    1. Normal TBB user

    2. TBB user with TOR not launched

    These profiles would leave you in a large crowd and thats a good thing!
     
  7. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    More generally, a fingerprinting risk exists for users of any extension that modifies the behavior
    of the web browser on a web page or the content of the web page itself.

    https://www.requestpolicy.com/detecting.html
     
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Agreed. I believe strongly in using a generic browser with adequate settings for that very reason. I am either #1 or #2 as posted above. 95% of the time its straight TBB. Trying to avoid being extremely unique.
     
  9. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    thanks to all who contributed. some very useful info here. would be great to hear more on this from you guys.
     
  10. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I agree. Secret Agent is very good at what it does. One word of caution, however. . . these types of apps can really mess up your ability to access some sites that you might regularly visit and use (like online banking, etc.).
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Rather than using one machine/browser, and trying to make it "anonymous" (generic, like all others, random or whatever) it's better to compartmentalize. I don't care, for example, that this browser is associated with my mirimir persona. I never use it, or the VM that it's in, for anything except mirimir. All of my other personas have their own VMs. And if I want to be "anonymous", I just import a fresh Whonix instance, and delete it when I'm done.
     
  12. 142395

    142395 Guest

    Well, not a matter in my case as SA has whitelist.

    I agree some members here, the best way is use ephemeral OSes or VMs, and use many personas.
    Except that, there's no perfect way to circumvent fingerprinting.

    Actually I don't care it much, one reason is I'm almost random internet surfer. My profile in this week and next week will be much different, except a few sites like Wilders, though those few sites might track me.
    I use SA along with other privacy addons in firefox, at least it will disrupt primitive form of fingerprinting as well as other some config changes.
    Whether rondomizing/removing is better or generalizing will need another thorough discussion, maybe already done in this forum, but for those who use many security programs/addons it will be hard to hide your browser in general look.
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    To amplify what @mirimir, yuki and others have said about the virtues of being vanilla and in the crowd, there's a lot to be said for running a standard browser with few/no add-ons in a VM or sandbox and wiping on exit. For instance, I run a Mint VM in this way, and there would not be a lot of point in fingerprinting it.

    Using the TBB probably makes you an automatic suspect in this crazy old world.

    Another form of fingerprinting I've thought about is the pattern of websites you open when you have a load of persistent tabs in your browser. Although this isn't (supposedly) visible to the websites, it certainly would be to the spooks, and correlation would be simple. Avoiding fingerprinting is extremely hard (there are also exposures in things like measuring the way an individual types for example).

    My feeling is that proper anonymity is going to withdraw from low-latency and smart-terminal type of interfaces, it's too hard (I view the browser as an up-market form of a dumb terminal to a mainframe, but still with the issues of control being ceded to the centre) - and instead, go to semi-structured (maybe XML) medium latency message-passing which will run through many nodes and be unpacked on the endpoints. Funnily enough, that's what I've always wanted from my computers - to be doing work while I get on with living, not slaved to a GUI, however attractive that is.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From The Cookies You Can't Crumble:
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Each persona (obviously) has a different IP address. Some meta personas may share, however, just to add some craziness to the mix ;)
    Each persona has its own browsing pattern.
    Each persona reads different sorts of things.
     
  16. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    I'm surprised no one's mentioned Privacy Badger...

    "Privacy Badger was born out of our desire to be able to recommend a single extension that would automatically analyze and block any tracker or ad that violated the principle of user consent..."

    https://www.eff.org/privacybadger
     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Depending on what you're doing, there is a "real" you there which may betray itself, sometimes unconsciously. For instance, in the way you type; in the patterns of pronouns you use, coupled with favorite or unusual words. The time of day you're active. The things you know and express. Etc.

    It's hard, and that's why I think a more offline, longer latency mode would be more effective - a message-passing/api/feed based one which can be mediated by software. The problem is that services you may want information from, and some you want to contribute to, demand browsing because they want your eyeballs to be advertised at. And once they've got your eyeballs...
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm using a slightly different approach to fingerprinting and anonymity. Instead of using extensions, I have Proxomitron set up to change my user agent, headers, etc to match those of the Tor Browser, regardless of what browser I'm using. This PC has also been running a Tor exit node for about a year and a half. My traffic blends right into the rest of the Tor Browsers that use it. When I'm not browsing through Tor, my traffic serves as background noise for the Tor traffic. When I do use Tor, mine's just another connection to another relay. The only way to separate my traffic would be to compare the inbound and outbound traffic on my IP. That's beyond the abilities of the commercial trackers, Google, etc. The NSA could do that, as could my ISP. If they want to waste resources on my traffic to find nothing of value, so be it. Nothing that I do requires maintaining separate identities. My real life, including finances stays off the web. As for drawing attention from using TBB, for me that's not a concern. I crossed that bridge a long time ago.
     
  19. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    In my case this would be my total "downfall" if I was of major interest to some 3 letter agency.

    I share the notion of many here on incredible compartmentalization. Separate VM's, unique persona(s) within them, etc.... Even using different circuits that are always revolving via TOR nodes at the end of the chain. Its become a hobby of sorts. LOL!!

    I have a few sites where my persona is anything but smart, although that is not too much of a stretch! I try to avoid 10,000 post persona's (my choice) so I start over after a few thousand.
     
    Last edited: Dec 15, 2014
  20. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    FWIW, different browsers (and browser versions) emit request headers in differing order.
    IOW, if you spoof the user-agent: header value...
    a site interested in fingerprinting you very well may be able to determine "aha, it's a winXP ff24 user, trying to look like an Ubuntu ff31 user"

    Few, if any, among the spoofing addons consider this detail.
     
  21. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Here's a strange "why" for ya:

    About a month ago, github began kicking me in the head (we don't serve your kind here. Go update yer browser ya lamer).
    When I spoofed a newer version browser and reloaded the github page (and continued surfing extensively across various project pages)
    everything worked flawlessly... so, it's an example of being manhandled and herded into upgrading for no damn good reason (no reason of benefit to me).
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You can bet that this is either by design or coerced. It's a perfect example of how a minor design change can be introduced which will make a user trackable.
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Somewhat related: p0f v3.

    See section 4 for a test of your connection.
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's an excellent example of the point I wanted to make. That kind of spoof won't fool the NSA but it will work well in situations like you describe. I'm doing much the same thing, partly for the same reason. Websites see my system as XP running FireFox, more specifically, the Tor Browser, none of which is accurate. If I didn't spoof the user agent, I'd have to deal with a lot more broken pages. Pretty soon, I'll have to update my faked user agent.
     
  25. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    The noose is tightening.
    "Some parts of this page failed to load. Please enable javascript and/or disable your adblocker..."

    The noose is tightening.
    "502 Bad Gateway"
    ^-- that is appearing increasingly frequently, across various sites, if you attempt to connect via anonymous proxy.
    "Elite" proxy (or not) has nothing to do with it. Sites are utilizing the blacklists of blocked.com etc
    (i suspect openDNS of selling categorized lists) to block "undesirable" visitors, based on IP/netrange of the requestor.
    It's reached the point where cURL scripted & proxied requests routed through my hosted webserver are often being 502ed
    ~~ because IP range of the requestor reflects a server farm rather than an ISP -issued last mile customer IP.

    Same holds for users connecting via TOR or subscribed VPN.
    Tor exit nodes are being throroughly mapped, and blacklisted, realtime. Similarly, IP blocks leased to VPN providers are being blacklisted (are tracked to the extent that they quickly added to subscribable blacklist) by a growing number of sites.

    yes, I agree. I do suspect it's by design

    WTH would header line ordering (need to) change for same browser, across minor versions?
    No sense asking/demanding -- the plausible deniability canned response would be
    "ah, we're continually testing, toward further optimizing the user experience".

    Further, via extensions, we can't even force reordering.
    Hmm, said differently: an extension author cannot code anything which effectively alters the ordering.
    Look to the code within "ModifyHeaders" extension to see what I'm talking about ~~ it's a crapshoot, the hardcoded browser behavior is gonna do it's own thing, regarding ordering, and when we want to inject a changed value, need to pay attention to the possibility that we could wind up with a "merged" comma-delimited string value if we don't first strip any natively inserted value.
     
    Last edited: Dec 14, 2014
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.