Firefox addons

Discussion in 'other software & services' started by Rico, Aug 28, 2017.

  1. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Screen size too?? Oh, I need to test it!


    BTW, I'm using "Smart Referer" but grow increasingly suspicious about if I really need it. In Chrome ScriptSafe spoofed the referer for me, (To same domain) but I'm using better addons now in Firefox. (Canvas Blocker) Though, I think none of them does spoof referer.
    List: uBlock Origin, uMatrix, Decentraleyes, HTTPS Everywhere, Cookie AutoDelete, CanvasBlocker, Nano Defender and Smart referer. Handling the user-agent is done by FireFox itself with: privacy.resistFingerprinting = true
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,868
    Nano Defender is not listed on AMO and its not designed to run well with ublock. in fact its a another build of ublock so you have ublock installed twice.
    https://malwaretips.com/threads/nano-adblocker-with-nano-defender.79186/
    so nano is a bad ublock clone and depending on ublock, credits are all at raymond

    HTTPS Everywhere is getting futile as more and more sites are going ssl.

    privacy.resistFingerprinting known to cause issues because it is sending wrong user agent. it is also causing not installing extensions on AMO.

    you really should read more the firefox forums, eg mozillazine. (in german is camp-firefox)

    the best way to protect privacy is this tool - 100 per cent effectiv
    https://cloudfront.zoro.com/product/full/Z-qJ9zicpIx_.JPG

    btw the more you screw on firefox the more you can be identified! one in a million or so. thats also fact.
     
  3. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    (I assume AMO is addons.mozilla.org?)
    I am not using Nano Adblocker. Nano Defender is just; - quote from your link: "An anti-adblock defuser for Nano Adblocker and uBlock Origin"
    It is there to prevent sites not loading or obfuscating the view with messages like: "Ad Blocker Interference Detected: Your ad blocker is interfering with the operation of this site. Please disable it or whitelist this site. Thank you." and, "Warum sehe ich BILD.de nicht?" (Not that I would ever read Bild.de, schlimmster Müll.)

    HTTPS everywhere will hopefully be futile soon. But for now, some HTTPS websites are loading things from resources that are unencrypted, for example. I also have about one or two alerts a day about HTTP sites. Trust me, I WANT to get rid of it.

    "privacy.resistFingerprinting known to cause issues because it is sending wrong user agent." That is the point. It sends the TOR browser fingerprint. (And does many more things only the TOR browser would)
    "it is also causing not installing extensions on AMO." Not that I know. Works fine here. Just installed Chameleon, for example. I also don't have the need to install many more addons.

    "you really should read more the firefox forums, eg mozillazine. (in german is camp-firefox)" Ok, maybe. But, you see, there is much misinformation out there. It's hard to find the right stuff. So I orient myself towards developers, like those who are working on the TOR browser. I need to read more, I know.

    "the best way to protect privacy is this tool - 100 per cent effectiv" This is dumb. It misses the issue.

    "btw the more you screw on firefox the more you can be identified! one in a million or so. thats also fact." You are perfectly identifiable if you don't do something. That means you are logically better off trying to do something against it. I mean, you are mostly right about this: You have to the right things in order be actually LESS unique. But you're wrong if you actually mean doing anything will make you more unique.
     
    Last edited: Nov 3, 2018
  4. guest

    guest Guest

    It is not an uBlockO clone. Nano Adblocker is one.
    Nano Defender != Nano Adblocker
     
  5. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Nano Defender can only protect either Nano Adblocker or uBlock Origin, and will prioritize Nano Adblocker.
     
  6. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    149
    Globally we then have the same addons (except I have nano adblocker instead of uBlock, because
    nano adblocker is better suited to work with nano defender). And I use too CSS Exfill Protection, Don't Touch My Tabs, and, of course, Chameleon.

    Concerning adblockers, an other uBlok fork I think deserves to be noted: Ad Nauseam. Same as uBlock + "obfuscation" functionality (the add on randomly "clicks" on some ads, building for you a random "profile").

    Edit: Setting ResistFingerprinting preference to "true" is one of the Chameleon feature too, but if you use this pref, you don't have to spoof screen size and time zone, because screen size and time are already spoofed by the RFP pref itself.



    RFP is sending the FF 60 ESR UA. So, AMO will at least allow you to install all addons compatible with FF60 ESR. You may not be able to install eg FF 63 specific addons but this remain easily doable: It suffice to download the addon, and then to open it with your browser.

    Concerning the identification thing: Be aware that being unique != being traceable. The idea behind profile spoofing is that, in spoofing your profile say at each browser start, you will be a different person for each browser session. It does not matter that this person is unique each time, since he or she is different each time.
    Moreover, most people -in fact the vast majority of people- are unique on the web, so that not being unique is in itself a singularity (in math sense) that can attract attention.....

    This is the point with sites such as Panopticlick or AmIunique: They let think that being unique is bad, and being not unique is necessary good. But imagine that, trying to not be identifiable, you browse 1000 times on panopticlick to test it and the 1000th time Panopticlick tells you "you are non unique. 1000 users have exactly the same profile than you". Will you find this result entirely satisfying??
     
    Last edited: Nov 3, 2018
  7. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Not quite. It only sets the default screen size the browser starts with to something divisible by 100*100 or 100*200. This was done to have less random sizes of all TOR browsers (also other with enabled RFP), in order to make them all appear mostly identical, because a maximized browser window is quite random. This doesn't actually spoof anything and only works when you don't maximize the window. (Or it doesn't work perfect at all, like in my case, where the vertical size is always one pixel less than it should be: 1000x599 instead of 1000x600, i.e. This is even the case in fullscreen, for some reason.)
    With the feature in Chameleon I can finally spoof my screen size - for JS at least - to common 1080p. So I can have the browser window maximized AND I'll appear to have a fairly common screen size.
    If I would not do that, I'd have some very unique sizes -Even with RFP- like 1360x690 or 1360x670 or whatever, depending on which density setting in the customize-preferences I choose! (As reported by Panopticlick or AmIunique and everything else. And despite having a relatively common monitor resolution of 1366x768. *ugh*) Because the menu bar, search bar and bookmark bar are all subtracted from the vertical size, and the scroll bar thing is subtracted from the width - when maximized or floating. In fullscreen they are hidden.

    The only problem that I actually see with RFP is that CanvasBlocker does no longer randomize off-screen canvas's, i.e., showing the same fingerprint everytime you reload panopticlick or browserleaks: https://github.com/kkapsner/CanvasBlocker/issues/158
    "getClientRects" fingerprinting is still randomized by CanvasBlocker. (on browserleaks.com for example. https://browserleaks.com/rects)

    Oh, it's that. Interesting. I have no problem with it, so I don't care to change.

    Also, since Chameleon, I don't need Smart Referer anymore. :) So I definitively keep it.

    I'm unsure if I should randomize my user-agent with Chameleon. On the one hand it could make me stand out because all other things are stable, and on the other hand it could make the fingerprint the website records entirely useless, hiding me... man... how can anyone know anymore. It's so confusing.
     
  8. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    149
    @_Nikopol: Thank you very much about the explanations concerning RFP and screen size I wasn't aware of.
     
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,868
    panopticlick dont finish here, no result, amiunique tell me 1 of a million, but 42% of chrome users ^^
    people want to track me need a very large database idd, but at the end they could track me very exactly. why? because i log in to google, i log in to microsoft, i log in to xxx. they only need to combine my fingerprint and compare it with my other activities.
    that could be possible, i need to investigate some more here - got it.
    privacy.resistFingerprinting is an import from the tor project and more to come - so it means not only sending a wrong UA.
    people using firefox <60 or <58 were reduced to firefox 52. it sounds logical that now the UA is set down to v60.
    sounds like a bug^^
    ok, thanks got it. hmm, anyway has no gain from my view, ublock IMO owns such feature (unbreak list). ofc i visit pages where i am told to disable adblocker, but those pages are not worth to read - they also offer paid content and the regular articles are shortened to force people paying for it. yellow press.
    when ublock protector was active i had it installed in chrome (not firefox) it changed into nano defender (i guess) and when reading about nano adblocker i uninstalled it.

    concerning window rect (domrect) there is nothing wrong when websites detect my width to switch to a better view (ccs switch). as i mentioned google images do so. but what i can tell you also is that wilders here is also using some kind of "canvas" otherwise i am not able to insert code or quote with the button, nothing happens on click -> domrect (canvas blocker in firefox, canvas defender in chromium dont bothers)

    i think thats a matter of ublock settings
    not sure how to value it. i understood the method but at least its a matter of server security if server passes its css to other server as import
    for me it analyses css code for import from other domains. could have benefit - or not when looking into umatrix here.
    * * css inherit wont allow external css, scanning external css on code like exfil do could slow down web pages, in special when large css styles are used.´surely it has pros and cons. unfortunately it has no log file for such events. or warnings.
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I'm using it, too, as I think that its rationale is valid. In a nutshell, Decentraleyes locally provides javascript resources used on many websites. This has 2 benefits:

    1. It improves your privacy as it cuts the connection to the CDNs delivering those resources (with the result that they can't track you anymore).
    2. It speeds up the websites using those resources as loading them locally is faster than festching them from a CDN.

    Hence, using it in combination with uMatrix or uBlock Origin makes much sense, IMHO.
     
  11. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Chameleon breaks too many websites for me - worse is: even when you whitelist them. And whitelisting websites is not done very user friendly. Sometimes I even have to deactivate the addon to unbreak the website.
    And I am using the recommended settings :(
     
  12. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    149
    It's weird as I have never had such problems. But I don't use all Chameleon features. Only UA spoofing, Disable Authorization, Upgrade Insecure Requests, Pevent ETag Tracking, Disable WebSockets, Screen Size and TimeZone Spoofing, FPI, and WebRTC. In particular I let History, window.name and Clent Rects be managed by CanvasBlocker, which has a far better whitelisting process.

    Or maybe using RFP with Chameleon's UA spoofing and/or script injecting options is messing up?


    Do you mean, AmIUnique tells you that only 1 browser out of 1 million, but 42% of Chrome browsers, have the same fingerprint thant yours??
    If it's the case, it seems that the AmIUnique statistics are heavily biaised, eg maybe because 99,97% of the browsers visiting it are FF, and only 12 Chrome browsers ever having visiting it. In that case, "42%" means that approx. 5 chrome browsers have the same fingerprint than yours (some of them maybe being yourself in previous visits) :)


    That's why I think profile spoofing can help: your fingerprint then is never the same. That's not a panacea of course, because the spoofing process may lead to some inconsistencies, which then can act as fingerprint. And likely, the more far from your true profile is the profile you want to mimic, the bigger are these inconsistencies risks.


    Here some details about using CSS as an attack vector.
    And a test site here.


    Which one do you think?
     
    Last edited: Nov 4, 2018
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I tried it briefly but videos wouldn't load @ YouTube.
     
  14. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    149
    Maybe you should open a ticket on Github's Chameleon page, because it's very strange. I never had any problem on Youtube.
     
  15. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I've done some testing. It is "Spoof Source Referer" that is causing my issue. The wiki says it "Sets the referer to the requested URL.".
    For example, in this case I think it's the Error: "Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided (‘htt ps://static. crunchyroll .com’) does not match the recipient window’s origin (‘htt ps://www. crunchyroll .com’)." that comes up in the console when crunchyroll tries to load the player via ‘htt ps://static. crunchyroll .com/vilos/player.html#’. My assumption is that this site needs the information that comes via the referer in order to provide me with a player that load the correct video. On the other hand, as I spoofed my referer through other means it never was an issue.
    I am still not quite sure why this is the only page whose player isn't working. I think it is done this way as some sort of anti-adblock mechanism. The site is full of them.

    I also found that my user.js was enforcing "network.http.referer.XOriginPolicy" and "network.http.referer.trimmingPolicy", which the chameleon wiki says I shouldn't do. I have them in there because it's the file from ghacks.

    It seems that "Upgrade Insecure Requests" is almost the same as what the addon HTTPS Everywhere does. But the latter will also block insecure requests and provides a whitelist. Advantageous.

    I was trying to watch Parasyte on Crunchyroll, but the player wouldn't show up. As I said above; Deactivating "Spoof Source Referer" helped. Maybe it can help you too?
     
  16. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Sorry, I thought Nano Defender is different from uBO as described below

    https://www.reddit.com/r/uBlockOrigin/comments/9fw7na/ublock_origin_extra_vs_nano_defender/
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I may revisit it again later but I've got other things on my mind for now.
     
  18. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    More problems: "Disable Authorization" breaks Reddit when logged in and trying to read messages. Again, whitelisting does not work. They really need to fix it.
     
  19. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,868
    idd, ND is not uB as some pointed me put.
    but uB extra is NOT for firefox
    currently i miss nothing and anything is fine. i give uBE a test.
     
  20. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,413
    Location:
    U.S.A.
  21. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,413
    Location:
    U.S.A.
    FYI. Adblock Plus Version 3.4.2 Released December 3, 2018.
    https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/versions/?page=1#version-3.4.2
     
  22. guest

    guest Guest

    HTTPS Everywhere 2019.1.7 (January 8, 2019)
     
  23. Hadron

    Hadron Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    2,137
    I can't find the option for the Firefox Add-ons Classic Site.
    Is it gone? :(
     
  24. Bill K

    Bill K Registered Member

    Joined:
    Sep 19, 2018
    Posts:
    70
    Location:
    Naperville IL
  25. Hadron

    Hadron Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    2,137
    Thanks Bill, but I don't see anything about the Firefox Add-ons page layout. There used to be an option to switch to Classic View at the bottom of the page until yesterday.
    As long as you didn't clear your cookies, the view would be remembered by your browser, but today that has all changed.

    This is the Classic View
    CMS-Backend-Opener-Add-ons-for-Firefox.png
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.