I have read that use of various browser extensions can make it easier for trackers to identify your browser through browser fingerprinting. Is there evidence, or has there been reporting, that the relative uniqueness of the browser can be altered by installed extensions that are disabled, not just extensions that are active?
@sabazi Here are some papers about fingerprinting extensions:

https://singularity.be/public/papers/extensions.extended.pdf
https://www.securitee.org/files/xhound-oakland17.pdf
https://arxiv.org/pdf/1808.07359.pdf
https://www.cyberphilosopher.org/wp-content/uploads/2019/05/extensionbloat_www2019.pdf

Clearly, behavioral fingerprinting is only applicable to enabled extensions. I believe a non-behavioral technique using web accessible resources won't work if the extension is turned off. When I tried to access them, on Firefox the loading never ends, while on Brave it's simply blocked; both were the same as if the extension didn't exist. BTW a few quotes from the papers:
@142395, thanks for taking the time to dig up those papers. I have generally assumed that fingerprinting requires an extension to be active for it to be detectable. However, I just wasn't entirely sure that there might not be some non-behavioral technique that webpages can use for detecting disabled extensions.

So, for example, do any browsers that are set to automatically update extensions check for the availability of updated versions for all installed extensions, whether active or disabled; and if they do, is there any way for a webpage to eavesdrop on that process, or is the process privileged and hidden from webpages? (This probably wouldn't be a particularly useful technique, in any case, as the extension-updating checks probably occur when the browser is started and before webpages are loaded. I just raise it as a hypothetical to suggest how I am thinking about this.)

From the discussions in the papers, it does seem that only non-disabled extensions can be detected--so far, anyway. But if extensions have to be active to be included in fingerprinting, which seems to be what the 4th paper implies from their testing, that has led me to wonder whether turning extensions on and off might also be a way to partly mask the user's identity with respect to cruder fingerprinting attacks that include the extensions set. The investigators suggest something similar in the 2nd paper, although approaching the issue from a different angle:
I'm not an extension dev nor an IT engineer, so I'm not sure if such eavesdropping is possible. All I know is that these updates are done in what uBO calls behind-the-scene, and the Important notes there seem to suggest that now even uBO can't see them, except for uBO's own ones. If even an extension w/ permission for all URLs can't see them, there'll be no reason websites can.

That will work, but it is too much trouble, at least for me.