+ Reply to Thread
Results 1 to 12 of 12

Thread: Best FF addons and other methods for faking/spoofing and fighting fingerprinting

  1. #1
    Advanced User Renk's Avatar
    Join Date
    17.08.08
    Location
    Elsewhere
    P2P Client
    utorrent
    Posts
    582
    Activity Longevity
    1/20 19/20
    Today Posts
    0/5 ssssss582

    Best FF addons and other methods for faking/spoofing and fighting fingerprinting

    This thread is a complement/companion to the sticky "Detecting leaks and checking for browser fingerprint" above: Once you have seen your browser is leaking so many things, and is so easily fingerprintable, you may want to do something against that.

    Here are some possible methods. I tried to be as reasonably complete as possible relative of my knowledge, but being exhaustive is obviously not possible. Feel free to discuss what I wrote, and to give your own tricks an methods.


    1) General antifingrerprinting and spoofing (of which UserAgent, screen size, Time&Zone, language, media device and fonts spoofing, keyboard fingerprint fighting...):
    Chameleon
    Privacy Possum
    Trace
    (I do prefer Chameleon)


    2) Specific :
    CanvasBloker (Canvas, Audio, ClientRects, window.name protection, screen size...)
    Smart Referer (spoofing/forging referer!)
    Privacy-Oriented Origin Policy "Prevent Firefox from sending Origin headers when they are least likely to be necessary, to protect your privacy". See Ghacks article too.
    Location Guard Hide/fake your geolocation from websites. Either use a spoofed fixed location, or obfuscate your real geolocation with addition of an adjustable random noise. Remember nevertheless that even without any addon or specific configuration, your geolocation is transmitted to a browsed web site only if you explicitly allow it.

    3) Antitracking

    a) General
    Privacy Badger
    DuckDuckGo Privacy Essentials
    Ghostery., But it's complicated: Ghostery was formerly owned by Evidon, a company that collects and provides data to advertising companies... Now owned by Cliqz, itself owned by Mozilla and Hubert Burda Media. Probably best to not opt-in "sharing extension usage" and to opt out "Participing in A/B tests".

    b) Etags "Prevents Firefox from storing entity tags by removing ETag response headers unconditionally and without exceptions" (Chameleon do that too).
    ETag Stoppa

    c) Cookies etc
    See 4)

    c) email
    Trocker

    d) Isolation
    See 5)

    e) URLs sanitization
    See 6)

    f) Google specific
    Google Container "Prevent Google from tracking you around the web. The Google Container extension helps you take control and isolate your web activity from Google". Regularly updated.
    Google Container - with Integrations A fork of the former. "Additional google domains in this plugin include: Youtube, google services / apps, google ad domains, google utility domains, typo domains (probably not used for cookies, but just-in-case), other Alphabet companies, more google developer domains.
    Also an initial list of 3rd party integration apps was added (draw.io, atlassian, etc). Some of these will work without explicitly adding the to the Google Container, but many do not, an a more complete list is convenient, if not prudent". Not updated since 18 months.
    Google search link fix "Prevents Google and Yandex search pages from modifying search result links when you click them. This is useful when copying links but it also helps privacy by preventing the search engines from recording your clicks". The dev is V. Palant. Relatively recently updated.
    Don't track me Google "Removes the annoying link-conversion at Google Search / maps ". Not updated since 2 years, but seem still working.
    Remove Cookie for Google Account Chooser "Automatically to avoid(disable) remain your account information after sign-out". Not updated since 3 years.


    g) Redirections
    See 7)


    4) Addons fighting cookies and all (IndexedDB, LocalStorage, Plugin Data, Service Workers, and browser cache)
    Cookie AutoDelete
    Forget Me Not - Forget cookies & other data
    Site Bleacher


    5) Isolation
    Temporary Containers "Open tabs, websites, and links in automatically managed disposable containers". And as stated here on Arkenfox: : "Achieve almost everything First Party Isolation (FPI) does without breaking cross-domain logins. And (with or without FPI), in a hardened TC setup, this can even isolate repeat visits to the same domain, which FPI alone cannot".
    Container proxy "Allows Firefox user assign different proxies to be used in different containers".
    First Party Isolation (see 4))


    6) URL sanitization
    ClearURLs Efficient and very rarely breacks site.
    Neat URL But ClearURLs is more regularly updated.


    7) Redirections bypassing

    a) General
    Clean Links "Protects your private life (and accelerates some pages loading), by automatically detecting and skipping redirect pages, that track you on your way to the link you really wanted.
    CleanLinks differs from a number of other add-ons that do parameter removal (such as Neat URL), skip redirects (such as Skip Redirect), or both (such as ClearUrls), as it automatically detects embedded URLs in the links of redirect pages".
    Powerful with customizable rules but breaks more pages than ClearURLs and in rare occasions you have to disable the addon in order some page be correctly displayed.
    Skip Redirect "Extract the final url from the intermediary url and goes there straight away if successful".

    b) AMP (Google/Bing) specific
    Amplifier AMP/Canonical switcher It automatically redirects AMP (Accelerated Mobile Page, which are pages served by Google or Bing) to their normal HTML version, and let you the choice to go to the AMP version when/if you want it.
    Redirect AMP to HTML "Automatically redirects AMP pages to the regular web page variant".

    c) Links shorteners skipping
    Universal Bypass Efficiently does what it is supposed to do. Regularly updated. See the FAQ too.


    8) Addons decreasing your browser's entropy by setting up Tor's Uplift (possible replacement by FF about:config preferences):
    Toggle Resist Fingerprinting
    Resist Fingerprinting (see Chameleon too)
    First Party Isolation "Enables the First Party isolation pref.
    Clicking the Fishbowl icon temporarily disables it (see Chameleon too).


    9) Addons decreasing your entropy by blocking scripts and/or some APIs or features
    LibreMatrix (replacement of uMatrix, abandoned)
    uBlock Origin (with "I am an advanced user" ticked in Settings).
    Noscript
    Csp Blockler Block certain web resources types, responses headers, frame resources, and features to improve security, privacy and performance
    ScriptSafe (unfortunately abandoned)
    WebAPI Blocker Not update since 1 year.
    PolicyControl abandoned, but still very usable.
    WebAPI Manager (abandoned)


    10) Local Resource Delivering
    LocalCDN It's a fork of Decentraleyes. But I find it now more complete (more cdn supported) and more often updated than decentraleyes. Moreover, with each update, LocalCdn comes with the necessary rules to be set in your uBlock/uMatrix profile in order LocalCDN can work.
    Decentraleyes. Remains very good for its purpose, although IMO LocalCdn is now a little better.


    11) Headers Modifications
    Header Editor (need to be a bit skilled for correct usage.


    12) Punctual browser data deletion
    Nuke Private Data Optionally delete Cookies, Cache, Download History, Browsing History, IndexedDB, LocalStorage, Plugin Data, Saved Passwords, Saved Forms, Server-bound Certificates, Service Workers.
    ZBeacon Transmitter As a reward for the service you are rendering to others in installing this addon, you get the following punctual data deletion feature: Cache ("with better method than the one used by eFF"), Cookies, Download History, Form data, Browsing history, Indexed DB (storage), Local Storage, Plugin Data, Passwords, Server Bound Certificates, Service Workers, Last opened tab, window.name object


    13) Web browsing and web searches obfuscation
    OpenBubble "Mimics your online browsing behaviour and looks at topics that you may not be interested in to confuse trackers and advertising firms".
    Ad Nauseam Block most ads and randomly click on some of them. See Dev FAQ on Github too. Interesting case study paper here
    TrackMeNot. Same devs than Ad Nauseam. Obfuscates web searches "by issuing randomized queries to common search-engines". Interesting but hated by Google. You will probably end with having to solve captchas every time you really want to really use Google.
    Mystique-FF "produces background traffic while you are normally surfing the web, obscuring your real user profile by opening websites at random". Abandoned, but still working.


    14) Addons fighting some vulnerabilities
    Don't touch my tabs! (Noopener)
    CSS Exfil Protection (Chameleon do that too).
    NoEval - Disable Eval(). See here or here for more explanations. Bur NoEval beaks many sites.


    15) Direct modifications of FF configuration preferences:
    Arkenfox userjs (formerly Ghacks userjs). Very smart and depth, regularly updated (each time a nex FF version is realeased) by skilled & knowledgeable people. Recommended to read the wiki too.
    BetterFox, with subsections FastFox, SecureFox, PeskyFox, SmoothFox. Updated every month/couple of month
    i2pFox But no update since 2 years.
    See too Firefox Hardening, but except Ghack userjs (now Arkenfox), the links here seem outdated.


    16) Appendix: Comparison between browsers concerning privacy:
    Spyware Watchdog Article Catalog (needs probably a little update, eg concerning Brave). Epic Browser not considered.
    RestotrePrivacy/browsers
    vox.com
    Last edited by Renk; 16.12.20 at 10:34.
    Primo Avulso Non Deficit Alter
    Reply With QuoteReply With Quote
    Thanks

  2. Who Said Thanks:

    Instab (23.12.20) , sigduwksnsksis9283 (16.12.20) , H265 (16.12.20) , JohnareyouOK (16.12.20) , Novo sød (16.12.20) , anon (16.12.20)

  3. #2
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    Great list, as usual. I'll have a look at all of these too, but personally, I have given up on privacy addons. You need to install a lot of them, making your browser slow, and the protection provided sometimes isn't complete and/or requires a tradeoff in functionality; disabling document fonts to prevent font tracking was always too much for me.

    Nowadays, I use Tor Browser for all but a small selection of "safe" sites. As long as you don't make important configuration changes, the fingerprint is the same as that of everyone else running it, making it useless for distinguishing individual people. It can also be used without Tor.

    A good hosts file can make an adequate replacement for most anti-trackers, as long as you're using the system resolver.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  4. #3
    Advanced User Renk's Avatar
    Join Date
    17.08.08
    Location
    Elsewhere
    P2P Client
    utorrent
    Posts
    582
    Activity Longevity
    1/20 19/20
    Today Posts
    0/5 ssssss582
    Quote Originally Posted by anon View Post
    Personally, I have given up on privacy addons. You need to install a lot of them, making your browser slow, and the protection provided sometimes isn't complete and/or requires a tradeoff in functionality; disabling document fonts to prevent font tracking was always too much for me
    That's fair enough, but for what I remember, something like uBlockO has a negative footprint. FF mechanisms such as Containers and First Party Isolation improve privacy a lot without impairing browsing speed. And recent and well coded addons such as Chameleon don't make the browser as slow as it was previously, with former addons. Finally, for fonts tracking prevention, you no more have to take so extremes measure as document fonts disabling (although this method remains the most secure one, at the price of uglifying many web pages a fair bit).

    Nowadays, I use Tor Browser for all but a small selection of "safe" sites. As long as you don't make important configuration changes, the fingerprint is the same as that of everyone else running it, making it useless for distinguishing individual people. It can also be used without Tor.
    Using TorBrowser is probably one of the best method (if not the best) for fighting fingerprint and tracking (particularly in conjunction with Tails or Whonix). The fingerprint fighting principle consisting as you noticed to make that every TorBrowser user have essentially the same fingerprint (browser's entropy decreasing method). This works fairly well because at each time there are 1 or 2 millions of TorBrowser users. No addon has a so wide userbase, and so no addon can so efficiently fight fingerprint in using the same principle.

    BUT what I just said concerning TB and it's fingerprint fighting capabilities concerned its usage along with Tor. At each time there are far fewer of TB users not using it with Tor. So when using TB without Tor, your browser's characteristics become exceptional & exotic. You even may be the sole person browsing your favorite sites and displaying the TB fingerprint without connecting via a Tor exit node IP, so making it possible to correlate your actions on the web and track you.
    Last edited by Renk; 16.12.20 at 10:31.
    Primo Avulso Non Deficit Alter
    Reply With QuoteReply With Quote
    Thanks

  5. #4
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    Quote Originally Posted by Renk View Post
    something like uBlockO has a negative footprint. FF mechanisms such as Containers and First Party Isolation improve privacy a lot without impairing browsing speed. And recent and well coded addons such as Chameleon don't make the browser as slow as it was previously, with former addons.
    I have already put containers, FPI and everything else that can be set up at about:config to good use. I'll try the others and possibly reevaluate my stance if they seem good enough.

    https://blog.torproject.org/life-without-ca is also worth looking at. I took a more moderate approach that only allows the 34 most important root CAs and it's worked very well so far.

    At each time there are far fewer of TB users not using it with Tor. So when using TB without Tor, your browser's characteristics become exceptional & exotic. You even may be the sole person browsing your favorite sites and displaying the TB fingerprint without connecting via a Tor exit node IP
    True, although it's considerably better than doing nothing, and requires less work than an active, addon-based effort.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  6. #5
    Quote Originally Posted by anon View Post
    but personally, I have given up on privacy addons. You need to install a lot of them, making your browser slow, and the protection provided sometimes isn't complete and/or requires a tradeoff in functionality; disabling document fonts to prevent font tracking was always too much for me.
    same opinion here but i won't say no to few needed stuff like universal bypass and ublock and such as their pure essential rather then being for privacy.
    Quote Originally Posted by anon View Post
    A good hosts file can make an adequate replacement for most anti-trackers, as long as you're using the system resolver.
    suggest some. i am aware of few adblocking/other family friendly making hosts rather then anti tracker ones
    Reply With QuoteReply With Quote
    Thanks

  7. #6
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    Quote Originally Posted by sigduwksnsksis9283 View Post
    suggest some. i am aware of few adblocking/other family friendly making hosts rather then anti tracker ones
    I use one of my own making, but it's too harsh for normal people. https://winhelp2002.mvps.org/hosts.htm is the most popular one and they seem to do a good job.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  8. #7
    JohnareyouOK's Avatar
    Join Date
    31.01.19
    Location
    Earth
    P2P Client
    BiglyBT
    Posts
    254
    Activity Longevity
    0/20 7/20
    Today Posts
    0/5 ssssss254
    Pardon me for asking before testing all these extensions one by one: through this test I learn my video card name, memory size, battery level, number of installed fonts all can be read. is there any extension can spoof these info? I've tried Trace, no work.

    Also it even detects successfully which accounts I'm now logged in to ("Accounts Logged In" part, from a list of supported sites), how does it do this? Is it possible for tracker to detect we are logged in to sb using similar ways someday?

    Edit: Although the login detection is pretty inaccurate, it didn't detect my login status on Pinterest, Github, Twitter. Is it done by using OAuth or what?
    Last edited by JohnareyouOK; 22.12.20 at 17:25.
    Reply With QuoteReply With Quote
    Thanks

  9. #8
    Code:
    Accounts Logged In:
    - Spotify
    this is really a guess on those tracking cookies i suppose as im logged in beyond just spotify. so i would suggest you to keep trackers at a different browser like chrome/brave and use ff as your primary browser. then you should be safe even at a case of a leak. am interested on the spoofing part as well but i don't see a case why a private piracy site would bother making databse of our device specs.
    Last edited by sigduwksnsksis9283; 22.12.20 at 17:52.
    Reply With QuoteReply With Quote
    Thanks

  10. #9
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    Quote Originally Posted by JohnareyouOK View Post
    Pardon me for asking before testing all these extensions one by one: through this test I learn my video card name, memory size, battery level, number of installed fonts all can be read. is there any extension can spoof these info? I've tried Trace, no work.
    Video adapter name is detectable via WebGL, RAM amount can be read from the navigator JavaScript object, battery level is exposed by the Battery API. The list of installed fonts cannot be obtained directly, but deduced with a combination of element probing and WebFonts. However, this method does not scale well and cannot detect every font in existence (it also means that low-popularity ones like Forced Square, Joystix and As I Lay Dying are ironically safer to have installed as they're very unlikely to be probed for).

    All of this information can be blocked through certain about:config parameters, or changed to predefined safe values by enabling privacy.resistFingerprinting. I don't know if these addons allow further customization, but I wouldn't recommend it in any case. You want to blend in, not stand out.

    Also it even detects successfully which accounts I'm now logged in to ("Accounts Logged In" part, from a list of supported sites), how does it do this? Is it possible for tracker to detect we are logged in to sb using similar ways someday?

    Edit: Although the login detection is pretty inaccurate, it didn't detect my login status on Pinterest, Github, Twitter. Is it done by using OAuth or what?
    The usual method involves invisibly loading resources from the target and then using JavaScript events, CSS probing or simple time measuring to see if the result is what you'd expect from a logged-in user. In principle, it can work with any site, but disabling third-party cookies or enabling first-party isolation directly affect its effectiveness. https://browserleaks.com/social has another test of this kind, if you want to compare results.

    Quote Originally Posted by sigduwksnsksis9283 View Post
    am interested on the spoofing part as well but i don't see a case why a private piracy site would bother making databse of our device specs.
    Have you not seen the 32pag.es hack screenshots? These people would collect and store DNA samples if they could. All for the sake of keeping "bad" users out, NSA-style.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  11. #10
    Quote Originally Posted by anon View Post
    Have you not seen the 32pag.es hack screenshots?
    Probably no.
    Quote Originally Posted by anon View Post
    These people would collect and store DNA samples if they could. All for the sake of keeping "bad" users out, NSA-style.
    how much of their database got leaked? i have seen few screenshots here and there but not much of a direct info.
    Reply With QuoteReply With Quote
    Thanks

  12. #11
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    It wasn't exactly a leak; a developer account's password was compromised, and while he used two-factor authentication, the 2FA code was broken and accepted any code The original upload is still up.

    https://ibb.co/album/nqOLFa
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  13. Who Said Thanks:

    sigduwksnsksis9283 (23.12.20)

  14. #12
    Advanced User Renk's Avatar
    Join Date
    17.08.08
    Location
    Elsewhere
    P2P Client
    utorrent
    Posts
    582
    Activity Longevity
    1/20 19/20
    Today Posts
    0/5 ssssss582
    Quote Originally Posted by JohnareyouOK View Post
    Pardon me for asking before testing all these extensions one by one: through this test I learn my video card name, memory size, battery level, number of installed fonts all can be read. is there any extension can spoof these info? I've tried Trace, no work.

    Also it even detects successfully which accounts I'm now logged in to ("Accounts Logged In" part, from a list of supported sites), how does it do this? Is it possible for tracker to detect we are logged in to sb using similar ways someday?

    Edit: Although the login detection is pretty inaccurate, it didn't detect my login status on Pinterest, Github, Twitter. Is it done by using OAuth or what?
    A good start could be to try Chameleon with diverse settings, along maybe with CanvasBlocker (more fine grained concerning some spoofing aspects)
    Primo Avulso Non Deficit Alter
    Reply With QuoteReply With Quote
    Thanks

+ Reply to Thread

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •