lpapez 3 days ago [-]
Very cool research and wonderfully written.
I was expecting an ad for their product somewhere towards the end, but it wasn't there!
I do wonder though: why would this company report this vulnerability to Mozilla if their product is fingerprinting?
Isn't it better for the business (albeit unethical) to keep the vulnerability private, to differentiate from the competitors? For example, I don't see many threat actors burning their zero days through responsible disclosure!
valve1 3 days ago [-]
We don't use vulnerabilities in our products.
mtlynch 3 days ago [-]
I don't understand what you mean. What separates this from other fingerprinting techniques your company monetizes?
No software wants to be fingerprinted. If it did, it would offer an API with a stable identifier. All fingerprinting is exploiting unintended behavior of the target software or hardware.
giancarlostoro 3 days ago [-]
It makes sense to me, they're likely not trying to actually fingerprint Tor users. Those users will likely ignore ads, have JS disabled, etc. the real audience is people on the web using normal tooling.
Gigachad 3 days ago [-]
They can just flag all Tor users as high risk. They don't strictly need to fingerprint them when it's generally fine for websites to just block signups for Tor users or require further identification via phone number or something.
You want fingerprinting to identify low risk users to skip the inconvenient security checks.
baobabKoodaa 3 days ago [-]
Uhh okay, so they do exploit vulnerabilities, they just try to target victims who can be served ads? What a weird distinction.
zamadatix 3 days ago [-]
Most users seem to not care about ad tech/tracking as much as technical users. Even further, most seem to want to enable more tracking to [protect the children or whatever the reason is] pretty regularly (at least in opinion polls about various legislation). Tor users are not at all like that + could be harmed in a very different way... so I think it's fair to frame them differently even if I'd personally say people should be wanting to treat both as similar offenses because neither should be seen as okay in my eyes.
godelski 3 days ago [-]
> Most users seem to not care about ad tech/tracking
I don't think this is true.
Most people don't understand that they're being tracked. The ones that do generally don't understand to what extent.
You tend to get one of two responses: surprise or apathy. When people say "what are you going to do?" they don't mean "I don't care", they mean "I feel powerless to do anything about it, so I'll convince myself to not care or think about it". Honestly, the interpretation is fairly similar for when people say "but my data isn't useful" or "so what, they sell me ads (I use an ad blocker)". Those responses are mental defenses to reduce cognitive overload.
If you don't buy my belief then reframe the question to make things more apparent. Instead of asking people how they feel about Google or Meta tracking them, ask how they feel about the government or some random person. "Would you be okay if I hired a PI to follow you around all day? They'll record who you talk to, when, how long, where you go, what you do, what you say, when you sleep, and everything down to what you ate for breakfast." The number of people that are going to be okay with that will plummet as soon as you change it from "Meta" to "some guy named Mark". You'll still get nervous jokes of "you're wasting money, I'm boring" but you think they wouldn't get upset if you actually hired a PI to do that?
The problem is people don't actually understand what's being recorded and what can be done with that information. If they did they'd be outraged because we're well beyond what 1984 proposed. In 1984 the government wasn't always watching. The premise was more about a country wide Panopticon. The government could be watching at any time. We're well past that. Not only can the government and corporations do that but they can look up historical records and some data is always being recorded.
So the reason I don't buy the argument is because 1984 is so well known. If people didn't care, no one would know about that book. The problem is people still think we're headed towards 1984 and don't realize we're 20 years into that world.
zamadatix 3 days ago [-]
> If you don't buy my belief then reframe the question to make things more apparent. Instead asking people how they feel about Google or Meta tracking them, ask how they feel about the government or some random person.
This is exactly what I was saying - if you look at the polls, people actually tend to support things like the UK's Online Safety Act. Explaining it more does not usually result in a change of that. The difference with a PI is you're asking about them individually instead of everyone - of course they trust themselves, they just want everyone surveilled for that same feeling of confidence.
theamk 1 days ago [-]
> As soon as you change it from "Meta" to "some guy named Mark".
There is a huge difference between those.
If someone hires a PI to follow me, they are spending like $10000/week on that. Which means that their expected value is more than that, or that PI will never pay for itself. Where will this value come from? Likely from me, after all it's me they are tracking. So I am really worried, as I am about to lose a huge amount of money (or something else valuable).
On the other hand, if a store installs a whole bunch of cameras so I am tracked anytime I am in there, then it probably costs them only a few cents to track me. So I really don't care much about losing anything valuable.
godelski 14 hours ago [-]
> they are spending like $10000/week on that.
Maybe. A quick Google suggests it's cheaper[0]
> Which means that their expected value is more than that
But this definitely doesn't follow. Your assumption about "value" is misplaced here. You're strictly thinking monetary value. But if we want to think about monetary value, well Google currently has a market cap of 4.1T, Meta is 1.7T, and even companies like OpenAI are aiming for a 1T IPO. Companies which depend on exactly that data. If you ask me, that data is pretty fucking valuable. Trillions of dollars worth, to be precise...
> ... if a store installs a whole bunch of cameras ... then it probably costs them only a few cents to track me.
Which is a great counterpoint to the argument you were making.
The camera not only works for you, but also everybody else in the store. The cost savings are through scale. So consider the situation where "Mark" is hired to not only follow you but a lot of other people. More specifically, people who interact with one another. That data can be collected in parallel, dramatically cheapening the cost per person being tailed.
--------
But your point is off-base regardless. The point of my comment was about the data being collected. A physical person being the data collector doesn't scale very well and if we're being honest "Mark" doesn't collect nearly as much as the digital tracking systems.
The point is that it is awareness of being tracked. The average person isn't aware that they're being tracked nor aware of what is being tracked.
Let's put it this way. If I hire some guy named "Mark" to follow you and you never find out he was following you, then you'll never be upset. But suppose I later tell you. Do you then become upset?
Most people will say "yes". So the issue wasn't "how much money" it cost. Nor was it actually "I was aware I was being followed". The issue is that you were /being followed/.
Not knowing you were being followed doesn't suddenly make it okay. But realistically that's the situation we're in. People do not know they are being followed. People that do know they're being followed don't know how much is being recorded. People that do know feel powerless to take steps against it. People that feel powerless just try to move on with their lives and not think about it because it is better to think about things you can change instead of getting depressed.
> If you don't buy my belief then reframe the question to make things more apparent. Instead asking people how they feel about Google or Meta tracking them, ask how they feel about the government or some random person. "Would you be okay if I hired a PI to follow you around all day? They'll record who you talk to, when, how long, where you go, what you do, what you say, when you sleep, and everything down to what you ate for breakfast."
Yes and no, because people still will think that when it's done at scale it's different from some stalker following YOU explicitly, and not just following everybody. Also, the mental model is "they just want to sell me something, but I can just ignore and don't buy if I'm not really interested". And especially going down this second rabbit-hole opens a whole world about consumerism that not many people are comfortable with.
At the same time there are people that are totally against consumerism that should be more informed and care more about tracking and privacy; with those people it's probably easier to have that conversation.
nickburns 2 days ago [-]
Some good counterpoints. But you're suggesting more people would be okay with the 'PI following them' hypothetical than GP suggests—simply with the knowledge that others are subject to the same degree of surveillance?
I'm not so sure that counterpoint in particular holds. I think to say the "number of people that are going to be okay with that will [still] plummet" is an understatement. I'd go so far as to say no one, at least no rational person, would be okay with a "record [of] who you talk to, when, how long, where you go, what you do, what you say, when you sleep", etc., just because of the scale.
darkwater 2 days ago [-]
Let me focus it from a slightly different side: my belief - from observing the world around me - is that physical privacy violation is perceived differently from a software one because of the side-effects: you gaze out of your window and see the same car with some guy in it parked there, you see the same car following you when you are going to the mall etc. There is some similar side-effect with online tracking, which is the typical "ad in my Instagram feed for something I searched for last week in Google", and there are people that are "scared" by this. But since it's just about buying things, well hey I might actually tap on that Instagram ad!
I see some success by telling people "what if it was our government doing the same thing to us, even by extorting private companies? what if that same government, or the next one, just hates you for whatever reason?"
nickburns 2 days ago [-]
I take your point about the 'abstract' nature of online privacy. But another angle might be suggesting to those that are ambivalent on the issue that the pervasive (and for all intents and purposes, permanent) recordkeeping nature of 'software surveillance' should be much scarier than some guy sitting outside. I mean, at the very least, even with some guy sitting outside, you'd still have privacy inside.
But again, I hear you. Most people unfortunately have come to view the issue as being just about targeted advertising (which some go so far as to espouse as a good thing).
idiotsecant 3 days ago [-]
This is a lot of text to say that people don't recognize digital tracking as a threat, even when it is explained to them. Which is basically exactly what parent post you replied to said.
People don't care. This is demonstrably true.
wholinator2 2 days ago [-]
My read of the comment is that it's almost never actually fully explained to them. And that they would almost certainly care if they actually understood what was happening. That's my experience. Once you explain that it's more information than a private investigator tailing you all day, or stealing your phone, could gather, people usually wise up to the fact that they actually don't like it.
pmontra 3 days ago [-]
In my experience those users express a mix of surprise and irritation when they get ads about something they did minutes or hours before, but they accept that's the way things are.
I joke that I'm a no-app person, because I install very few apps and I use anti-tracking tech on my phone that's even hard to explain or recommend to non-technical friends. I use Firefox with uMatrix and uBlock Origin and Blockada. uMatrix is effective but breaks so many sites unless one invests time in playing with the matrix. Blockada breaks many important apps (banking) unless one understands whitelisting.
autoexec 2 days ago [-]
> Most users seem to not care about ad tech/tracking as much as technical users.
Part of the problem is the misconception that the data being collected is only being used to determine which ads to show them. Companies love to frame it that way because ultimately people don't actually care that much about which ads they get shown. The more people get educated on the real world/offline uses of the data they're handing over the more they'll start to care about the tracking being done.
nickburns 2 days ago [-]
This is definitely a point that should be emphasized more in this discussion. Even still, where it ultimately falls flat (currently) is the lack of hard proof to show people that it's truly happening.
Also, the degree to which some are more comfortable with the personal privacy/'feeling of personal safety' tradeoff notwithstanding, the examples that do get media traction are predictably extremes that the average person doesn't feel applies to them.
tardedmeme 2 days ago [-]
Ad tracking data has been used to target ICE raids.
adastra22 3 days ago [-]
Painting fingerprinting as a vulnerability exploit is your own very biased and very out-of-norm framing.
SiempreViernes 3 days ago [-]
Instead of trying to convince-by-assertion, maybe you could try offering an actual objection to the argument raised up-thread?
On what basis do you claim that software developers, who did not establish a means for third parties to get a stable identifier, nevertheless intended that fingerprinting techniques should work?
fc417fc802 3 days ago [-]
> Instead of trying convince-by-assertion
TBF the idea that any and all fingerprinting falls under the umbrella of exploiting a vulnerability was also presented as an assertion. At least personally I think it's a rather absurd notion.
Certainly you can exploit what I would consider a vulnerability to obtain information useful for fingerprinting. But you can also assemble readily available information and I don't think that doing so is an exploit though in most cases it probably qualifies as an unfortunate oversight on the part of the software developer.
SiempreViernes 2 days ago [-]
For the reader's convenience I restated the argument also in my post, but if you look you can see it was also stated much earlier in the thread.
UqWBcuFx6NV4r 2 days ago [-]
You haven’t made an actual argument. You’ve made a repeated assertion that you feel so religiously about that you simultaneously can’t justify it and get very abrasive when someone asks you to back it up.
SiempreViernes 2 days ago [-]
Oh wow, do you really only write negative comments on others' discussions? I defer to your much greater experience on being abrasive.
strbean 3 days ago [-]
There's a pretty big difference between:
1) wanting functionality that isn't provided and working around that
and
2) restoring such functionality in the face of countermeasures
The absence of functionality isn't a clear signal of intent, while countermeasures against said functionality are.
And then there is the distinction between the intent of the software publisher and the intent of the user. There is a big ethical difference between "Mozilla doesn't want advertisers tracking their users" and "those users don't want to be tracked". If these guys want to draw the line at "if there is a signal from the user that they want privacy, we won't track them", I think that's reasonable.
maltelau 3 days ago [-]
The presence of the "Do Not Track" header was a pretty clear indicator of the intent of the user. Fingerprinting persisted exactly in the face of such countermeasures.
fc417fc802 3 days ago [-]
Even if the intent is clear I don't think the act of reading an available field qualifies as exploiting a vulnerability. IMO you need to actually work around a technical measure intended to stop you for it to qualify as an exploit.
> IMO you need to actually work around a technical measure intended to stop you for it to qualify as an exploit.
Even well-known vulnerabilities like SQL injection don't qualify under this definition?
fc417fc802 2 days ago [-]
Sure, my wording isn't perfect. I don't have a watertight definition ready to go. To my mind the spirit of the thing is that (for example) if a site has an http endpoint that accepts arbitrary sql queries and blindly runs them then sending your own custom query doesn't qualify as an exploit any more than scraping publicly accessible pages does. Whereas if you have to cleverly craft an sql query in a way that exploits string escapes in order to work around the restrictions that the backend has in place then that's technically an exploit (although it's an incredibly minor one against a piece of software whose developer has put on a display of utter incompetence).
The point isn't my precise wording but the underlying concept that making use of freely provided information isn't exploiting anything even if both the user and the developer are unhappy about the end result. Security boundaries are not defined post hoc by regret.
baobabKoodaa 1 days ago [-]
No, it is not. I'm talking in the context of OP, which refers to a fingerprinting "vulnerability", specifically using the word "vulnerability" to describe it.
foltik 3 days ago [-]
How would you frame it?
exe34 3 days ago [-]
Well presumably they want to make money.
sodality2 3 days ago [-]
Side channels that enable intended behavior, versus a flat-out bug like the above, though the line can often be muddied by perspective.
An example that comes to mind that I've seen is an anonymous app that allows for blocking users; you can programmatically block users, query all posts, and diff the sets to identify stable identities. However, the ability to block users is desired by the app developers; they just may not have intended this behavior, but there's no immediate solution to this. This is different than 'user_id' simply being returned in the API for no reason, which is a vulnerability. Then there's maybe a case of the user_id being returned in the API for some reason that MIGHT be important too, but that could be implemented another way more sensibly; this leans more towards vulnerability.
Ultimately most fingerprinting technologies use features that are intended behavior; Canvas/font rendering is useful for some web features (and the web target means you have to support a LOT of use cases), IP address/cookies/useragent obviously are useful, etc (though there's some case to be made about Google's pushing for these features as an advertising company!).
tomrittervg 3 days ago [-]
> Ultimately most fingerprinting technologies use features that are intended behavior
Strong disagree.
> IP address/cookies/useragent obviously are useful
Cookies are an intended tracking behavior. IP Address, as a routing address, is debatable.
> Canvas/font rendering is useful for some web features
These two are actually wonderful examples of taking web features and using them as a _side channel_ in an unintended way to derive information that can be used to track people. A better argument would be things like Language and Timezone which you could argue "The browser clearly makes these available and intends to provide this information without restriction." Using side channels to determine what fonts a user has installed... well there's an API for doing just that[0] and we (Firefox) haven't implemented it for a reason.
n.b. I am Firefox's tech lead on anti-fingerprinting so I'm kind of biased =)
The thing is, technology is either enabling something or not. The exploration space might be huge, but once an exploit is found, the exploitation code / strategy / plan can trivially proceed and be shared worldwide. So you have to deal with this when you design and patch systems.
Example: preserving paths in URLs. Safari ITP aggressively removes “utm_” and other well-known querystring parameters even in links clicked from email. Well, it is trivial to embed it in a path instead, so that first-party websites can track attribution, eg for campaign performance or email verification links etc. In theory, Apple and Mozilla could actually play a cat-and-mouse game with links across all their users and actually remove high-entropy path segments or confuse websites so much that they give up on all attribution. Browser makers or email client makers or messenger makers could argue that users don’t want to have attribution of their link clicks tracked silently without their permission. They could then say if users really wanted, they could manually enter a code (assisted by the OS or browser) into a website, or simply provide interactive permission of being tracked after clicking a link, otherwise the website will receive some dummy results and break. Where is the line after all?
nurettin 2 days ago [-]
Logically, they are doing correlation via publicly available information - maybe better than others can - and an identifier would hurt their business since competition can use it as well.
OneDeuxTriSeiGo 3 days ago [-]
A vulnerability is distinct from unintended behavior.
Unintended identification is less than ideal but frankly is just the nature of doing business and any number of niceties are lost by aggressively avoiding fingerprinting.
In software intentionally optimized to avoid any fingerprinting however it is a vulnerability.
The distinction being that fingerprinting in general is a less than ideal side effect that gives you a minor loss in privacy but in something like Tor Browser that fingerprinting can be life or death for a whistleblower, etc. It's the distinction between an annoyance and an execution.
autoexec 2 days ago [-]
> fingerprinting in general is a less than ideal side effect that gives you a minor loss in privacy
In what way is collecting a record of a person's browsing history a "minor loss" of privacy? For many people, tracking everywhere they go online would easily expose the most sensitive personal information they have.
subscribed 3 days ago [-]
Iffy vs grossly unethical.
rockskon 3 days ago [-]
Someone discovering and making this public doesn't mean others haven't independently discovered it.
prophesi 3 days ago [-]
I think HN needs a refresher on responsible disclosure, and that even vulnerability scanners engage in this practice for obvious reasons in that it benefits both parties. One party gains exposure, and the other gets exposure and their bug squashed without the bug wreaking havoc while they try to squash it.
NoahZuniga 3 days ago [-]
The real reason is that fingerprint.com's selling point is tracking over longer periods (months, their website claims), and this doesn't help them with that.
vorticalbox 2 days ago [-]
It allows you to track a browser forever because it is a stable fingerprint point. This helps with long term tracking a great deal.
PoignardAzur 2 days ago [-]
If I understand correctly, it was only stable until you restarted Firefox / your computer.
vorticalbox 2 days ago [-]
Ok, that changes it a bit, but on the other hand I’ve had my browser open for weeks now and I only restart it when the “update” button turns red lol
negura 2 days ago [-]
Correct. The ordering persists for as long as the original process continues to run.
dlenski 2 days ago [-]
> We don't use vulnerabilities in our products.
With all due respect, and acknowledging that your work is technically excellent…
Fingerprinting is all about extracting information about a site's visitors which those users didn't explicitly intend to reveal.
kqp 2 days ago [-]
I’m going to go out on a limb and guess that you define “vulnerability” as something like “thing that will be fixed soon”. After all, Joe Random not liking a behavior doesn’t make it a vuln, there needs to be a litmus test. Am I close?
stackghost 3 days ago [-]
All fingerprinting is a vulnerability, unless the client opts-in.
lmz 3 days ago [-]
The opt-in checkbox is labeled "Enable JavaScript"
When I go to https://noscriptfingerprint.com/ all I see is a blank page. My browser is pretty locked down in other ways which probably helps, but I'm still taking that as a good sign.
Ridiculous comment. People should not have to choose between functionality and privacy.
zelphirkalt 2 days ago [-]
Should not, true, but in the case of many websites the reality is that allowing JS means you lost your privacy. Just like one cannot allow webgl and canvas by default any longer.
Thanks to all the web devs who helped create this web dystopia.
danlitt 1 days ago [-]
Yes, my point is that this does not mean it is an "opt in checkbox". I appreciate that it allows people to be nasty, it just isn't a "please be nasty" toggle.
eimrine 2 days ago [-]
Implement it then.
danlitt 1 days ago [-]
Implement what? The internet?
7bit 2 days ago [-]
Ah yes, the age old reply when people exhausted all arguments.
eimrine 2 days ago [-]
The person I responded to wrote the "should have" construction without giving any proof of why it is so. Maybe in the world of pink ponies everyone should have free bread for breakfast, but some things might be unintuitive in our own.
7bit 2 days ago [-]
Lol u serious?
ZiiS 2 days ago [-]
You can't go out in public naked and just ask everyone to look away. If you want someone you don't trust to run unvetted general purpose code on your machine you have to accept that you are trading away some privacy. You can sandbox them (wear clothes) but that doesn't give you strict privacy.
danlitt 1 days ago [-]
I do wear clothes (all JS code runs in a sandbox).
This is a bit like saying "you should lock the door to your house" and therefore refusing to prosecute someone who steals from a house with a broken window frame. I did lock my door, and it's still a crime regardless!
stackghost 2 days ago [-]
It's not a binary situation. Lots of fingerprinting is based on e.g. audio or canvas rendering quirks. Browsers should be obfuscating that shit.
ZiiS 2 days ago [-]
100% we should ensure that browsers restrict fingerprinting as much as possible. I certainly set my Firefox to have many inconveniences to reduce the fingerprint. I am just saying this is an engineering compromise and the tradeoff will be different for different people. Wishing we can have our cake and eat it doesn't help; you do have to choose between privacy and functionality.
jachee 2 days ago [-]
Any method of “fingerprinting” and invading a browser’s privacy is inherently an exploit.
lyu07282 3 days ago [-]
[flagged]
celsoazevedo 3 days ago [-]
Would you prefer that they kept this for themselves instead of disclosing it?
I get criticizing their business and what they do wrong, but it doesn't seem right to criticize them for doing the right thing.
trinsic2 3 days ago [-]
It means they are suspect. I think it's right to be wary of motives if they are involved in the very thing they aim to bring awareness to. Questions arise in my mind as to why they would do something like this in the first place.
It's been my experience that the general public doesn't seem to follow patterns and instead focuses on which switch is toggled at any given moment for a company's ethical practices. This is the main reason why we are constantly gamed by orgs that have a big picture view of crowd psychology.
celsoazevedo 3 days ago [-]
I don't trust them more because of this and maybe they've disclosed it for the wrong reasons, like not allowing a competitor to use it when they don't, but at the end of the day they did disclose a serious issue, and that's good for users.
I understand where you're coming from, by the way, but sometimes the worst person you know does the right thing and it's not fair to criticize them for doing it (you could say nothing, don't have to change your opinion about them, etc). We also don't want someone to go "if I'm bad no matter what I do, then might as well make some money with this" and sell the exploit.
trinsic2 3 days ago [-]
> I understand where you're coming from, by the way, but sometimes the worst person you know does the right thing and it's not fair to criticize them for doing it (you could say nothing, don't have to change your opinion about them, etc). We also don't want someone to go "if I'm bad no matter what I do, then might as well make some money with this" and sell the exploit.
I hear you. I guess I just want to promote more vigilance. Looking at patterns and motives helps us stay balanced about these things IMHO.
lyu07282 3 days ago [-]
What are you even saying? It's like getting upset at somebody who criticizes a criminal because they once helped some grandma across the street. I'm not upset at the criminal because they helped a grandma across the street obviously that's not the fucking point.
celsoazevedo 3 days ago [-]
I'm not upset, I just don't think we should criticize someone for doing something good. Maybe they're a terrible org, maybe they deserve criticism most of the time, but not in this instance.
It's not like you can't point out that they did a good deed, but that they're still in the shitty business of fingerprinting users.
Also, if people only get the stick no matter what they do, then eventually some will embrace the dark side and at least make money out of it. And that's not good for you.
lyu07282 3 days ago [-]
The inverse is also true, letting them whitewash their image by pretending they care about your privacy and seek to protect you will be good for their public relations, but only if we let them. I refuse to be this gullible and run to their defense for no apparent reason.
celsoazevedo 3 days ago [-]
They can pretend all they want. I know what their business is, my opinion on the practices hasn't changed.
And yet, they did a good thing. I will criticize everything else, but not what they did right. It doesn't mean I'll go out of my way to praise them either... if it wasn't your comment, I wouldn't have said anything at all.
diydsp 3 days ago [-]
This isn't a someone. It's a corporation, a legal fiction explicitly designed to dissolve responsibility.
celsoazevedo 3 days ago [-]
And like a broken clock that is right twice a day, sometimes a corporation also does the right thing, even if for the wrong reasons.
Nothing wrong with pointing out hypocrisy and bullshit, but criticizing something they did right? That's not how I operate. You are, of course, free to do things differently.
Vinnl 3 days ago [-]
It's more like criticising a criminal when they are helping some grandma across the street, thereby treating them more harshly than the criminals that don't do that.
Responsible disclosure and commercial fingerprinting aren't contradictory.
lyu07282 3 days ago [-]
[flagged]
flufluflufluffy 3 days ago [-]
If you take their claim that they don’t use vulnerabilities in their products as true, then I don’t see a contradiction. If it isn’t true, then obviously there is a contradiction.
But your considering of all methods that enable fingerprinting as vulnerabilities is your own opinion. There are definitely measurable signals that are based on a user’s behavior, rather than data exposed by the browser itself.
kube-system 3 days ago [-]
It's a little bit disingenuous to call intentional wont-fix features "vulnerabilities".
hrimfaxi 3 days ago [-]
They probably are not relying on it and disclosure means others can't either.
kippinsula 2 days ago [-]
The business answer is boring: you don't sit on a browser zero-day that your own product depends on. If it leaks from somewhere else, the blog post writes itself and the trust you've built with every privacy researcher and enterprise buyer evaporates. Honestly the hiring page line alone, 'we found and reported X to Mozilla', is probably worth more than the fingerprinting edge they'd keep.
tcp_handshaker 2 days ago [-]
>> why would this company report this vulnerability to Mozilla if their product is fingerprinting?
Maybe because it is not as serious as they and their title made it out to be? Did you read it fully?
The identifier described is not process lifetime stable, not machine stable, or profile stable, or installation stable. The article itself says it resets on a full browser restart...
So this is not a magic forever ID and not some hardware tied supercookie. Now what should we do with that title, and the authors of it?
Cider9986 2 days ago [-]
Being fingerprinted across Tor is different from being deanonymized—it basically just "pseudonymizes" you. You now have an identifier. It is a significant threat, but it is not hard to "pseudonymize" someone based on stylometry and some of the people with the highest threat model—operating an illegal site, will be pseudonymous anyway.
Don't get your opsec advice from HN. Check whonix, qubes, grapheneos, kicksecure forums/wikis. Nihilist opsec, Privacyguides.
grumbelbart2 2 days ago [-]
This fingerprint persists over private and non-private Firefox sessions until you restart Firefox. State actors might be able to connect your Google-login in FF window 1 with your tor session in FF private window 2.
sigmoid10 2 days ago [-]
Good opsec usually means you don't do this anyway. Don't use your anonymous browser for anything related to your real persona. In fact, don't re-use the OS between anonymous and public personas. Or even better: Don't re-use the hardware (also goes for networking). There will always be bugs across all levels of software and hardware that could eventually be chained to expose you. But if there is nothing there that could be exposed, you're already much better off by default. Even if that is very hard to achieve in practice.
realusername 2 days ago [-]
Usually you have TOR browser for TOR and a standard Firefox for the standard browsing so they already are two sessions.
goodpoint 2 days ago [-]
No, fingerprinting is a synonym of deanonymization.
litigator 1 days ago [-]
No. If everyone (or browser installs) had identical fingerprints... Good luck deanonymising them.
yencabulator 3 days ago [-]
> the identifier can also persist [...] as long as the Firefox process remains running
Make sure to exit Tor Browser at the end of a session. Make sure not to mix two uses in one session.
SeriousM 2 days ago [-]
Or shut down and boot tails again. You need privacy? Take your time.
friendzis 2 days ago [-]
Anyone that serious about opsec should have dedicated hardware for that anyway
Phelinofist 2 days ago [-]
Why not tails in a VM?
negura 2 days ago [-]
because your host might be compromised
negura 2 days ago [-]
the vulnerability was fixed upstream by mozilla anyway
yard2010 2 days ago [-]
Use a separate machine for this stuff, never mix your clean machines with the dirty ones, complete separation, different networks
sdrm 2 days ago [-]
better yet, disable javascript when using tor.
SirMaster 3 days ago [-]
I question why websites can even access all this info without asking or notifying the user.
Why don't browsers make it like phones where the server (app) has to be granted permission to access stuff?
michaelt 3 days ago [-]
Browser fingerprinting is an unintended side-effect of things it's sorta-kinda reasonable for browsers to provide.
A user agent that says the browser's version? Reasonable enough.
Being able to ask for fonts, if the system has them? Difficult to have font support without that.
Getting the user's timezone, language and keyboard layout? Reasonable.
The size of the screen, and the size of the browser window? Difficult to lay things out without that.
Of course a video or audio player needs to know which video formats your browser supports - how else to provide the right video?
Obviously javascript can get the time, and it's trivial to figure out the system's clock error by comparing that to the time on a server.
Before you know it, almost every browser is uniquely identifiable.
fc417fc802 3 days ago [-]
Most of the things you've listed here don't actually seem all that reasonable to me.
User agents as a concept are rather poorly thought out across the board and not all that useful but persist because that's just how technical cruft is.
Fonts should be provided by the website; if not provided the choice should take the form of a spec sent by the website including line height, serifs or not, monospace or not, etc. There's little to no excuse for the current font situation IMO beyond poor design decisions that became heavily entrenched.
Timezone and other obviously private metadata should never be shared without the user explicitly granting permission on a case by case basis. The status quo here is completely inexcusable as is the continued failure to fix the problem.
Size of the physical screen should never be exposed under any circumstances. The current size of the browser window is reasonable on its face but now that fingerprinting is understood to be an issue should always be heavily letterboxed unless the user consents to sharing the exact value.
Video formats should be provided by the website as a list of offerings and the browser should respond with a choice; the user could optionally intervene. There's no reason to expose the full capabilities to a remote service.
Querying the current time should be gated behind an explicit permission. There's almost never a need for it. However from a fingerprinting perspective you also have to worry about correlating the rate of clock skew across clients. That can be solved by gating access to high resolution time counters behind an explicit permission as (once again) the vast majority of services have no legitimate use for such functionality.
db48x 2 days ago [-]
> Fonts should be provided by the website
No way!
I don’t ever use any font provided by the website. I don’t even let websites choose which fonts get used. Instead I choose a set of fonts (monospaced and proportional) that are readable and everything uses those.
If you want to see what that looks like, go into the Firefox settings, find the Fonts section, click Advanced, and then uncheck “Allow pages to choose their own fonts, instead of your selections above”. Be sure to adjust the “Minimum font size” while you’re here so that nobody uses text sizes that you cannot read.
Izkata 2 days ago [-]
> if not provided the choice should take the form of a spec sent by the website including line height, serifs or not, monospace or not, etc.
Width of individual characters would still reveal the browser's choice to some extent. Stick them in an inline-block element and check its width.
> Video formats should be provided by the website as a list of offerings and the browser should respond with a choice
The server still controls what's offered and can see what's supported by offering different combinations. Besides, isn't this how it works now?
fc417fc802 2 days ago [-]
> character width
That is a fair point but it would presumably still be a step in the right direction.
> video formats
True, a malicious streaming site could still work to fingerprint your client if you watched multiple different videos. However that would require active work on the part of the server and could be mitigated by the client which is already miles better than the status quo.
I suppose my proposed solution would also introduce a new constraint that a stream couldn't switch codecs from one chunk to the next but I doubt that would be much of an issue in practice.
I don't believe that's how it works now. At present the server would typically send code that queries for codec support prior to sending video chunks. These days there's the low level WebCodecs API; [0] previously you would have used MediaSource.isTypeSupported( ... ). [1] The issue is that at present the code sent by the server handles any queries and makes the selection. That leaves the door open to run arbitrary queries for the purpose of characterizing the underlying platform.
> If the type attribute is specified, the browser immediately compares it with the media types it can display. If the type is not supported, the browser skips querying the server and directly checks the next <source> element.
fc417fc802 1 days ago [-]
Huh. That's interesting but in practice it doesn't quite work. The major streaming platforms want to handle things programmatically in chunks and they need a way to establish what codec (among various other parameters) to use before they get started. So the requirement is a browser mechanism to make that information available to server provided code running on the client. And I'm further stipulating that this mechanism should facilitate optional intervention by the user.
BizarroLand 2 days ago [-]
> fonts should be provided by the website
Yeah, because I love it when every website I go to downloads 10 megs of fonts to my computer before it starts rendering the page. Fonts should be suggested by the website, and a bog-standard "every computer has this" font should be listed as the fallback.
> Timezone and other obviously private metadata should never be shared without the user explicitly granting permission on a case by case basis
100% agree.
> Size of the physical screen should never be exposed under any circumstances
I mostly agree, but with the understanding that this would cause issues with "modern" web pages having very difficult to format layouts. Responsive design requires a response, after all.
> Video formats should be provided by the website as a list of offerings and the browser should respond with a choice
You're still getting the same feedback with this, that the browser chose to use X format, so you're not increasing privacy with this, only difficulty.
> Querying the current time should be gated behind an explicit permission
100% agree. If there is no active local processing of information that the server relies on, in the format of a game or some other interactivity, then there is no reason why the server needs to know your local time.
fc417fc802 2 days ago [-]
> fonts
That's why I said that a spec mechanism should also be provided. The issue is that sites can perform measurements regarding the layout that change based on the font used. So the browser should only ever provide a few fallbacks, nothing more, and anything else needs to come from the site itself.
> screen size
I think maybe you're confusing the physical screen with the current size of the browser window?
> video formats
The issue at present is that a site can programmatically test a long list of formats against your setup to see what happens. What I'm describing increases privacy because the site can no longer directly query for the entire list of supported formats and the user can optionally control the process. Obviously it's still possible to botch the implementation on the browser's end but the point is to make it possible to do the right thing.
bblb 2 days ago [-]
These are all relics from the innocent 90's Internet. We had our global village and everything was fine. A couple of bad actors spamming blue pills here and there and that was it.
Now we have actual criminal organizations and other real bad actors.
I'm sure we can come up with something better than advertise our whole local computing platform on every HTTP request.
sandworm101 3 days ago [-]
The tor project seeks to bypass this by keeping such things standardized across users, even down to reported screen size. And there is nothing stopping the browser from fibbing as most settings don't matter all that much (ie UK v Canadian v American English).
autoexec 2 days ago [-]
This is a bad idea though, because any newly discovered means to get even a single data point results in being able to ID every tor user. It'd be better to have every tor browser always generate a random fingerprint so that even if the unexpected happens people will never get anything but random results.
rendx 2 days ago [-]
> to have every tor browser always generate a random fingerprint
Browsers do not "generate" fingerprints. They expose data that can be used to fingerprint users. You cannot "randomize" this; even if you were to return random values for, say, user screen size, with various visual side effects, it would just be another signal to fingerprint: "Oh, your browser is returning random values? Must be a Tor browser user".
autoexec 2 days ago [-]
> it would just be another signal to fingerprint: "Oh, your browser is returning random values? Must be a Tor browser user".
That's perfectly fine! As long as they can't tell which tor user you are they can't track your browsing activity or associate it to any one tor user. That's the goal. Currently tor browser sticks out like a sore thumb by trying to appear identical no matter who uses it, which is fragile because any one data point unaccounted for unmasks everyone.
IAmBroom 2 days ago [-]
> it would just be another signal to fingerprint: "Oh, your browser is returning random values? Must be a Tor browser user".
You'd have to fingerprint the browser first to determine that the "random values" were indeed coming from it.
BeetleB 3 days ago [-]
I fantasize having a browser that I can use only for viewing content.
No applications. No mail. No need for cookies.
I can use a "regular" browser for more enhanced stuff. But for simple content consumption, we can just have a "dumb" browser that can't do much.
> A user agent that says the browser's version? Reasonable enough.
No user agent. I'm guessing it will need it for JavaScript or HTML features, and dynamically update if using an old browser, but let's just not supply a user agent and let it be the reader's burden to have a reasonably decent browser.
> Being able to ask for fonts, if the system has them? Difficult to have font support without that.
What's the fallback if the system doesn't have them?
> Getting the user's timezone, language and keyboard layout? Reasonable.
Keyboard layout is irrelevant for viewing content. For timezone and language: Yeah, I can see the use cases, but these are in a small minority. Let there be a popup when requested, and the user can specify the timezone/language as requested.
> The size of the screen, and the size of the browser window? Difficult to lay things out without that.
Let's let this new browser return only from a (small) discrete set of sizes. It will pick the size closest to the actual browser window size and send that.
> Of course a video or audio player needs to know which video formats your browser supports - how else to provide the right video?
Same answer as user agent. Either let the user pick from a selection of video formats, or just hard code a reasonable one and put the onus on the user to have a browser that supports it.
> Obviously javascript can get the time, and it's trivial to figure out the system's clock error by comparing that to the time on a server.
This hypothetical browser could just not send the time :-) For 99% of content consumption, this function is not needed.
What I'm describing should be part of "Private mode". Or browsers should have an "Ultra-private" mode that is the above. If it's too complex/risky maintaining it all in one codebase ... fine. Just have a separate browser.
Right now, if I built such a browser, I'm sure a lot of sites meant for content would break. But in my fantasy world, using "Ultra-private" would be the default, and people who make sites will target them first.
I think much of the complexity in making a web browser is all the "other" stuff. Being able to run apps, cookie/privacy management, etc.
0x62 3 days ago [-]
Unfortunately you've now made an incredibly niche browser, and the lack of those metrics is a good fingerprint by itself. How browsers render SVGs can be used for fingerprinting (even the underlying OS affects this, and I assume you'll want to see those), combine with ISP from IP address, and unless there's hundreds of users in every city you're now pretty easily trackable.
autoexec 2 days ago [-]
There's no problem with having a unique fingerprint. The problem is having a consistent one. Randomize the fingerprint every time and you're fine. The IP address problem applies to everyone, including anyone using tor browser. The only solution to that is not using your own IP address (VPN/proxy). If I were going to make a secure privacy focused browser it either wouldn't allow things like rendering SVGs (which have introduced vulnerabilities beyond tracking) and wouldn't allow much (if any) JS and only a sane subset of CSS.
BeetleB 3 days ago [-]
> Unfortunately you've now made an incredibly niche browser, and the lack of those metrics is a good fingerprint by itself.
If 100 people are using that browser, how will they know which one is me?
> How browsers render SVGs can be used for fingerprinting (even the underlying OS affects this, and I assume you'll want to see those)
Can you provide details on this? And how will they know which OS I'm using (through SVG rendering...)? The UserAgent definitely should not send the OS.
> combine with ISP from IP address
That's already provided whether I use Private mode or not, correct? I can always use a VPN.
pbhjpbhj 2 days ago [-]
You're the only one out of 100 that visits HN, or whose use matches a particular timezone, or who has the use pattern that [anti-]correlates with your work pattern, or ...
BeetleB 2 days ago [-]
My brain is a bit slow today:
> You're the only one out of 100 that visits HN
So the HN operator sees someone using this browser, with this timezone. Then I go to some other site. Let's pretend that site's operator and HN's are identical. How will they know that I'm the same guy who went to HN? How does he know there aren't two people who use the browser in the same timezone (and the other one doesn't go to HN)?
Atreiden 1 days ago [-]
I think the point is that it takes very few data points to effectively deanonymize someone. And the less common a data point is, the greater the information gain. "User is male" eliminates ~half of users. "User actively reads HackerNews" eliminates >99%. "User uses this niche browser that only 1000 people have ever been seen using" eliminates 99.999%.
This is how surveillance operates at scale. You don't need a stable identifier linking a specific person's identity, you just need a few data points to narrow it down to even a few thousand people. Then you apply more focus on those people, gathering data points that eliminate people until you're left with your target. And thanks to decades of global iteration on surveillance infrastructure, and AI to glue data sets together, it's all automated.
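A worked version of the counting argument above, as an added example (my own code, not anything from the thread or the article it discusses). The population size and the per-signal fractions are constructed round figures in the spirit of the comment, not measured data, and the estimator treats signals as independent, which overstates the information gained when signals are correlated:

```javascript
// Added example, not from the page: a back-of-envelope estimator for how
// quickly combining weak signals shrinks an anonymity set. Each signal is
// given as the fraction of the population that shares the observed value.
// Signals are treated as independent, which overstates the information when
// they are correlated (HN readership and niche-browser use surely are).

// Information gained from one observation, in bits.
function surprisalBits(fraction) {
  if (!(fraction > 0 && fraction <= 1)) throw new RangeError("fraction must be in (0, 1]");
  return -Math.log2(fraction);
}

// Bits needed to single out one person among `population`.
function bitsToIdentify(population) {
  if (!(population >= 1)) throw new RangeError("population must be >= 1");
  return Math.log2(population);
}

// Combine signals: expected number of people left, total bits collected,
// and whether that is already enough to narrow the set to one person.
function anonymitySet(population, fractions) {
  const remaining = fractions.reduce((n, f) => n * f, population);
  const bits = fractions.reduce((b, f) => b + surprisalBits(f), 0);
  return {
    remaining,
    bits,
    uniquelyIdentifying: bits >= bitsToIdentify(population),
  };
}

// Constructed figures (assumptions, not measurements): about half the
// population, roughly 1 in 100 read HN, a niche browser seen from 1000 people.
const WORLD = 8e9;
const SIGNALS = [0.5, 0.01, 1000 / WORLD];

// Apply the signals one at a time so the shrinking set is visible per step.
function worked(population = WORLD, signals = SIGNALS) {
  const steps = [];
  for (let i = 1; i <= signals.length; i++) {
    steps.push(anonymitySet(population, signals.slice(0, i)));
  }
  return steps;
}

console.log(worked());
```

With these three signals the estimate is a set of about five people out of eight billion, still short of the roughly 33 bits needed to name one person, which is exactly the "then apply more focus on those people" stage the comment describes. The defensive reading is the same as Panopticlick's: every exposed value that is rare in the population is worth bits to an observer, so the goal of a privacy-preserving browser is to make each reported value common, not unique.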
BeetleB 3 days ago [-]
I can't edit, but I forgot to add:
No support for forms. The browser is meant for content consumption. Not for interaction/creation.
One could argue that any JS capabilities to do network requests (including dynamically rendering content) would be disallowed.
Yes, I know, this is going pre-Web 2.0.
Yes, of course, most current sites won't work in that model. But I'll also say: Most current content sites don't need these capabilities. They have them because they know the browser supports them.
Again - a fantasy. I know only a few people will use it. I know that won't be enough to change web behavior. It would be nice, though, if sites carried a badge to indicate they conform to all of the above.
93po 3 days ago [-]
i've had the same thought for 20 years and unfortunately it's less likely than ever to happen now, given how many sites require javascript and have cloudflare pages before even loading a site (I get several a day).
thankfully i think traditional web surfing is probably going to die out in the next 10 years, and progressively decline a lot much sooner than that as people start to interact with AI rather than browsers (or any software for that matter).
my feed of hackernews is going to be my AI agent giving it to me in plain text very soon, and soon after that i will probably never visit the internet again because it will be impossible to know what's real and fake
as a millennial it will be interesting to experience the full cycle of being born when nothing was online, to everything being online, to then again being entirely offline by the time i'm older
fc417fc802 3 days ago [-]
> my feed of hackernews is going to be my AI agent giving it to me in plain text very soon
Wait for the advent of local agents running on local models (for privacy) followed by techniques to fingerprint agents, followed by techniques to infer query parameters based on agent behavior. I wish I was joking but it seems all too plausible.
bryan_w 3 days ago [-]
Just use Tor browser? You can turn the tor part off if you need the speed.
What you want exists, have at it
BeetleB 3 days ago [-]
As the submission shows, Tor browser isn't enough. My hypothetical browser would never have an IndexedDB API. Why should it?
"Web applications use it for offline support, caching, session state, and other local storage needs"
This use case is completely orthogonal to what my browser is meant to do. My browser would not have a concept of local storage.
The premise of starting with a modern browser and stripping away features to get privacy is flawed - it's always vulnerable to these types of things. I'm going the opposite route: Only add features if they cannot be exploited for monitoring.
francoi8 3 days ago [-]
All of these could have a set of standard non identifiable answers (eg. firefox reports the same 20 fonts, couple video formats, one among a few standard window sizes etc.) and for anything more extensive/precise, it would require the user's authorization and the user should have the option of feeding fake info (eg. fake timezone)
snailmailman 3 days ago [-]
Firefox's "Resist fingerprinting" does this. It sets timezone to UTC, standardizes the fonts, standardizes a whole bunch of other fingerprinting data, etc. It also has a "letterboxing" option to round screen size down to the nearest 100px and stuff too. Tor uses all of those settings by default, though they are also in standard firefox in about:config.
When I use Resist Fingerprinting my main issue is the timezone being set to UTC. most of the other stuff it does never causes issues. I guess sometimes sites need to read the canvas, but there's a permission box that allows that when needed. I wish there was a similar permission box for timezone.
The only other drawback to the "resist fingerprinting" option is you will encounter Cloudflare's captcha checkbox everywhere and all of the time :(
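An added illustration, not code from the page, Firefox, or Tor Browser, of the two coarsening rules discussed in this subthread: the round-down-to-100px letterboxing mentioned just above, and the small fixed set of reported sizes proposed earlier by BeetleB. It counts how many distinct values each rule leaves over a range of real viewport widths. The function names, the allow-list and the sample range are my own choices for the example:

```javascript
// Added example (not code from the page, Firefox, or Tor Browser): two ways a
// browser can coarsen the reported viewport size, and a measure of how much
// fingerprint surface each removes. Names and the sample range are constructed.

// Letterboxing as described in the thread: round a dimension down to the
// nearest multiple of `step` (100 px by default). Anything smaller than one
// step still reports one step so the page gets a usable number.
function letterbox(px, step = 100) {
  if (!Number.isFinite(px) || px <= 0) throw new RangeError("dimension must be a positive number");
  if (!Number.isInteger(step) || step <= 0) throw new RangeError("step must be a positive integer");
  return Math.max(step, Math.floor(px / step) * step);
}

// The alternative proposed upthread: report only the closest entry of a small
// fixed allow-list, so every user picks from the same handful of values.
// On a tie the earlier (smaller) entry wins.
function snapToSet(px, allowed) {
  if (!Array.isArray(allowed) || allowed.length === 0) throw new RangeError("allow-list must be non-empty");
  return allowed.reduce((best, v) => (Math.abs(v - px) < Math.abs(best - px) ? v : best));
}

// How many distinct values survive once `coarsen` is applied to every sample,
// and how many bits of identifying information that is, assuming each value
// is equally common (an upper bound; real size distributions are skewed).
function survivingValues(samples, coarsen) {
  const distinct = new Set(samples.map(coarsen)).size;
  return { distinct, bits: Math.log2(distinct) };
}

// Constructed sample: every integer viewport width from 800 to 1920 px,
// and a constructed allow-list of four common widths.
const SAMPLE_WIDTHS = Array.from({ length: 1121 }, (_, i) => 800 + i);
const ALLOWED_WIDTHS = [1024, 1280, 1440, 1920];

// Compare raw, letterboxed and snapped reporting over the same sample.
function compareStrategies(samples = SAMPLE_WIDTHS) {
  return {
    raw: survivingValues(samples, (w) => w),
    letterboxed: survivingValues(samples, (w) => letterbox(w)),
    snapped: survivingValues(samples, (w) => snapToSet(w, ALLOWED_WIDTHS)),
  };
}

console.log(compareStrategies());
```

Over that sample the raw width carries about 10 bits, the 100px letterbox leaves 12 values (about 3.6 bits) and the four-entry allow-list leaves 2 bits. Either rule only helps when many users share it: a coarsening scheme used by one person is itself a rare value, which is the point made elsewhere in the thread about a lone browser that simply omits the metric.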
autoexec 2 days ago [-]
Ideally you'd have browsers randomizing what they send instead of reporting the same info every time. That way even a deviation from the "norm" can't be assumed to ID someone.
goodpoint 2 days ago [-]
It's not reasonable for a website to find out about my browser version, OS, keyboard layout and a zillion other things, fuck this.
All these things should be opt-in and like blocked by GDPR.
t-3 3 days ago [-]
The most popular browser is made by an ad company. They also provide the majority of funding for their biggest competitor. Why would you expect anything different?
john_strinlai 3 days ago [-]
most people would expect something different from tor, surely.
octoberfranklin 2 days ago [-]
The funding for tor project is nowhere near what is needed to develop an entire browser. Mainly because the web has become such a bloatfest, not because of any wrongdoing by tor.
Apps have access to inconceivable amounts of identifiers and device characteristics, even on the well protected systems without Google Play services.
troupo 3 days ago [-]
It's a fine line between making the web usable, fingerprinting, and peppering the user with dozens or hundreds of permissions.
And since browsers rival OSes for complexity (they are basically OSes in their own right already), any part of the system can be inadvertently exposed and exploited.
Barbing 3 days ago [-]
>Why don't browsers make it like phones where the server (app) has to be granted permission to access stuff?
Like Android phones perhaps? Unfortunately Apple gives very little granular control.
Joe_Cool 3 days ago [-]
Most stock android phones don't either. You usually get to control precise location, notifications, some background activity, SMS, Calls, Mic, Camera, SD Card, etc.
But most ROMs don't allow controls for WiFi, Cell data, Phone ID, Phone number, User ID, local storage, etc...
kelvinjps10 3 days ago [-]
all these permission you have to accept?
chneu 3 days ago [-]
Yes. A few apps have been caught doing nefarious stuff using advertising sdks, like meta, but on android most apps are well sandboxed and can only access what you approve.
Joe_Cool 2 days ago [-]
For those things you can't control it doesn't ask. You can see those under "other permissions" (or similar).
But once you look there it's too late if you care about this data and forgot to turn on airplane mode.
kingstnap 3 days ago [-]
I mean Google ain't paying for Chromium development just for the fun of it...
snowwrestler 3 days ago [-]
And yet this sort of endless (fingerprintable) browser feature list is what people cite when they claim that mobile Safari is somehow way behind Chrome, and how it’s a travesty that Chrome can’t natively implement all these (again, highly fingerprintable) features on the iPhone.
bfivyvysj 2 days ago [-]
I learned enough about security years ago that there's basically zero chance you're secure and almost 100% chance someone is watching everything you do online.
Whether they care is entirely separate.
PoignardAzur 2 days ago [-]
Ah, yes, the "fuck it" approach to infosec.
tdeck 2 days ago [-]
It seems to have worked for Fiverr.
jancsika 2 days ago [-]
Be careful when telling other campers that you think it's pointless to try to outrun a grizzly bear.
They may outwardly appear to agree with your statement, but it may be for very different reasons than you think.
Edit: clarification
IAmBroom 2 days ago [-]
"Watching" is doing heavy lifting. "Able to watch" or "being recorded, along with terabytes of parallel information from others", is more apt. Actually discriminating the signal (communications from a desired target, or about a desired topic) from noise is the problem with your "nothing you do will stop them" theory.
jimbo808 2 days ago [-]
Could be accurate but governments can be profoundly incompetent even with great capability at their disposal
phatskat 2 days ago [-]
I forget where I saw it but there’s an old adage along the lines of “even if your computer is unplugged, in a vault, with armed guards, it’s probably not safe”.
bawolff 3 days ago [-]
From the sounds of this it sounds like it doesn't persist past browser restart? I think that would significantly reduce the usefulness to attackers.
piccirello 3 days ago [-]
This excerpt from the article describes the risk well.
> In Firefox Private Browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process remains running. In Tor Browser, the stable identifier persists even through the "New Identity" feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuits.
fc417fc802 3 days ago [-]
I wonder why "New Identity" wasn't implemented as a fork-and-exec with a newly created profile?
vscode-rest 2 days ago [-]
Follow the money.
permo-w 2 days ago [-]
Seriously. TOR is primarily funded by the US government. Maybe this or not all bugs are deliberately left in for the sake of allowing backdoors, but people should not forget this
tardedmeme 2 days ago [-]
Or it could just be a bug.
warkdarrior 3 days ago [-]
This is where you use id bridging.
1. Website fingerprints the browser, stores a cookie with an ID and a fingerprint.
2. During the next session, it fingerprints again and compares with the cookie. If fingerprint changed, notify server about old and new fingerprint.
shevy-java 3 days ago [-]
Would it though? I guess state agencies already know all nodes or may know all nodes. When you have a ton of meta-information all cross-linked, they can probably identify people quite accurately; may not even need 100% accuracy at all times and could do with less. I was thinking about that when they used information from any surrounding area or even sniffing through walls (I think? I don't quite recall the article but wasn't there an article like that in the last 3-5 years? The idea is to amass as much information as possible, even if it may not primarily have to do with solely the target user alone; e. g. I would call it "identify via proxy information").
Barbing 3 days ago [-]
> I guess state agencies already know all nodes or may know all nodes.
Assume the same.
>The idea is to amass as much information as possible
Open enough tabs and you'd be lucky to keep firefox running for more than a couple weeks.
danlitt 2 days ago [-]
I have had hundreds of tabs open for many months in the past. The bottleneck is usually the OS crashing rather than firefox.
wongogue 2 days ago [-]
I have 488 tabs in the session with more than 50 loaded. The running session has 72 processes.
Izkata 2 days ago [-]
I'm around 1700 tabs with somewhere in the 20s or 30s loaded. It's been a month or more since I restarted firefox.
firefax 3 days ago [-]
The OP's link is timing out over Tor for me, but the Wayback[1] version loaded without issue.
Also, does anyone know of any researchers in the academic world focusing on this issue? We are aware that EFF has a project that used to be named after a pedophile on this subject, but we are more looking for professors at universities or pure research labs ala MSR or PARC than activists working for NGOs, however pure their praxis :-)
As privacy geeks, we have become fascinated with the topic -- it seems that while we can achieve security through extensions like noscript or ublock origin or firefox containers (our personal "holy trinity"), anonymity slips through our fingers due to fingerprinting issues. (Especially if we lump stylometry in the big bucket of "fingerprinting".)
>We are aware that EFF has a project that used to be named after a pedophile on this subject
You bring this up like it's a well known incident, but my googling can find no evidence of it? The only reason not to say the name of the project would be if it's common knowledge, but it's not?
ChatGPT research reckons you're making it up, and I'd be curious if you have evidence to the contrary?
firefax 2 days ago [-]
It used to be called Panoptoclik (sp?), a reference to Foucault's theory of the panopticon. Foucault's extracurriculars are well documented and not everything is an "incident" -- it's a thread on fingerprinting. People who study that are aware what is now called "cover your tracks", and people who do post grads tend to be well rounded enough to have read a bit of philosophy, or at least, they did in my day.
So what happened here is basically... AI told you that something that made you suspicious because you have zero subject matter expertise is suspect?
I'm not really sure how to react to someone who has a robot affirm their anxieties other than to stand by my previous statements and give a polite pointer at some terms to look up on Wikipedia rather than feed into a clanker.
spelledwrong 2 days ago [-]
Funny you mention Wikipedia
You said it was “named after a pedophile”, that is wrong
>>The word panopticon derives from the Greek word for "all seeing" – panoptes.
The concept was invented by Jeremy Bentham, who died before Foucault was born.
Interesting that you named your HN account after a famous homophobe.
firefax 24 hours ago [-]
>Interesting that you named your HN account after a famous homophobe.
that guy is no longer with the project and does brave now iirc
(it's super interesting to us that two different people took such a wild leap btw)
spelledwrong 21 hours ago [-]
>>that guy is no longer with the project and does brave now iirc
Foucault is dead.
>>(it's super interesting to us that two different people took such a wild leap btw)
It's super interesting to me that you expected people to make the wild leap from “named after a pedophile” to a project that wasn't even named after a person.
You chose to communicate poorly to make a point and are now complaining when the point turned out to not even be true.
You could have said 'Panopticlick' and people would have known what you were talking about. Instead, you left the name out and instead pointed out the rename and the “fact” that it was previously named after a pedophile. The obvious implication is that it was renamed to cover this up.
The smug tone of your follow-up leads me to the conclusion that you had some “fun” trivia from a class you took one time, and you prioritised showing that off over clear communication (while falsely implying some kind of cover-up of wrongdoing by the EFF).
toraway 2 days ago [-]
Are the allegations described here what you're referring to?
From cursory reading it sounds like satanic panic bullshit with some good old "gay men are pedophiles" thrown in, and basically just character assassination using debunked or non-existent sources.
Plus as others noted, even if true your original statement would still be a lie since a Panopticon is a concept not a person.
gosub100 2 days ago [-]
You invalidated your initial claim. Panopticon is not a pedo. Therefore the project was not named after one. Therefore the robot was right.
firefax 24 hours ago [-]
Foucault was, but if we misunderstand on purpose, the sky is the limit.
spelledwrong 20 hours ago [-]
You said “named after” when you meant “named after an idea popularized by”.
If you type one thing and expect people to understand that you meant something else then I will have to assume that by this:
>>people who do post grads tend to be well rounded enough to have read a bit of philosophy, or at least, they did in my day.
you meant you once visited a university but never enrolled in any classes?
You can complain that people on the internet misunderstand on purpose (and I agree it is far too common), but that complaint is only valid if you communicate clearly yourself.
2 days ago [-]
tomrittervg 3 days ago [-]
Mozilla is working on it. (I know you said 'Academic', but we publish papers sometimes too.)
firefax 2 days ago [-]
I'd lump Mozilla into the bucket since it's a nonprofit and open source, it's hard to come up with an objective list of what makes an org "good" so sometimes it's been useful to fall back on the fact that at least in the states, academics are bound by the IRB.
dirasieb 3 days ago [-]
what are you referring to with that EFF app part?
Cynddl 3 days ago [-]
yes, there’s an active area of research on web fingerprint, both attacks and defences. Look at conferences like PETS for instance
firefax 2 days ago [-]
pets is a good conference.
i also like anonbib as a central repo for interesting work.
Does Tor Browser still allow JavaScript by default? Because if you block execution of JavaScript, you won't be affected from what I understand.
angry_octet 3 days ago [-]
Because TBB has javascript on by default, turning it off increases your signature. It would be better if TBB defaulted to js off, with a front panel button to turn it on.
JS also dramatically improves security. TBB is stuck in a 90s mindset about privacy, as if Firefox exploits were not a dime a dozen. Especially with AI making FF exploits more available, we can expect many tor sites to be actively attacking their visitors.
ux266478 3 days ago [-]
> turning it off increases your signature.
Tor endpoints are pretty easy to identify, there are plenty of handy databases for that, using it to begin with increases your uniqueness. If noscript was set to strictly disallow javascript by default, that decreases the degree to which it increases your signature relative to the baseline of using tor.
Then we have to account for the simple fact that many, many fingerprinting techniques rely on javascript, so taking them out of the picture reduces the unique identity that can be gleaned.
Are we absolutely, positively sure that the tradeoff is worth it? Without a strict repeatable measurement, I think I'm highly skeptical about whether or not a default of "allow" is a net boon to hiding your identity. I remember the rationale about the switch mostly being directed towards "most of the web is broken otherwise and that's bad."
angry_octet 3 days ago [-]
Every server knows that you're using tor, we're only talking about whether they can match your traffic to you repeatably, and particularly across sessions, which then enables traffic analysis that can lead to complete deanonymisation.
If TBB changed to js off by default that signal would be less evident, and also, fingerprinting would be harder.
Phelinofist 2 days ago [-]
> JS also dramatically improves security
How so?
angry_octet 2 days ago [-]
Sorry I somehow left out the key word 'Disabling JS'.
ranger_danger 3 days ago [-]
Disabling JavaScript actually greatly increases your fingerprint as not many users turn it off, so that instantly puts you in a much smaller bucket that you need to be unique in. Yes, not having JS means it limits your options for gathering other details, but it also requires much less effort to be unique now without JS.
Tor Browser also doesn't spoof navigator.platform at all for some reason, so sites can still see when you use Linux, even if the User-Agent is spoofing Windows.
hypeatei 3 days ago [-]
> increases your fingerprint as not many users turn it off
We're talking about users of the Tor browser, and I'd be very surprised if this was the case (that a majority keep JS turned on)
Basically every Tor guide (heh) tells you to turn it off because it's a huge vector for all types of attacks. Most onion sites have captcha systems that work without JS too which would indicate that they expect a majority to have it disabled.
Springtime 3 days ago [-]
> Disabling JavaScript actually greatly increases your fingerprint as not many users turn it off, so that instantly puts you in a much smaller bucket that you need to be unique in.
I've heard a handful of people say this but are there examples of what I would imagine would have to be server-side fingerprinting and the granularity? Since most fingerprinting I'm aware of is client-side, running via JS. While I expect server-side checks to be limited to things like which resources haven't been loaded by a particular user and anything else normally available via server logs either way, which could limit the pool but I wonder how effective in terms of tracking uniqueness across sites.
ranger_danger 3 days ago [-]
In addition to server-side bits like IP address, request headers and TLS/TCP fingerprints, there are some client-side things you can do such as with media queries, either via CSS styles or elements that support them directly like <picture>. You can get things like the installed fonts, screen size/type or platform/browser-specific identifiers.
I have my problems with that argument. Yes, less identifying bits means a smaller bucket but for the trackers, it also means more uncertainty, doesn't it? So when just a few others without JS join your bucket e.g. via a VPN, profiling should become harder.
farfatched 3 days ago [-]
> Because the behavior is process-scoped rather than origin-scoped
Hmm, I'm a little confused, since in 2021 Mozilla released experimental one-process-per-site:
> This fundamental redesign of Firefox’s Security architecture extends current security mechanisms by creating operating system process-level boundaries for all sites loaded in Firefox for Desktop
Honestly it seems that most of Web Standards are used mostly for fingerprinting - I think a small number of websites use IndexedDB (who even needs it) for actually storing data rather than fingerprinting.
That's why expansion of web standards is wrong. Browser should provide minimal APIs for interacting with device and features like IndexedDB can be implemented as WebAssembly library, leaking no valuable data.
For example, if canvas provided only access to picture buffer, and no drawing routines calling into platform-specific libraries, it would become useless for fingerprinting.
Dwedit 3 days ago [-]
You can use a browser extension like "Local Storage Editor" to see the contents of the Local Storage of a website. So far, I've seen it used for caching long-life images (like on gmail), or used as another way to do logins instead of cookies.
troupo 3 days ago [-]
> You can use a browser extension like "Local Storage Editor" to see the contents of the Local Storage of a website.
Or just open dev tools
fc417fc802 3 days ago [-]
I'm with you up to the bit about canvas. The problem there is that if you want hardware acceleration then either you can't permit services to read back what was rendered (why do they need to do that again?) or else you're inevitably going to leak lots of very subtle platform specific details. Personally I think reading back the content of a canvas should be gated behind a permission dialog.
codedokode 19 hours ago [-]
You can put hardware acceleration behind permission.
3 days ago [-]
Fokamul 2 days ago [-]
Imho, EU should make any fingerprinting illegal in all browsers.
And all browser devs should be required to actively fight against fingerprinting.
There is no legitimate need for fingerprinting in browsers.
jonathanstrange 2 days ago [-]
Fingerprinting is done by servers, not by browsers, and it is already illegal in the EU when it is done without explicit user consent and according to the GDPR data handling requirements. The GDPR covers all of this, it doesn't matter where the data comes from.
b1temy 2 days ago [-]
> ...stored in the global StorageDatabaseNameHashtable.
> This mapping:
> - Is keyed only by the database name string
> ...
> - Is shared across all origins
Why is this global keyed only by the database name string in the first place?
The post mentions a generated UUID, why not use that instead, and have a per-origin mapping of database names to UUID somewhere? Or even just have separate hash-tables for each origin? Seems like a cleaner fix to me compared to sorting (imo, though admittedly, more of a complex fix with architectural changes)
Seems to me that having a global hashtable that shares information from all origins is asking for trouble, though I'm sure there is a good explanation for this (performance, historical reasons, some benefits of this architecture I'm not aware of, etc.).
Meneth 3 days ago [-]
I'm confused.
The IndexedDB UUID is "shared across all origins", so why not use the contents of the database to identify browsers, rather than the ordering?
nneonneo 3 days ago [-]
There's an instructive example on the page. Suppose a page creates the databases `a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p`, then queries their order. They might get, for example `g,c,p,a,l,f,n,d,j,b,o,h,e,m,i,k`, based on the global mapping of database names to UUIDs.
The key vulnerability here is that, for the lifetime of that Firefox process, any website that makes that set of databases is going to see the exact same output ordering, no matter what the contents of those databases are. That makes this a fingerprint: it's a stable, high-entropy identifier that persists across time, even if the contents of those databases are not preserved. It is shared even across origins (where the contents would not be), and preserved after website data is deleted -- all a website has to do to re-acquire the fingerprint is recreate the databases with the same names and observe their ordering.
Joe_Cool 3 days ago [-]
As I understood not ANY website can see it. But the same website can see it regardless if you reset your identity in Tor Browser.
So it persists between anonymous sessions.
So you could connect User A that logged out and reset the identity to User B who believed they were using a fresh anonymous session and logged in afterwards.
stratos123 3 days ago [-]
No, it does allow identification across different websites (the article says "both cross-origin and same-origin tracking"). Both websites just need to create some databases with the same names. Since the databases are origin-scoped, these aren't the same databases, so you can't just write some data into one and read it on another website. But it turns out that if two websites use the same names for all these databases, the order the list of databases is returned in is random-per-user but the same regardless of website.
Joe_Cool 2 days ago [-]
OK, that's even worse. Thanks.
lxgr 3 days ago [-]
The content is obviously scoped to an origin, or IndexedDB would be a trivial evercookie.
AgentME 3 days ago [-]
It's the mapping of UUIDs to databases that is shared across origins in the browser. Only the subset of databases associated with an origin are exposed to that origin.
I think most browsers have patched this out?
I didn't do super concrete tests, but at least on my machine their demo is failing to fingerprint me across private browsing/incognito sessions as they claim. Tested in Firefox and Edge.
ranger_danger 3 days ago [-]
Not sure about Chromium-based browsers, but the author of this paper on the technique:
Says that Firefox has a bug that prevents favicons from being loaded from cache, which inadvertently protects against this technique. They filed a bug report on it in 2020 but nothing has happened with it yet: https://bugzilla.mozilla.org/show_bug.cgi?id=1618257
zzo38computer 2 days ago [-]
Some users disable favicons; I am one of them (although that is mainly because I do not use them, rather than due to that).
crazysim 3 days ago [-]
I would imagine most users of Tor are using Tor Browser. I am reading there was a responsible disclosure to Mozilla but is it me or did that section leave out when the Tor Project planned to respond or release a fixed Tor Browser? Do they like keep very close or is there a large lag?
flotzam 3 days ago [-]
Tor Browser is always quick to rebase on the latest Firefox ESR. They released an update the next day:
This is great to hear. I wish the original article was more clear on that instead of a vague "they'll get to it" which has bad connotations.
aboardRat4 2 days ago [-]
Not sure about "most". I use tor without a tor browser, because I don't care about being identified. I only used it to go around geoblocking and visit onion sites.
crazysim 2 days ago [-]
Are you really not sure? I'm pretty darn sure a lot of "normal" people don't know how to configure their systems to use a SOCKS proxy to use Tor.
aboardRat4 1 days ago [-]
But a lot of "normal" people don't use tor at all.
crazysim 1 days ago [-]
Ah I should have been more specific and said normal Tor users.
lixtra 2 days ago [-]
> The cleanest mitigation is to return results in a canonical order, such as lexicographic sorting.
And hope that the sorting time cannot be used as a side channel.
octoberfranklin 2 days ago [-]
djbsort is constant-time.
Because most post-quantum cryptosystems need this primitive.
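As an added example, not code from the article, Mozilla or any commenter, here is a toy JavaScript model of the process-global database-name-to-UUID table that nneonneo and stratos123 describe above, together with the canonical (lexicographic) ordering lixtra quotes as the mitigation. The origins, the PRNG seed and the "order by UUID" rule are constructed assumptions; it does not reproduce how Firefox actually derives the order.

```javascript
// Added example (not from the article, Firefox, or any commenter): a toy model of the
// process-global "database name -> UUID" table discussed in the thread, used to show
// why the enumeration order is a cross-origin fingerprint and why returning names in
// canonical order removes it. "Sort by UUID" is a constructed stand-in for Firefox's
// real ordering, which is NOT reproduced here.

// Small deterministic PRNG (mulberry32) so the "process" is reproducible offline.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function next() {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return (t ^ (t >>> 14)) >>> 0;
  };
}

// One browser process. The name->UUID table is NOT keyed by origin: that is the
// property the thread (and the fix) is about.
class BrowserProcess {
  constructor(seed) {
    this.rand = mulberry32(seed);
    this.nameToUuid = new Map(); // process-global, survives site-data deletion
    this.originDbs = new Map();  // origin -> Set of database names (origin-scoped)
  }
  fakeUuid() {
    let s = '';
    for (let i = 0; i < 4; i++) s += this.rand().toString(16).padStart(8, '0');
    return s;
  }
  open(origin, name) {
    if (!this.nameToUuid.has(name)) this.nameToUuid.set(name, this.fakeUuid());
    if (!this.originDbs.has(origin)) this.originDbs.set(origin, new Set());
    this.originDbs.get(origin).add(name);
  }
  // "Delete site data": the per-origin databases go away, the global table does not.
  clearSiteData(origin) { this.originDbs.delete(origin); }
  // Model of indexedDB.databases(): only the caller's own names are returned, but
  // (without the fix) in an order driven by the process-global UUIDs.
  databases(origin, { canonical = false } = {}) {
    const names = [...(this.originDbs.get(origin) || [])];
    if (canonical) return names.sort(); // the mitigation: lexicographic order
    return names.sort((a, b) => (this.nameToUuid.get(a) < this.nameToUuid.get(b) ? -1 : 1));
  }
}

const NAMES = 'abcdefghijklmnop'.split(''); // the 16 names used in the comment above

// What a page observes: create the databases, then read back their order.
function observeOrder(proc, origin, names, opts) {
  for (const n of names) proc.open(origin, n);
  return proc.databases(origin, opts).join('');
}

// Upper bound on the identifier's capacity: log2(n!) bits for n names.
function permutationEntropyBits(n) {
  let bits = 0;
  for (let k = 2; k <= n; k++) bits += Math.log2(k);
  return bits;
}

// Demo: the exact strings depend on the seed; the relationships are what matter.
const proc = new BrowserProcess(1);
const siteA = observeOrder(proc, 'https://a.example', NAMES);
proc.clearSiteData('https://a.example');
const siteAAgain = observeOrder(proc, 'https://a.example', NAMES);
const siteB = observeOrder(proc, 'https://b.example', NAMES);
console.log('a.example     :', siteA);
console.log('after clearing:', siteAAgain);          // same as siteA
console.log('b.example     :', siteB);               // same as siteA: cross-origin
console.log('canonical     :', observeOrder(proc, 'https://b.example', NAMES, { canonical: true }));
console.log('capacity      :', permutationEntropyBits(NAMES.length).toFixed(2), 'bits');
```

A fresh process (new seed) yields a different permutation, which is why a full browser restart, and not "New Identity", resets the identifier in this model.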
https://archive.ph/BbVZo — for those that would rather be fingerprinted by Google than fingerprint-com
self-portrait 2 days ago [-]
Why is Firefox DB open-source MPLv2.0 running .cpp indexedDBdatabses() script on the API:
namespace mozilla {
namespace dom::indexedDB {
using namespace mozilla::dom::quota;
using namespace mozilla::ipc;
using mozilla::dom::quota::Client;
heavyset_go 3 days ago [-]
There are others that Cloudflare and friends use for fingerprinting.
anthk 3 days ago [-]
The best for Tor would just be Links2/Links+ with the socks4a proxy set to 127.0.0.1:9050, enforcing all connection thru a proxy in the settings (mark the checkbox) and disabling cookies altogether.
angry_octet 3 days ago [-]
The best is probably tor in a VM, chromium in a separate VM, javascript disabled, on a private virtual network, with an egress firewall (not just guest VM firewalls, but enable those too) that only allows traffic from a specific origin port on the tor machine. You would also want the VM to spoof the processor features and unique IDs. System time drift/offset remains a vector which is hard to deal with.
Dump the rendered window pixels out to a simple viewer. Mouse movement is still a pain to deal with, but I would default to spoofing it as moving between clicks, with some image parsing logic to identify menu traversal.
Then it should reboot the browser process regularly.
I've been waiting for someone to make a packaged 'VPC in a box' incorporating networking and linked VMs.
keepamovin 2 days ago [-]
Your idea of "dumping the rendered window pixels out to a simple viewer" with Chromium is essentially Remote Browser Isolation (RBI). If you're looking for a packaged way to do this, BrowserBox does exactly this and has a tor-run function built-in, which:
connects Chrome to a Tor SOCKS proxy and wraps all other browsing-related network calls over torsocks. It prevents local fingerprinting leaks (like this IndexedDB ordering bug) because the browser isn't running locally at all. You can host the BrowserBox instance as an onion hidden service, use it to browse over Tor, or both.
If you want to try an ephemeral "VPC in a box" style setup where the environment is destroyed after you're done, you can easily spin it up using this new GitHub action: https://github.com/marketplace/actions/browserbox (but you need a license key, obtainable at https://browserbox.io)
This is my attempt to make it easy to spin up bbx on ephemeral infrastructure that's mostly free (GitHub Actions runners are perfect).
angry_octet 2 days ago [-]
That's great, I'll give it a try.
anthk 2 days ago [-]
Links can force to pass all connections to a proxy, so a FW might be redundant. Forget almost mouse, Links can render the page either to plain X11 or a terminal.
angry_octet 2 days ago [-]
I'm assuming the browser is going to be compromised at some point, for example by getting it to retrieve something without using the socks proxy.
anthk 2 days ago [-]
How? Links in that case won't connect to anything.
fc417fc802 3 days ago [-]
> enforcing all connection thru a proxy in the settings (mark the checkbox)
Just use a network namespace; individual pieces of software are way too easy to misconfigure.
anthk 2 days ago [-]
Links literally puts a graphical (X11) or terminal-based checkbox to enable that to enforce everything through the proxy with the settings menu. Not too easy. If you are going to use Tor you shouldn't be just using Tor Browser by default neither if it enables some JS options. Firefox' base is too huge to configure so nothing ever leaks. There are too many components. A/V, WebGL, telemetry, WASM, WebRTC...
sixothree 3 days ago [-]
Would whonix fit that bill?
1vuio0pswjnm7 2 days ago [-]
Is it assumed that all users, including Tor users, have JavaScript enabled
How does this "identifier" work with Javascript disabled
rendall 2 days ago [-]
This headline reads like the subject line of an alarming scam email.
VladVladikoff 3 days ago [-]
What are these databases not scoped to origin of creation like cookies?
AgentME 3 days ago [-]
They are. The leak is that if a webpage you visit creates several databases with certain names, the order is random but stays the same within the same browser session.
biosboiii 2 days ago [-]
Tor on Chromium, when?
Seriously, I am saddened that Chromium dominates the browser market as much as it does, but at this point the herd-immunity of Chromium is necessary to keep users safe.
keepamovin 2 days ago [-]
To answer "Tor on Chromium, when?", well - you can actually do this right now using BrowserBox! It has a built-in tor-run function that connects Chrome to a Tor SOCKS proxy, and it wraps any other browsing-related network calls over torsocks as well.
Because it's an isolated remote browser, you also get a lot of flexibility. You can run BrowserBox itself as an onion hidden service connected to the clearnet, or connect BrowserBox to browse over Tor, or even do both at the same time. Since this Firefox IndexedDB vulnerability relies on persisting state, you can completely avoid it by running BrowserBox (based on Chromium), and doing it ephemerally. There's actually a new GitHub action [0] that makes spinning up a purely ephemeral, disposable session incredibly easy and would be immune to this kind of process-level state tracking.
The action runs BrowserBox on a GitHub Action Runner, you can specify whether you want a CloudFlare tunnel, or a tor tunnel (which comes with torweb access). And there's a convenience script you can use to run from the command-line - which does the setup then spits out your login link.
All you need is a BrowserBox license (not free), but then you can use it.
I would consider this a lightweight Tor-proxied Browser, not a replacement for Tor Browser, at this time as there are likely edges and leaks that the official Tor Browser has long patched. However, as cases like this IDB bug demonstrate - no security is perfect. If you simply want a way to access tor, and add an extra "ephemeral" hop on a runner, itself over Tor, and not trying to do anything especially sensitive or life-threatening - it's probably good.
Why would a webpage reader even have an "indexdb"?
wolvoleo 3 days ago [-]
Tails (without persistent storage) will mitigate this though. I'm not too concerned.
wlonkly 3 days ago [-]
I'm not sure it will. The problem in Tor here is that the ordering persists beyond "New Identity". It does not persist between browser restarts.
wolvoleo 3 days ago [-]
But that's the key thing about tails. You start it fresh every time from a clean usb stick or iso image.
It's more than a browser restart, it's a complete system wipe every time.
Tails is made on the premise that exactly this kind of trick will occur. Sometimes even persisting between browser restart. For that reason even the persistent storage is very limited. But that's optional and cautioned against for maximum anonymity.
What would be worrying with tails would be if there was some way for some hardware identifier to be exposed. Like a serial number or MAC address. But this kind of thing is exactly what it's made to protect against.
keepamovin 2 days ago [-]
Nice, yes, a fresh Tails restart would definitely tear down the Fox process. And I think if you're disciplined, then purely ephemeral environments are the best mitigation for process-level state leaks like this IndexedDB ordering bug.
For those who want an ephemeral setup but prefer the Chromium engine over Firefox, you can achieve a similar "destroy after use" workflow using BrowserBox. It has a tor-run function that connects Chrome to a Tor SOCKS proxy and wraps all auxiliary network calls over torsocks.
You can easily spin up a purely ephemeral session using a GitHub action [0] so that absolutely no state persists once you close it. As a bonus, you can also run the BrowserBox instance itself as an onion hidden service while browsing over Tor.
But with Tor I like to have more safeguards. So I prefer to run tails in an isolated environment.
keepamovin 2 days ago [-]
You're right that BrowserBox is a commercial product and there's no free tier. Honestly, the reality of running remote browser infra and development is that a free version just gets instantly hammered by botnets, scrapers, and abuse. Keeping it paid is the only way to be sustainable.
I see Neko brought up a lot, but honestly when I tried it a couple years ago it felt pretty clunky. It seems designed more for anime watch parties than serious security or remote isolation, IMO.
I totally get the Tails/Firefox preference, tho. If you want absolute baremetal isolation on your own hardware and have the discipline for it, a fresh Tails USB is definitely the right move. BrowserBox is just a different architecture -- it's mainly for when you specifically want an ephemeral Chromium setup on ... well ... anything, need some policy controls or programmability. And don't want to fiddle with config yourself.
wolvoleo 2 days ago [-]
> Honestly, the reality of running remote browser infra and development is that a free version just gets instantly hammered by botnets, scrapers, and abuse. Keeping it paid is the only way to be sustainable.
Ah but I'd want to run it myself anyway. I wouldn't want it hosted. Especially for browsing, I don't want someone else's systems looking over my shoulder.
I avoid cloud stuff as much as possible in my personal life. When you mentioned github actions I thought it was something you could self-host too, I didn't realise it was a service only. I was looking for a docker or something but as it's not free and (less importantly) foss it won't work for me.
And yes neko is not a polished corporate solution, but it works for me as a home user. It's very flexible to build other stuff with. I have several instances here in different environments (and I don't expose them to the clear internet)
But for work yeah I know there's different options, at work we have zscaler remote browser.
keepamovin 2 days ago [-]
Totally, I get that. That's why BrowserBox is also self-hosted, and yes, has a Docker image, too! Not free nor foss, tho. But I do try to be flexible.
As to cloud - indeed, why would you want to trust a cloud provider with sensitive internal browsing? Also, providing a SaaS is a hassle, but I feel I must do it serve that side and enable those uses, some of which are cool.
wolvoleo 2 days ago [-]
Ohh I didn't realise that it's your product, sorry. It sounds interesting but I'm only a home user (in Europe with not much budget). I just use remote browsers now for navigating the complex patchwork of blocks in the EU. Some sites are blocked in Holland, others in Spain, etc.
keepamovin 1 days ago [-]
Hehe no worries. It’s good to chat anyway.
Amekedl 2 days ago [-]
"The signal is not just stable. It also has high capacity."
stopped reading right there
also it's nothing that anybody using tails for example should have to worry about.
Nothingburger.
fsflover 3 days ago [-]
It seems Qubes OS and Qubes-Whonix are not affected.
handedness 3 days ago [-]
> It seems Qubes OS and Qubes-Whonix are not affected.
This is dangerously incomplete and bad advice.
Qubes OS does not work the way you seem to think it does.
Creating a new identity in the Tor Browser inside a disposable VM does not automatically stop that VM and start a new disposable VM. That initial disposable VM launches the new identity from the existing process and therefore remains vulnerable, the same as any bare metal computer running Tor Browser would.
Virtualization is not magic.
A Qubes OS user needs to spin up a new disposable Whonix VM to sidestep this attack. Creating a new identity alone is ineffective in this threat model.
If you care about these projects as much as you say you do, please stop giving harmful advice. You do it in various places on the Internet and in every thread which gives you half a chance to do so, and these projects would be better off if you either took any of the extensive well-reasoned correction many people offer you, or opted to stop making such claims. The former would be ideal, the latter still vastly preferable to the existing state of affairs.
hrimfaxi 3 days ago [-]
How so? If you kept a disposable VM open and just created new identities in tor browser, how does Qubes mitigate the threat here?
handedness 3 days ago [-]
I believe you are correct, and that this poses a significant risk for people who don't properly understand the underlying concepts.
A Qubes OS user needs to start a new disposable Whonix workstation VM to sidestep this attack, NOT create a new identity in the same disposable VM's browser, which is exactly what this attack targets.
fsflover 3 days ago [-]
On Qubes, you do not create a new identity in the same VM. This would go against the Qubes approach to security/privacy. Using separate VMs for independent tasks is the whole point of using Qubes.
handedness 3 days ago [-]
> On Qubes, you do not create a new identity in the same VM. This would go against the Qubes approach to security/privacy. Using separate VMs for independent tasks is the whole point of using Qubes.
This is technically incorrect information and could get people in trouble if followed literally.
On Qubes OS, if a user creates a new identity inside a Whonix workstation disposable VM via the browser's new identity functionality, the new identity spawns within the same disposable VM. I just tested this on Qubes OS 4.3.
That, I assume, would expose one to OP's vulnerability, as it's still running in the same VM. I would be glad to learn that I'm incorrect in my unverified assumption.
Even Qubes OS users still need to be mindful to launch new disposable VM when keeping identities separate to sidestep this attack.
fsflover 2 days ago [-]
You are right, and I am saying exactly the same thing. You seem to misunderstand that Qubes saves you whenever you use it as designed by its security approach. To benefit from Qubes security, you have to use virtualization to compartmentalize your tasks. Only virtualization is a guarantee of security. Everything running in the same domain is assumed to be not isolated, and a compromise would affect everything in it. Even root access has no password by default in VMs. So what you're saying is obvious to any Qubes user. This is why I didn't mention it. (But I should have indeed.)
By your reasoning, Qubes doesn't provide more protection than the underlying operating systems. I've seen this myth on HN multiple times.
handedness 2 days ago [-]
This is some kind of technological No True Scotsman you keep doing.
Also, please stop grossly misreading the comments of others. You consistently do it to numerous people here.
fsflover 2 days ago [-]
This has nothing to do with "No True Scotsman", because my definitions and assumptions are not flexible. They are defined by the Qubes developers and documented. You misunderstanding me does not equal me being wrong.
When I say "this tool protects you" and you reply "it doesn't protect you if you misuse it; you give dangerous advice", you are the one misleading everyone. (Same with the kill switches on Librem 5.) Other people asked me for details instead of making a personal attack, https://news.ycombinator.com/item?id=47868133
Perhaps you are right that I could add more details for newcomers, but I was not wrong or harmful, unless you think every piece of advice must have full documentation for the tools attached to it.
2ndorderthought 3 days ago [-]
In the last ten years has qubes moved on to support more hardware? Every 4 years I would try to use it only to find it didn't support any of my hardware.
handedness 3 days ago [-]
Qubes OS hardware support, while still far from perfect, is vastly better than it was ten years ago.
Joanna Rutkowska's understandable preference for older kernels had its advantages, but the current team is much more likely to ship somewhat newer kernels and I've been surprised by what hardware 4.3 has worked well on.
Beyond that, I'm currently running a kernel from late Feb/early Mar (6.19.5).
Driver support can still be an issue, and a Wi-Fi card that doesn't play nice with Linux in general is going to be no different on Qubes OS.
Aachen 3 days ago [-]
We buy off the shelf laptops, not sure anyone ever checked that it can run Qubes specifically before trying to install it (I'm sure of at least one person: myself). Doesn't just about any x64 machine with hardware where drivers are available in standard kernels also work with Qubes? What have you bought that's not supported?
2ndorderthought 1 days ago [-]
My attempts were 4 yrs ago and prior to that about 4 yrs prior. Home built PCs, random laptops, etc.
fsflover 3 days ago [-]
Actually, it should work indeed, unless it lacks some Linux drivers or VT-d.
fsflover 3 days ago [-]
Tested hardware can be found here https://qubes-os.org/hcl. New hardware is being constantly added. If you plan to switch to Qubes, consider buying something from that list or, better, certified, or community-recommended hardware linked there.
hrimfaxi 3 days ago [-]
No problems on framework laptop that I've run into at least.
orbital-decay 3 days ago [-]
Most hardware (especially GPUs) is hard to virtualize in a secure manner, which is the entire point of Qubes. People who use it typically buy compatible hardware.
fsflover 3 days ago [-]
I would expect that most Qubes users (including myself) do not virtualize GPUs and use the CPU to render graphics outside of dom0.
ranger_danger 3 days ago [-]
Source?
fsflover 3 days ago [-]
Different VMs result in different identifiers.
handedness 3 days ago [-]
Creating a new identity in the browser in a disposable VM does not start a new disposable VM.
fsflover 2 days ago [-]
I never said that. I only assumed that a user followed the docs when using Qubes-Whonix.
handedness 2 days ago [-]
A dangerous assumption for someone who styles himself as the introducer of Qubes OS to new audiences.
The saying about assumptions is as true as ever, unfortunately for both of us.
fsflover 2 days ago [-]
People who use tools incorrectly bear responsibility for corresponding dangers themselves. They can always ask for additional advice or more details. I don't understand why you are attacking me for that. See also my answer elsewhere (and please stop repeating the same thing in every comment thread): https://news.ycombinator.com/item?id=47878794.
immanuwell 2 days ago [-]
[flagged]
LoganDark 3 days ago [-]
> For developers, this is a useful reminder that privacy bugs do not always come from direct access to identifying data. Sometimes they come from deterministic exposure of internal implementation details.
> For security and product stakeholders, the key point is simple: even an API that appears harmless can become a cross-site tracking vector if it leaks stable process-level state.
This reads almost LLM-ish. The article on the whole does not appear so, but parts of it do.
shevy-java 3 days ago [-]
Well that sucks. I guess in the long run we need a new engine and different approach. Someone should call the OpenBSD guys to come up with working ideas here.
giancarlostoro 3 days ago [-]
> Mozilla has quickly released the fix in Firefox 150 and ESR 140.10.0, and the patch is tracked in Mozilla Bug 2024220.
Did you even read the article at all? Ah my children did bad in school, time to replace them with new children and a different spouse. This is what you're suggesting essentially. A browser is not just something you simply make out of thin air. There's decades of nuance to browser engines, and I'm only thinking of the HTML nuances, not the CSS or JS nuances.
anthk 3 days ago [-]
Given the dangers of JS and WASM they could just fork Netsurf and enhance the CSS3 support. If you are a journalist, running Tor with JS and tons of modern web tech enabled makes you a bright white spot in a sea of darkness.
>Physical isolation is a given safeguard that the digital world lacks
…
>In our digital lives, the situation is quite different: All of our activities typically happen on a single device. This causes us to worry about whether it’s safe to click on a link or install an app, since being hacked imperils our entire digital existence.
>Qubes eliminates this concern by allowing us to divide a device into many compartments, much as we divide a physical building into many rooms. …
Qubes OS is a great solution for this threat model. By my (admittedly cursory) understanding of this attack, one would have to chain the attack to escalate to dom0 to get around it.
Having said that, fsflover exhibits a poor grasp of how this stuff works and all should be aware that even in Qubes OS, one would need to spawn new disposable VMs for each identity; relying on the Tor Browser's new identity creation within the same disposable VM would be little different from running Tor Browser on a traditional OS.
fsflover 2 days ago [-]
> one would need to spawn new disposable VMs for each identity
This is by design how everyone should always be using Qubes OS for any task, according to its documentation and approach to security.
> relying on the Tor Browser's new identity creation within the same disposable VM would be little different from running Tor Browser on a traditional OS
You should note that improperly using Qubes OS, creating a New Identity inside of Tor Browser, even in a disposable Whonix workstation VM, would leave one vulnerable to this.
A user would have to manually start a new disposable VM for each identity.
Most people don't understand that they're being tracked. The ones that do generally don't understand to what extent.
You tend to get one of two responses: surprise or apathy. When people say "what are you going to do?", they don't mean "I don't care"; they mean "I feel powerless to do anything about it, so I'll convince myself to not care or think about it". Honestly, the interpretation is fairly similar for when people say "but my data isn't useful" or "so what, they sell me ads (I use an ad blocker)". Those responses are mental defenses to reduce cognitive overload.
If you don't buy my belief then reframe the question to make things more apparent. Instead of asking people how they feel about Google or Meta tracking them, ask how they feel about the government or some random person. "Would you be okay if I hired a PI to follow you around all day? They'll record who you talk to, when, how long, where you go, what you do, what you say, when you sleep, and everything down to what you ate for breakfast." The number of people that are going to be okay with that will plummet as soon as you change it from "Meta" to "some guy named Mark". You'll still get nervous jokes of "you're wasting money, I'm boring" but you think they wouldn't get upset if you actually hired a PI to do that?
The problem is people don't actually understand what's being recorded and what can be done with that information. If they did they'd be outraged because we're well beyond what 1984 proposed. In 1984 the government wasn't always watching. The premise was more about a country wide Panopticon. The government could be watching at any time. We're well past that. Not only can the government and corporations do that but they can look up historical records and some data is always being recorded.
So the reason I don't buy the argument is because 1984 is so well known. If people didn't care, no one would know about that book. The problem is people still think we're headed towards 1984 and don't realize we're 20 years into that world.
This is exactly what I was saying - if you look at the polls, people actually tend to support things like the UK's Online Safety Act. Explaining it more does not usually result in a change of that. The difference with a PI is you're asking about them individually instead of everyone - of course they trust themselves, they just want everyone surveilled for that same feeling of confidence.
There is a huge difference between those.
If someone hires a PI to follow me, they are spending like $10000/week on that. Which means that their expected value is more than that, or that PI will never pay for itself. Where will this value come from? Likely from me, after all it's me they are tracking. So I am really worried, as I am about to lose a huge amount of money (or something else valuable).
On the other hand, if a store installs a whole bunch of cameras so I am tracked anytime I am in there, then it probably costs them only a few cents to track me. So I really don't care much about losing anything valuable.
The camera not only works for you, but also everybody else in the store. The cost savings is through scale. So consider the situation where "Mark" is hired to not only follow you but a lot of other people. More specifically, people who interact with one another. That data can be collected in parallel, dramatically cheapening the cost per person being tailed.
But your point is off-base regardless. The point of my comment was about the data being collected. A physical person being the data collector doesn't scale very well and if we're being honest "Mark" doesn't collect nearly as much as the digital tracking systems. The point is that it is awareness of being tracked. The average person isn't aware that they're being tracked nor aware of what is being tracked.
Let's put it this way. If I hire some guy named "Mark" to follow you and you never find out he was following you, then you'll never be upset. But suppose I later tell you. Do you then become upset?
Most people will say "yes". So the issue wasn't "how much money" it cost. Nor was it actually "I was aware I was being followed". The issue is that you were /being followed/.
Not knowing you were being followed doesn't suddenly make it okay. But realistically that's the situation we're in. People do not know they are being followed. People that do know they're being followed don't know how much is being recorded. People that do know feel powerless to take steps against it. People that feel powerless just try to move on with their lives and not think about it because it is better to think about things you can change instead of getting depressed.
[0] https://americanprivateinvestigator.com/how-much-does-a-priv...
Yes and no, because people still will think that when it's done at scale it's different from some stalker following YOU explicitly, and not just following everybody. Also, the mental model is "they just want to sell me something, but I can just ignore and don't buy if I'm not really interested". And especially going down this second rabbit-hole opens a whole world about consumerism that not many people are comfortable with. At the same time there are people that are totally against consumerism that should be more informed and care more about tracking and privacy; with those people it's probably easier to have that conversation.
I'm not so sure that counterpoint in particular holds. I think to say the "number of people that are going to be okay with that will [still] plummet" is an understatement. I'd go so far as to say no one, at least no rational person, would be okay with a "record [of] who you talk to, when, how long, where you go, what you do, what you say, when you sleep", etc., just because of the scale.
I see some success by telling people "what if it was our government doing the same thing to us, even by extorting private companies? What if that same government, or the next one, just hates you for whatever reason?"
But again, I hear you. Most people unfortunately have come to view the issue as being just about targeted advertising (which some go so far as to espouse as a good thing).
People don't care. This is demonstrably true.
I joke that I'm a no-app person, because I install very few apps and I use anti tracking tech on my phone that's even hard to explain or recommend to non technical friends. I use Firefox with uMatrix and uBlock Origin and Blockada. uMatrix is effective but breaks so many sites unless one invests time in playing with the matrix. Blockada breaks many important apps (banking) unless one understands whitelisting.
Part of the problem is the misconception that the data being collected is only being used to determine which ads to show them. Companies love to frame it that way because ultimately people don't actually care that much about which ads they get shown. The more people get educated on the real world/offline uses of the data they're handing over the more they'll start to care about the tracking being done.
Also, the degree to which some are more comfortable with the personal privacy/'feeling of personal safety' tradeoff notwithstanding, the examples that do get media traction are predictably extremes that the average person doesn't feel applies to them.
On what basis do you claim that software developers, who did not establish a means for third parties to get a stable identifier, nevertheless intended that fingerprinting techniques should work?
TBF the idea that any and all fingerprinting falls under the umbrella of exploiting a vulnerability was also presented as an assertion. At least personally I think it's a rather absurd notion.
Certainly you can exploit what I would consider a vulnerability to obtain information useful for fingerprinting. But you can also assemble readily available information and I don't think that doing so is an exploit though in most cases it probably qualifies as an unfortunate oversight on the part of the software developer.
1) wanting functionality that isn't provided and working around that
and
2) restoring such functionality in the face of countermeasures
The absence of functionality isn't a clear signal of intent, while countermeasures against said functionality is.
And then there is the distinction between the intent of the software publisher and the intent of the user. There is a big ethical difference between "Mozilla doesn't want advertisers tracking their users" and "those users don't want to be tracked". If these guys want to draw the line at "if there is a signal from the user that they want privacy, we won't track them", I think that's reasonable.
> IMO you need to actually work around a technical measure intended to stop you for it to qualify as an exploit.
Even well-known vulnerabilities like SQL injection don't qualify under this definition?
The point isn't my precise wording but the underlying concept that making use of freely provided information isn't exploiting anything even if both the user and the developer are unhappy about the end result. Security boundaries are not defined post hoc by regret.
An example that comes to mind that I've seen is an anonymous app that allows for blocking users; you can programmatically block users, query all posts, and diff the sets to identify stable identities. However, the ability to block users is desired by the app developers; they just may not have intended this behavior, but there's no immediate solution to this. This is different than 'user_id' simply being returned in the API for no reason, which is a vulnerability. Then there's maybe a case of the user_id being returned in the API for some reason that MIGHT be important too, but that could be implemented another way more sensibly; this leans more towards vulnerability.
Ultimately most fingerprinting technologies use features that are intended behavior; Canvas/font rendering is useful for some web features (and the web target means you have to support a LOT of use cases), IP address/cookies/useragent obviously are useful, etc (though there's some case to be made about Google's pushing for these features as an advertising company!).
Strong disagree.
> IP address/cookies/useragent obviously are useful
Cookies are an intended tracking behavior. IP Address, as a routing address, is debatable.
> Canvas/font rendering is useful for some web features
These two are actually wonderful examples of taking web features and using them as a _side channel_ in an unintended way to derive information that can be used to track people. A better argument would be things like Language and Timezone which you could argue "The browser clearly makes these available and intends to provide this information without restriction." Using side channels to determine what fonts a user has installed... well there's an API for doing just that[0] and we (Firefox) haven't implemented it for a reason.
n.b. I am Firefox's tech lead on anti-fingerprinting so I'm kind of biased =)
[0] https://developer.mozilla.org/en-US/docs/Web/API/Local_Font_...
The thing is, technology is either enabling something or not. The exploration space might be huge, but once an exploit is found, the exploitation code / strategy / plan can trivially proceed and be shared worldwide. So you have to deal with this when you design and patch systems.
Example: preserving paths in URLs. Safari ITP aggressively removes “utm_” and other well-known querystring parameters even in links clicked from email. Well, it is trivial to embed it in a path instead, so that first-party websites can track attribution, eg for campaign performance or email verification links etc. In theory, Apple and Mozilla could actually play a cat-and-mouse game with links across all their users and actually remove high-entropy path segments or confuse websites so much that they give up on all attribution. Browser makers or email client makers or messenger makers could argue that users don’t want to have attribution of their link clicks tracked silently without their permission. They could then say if users really wanted, they could manually enter a code (assisted by the OS or browser) into a website, or simply provide interactive permission of being tracked after clicking a link, otherwise the website will receive some dummy results and break. Where is the line after all?
Unintended identification is less than ideal but frankly is just the nature of doing business and any number of niceties are lost by aggressively avoiding fingerprinting.
In software intentionally optimized to avoid any fingerprinting however it is a vulnerability.
The distinction being that fingerprinting in general is a less than ideal side effect that gives you a minor loss in privacy but in something like Tor Browser that fingerprinting can be life or death for a whistleblower, etc. It's the distinction between an annoyance and an execution.
In what way is collecting a record of a person's browsing history a "minor loss" of privacy? For many people, tracking everywhere they go online would easily expose the most sensitive personal information they have.
With all due respect, and acknowledging that your work is technically excellent…
Isn't everything that you do an exploitation of vulnerabilities? https://news.ycombinator.com/from?site=fingerprint.com
Fingerprinting is all about extracting information about a site's visitors which those users didn't explicitly intend to reveal.
https://github.com/jonasstrehle/supercookie
This is a bit like saying "you should lock the door to your house" and therefore refusing to prosecute someone who steals from a house with a broken window frame. I did lock my door, and it's still a crime regardless!
I get criticizing their business and what they do wrong, but it doesn't seem right to criticize them for doing the right thing.
It's been my experience that the general public doesn't seem to follow patterns and instead focus on which switch is toggled at any given moment for a company's ethical practices. This is the main reason why we are constantly gamed by orgs that have a big picture view of crowd psychology.
I understand where you're coming from, by the way, but sometimes the worst person you know does the right thing and it's not fair to criticize them for doing it (you could say nothing, don't have to change your opinion about them, etc). We also don't want someone to go "if I'm bad no matter what I do, then might as well make some money with this" and sell the exploit.
I hear you. I guess I just want to promote more vigilance. Looking at patterns and motives helps us stay balanced about these things IMHO.
It's not like you can't point out that they did a good deed, but that they're still in the shitty business of fingerprinting users.
Also, if people only get the stick no matter what they do, then eventually some will embrace the dark side and at least make money out of it. And that's not good for you.
And yet, they did a good thing. I will criticize everything else, but not what they did right. It doesn't mean I'll go out of my way to praise them either... if it wasn't your comment, I wouldn't have said anything at all.
Nothing wrong with pointing out hypocrisy and bullshit, but criticizing something they did right? That's not how I operate. You are, of course, free to do things differently.
(Also known as the "Copenhagen Interpretation of Ethics": https://gwern.net/doc/philosophy/ethics/2015-06-24-jai-theco... )
But your considering of all methods that enable fingerprinting as vulnerabilities is your own opinion. There are definitely measurable signals that are based on a user’s behavior, rather than data exposed by the browser itself.
Maybe because it is not as serious as they and their title made it out to be? Did you read it fully?
The identifier described is not process lifetime stable, not machine stable, or profile stable, or installation stable. The article itself says it resets on a full browser restart...
So this is not a magic forever ID and not some hardware tied supercookie. Now what should we do with that title, and the authors of it?
Don't get your opsec advice from HN. Check whonix, qubes, grapheneos, kicksecure forums/wikis. Nihilist opsec, Privacyguides.
Make sure to exit Tor Browser at the end of a session. Make sure not to mix two uses in one session.
Why don't browsers make it like phones where the server (app) has to be granted permission to access stuff?
A user agent that says the browser's version? Reasonable enough.
Being able to ask for fonts, if the system has them? Difficult to have font support without that.
Getting the user's timezone, language and keyboard layout? Reasonable.
The size of the screen, and the size of the browser window? Difficult to lay things out without that.
Of course a video or audio player needs to know which video formats your browser supports - how else to provide the right video?
Obviously javascript can get the time, and it's trivial to figure out the system's clock error by comparing that to the time on a server.
Before you know it, almost every browser is uniquely identifiable.
User agents as a concept are rather poorly thought out across the board and not all that useful but persist because that's just how technical cruft is.
Fonts should be provided by the website; if not provided the choice should take the form of a spec sent by the website including line height, serifs or not, monospace or not, etc. There's little to no excuse for the current font situation IMO beyond poor design decisions that became heavily entrenched.
Timezone and other obviously private metadata should never be shared without the user explicitly granting permission on a case by case basis. The status quo here is completely inexcusable as is the continued failure to fix the problem.
Size of the physical screen should never be exposed under any circumstances. The current size of the browser window is reasonable on its face but now that fingerprinting is understood to be an issue should always be heavily letterboxed unless the user consents to sharing the exact value.
Video formats should be provided by the website as a list of offerings and the browser should respond with a choice; the user could optionally intervene. There's no reason to expose the full capabilities to a remote service.
Querying the current time should be gated behind an explicit permission. There's almost never a need for it. However from a fingerprinting perspective you also have to worry about correlating the rate of clock skew across clients. That can be solved by gating access to high resolution time counters behind an explicit permission as (once again) the vast majority of services have no legitimate use for such functionality.
No way!
I don’t ever use any font provided by the website. I don’t even let websites choose which fonts get used. Instead I choose a set of fonts (monospaced and proportional) that are readable and everything uses those.
If you want to see what that looks like, go into the Firefox settings, find the Fonts section, click Advanced, and then uncheck “Allow pages to choose their own fonts, instead of your selections above”. Be sure to adjust the “Minimum font size” while you’re here so that nobody uses text sizes that you cannot read.
Width of individual characters would still reveal the browser's choice to some extent. Stick them in an inline-block element and check its width.
> Video formats should be provided by the website as a list of offerings and the browser should respond with a choice
The server still controls what's offered and can see what's supported by offering different combinations. Besides, isn't this how it works now?
That is a fair point but it would presumably still be a step in the right direction.
> video formats
True, a malicious streaming site could still work to fingerprint your client if you watched multiple different videos. However that would require active work on the part of the server and could be mitigated by the client which is already miles better than the status quo.
I suppose my proposed solution would also introduce a new constraint that a stream couldn't switch codecs from one chunk to the next but I doubt that would be much of an issue in practice.
I don't believe that's how it works now. At present the server would typically send code that queries for codec support prior to sending video chunks. These days there's the low level WebCodecs API; [0] previously you would have used MediaSource.isTypeSupported( ... ). [1] The issue is that at present the code sent by the server handles any queries and makes the selection. That leaves the door open to run arbitrary queries for the purpose of characterizing the underlying platform.
[0] https://developer.mozilla.org/en-US/docs/Web/API/WebCodecs_A...
[1] https://developer.mozilla.org/en-US/docs/Web/API/Media_Sourc...
> If the type attribute is specified, the browser immediately compares it with the media types it can display. If the type is not supported, the browser skips querying the server and directly checks the next <source> element.
Yeah, because I love it when every website I go to downloads 10 megs of fonts to my computer before it starts rendering the page. Fonts should be suggested by the website, and a bog-standard "every computer has this" font should be listed as the fallback.
> Timezone and other obviously private metadata should never be shared without the user explicitly granting permission on a case by case basis
100% agree.
> Size of the physical screen should never be exposed under any circumstances
I mostly agree, but with the understanding that this would cause issues with "modern" web pages having very difficult to format layouts. Responsive design requires a response, after all.
> Video formats should be provided by the website as a list of offerings and the browser should respond with a choice
You're still getting the same feedback with this, that the browser chose to use X format, so you're not increasing privacy with this, only difficulty.
> Querying the current time should be gated behind an explicit permission
100% agree. If there is no active local processing of information that the server relies on, in the format of a game or some other interactivity, then there is no reason why the server needs to know your local time.
That's why I said that a spec mechanism should also be provided. The issue is that sites can perform measurements regarding the layout that change based on the font used. So the browser should only ever provide a few fallbacks, nothing more, and anything else needs to come from the site itself.
> screen size
I think maybe you're confusing the physical screen with the current size of the browser window?
> video formats
The issue at present is that a site can programmatically test a long list of formats against your setup to see what happens. What I'm describing increases privacy because the site can no longer directly query for the entire list of supported formats and the user can optionally control the process. Obviously it's still possible to botch the implementation on the browser's end but the point is to make it possible to do the right thing.
Now we have actual criminal organizations and other real bad actors.
I'm sure we can come up with something better than advertise our whole local computing platform on every HTTP request.
Browsers do not "generate" fingerprints. They expose data that can be used to fingerprint users. You cannot "randomize" this; even if you were to return random values for, say, user screen size, with various visual side effects, it would just be another signal to fingerprint: "Oh, your browser is returning random values? Must be a Tor browser user".
That's perfectly fine! As long as they can't tell which tor user you are they can't track your browsing activity or associate it to any one tor user. That's the goal. Currently tor browser sticks out like a sore thumb by trying to appear identical no matter who uses it, which is fragile because any one data point unaccounted for unmasks everyone.
You'd have to fingerprint the browser first to determine that the "random values" were indeed coming from it.
No applications. No mail. No need for cookies.
I can use a "regular" browser for more enhanced stuff. But for simple content consumption, we can just have a "dumb" browser that can't do much.
> A user agent that says the browser's version? Reasonable enough.
No user agent. I'm guessing it will need it for JavaScript or HTML features, and dynamically update if using an old browser, but let's just not supply a user agent and let it be the reader's burden to have a reasonably decent browser.
> Being able to ask for fonts, if the system has them? Difficult to have font support without that.
What's the fallback if the system doesn't have them?
> Getting the user's timezone, language and keyboard layout? Reasonable.
Keyboard layout is irrelevant for viewing content. For timezone and language: Yeah, I can see the use cases, but these are in a small minority. Let there be a popup when requested, and the user can specify the timezone/language as requested.
> The size of the screen, and the size of the browser window? Difficult to lay things out without that.
Let's let this new browser return only from a (small) discrete set of sizes. It will pick the size closest to the actual browser window size and send that.
> Of course a video or audio player needs to know which video formats your browser supports - how else to provide the right video?
Same answer as user agent. Either let the user pick from a selection of video formats, or just hard code a reasonable one and put the onus on the user to have a browser that supports it.
> Obviously javascript can get the time, and it's trivial to figure out the system's clock error by comparing that to the time on a server.
This hypothetical browser could just not send the time :-) For 99% of content consumption, this function is not needed.
What I'm describing should be part of "Private mode". Or browsers should have an "Ultra-private" mode that is the above. If it's too complex/risky maintaining it all in one codebase ... fine. Just have a separate browser.
Right now, if I built such a browser, I'm sure a lot of sites meant for content would break. But in my fantasy world, using "Ultra-private" would be the default, and people who make sites will target them first.
I think much of the complexity in making a web browser is all the "other" stuff. Being able to run apps, cookie/privacy management, etc.
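As an added example (not code from the thread, nor from Tor Browser or Firefox), here are two of the mitigations argued for in this comment and in the earlier one about letterboxing window sizes and gating high-resolution timers, written as plain JavaScript that runs under Node or in a browser console: report the viewport only from a small discrete set of sizes, and coarsen timestamps so a high-resolution clock stops being a signal. The bucket lists, the 100 ms resolution, and every function name below are assumptions made for illustration.

```javascript
// Added example, not code from the thread or from any browser project.
// It sketches two proposed mitigations as plain functions:
// (1) report the viewport only from a small discrete set of sizes, and
// (2) coarsen timestamps so high-resolution timers stop being a signal.
// All bucket values and resolutions below are assumed for illustration.

// Assumed discrete size sets (ascending). Real browsers pick their own steps.
const WIDTH_BUCKETS = [800, 1000, 1200, 1400, 1600];
const HEIGHT_BUCKETS = [600, 700, 800, 900, 1000];

// "Pick the size closest to the actual window": nearest bucket; ties keep
// the smaller value because the list is ascending.
function snapToClosest(actual, buckets) {
  let best = buckets[0];
  for (const b of buckets) {
    if (Math.abs(b - actual) < Math.abs(best - actual)) best = b;
  }
  return best;
}

// Letterbox variant: largest bucket that still fits inside the real window,
// so the page never lays out for space it does not have. Windows smaller
// than the smallest bucket fall back to that bucket (content would scroll).
function snapDown(actual, buckets) {
  let best = buckets[0];
  for (const b of buckets) {
    if (b <= actual) best = b;
  }
  return best;
}

// What a page would see for a given real window size under letterboxing.
function reportedViewport(realWidth, realHeight) {
  return {
    width: snapDown(realWidth, WIDTH_BUCKETS),
    height: snapDown(realHeight, HEIGHT_BUCKETS),
  };
}

// Coarsen a timestamp in milliseconds (fractional allowed) to a fixed grid.
// A page asking for the time gets a value on the grid, never the raw reading.
function coarsenTime(tMs, resolutionMs = 100) {
  return Math.floor(tMs / resolutionMs) * resolutionMs;
}

// Count the distinct outputs a quantizer produces over an input range: a quick
// way to see how much of the original signal survives the mitigation.
function distinctOutputs(fn, from, to, step = 1) {
  const seen = new Set();
  for (let x = from; x <= to; x += step) seen.add(fn(x));
  return seen.size;
}

// Compare raw vs. letterboxed widths across common laptop window widths.
function widthSignalSummary() {
  return {
    raw: distinctOutputs((w) => w, 800, 1920),
    letterboxed: distinctOutputs((w) => snapDown(w, WIDTH_BUCKETS), 800, 1920),
  };
}

console.log(reportedViewport(1366, 768)); // { width: 1200, height: 700 }
console.log(coarsenTime(1234.567));       // 1200
console.log(widthSignalSummary());        // { raw: 1121, letterboxed: 5 }
```

The closest-bucket rule from the later comment can over-report (a 1100 px window snapping to 1200 px leaves the page laying out for space it does not have), which is why the snap-down variant is the one `reportedViewport` uses; the `distinctOutputs` count makes the trade-off concrete: 1121 possible widths collapse to 5, and a millisecond clock read over one second collapses to 10 values at a 100 ms grid.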
If 100 people are using that browser, how will they know which one is me?
> How browsers render SVGs can be used for fingerprinting (even the underlying OS affects this, and I assume you'll want to see those)
Can you provide details on this? And how will they know which OS I'm using (through SVG rendering...)? The UserAgent definitely should not send the OS.
> combine with ISP from IP address
That's already provided whether I use Private mode or not, correct? I can always use a VPN.
> You're the only one out of 100 that visits HN
So the HN operator sees someone using this browser, with this timezone. Then I go to some other site. Let's pretend that site's operator and HN's are identical. How will they know that I'm the same guy who went to HN? How does he know there aren't two people who use the browser in the same timezone (and the other one doesn't go to HN)?
This is how surveillance operates at scale. You don't need a stable identifier linking a specific person's identity, you just need a few data points to narrow it down to even a few thousand people. Then you apply more focus on those people, gathering data points that eliminate people until you're left with your target. And thanks to decades of global iteration on surveillance infrastructure, and AI to glue data sets together, it's all automated.
No support for forms. The browser is meant for content consumption. Not for interaction/creation.
One could argue that any JS capabilities to do network requests (including dynamically rendering content) would be disallowed.
Yes, I know, this is going pre-Web 2.0.
Yes, of course, most current sites won't work in that model. But I'll also say: Most current content sites don't need these capabilities. They have them because they know the browser supports them.
Again - a fantasy. I know only a few people will use it. I know that won't be enough to change web behavior. It would be nice, though, if sites carried a badge to indicate they conform to all of the above.
thankfully I think traditional web surfing is probably going to die out in the next 10 years, and progressively decline a lot much sooner than that as people start to interact with AI rather than browsers (or any software for that matter).
my feed of hackernews is going to be my AI agent giving it to me in plain text very soon, and soon after that I will probably never visit the internet again because it will be impossible to know what's real and fake
as a millennial it will be interesting to experience the full cycle of being born when nothing was online, to everything being online, to then again being entirely offline by the time I'm older
Wait for the advent of local agents running on local models (for privacy) followed by techniques to fingerprint agents, followed by techniques to infer query parameters based on agent behavior. I wish I was joking but it seems all too plausible.
What you want exists, have at it
"Web applications use it for offline support, caching, session state, and other local storage needs"
This use case is completely orthogonal to what my browser is meant to do. My browser would not have a concept of local storage.
The premise of starting with a modern browser and stripping away features to get privacy is flawed - it's always vulnerable to these types of things. I'm going the opposite route: Only add features if they cannot be exploited for monitoring.
When I use Resist Fingerprinting my main issue is the timezone being set to UTC. Most of the other stuff it does never causes issues. I guess sometimes sites need to read the canvas, but there's a permission box that allows that when needed. I wish there was a similar permission box for timezone.
The only other drawback to the "resist fingerprinting" option is you will encounter Cloudflare's captcha checkbox everywhere and all of the time :(
All these things should be opt-in and like blocked by GDPR.
Apps have access to inconceivable amounts of identifiers and device characteristics, even on well-protected systems without Google Play services.
And since browsers rival OSes for complexity (they are basically OSes in their own right already), any part of the system can be inadvertently exposed and exploited.
Like Android phones perhaps? Unfortunately Apple gives very little granular control.
But most ROMs don't allow controls for WiFi, Cell data, Phone ID, Phone number, User ID, local storage, etc...
Whether they care is entirely separate.
They may outwardly appear to agree with your statement, but it may be for very different reasons than you think.
Edit: clarification
> In Firefox Private Browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process remains running. In Tor Browser, the stable identifier persists even through the "New Identity" feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuits.
1. Website fingerprints the browser, stores a cookie with an ID and a fingerprint.
2. During the next session, it fingerprints again and compares with the cookie. If fingerprint changed, notify server about old and new fingerprint.
Assume the same.
>The idea is to amass as much information as possible
Reminded, from 2012: https://www.wired.com/2012/03/ff-nsadatacenter/
https://metrics.torproject.org/rs.html
Also, does anyone know of any researchers in the academic world focusing on this issue? We are aware that EFF has a project that used to be named after a pedophile on this subject, but we are more looking for professors at universities or pure research labs ala MSR or PARC than activists working for NGOs, however pure their praxis :-)
As privacy geeks, we have become fascinated with the topic -- it seems that while we can achieve security through extensions like noscript or ublock origin or firefox containers (our personal "holy trinity"), anonymity slips through our fingers due to fingerprinting issues. (Especially if we lump stylometry in the big bucket of "fingerprinting".)
[1] https://web.archive.org/web/20260422190706/https://fingerpri...
You bring this up like it's a well known incident, but my googling can find no evidence of it? The only reason not say the name of the project would be if it's common knowledge, but it's not?
ChatGPT research reckons you're making it up, and I'd be curious if you have evidence to the contrary?
So what happened here is basically... AI told you that something that made you suspicious because you have zero subject matter expertise is suspect?
I'm not really sure how to react to someone who has a robot affirm their anxieties other than to stand by my previous statements and give a polite pointer at some terms to look up on Wikipedia rather than feed into a clanker.
You said it was “named after a pedophile”, that is wrong
>>The word panopticon derives from the Greek word for "all seeing" – panoptes.
The concept was invented by Jeremy Bentham, who died before Foucault was born.
Interesting that you named your HN account after a famous homophobe.
that guy is no longer with the project and does brave now iirc
(it's super interesting to us that two different people took such a wild leap btw)
Foucault is dead.
>>(it's super interesting to us that two different people took such a wild leap btw)
It's super interesting to me that you expected people to make the wild leap from “named after a pedophile” to a project that wasn't even named after a person.
You chose to communicate poorly to make a point and are now complaining when the point turned out to not even be true.
You could have said 'Panopticlick' and people would have known what you were talking about. Instead, you left the name out and instead pointed out the rename and the “fact” that it was previously named after a pedophile. The obvious implication is that it was renamed to cover this up.
The smug tone of your follow-up leads me to the conclusion that you had some “fun” trivia from a class you took one time, and you prioritised showing that off over clear communication (while falsely implying some kind of cover-up of wrongdoing by the EFF).
https://lundi.am/The-Black-Masses-of-Michel-Foucault-the-Bul...
Plus as others noted, even if true your original statement would still be a lie since a Panopticon is a concept not a person.
If you type one thing and expect people to understand that you meant something else then I will have to assume that by this:
>>people who do post grads tend to be well rounded enough to have read a bit of philosophy, or at least, they did in my day.
you meant you once visited a university but never enrolled in any classes?
You can complain that people on the internet misunderstand on purpose (and I agree it is far too common), but that complaint is only valid if you communicate clearly yourself.
I also like anonbib as a central repo for interesting work.
https://www.freehaven.net/anonbib/topic.html
JS also dramatically improves security. TBB is stuck in a 90s mindset about privacy, as if Firefox exploits were not a dime a dozen. Especially with AI making FF exploits more available, we can expect many tor sites to be actively attacking their visitors.
Tor endpoints are pretty easy to identify, there are plenty of handy databases for that, using it to begin with increases your uniqueness. If noscript was set to strictly disallow javascript by default, that decreases the degree to which it increases your signature relative to the baseline of using tor.
Then we have to account for the simple fact that many, many fingerprinting techniques rely on javascript, so taking them out of the picture reduces the unique identity that can be gleaned.
Are we absolutely, positively sure that the tradeoff is worth it? Without a strict repeatable measurement, I think I'm highly skeptical about whether or not a default of "allow" is a net boon to hiding your identity. I remember the rationale about the switch mostly being directed towards "most of the web is broken otherwise and that's bad."
If TBB changed to js off by default that signal would be less evident, and also, fingerprinting would be harder.
How so?
Tor Browser also doesn't spoof navigator.platform at all for some reason, so sites can still see when you use Linux, even if the User-Agent is spoofing Windows.
We're talking about users of the Tor browser, and I'd be very surprised if this was the case (that a majority keep JS turned on)
Basically every Tor guide (heh) tells you to turn it off because it's a huge vector for all types of attacks. Most onion sites have captcha systems that work without JS too which would indicate that they expect a majority to have it disabled.
I've heard a handful of people say this but are there examples of what I would imagine would have to be server-side fingerprinting and the granularity? Since most fingerprinting I'm aware of is client-side, running via JS. While I expect server-side checks to be limited to things like which resources haven't been loaded by a particular user and anything else normally available via server logs either way, which could limit the pool but I wonder how effective in terms of tracking uniqueness across sites.
https://fingerprint.com/blog/disabling-javascript-wont-stop-...
There is also a method of fingerprinting using the favicon: https://github.com/jonasstrehle/supercookie
Hmm, I'm a little confused, since in 2021 Mozilla released experimental one-process-per-site:
> This fundamental redesign of Firefox’s Security architecture extends current security mechanisms by creating operating system process-level boundaries for all sites loaded in Firefox for Desktop
https://blog.mozilla.org/security/2021/05/18/introducing-sit...
Perhaps that is not fully released?
Or perhaps it is, but IndexedDB happens to live outside of that isolation?
If so, cool!
That's why expansion of web standards is wrong. Browsers should provide minimal APIs for interacting with the device, and features like IndexedDB can be implemented as a WebAssembly library, leaking no valuable data.
For example, if canvas provided only access to picture buffer, and no drawing routines calling into platform-specific libraries, it would become useless for fingerprinting.
Or just open dev tools
And all browser devs should be required to actively fight against fingerprinting.
There is no legitimate need for fingerprinting in browsers.
Why is this global keyed only by the database name string in the first place?
The post mentions a generated UUID, why not use that instead, and have a per-origin mapping of database names to UUID somewhere? Or even just have separate hash-tables for each origin? Seems like a cleaner fix to me compared to sorting (imo, though admittedly, more of a complex fix with architectural changes)
Seems to me that having a global hashtable that shares information from all origins is asking for trouble, though I'm sure there is a good explanation for this (performance, historical reasons, some benefits of this architecture I'm not aware of, etc.).
The IndexedDB UUID is "shared across all origins", so why not use the contents of the database to identify browsers, rather than the ordering?
The key vulnerability here is that, for the lifetime of that Firefox process, any website that makes that set of databases is going to see the exact same output ordering, no matter what the contents of those databases are. That makes this a fingerprint: it's a stable, high-entropy identifier that persists across time, even if the contents of those databases are not preserved. It is shared even across origins (where the contents would not be), and preserved after website data is deleted -- all a website has to do to re-acquire the fingerprint is recreate the databases with the same names and observe their ordering.
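To make the ordering argument concrete, here is a constructed model (added for this thread, not Firefox code) of the three designs raised in the question above and the answer here: a process-global table keyed by bare database name, a per-origin key, and a sorted listing. The per-process hash seed, the origins, the database names and the helper names are all assumptions; the only property modelled is that iteration order depends on the seed and the key, not on insertion order or stored contents.

```python
import hashlib
import secrets

# Constructed database names; any fixed set of names would do.
NAMES = ["alpha", "beta", "gamma", "delta", "eps", "zeta", "eta", "theta"]


class IndexedDBModel:
    """Constructed model (not Firefox code) of the table behind
    indexedDB.databases().  `keying` selects the hypothetical design:
      'global'     - keyed by the bare database name, shared by all origins
                     (the vulnerable design the thread describes)
      'per-origin' - keyed by origin + name, as proposed in the thread
      'sorted'     - listing is returned sorted by name (a sorting fix)
    Iteration order is modelled as ordering by a keyed hash with a random
    per-process seed: stable for the life of the process, independent of
    insertion order and of stored contents."""

    def __init__(self, keying, seed=None):
        self.keying = keying
        self.seed = seed if seed is not None else secrets.token_bytes(8)
        self.slots = {}  # table key -> set of origins that created it

    def _key(self, origin, name):
        if self.keying == "per-origin":
            return f"{origin}\x00{name}"
        return name

    def _slot(self, key):
        digest = hashlib.blake2b(self.seed + key.encode(), digest_size=8)
        return int.from_bytes(digest.digest(), "big")

    def open(self, origin, name):
        self.slots.setdefault(self._key(origin, name), set()).add(origin)

    def delete_site_data(self, origin):
        """Clear everything `origin` stored; slots nobody owns are dropped."""
        for key in list(self.slots):
            self.slots[key].discard(origin)
            if not self.slots[key]:
                del self.slots[key]

    def databases(self, origin):
        """Names visible to `origin`, in the order the table yields them."""
        mine = [key for key, owners in self.slots.items() if origin in owners]
        if self.keying == "sorted":
            return sorted(mine)
        ordered = sorted(mine, key=self._slot)
        return [key.split("\x00", 1)[-1] for key in ordered]


def order_tag(order):
    """Collapse a listing order into a short tag; equal orders, equal tags."""
    return hashlib.sha256("|".join(order).encode()).hexdigest()[:12]


def observe(model, origin, names):
    """What one site can learn: open the set, list, clear, reopen, list again."""
    for name in names:
        model.open(origin, name)
    first = order_tag(model.databases(origin))
    model.delete_site_data(origin)
    for name in reversed(names):  # different insertion order on purpose
        model.open(origin, name)
    return first, order_tag(model.databases(origin))


def experiment(keying, seed=None):
    """Two origins in one process open the same names; report what links."""
    proc = IndexedDBModel(keying, seed)
    a_first, a_after_clear = observe(proc, "https://a.example", NAMES)
    b_first, _ = observe(proc, "https://b.example", NAMES)
    return {
        "survives_clear": a_first == a_after_clear,  # same-site re-identification
        "cross_origin_match": a_first == b_first,    # cross-site linking
        "tag": a_first,
    }


def distinct_tags(keying, processes=64):
    """How many different tags one site sees across fresh browser processes."""
    return len({experiment(keying)["tag"] for _ in range(processes)})
```

Running `experiment` and `distinct_tags` for each keying shows the trade-off: the per-origin key stops two sites from matching tags but still re-identifies a site's visitor after data deletion within the same process, while the sorted listing yields one tag everywhere and so carries no identifying signal at all.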
So it persists between anonymous sessions. So you could connect User A, who logged out and reset the identity, to User B, who believed they were using a fresh anonymous session and logged in afterwards.
https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1...
Says that Firefox has a bug that prevents favicons from being loaded from cache, which inadvertently protects against this technique. They filed a bug report on it in 2020 but nothing has happened with it yet: https://bugzilla.mozilla.org/show_bug.cgi?id=1618257
https://blog.torproject.org/new-release-tor-browser-15010/
And hope that the sorting time cannot be used as a side channel.
Because most post-quantum cryptosystems need this primitive.
https://sorting.cr.yp.to/
namespace mozilla {
namespace dom::indexedDB {
using namespace mozilla::dom::quota;
using namespace mozilla::ipc;
using mozilla::dom::quota::Client;
Dump the rendered window pixels out to a simple viewer. Mouse movement is still a pain to deal with, but I would default to spoofing it as moving between clicks, with some image parsing logic to identify menu traversal.
Then it should reboot the browser process regularly.
I've been waiting for someone to make a packaged 'VPC in a box' incorporating networking and linked VMs.
connects Chrome to a Tor SOCKS proxy and wraps all other browsing-related network calls over torsocks. It prevents local fingerprinting leaks (like this IndexedDB ordering bug) because the browser isn't running locally at all. You can host the BrowserBox instance as an onion hidden service, use it to browse over Tor, or both.
If you want to try an ephemeral "VPC in a box" style setup where the environment is destroyed after you're done, you can easily spin it up using this new GitHub action: https://github.com/marketplace/actions/browserbox (but you need a license key, obtainable at https://browserbox.io)
This is my attempt to make it easy to spin up bbx on ephemeral infrastructure that's mostly free (GitHub Actions runners are perfect).
Just use a network namespace; individual pieces of software are way too easy to misconfigure.
How does this "identifier" work with Javascript disabled
Seriously, I am saddened that Chromium dominates the browser market as much as it does, but at this point the herd-immunity of Chromium is necessary to keep users safe.
Because it's an isolated remote browser, you also get a lot of flexibility. You can run BrowserBox itself as an onion hidden service connected to the clearnet, or connect BrowserBox to browse over Tor, or even do both at the same time. Since this Firefox IndexedDB vulnerability relies on persisting state, you can completely avoid it by running BrowserBox (based on Chromium), and doing it ephemerally. There's actually a new GitHub action [0] that makes spinning up a purely ephemeral, disposable session incredibly easy and would be immune to this kind of process-level state tracking.
The action runs BrowserBox on a GitHub Action Runner, you can specify whether you want a CloudFlare tunnel, or a tor tunnel (which comes with torweb access). And there's a convenience script you can use to run from the command-line - which does the setup then spits out your login link.
All you need is a BrowserBox license (not free), but then you can use it.
I would consider this a lightweight Tor-proxied Browser, not a replacement for Tor Browser, at this time as there are likely edges and leaks that the official Tor Browser has long patched. However, as cases like this IDB bug demonstrate - no security is perfect. If you simply want a way to access tor, and add an extra "ephemeral" hop on a runner, itself over Tor, and not trying to do anything especially sensitive or life-threatening - it's probably good.
[0]: https://github.com/marketplace/actions/browserbox
[1]: https://github.com/BrowserBox/BrowserBox
It's more than a browser restart, it's a complete system wipe every time.
Tails is made on the premise that exactly this kind of trick will occur. Sometimes even persisting between browser restarts. For that reason even the persistent storage is very limited. But that's optional and cautioned against for maximum anonymity.
What would be worrying with tails would be if there was some way for some hardware identifier to be exposed. Like a serial number or MAC address. But this kind of thing is exactly what it's made to protect against.
For those who want an ephemeral setup but prefer the Chromium engine over Firefox, you can achieve a similar "destroy after use" workflow using BrowserBox. It has a tor-run function that connects Chrome to a Tor SOCKS proxy and wraps all auxiliary network calls over torsocks.
You can easily spin up a purely ephemeral session using a GitHub action [0] so that absolutely no state persists once you close it. As a bonus, you can also run the BrowserBox instance itself as an onion hidden service while browsing over Tor.
[0]: https://github.com/marketplace/actions/browserbox
For remote browser tools I use neko https://github.com/m1k1o/neko
But with Tor I like to have more safeguards. So I prefer to run tails in an isolated environment.
I see Neko brought up a lot, but honestly when I tried it a couple years ago it felt pretty clunky. It seems designed more for anime watch parties than serious security or remote isolation, IMO.
I totally get the Tails/Firefox preference, tho. If you want absolute baremetal isolation on your own hardware and have the discipline for it, a fresh Tails USB is definitely the right move. BrowserBox is just a different architecture -- it's mainly for when you specifically want an ephemeral Chromium setup on ... well ... anything, need some policy controls or programmability. And don't want to fiddle with config yourself.
Ah but I'd want to run it myself anyway. I wouldn't want it hosted. Especially for browsing, I don't want someone else's systems looking over my shoulder.
I avoid cloud stuff as much as possible in my personal life. When you mentioned github actions I thought it was something you could self-host too, I didn't realise it was a service only. I was looking for a docker or something but as it's not free and (less importantly) foss it won't work for me.
And yes neko is not a polished corporate solution, but it works for me as a home user. It's very flexible to build other stuff with. I have several instances here in different environments (and I don't expose them to the clear internet)
But for work yeah I know there's different options, at work we have zscaler remote browser.
As to cloud - indeed, why would you want to trust a cloud provider with sensitive internal browsing? Also, providing a SaaS is a hassle, but I feel I must do it to serve that side and enable those uses, some of which are cool.
This is dangerously incomplete and bad advice.
Qubes OS does not work the way you seem to think it does.
Creating a new identity in the Tor Browser inside a disposable VM does not automatically stop that VM and start a new disposable VM. That initial disposable VM launches the new identity from the existing process and therefore remains vulnerable, the same as any bare metal computer running Tor Browser would.
Virtualization is not magic.
A Qubes OS user needs to spin up a new disposable Whonix VM to sidestep this attack. Creating a new identity alone is ineffective in this threat model.
If you care about these projects as much as you say you do, please stop giving harmful advice. You do it in various places on the Internet and in every thread which gives you half a chance to do so, and these projects would be better off if you either took any of the extensive well-reasoned correction many people offer you, or opted to stop making such claims. The former would be ideal, the latter still vastly preferable to the existing state of affairs.
A Qubes OS user needs to start a new disposable Whonix workstation VM to sidestep this attack, NOT create a new identity in the same disposable VM's browser, which is exactly what this attack targets.
This is technically incorrect information and could get people in trouble if followed literally.
On Qubes OS, if a user creates a new identity inside a Whonix workstation disposable VM via the browser's new identity functionality, the new identity spawns within the same disposable VM. I just tested this on Qubes OS 4.3.
That, I assume, would expose one to OP's vulnerability, as it's still running in the same VM. I would be glad to learn that I'm incorrect in my unverified assumption.
Even Qubes OS users still need to be mindful to launch a new disposable VM when keeping identities separate to sidestep this attack.
By your reasoning, Qubes doesn't provide more protection than the underlying operating systems. I've seen this myth on HN multiple times.
Also, please stop grossly misreading the comments of others. You consistently do it to numerous people here.
When I say "this tool protects you" and you reply "it doesn't protect you if you misuse it; you give dangerous advice", you are the one misleading everyone. (Same with the kill switches on Librem 5.) Other people asked me for details instead of making a personal attack, https://news.ycombinator.com/item?id=47868133
Perhaps you are right that I could add more details for newcomers, but I was not wrong or harmful, unless you think every piece of advice must have full documentation for the tools attached to it.
Joanna Rutkowska's understandable preference for older kernels had its advantages, but the current team is much more likely to ship somewhat newer kernels and I've been surprised by what hardware 4.3 has worked well on.
Beyond that, I'm currently running a kernel from late Feb/early Mar (6.19.5).
Driver support can still be an issue, and a Wi-Fi card that doesn't play nice with Linux in general is going to be no different on Qubes OS.
The saying about assumptions is as true as ever, unfortunately for both of us.
> For security and product stakeholders, the key point is simple: even an API that appears harmless can become a cross-site tracking vector if it leaks stable process-level state.
This reads almost LLM-ish. The article on the whole does not appear so, but parts of it do.
Did you even read the article at all? Ah my children did bad in school, time to replace them with new children and a different spouse. This is what you're suggesting essentially. A browser is not just something you simply make out of thin air. There's decades of nuance to browser engines, and I'm only thinking of the HTML nuances, not the CSS or JS nuances.
>Physical isolation is a given safeguard that the digital world lacks
…
>In our digital lives, the situation is quite different: All of our activities typically happen on a single device. This causes us to worry about whether it’s safe to click on a link or install an app, since being hacked imperils our entire digital existence.
>Qubes eliminates this concern by allowing us to divide a device into many compartments, much as we divide a physical building into many rooms. …
Sold
https://doc.qubes-os.org/en/latest/introduction/intro.html
Having said that, fsflover exhibits a poor grasp of how this stuff works and all should be aware that even in Qubes OS, one would need to spawn new disposable VMs for each identity; relying on the Tor Browser's new identity creation within the same disposable VM would be little different from running Tor Browser on a traditional OS.
This is by design how everyone should always be using Qubes OS for any task, according to its documentation and approach to security.
> relying on the Tor Browser's new identity creation within the same disposable VM would be little different from running Tor Browser on a traditional OS
Yes, if you use a single VM on Qubes OS for everything, then all security you get is from the OS running in this VM. This is not how you use Qubes, https://doc.qubes-os.org/en/r4.3/introduction/faq.html#how-d...
I run Qubes as a daily driver according to the docs, and my workflow was not vulnerable to the discussed attack.
Yet again, please stop grossly misreading the comments of others. You consistently do it to numerous people here.
A user would have to manually start a new disposable VM for each identity.