Firefox 52 Borrows One More Privacy Feature From the Tor Browser (bleepingcomputer.com)
An anonymous reader writes: Mozilla engineers have added a mechanism to Firefox 52 that prevents websites from fingerprinting users using system fonts. The user privacy protection system was borrowed from the Tor Browser, where a similar mechanism blocks websites from identifying users based on the fonts installed on their computers, only returning a list of "default fonts" per each OS. While sabotaging system font queries won't stop user fingerprinting as a whole, this is just one of the latest privacy-related updates Mozilla has added to Firefox, taken from Tor. Back in July 2016, Mozilla engineers started the Tor Uplift project, which aims to improve Firefox's privacy features with the ones present in the Tor Browser.
Improved security is good and all, but what about the basic usability of the browser? I'm talking about stuff like its performance, how much memory it uses, and the sensibility of the UI.
I'm sure some Firefox supporters will post a bunch of unrealistic benchmarks showing how Firefox can run some convoluted JavaScript benchmark the fastest. But that doesn't translate into software that's fast and enjoyable to use. On every computer I've tried, from Windows to OS X to Linux, Firefox feels so much slower than Chrome. This is without extensions, too. While Chrome consistently feels very responsive to me, Firefox always feels so slow.
The same goes for memory usage. I wouldn't say that Chrome is as much of a winner here, but it isn't unusual for me to look at top or some other process manager and see Firefox with many gigabytes of resident memory. Yeah, RAM is "cheap" these days, but that doesn't mean I want it to be wasted. Browsing Slashdot and a few other web sites shouldn't lead to gigabyte after gigabyte of memory being consumed!
The Firefox UI has been in shambles since Australis. It's much harder to use. Chrome isn't any better in this respect, of course. Both have abysmal UIs. What's really sad about the Firefox situation, though, is that it actually had a really good and usable UI just a few years ago, before they threw it all away to imitate Chrome.
I wish that the Firefox devs would focus on the basics again, even just for a few releases. Fix the performance issues. Reduce the memory usage. Revert back to a usable UI. Make Firefox a browser that people are excited to use, rather than one that they dread using.
if you don't have anything to hide, why worry about privacy?
...says the Anonymous Coward...
Everybody has a public life, a private life and a secret life. This needs to be respected as a fundamental right.
We already use a browser's rendering engine for almost everything else, why not emulate fonts?
Is Mozilla worried about Firefox's dwindling market share at all?
The latest numbers are downright scary, not just for Firefox users, but for everyone who cares about the diversity of the web. Firefox now appears to be around only 5% to 6%, across all platforms and all device types.
That puts Firefox well below Safari for iOS 10.1 (yes, just that one version!).
That puts Firefox below UC Browser for Android.
That puts Firefox in the same neighborhood as Opera Mini, even!
Of course, Firefox's numbers are a very tiny fraction of what Chrome's are.
Doesn't Mozilla realize that their future depends on Firefox having lots of users? Nobody will sign lucrative search deals with them if Firefox can't offer user attention in return.
I'm getting really worried. I fear that sometime during 2017 we'll see Firefox drop below 5%. I wouldn't be at all surprised if 2017 ended with Firefox down around 3%.
If they really want to help prevent fingerprinting, they would change the user agent to "Firefox." There is no reason for websites to know anything, let alone everything, the detailed user agent provides. Yeah, I know the argument of "but then there is no way to tell if they want/need mobile." Yeah, that is false, if they want mobile, the user will request mobile; plus detection scripts are notoriously inaccurate as I get served mobile pages on Chromebooks (try nfl.com with a Windows UA vs a Chromebook one, for example), on desktop versions of lesser-used browsers and, in many instances, on my Linux machines.
Well, they are a tab to late!
Next year, modzilla sold to chinese company!
I'm sure some Firefox supporters will post a bunch of unrealistic benchmarks showing how Firefox can run some convoluted JavaScript benchmark the fastest.
No, I wouldn't bother with that. I don't think benchmarks mean much. What I can say is that anecdotally I use all the major browsers routinely and whatever speed differences they have are too insignificant for me to care about. I use Firefox the most because it's the one that annoys me the least but we're talking marginal differences. Safari and Edge aren't available cross platform so they aren't contenders to me though I do use them a fair bit for various reasons. Chrome is fine too - my preference is more based on my work flow and configuration preferences than anything else.
On every computer I've tried, from Windows to OS X to Linux, Firefox feels so much slower than Chrome.
I would disagree with that based on my own usage. I use both routinely and in both cases the constraint on speed is almost always the speed of my internet connection or the speed of the database servicing the information from the other end of the line.
I wouldn't say that Chrome is as much of a winner here, but it isn't unusual for me to look at top or some other process manager and see Firefox with many gigabytes of resident memory.
I wouldn't say Chrome is any better at all. Not to any meaningful degree. I'm not criticizing Chrome but I think the problem is just that there is a lot of data to display and keeping a compact memory footprint while maintaining performance is actually a rather challenging problem.
Make Firefox a browser that people are excited to use, rather than one that they dread using.
"Excited to use"? I don't want to get excited about my browser. I want to not notice my browser at all. I just don't want it getting in the way of my work flow. I don't think you could make an "exciting" browser anymore. They're fairly mature technology at this point and I'm ok with that.
if you don't have anything to hide, why worry about privacy?
...says the Anonymous Coward...
Yeah, but we can use fingerprinting to identify him. All signs post to him being an asshole.
I'm getting really worried. I fear that sometime during 2017 we'll see Firefox drop below 5%. I wouldn't be at all surprised if 2017 ended with Firefox down around 3%.
The foundation losing all its money, followed by the sacking of the entire management team, might be the best thing that could happen for the actual Firefox web browser - in the long term, at any rate.
I know I stopped using Firefox a few years ago, once it became apparent the browser itself was of (at best) only secondary importance to the Mozilla Foundation.
#DeleteChrome
Hello Trump Security Council member 003421
I'm glad that you have taken interest in comrade geekmux. He has been speaking ill of Our Glorious Leader Trump for quite some time now. He will need to be sent to the Re-Edumucation Camps as soon as possible. In addition, we have reason to believe that he enjoys watching Adult Videos where interracial couples are engaging in illegal (since the racial purity act of 2019) coupling. Please be aware of the serious implications this might have on our "Christian" nation.
Please ignore the fact that the single largest denomination/sect in the US is Catholic... and as soon as you bring this fact up... "ohh no, we shouldn't become a 'Christian nation of the Catholic denomination'- nation" is said...
I'm sorry... For daring to think about facts and logic, I'll send myself to the re-edumucation camp later this evening... but please remember to enjoy trolling people who think privacy is at all important.
started.
Most people forget that Phoenix (now known as Firefox) started as a one man independent project to cut all the bloat out of the original Mozilla Suite back in the early '00s. When it first came out it had an extremely spartan GUI, just enough stuff to make websites work, and very little customization available. However, it was faster than shit and once tabbing came in it completely embarrassed the Suite's performance in comparison.
As a result of that it got bumped to official Mozilla project, over time the original author got ousted as the Mozilla devs claimed credit for it as their new meal ticket, the Mozilla suite got sidelined (where it has since flourished as SeaMonkey under more sensible guidance, and in fact is sometimes faster than Firefox today, along with being FAR MORE customizable, having a fuller 'original' preferences menu that actually provides most of the options you want without digging through about:config manually for every minor change.)
Long story short: The only way for Mozilla based browsers to survive is a hard fork with the majority of the current leadership staff going away. The developers are more of a mixed bag, but the ones worth having and the ones getting paid don't seem to have that high of a correlation, especially in regards to security and plugging up the almost constantly increasing number of memory holes that seem to appear with every new firefox revision, rather than actually taking the time to perform a thorough review before adding more complexity that only makes things worse (as I remember it, one of the excuses for why Mozilla took so long in the first place, even though they had a mostly functional C browser structure available from the old Netscape suite... albeit with a shit build system that AFAIK nobody outside of Netscape managed to get working to develop further.)
Best way of defeating fingerprinting is to ensure that as much data as possible is randomized every time.
Wouldn't it be cool if Firefox's private browsing window was just Tor.
well its actually protestant catholic btw , not to be confused with that one that is a state religion that sounds like they wander a lot ...oh ya ROMAN catholic
Is the same AC posting?
I realize the enumerated fonts by themselves don't provide much of an identifier and it's that, plus everything else the browser can reveal about you, that provides the actual value in doing this.
However: Who in this day and age, besides graphic artists and such, even bothers installing fonts--beyond what already comes with the OS, I mean? I'd wager 99.999% of all Ubuntu installs, for a given version, have the exact same set of fonts. Same with Debian, or CentOS, or OS X or Windows 7 or 10. If I was looking at *all* machines I use, looking at the fonts would provide absolutely zero value. Why bother with *that*?
With a cavalier attitude...
Tad*
I guess you're paying the tab tonight at happy hour?
Everyone has something to hide. You wouldn't be happy if your bank statements arrived printed on the back of a postcard. You want that information hidden inside an envelope for your privacy.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
if you don't have anything to hide, why worry about privacy?
So, "geekmux", why are you using a pseudonym and posting anonymously, rather than using your full legal name here?
[long-winded attempt at a snarky reply]
dumbass, read the thread you're replying to next time and not just the last post that triggered you.
Says the guy hiding their own identity.
Your info is sorely out of date. The Foundation is not the part of Mozilla that handles Firefox, that's the Corporation. That the Corporation is wholly owned by the Foundation doesn't mean that they're the ones writing the browser or steering it. The Foundation does everything else in addition to keeping the Corporation in check.
As such, the creation of the Corporation itself is a strike against your theory that Firefox isn't their primary focus. That's not even considering that they mostly stopped working on their other products (like Thunderbird), have tried to get Firefox on mobile platforms, and have even tried to make it an OS in its own right. That's not even considering that they've been retrofitting Firefox for years now, including recently announcing that they're finally bringing the most exciting bits of Servo into Firefox.
So really, I'm not sure where this "secondary importance" theory comes from. There's a big difference between disagreeing with their direction and just making shit up to feel better about your choice to stop using Firefox.
So if I have a collection of random fonts that I add and remove from the system every day, will that mess up font tracking?
You make some really interesting claims, but they're worthless hearsay if you're just going to be an anonymous coward like me. You might as well be reading tea leaves and armchair quarterbacking like the rest of us in the peanut gallery.
We love to do that around here, without proving that our assertions are credible, and just acting like "we knew better", but to be honest all we've done is help Firefox along its merry decline, either by disapproving of every change that affects us or by jumping ship and then acting like we still know what we're talking about years later.
Blocking a request for installed fonts is a feel-good outlier, which does nothing to prevent font fingerprinting:
--> Render Html (not display) in different font families|types, and measure the width of the block element.
A few ways that might defeat actual font fingerprinting:
1) UserCSS to apply a font-normalization style that is used for all pages, or
2) UserScript to replace inline requests for fonts with standard ones, before the page is rendered.... Which only some browsers can do at all.
3) Run your browser in a jailed-directory or VM, that only has standard system fonts.
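An added model (not part of the comment above, and not Firefox code) of what a per-font probe such as the width measurement described above can learn about a user, with and without the per-OS default-font allowlist from the summary. The OS font lists and users are constructed, and the model assumes the allowlist is enforced where the browser resolves font-family names, so a probe sees only fonts that pass it.

```javascript
// Added model, not Firefox code. All font lists and users are constructed.
// Assumption: the allowlist is enforced where font-family names are resolved,
// so a measurement probe only "sees" fonts that pass it.
const OS_DEFAULTS = {
  windows: ["Arial", "Calibri", "Segoe UI", "Times New Roman"],
  linux: ["DejaVu Sans", "DejaVu Serif", "Liberation Sans"],
};

const USERS = [
  { id: "u1", os: "windows", fonts: [...OS_DEFAULTS.windows] },
  { id: "u2", os: "windows", fonts: [...OS_DEFAULTS.windows, "Helvetica Neue"] },
  { id: "u3", os: "windows", fonts: [...OS_DEFAULTS.windows, "Fira Code", "Futura"] },
  { id: "u4", os: "linux", fonts: [...OS_DEFAULTS.linux] },
  { id: "u5", os: "linux", fonts: [...OS_DEFAULTS.linux, "Fira Code"] },
];

// Fonts a page can get the browser to render with for this user.
function resolvableFonts(user, allowlistOn) {
  if (!allowlistOn) return new Set(user.fonts);
  const allowed = new Set(OS_DEFAULTS[user.os]);
  return new Set(user.fonts.filter((f) => allowed.has(f)));
}

// What a probe over a candidate list learns: one yes/no per candidate font.
function probeSignature(user, candidates, allowlistOn) {
  const visible = resolvableFonts(user, allowlistOn);
  return candidates.map((f) => (visible.has(f) ? "1" : "0")).join("");
}

// Group users by signature; a bucket of size 1 means that user is unique.
function buckets(users, candidates, allowlistOn) {
  const groups = new Map();
  for (const u of users) {
    const sig = probeSignature(u, candidates, allowlistOn);
    groups.set(sig, [...(groups.get(sig) || []), u.id]);
  }
  return groups;
}

// Bits of identifying information the signature carries for each user.
function surprisalBits(users, candidates, allowlistOn) {
  const bits = {};
  for (const ids of buckets(users, candidates, allowlistOn).values()) {
    for (const id of ids) bits[id] = Math.log2(users.length / ids.length);
  }
  return bits;
}

const CANDIDATES = [...new Set(USERS.flatMap((u) => u.fonts))].sort();
for (const on of [false, true]) {
  console.log(on ? "allowlist on" : "allowlist off", surprisalBits(USERS, CANDIDATES, on));
}
```

With the allowlist on, the signature still separates the Windows bucket from the Linux bucket, which matches the summary's point that this does not stop fingerprinting as a whole.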
You seem to need reading comprehension lessons.
You can't reason with ignorant hypocrites. If they don't think it is important to them then it can't be to you. They can't understand that having the choice of privacy is the point. They moan endlessly about freedom[aka choice] and 'Murica but can't make the connection because they are mentally deficient.
I'll believe browser privacy when I visit youtube and don't see my 'recommended videos' in incognito mode.
if you don't have anything to hide, why worry about privacy?
I have shit to hide.
Just cruising through this digital world at 33 1/3 rpm...
You know what feature I want to see in Firefox?
FUCKING ALSA SUPPORT, I don't think that's asking too much. Pale Moon here I come, hope I can make it work.
I have lots to hide. For example, private details of my life that nobody needs to know unless I choose to share with them.
Where do I begin...
If Firefox developers really care about privacy:
- Telemetry would NOT be enabled by default
- Safebrowsing should NOT be there (- it calls home to google for every site you visit)
- The ability to disable Javascript should NOT require installation of an extension. This option used to be there more than a couple of years ago.
- about:permissions should be a menu item.
- Get rid of the stupid intrusive 'gear' button tracking crap when you visit about:blank. The page should be completely blank!
- Go to about:blank and search for http, and search for 'social'. All this calling home to Facebook and Google garbage should NOT be there!
- Geo tracking should NOT be in a browser, and should NOT be enabled by default.
This would be just the start...
So you want me to implicitly trust the Internet.
How about you first, please install win95, with no patches no antivirus or defences, and store all of your private information there. After all "you have nothing to hide" right?
I've been wondering why browsers don't do this for years now. I mean really, it was what, several years ago when it was demonstrated how thoroughly they could fingerprint a browser based off a number of characteristics, including the font list. Why on earth would my OS's entire font list be something that my browser would broadcast to any site that asked for it?!
Browsers should work the other direction: Only give information that is needed, and in the case of fonts, just give me the site. If I have a particular font, great, if not, it gets rendered in whatever I have. I'm not concerned.
Z
Everyone has something to hide.
Yup. For example: https://www.yakimawa.gov/council/
Possibly for the same reason you're using 'anonymous coward'. Of course, trolling isn't the only use for anon/pseudonymity.
Privacy is important for individual mental health, something you obviously lack.
Can't you still render an element with a given font-family property, and check the dimensions to see if the font you picked is available or not?
fingerprinting collects details on your addins, so if you add privacy addins, you reduce your privacy....?
.....except for me and my monkey
What's it like on the strange Planet of Not Understanding?
At least a little bit of this I put down to aggressive bundling. Edge/IE/Safari come standard, and I can't count the number of third-party apps that secretly install Chrome on my system. Uninstalling Chrome when I'm not 100% sure where it came from is a frequent thing I need to do after updating some software or other.
That's a good start but shouldn't they borrow all/most features?