Slashdot Mirror


Firefox Borrows From Tor Browser Again, Blocks Canvas Fingerprinting (bleepingcomputer.com)

An anonymous reader writes: Mozilla engineers have borrowed yet another feature from the Tor Browser and starting with version 58 Firefox will block attempts to fingerprint users using the HTML5 canvas element. The technique is widely used in the advertising industry to track users across sites. Firefox 58 is scheduled for release on January 16, 2018.

Canvas fingerprinting blocking is the second feature Mozilla engineers have borrowed from the Tor Project. Previously, Mozilla has added a mechanism to Firefox 52 that prevents websites from fingerprinting users via system fonts. Mozilla's efforts to harden Firefox are part of the Tor Uplift project, an initiative to import more privacy-focused features from the Tor Browser into Firefox.

92 comments

  1. good! by Anonymous Coward · · Score: 0

    but the way it is written makes the feature sound bad... I call bias... I like no tracking!

    1. Re:good! by Noah+Haders · · Score: 4, Insightful

      I agree, summary has a snotty tone. Is it good for cutting edge security features to be expanded to mainstream browsers? I’m happy for it.

    2. Re:good! by Anonymous Coward · · Score: 0

      no , it is you, you have snotty tone,

    3. Re:good! by Anonymous Coward · · Score: 1

      I agree, summary has a snotty tone. Is it good for cutting edge security features to be expanded to mainstream browsers? I’m happy for it.

      'Borrow'. As if there is a debt to be repaid. That isn't how FOSS works. The whole point of FOSS is the Free part. No debt, no 'borrowing'. Just 'sharing' good ideas to be used by anyone for whatever they like (so don't tell people how to build pocket nukes please)

  2. maybe a dumb question by Anonymous Coward · · Score: 0

    Does this canvas element in HTML5 have legitimate uses, or was it included specifically to help advertisers covertly track users?

    1. Re:maybe a dumb question by Desler · · Score: 3, Informative

      Yeah it’s for generating 2D graphics.

    2. Re:maybe a dumb question by Anonymous Coward · · Score: 0

      Browsers were able to display graphics long before HTML 5 existed.

      "Canvas" is just more useless bullshit that will be abused far more often than it is used for any legitimate purpose.

    3. Re:maybe a dumb question by Anonymous Coward · · Score: 0

      Can't tell if you are a troll.

    4. Re:maybe a dumb question by Desler · · Score: 2

      Browsers were able to display graphics long before HTML 5 existed.

      Cool story, bro. Canvas is for procedurally generating graphics not just displaying something.

    5. Re:maybe a dumb question by tepples · · Score: 1

      Canvas is for procedurally generating graphics not just displaying something.

      Then have the server procedurally generate the graphics, compress them, and send them to the browser. Servers have been procedurally generating graphics long before HTML5.

      The impression that I get from a lot of comments lately is that if an application wants to do more than Web 1.0 (navigation and form submission) allows, it ought to be native instead of a web application.

    6. Re:maybe a dumb question by DontBeAMoran · · Score: 2

      I use canvas for a custom grayscale image conversion tool I made. It has to be real-time when the user moves the sliders, constant communication and server-side rendering and uploading just wouldn't be good enough.

      --
      #DeleteFacebook
    7. Re:maybe a dumb question by tepples · · Score: 1

      I use canvas for a custom grayscale image conversion tool I made. It has to be real-time when the user moves the sliders, constant communication and server-side rendering and uploading just wouldn't be good enough.

      You could instead make it available as source code and as a Windows executable.

    8. Re:maybe a dumb question by DontBeAMoran · · Score: 1

      "A windows executable" would be of zero use to me.

      --
      #DeleteFacebook
    9. Re:maybe a dumb question by barbariccow · · Score: 1

      I think he was suggesting that NOT EVERYTHING is appropriate for the web. And surely that is true, web 2.0 and such only really gained momentum because of how crappy windoze is that the only trusted way to run applications on business computers was in a sandbox..

    10. Re:maybe a dumb question by tepples · · Score: 1

      You could instead make it available as source code and as a Windows executable.

      "A windows executable" would be of zero use to me.

      Then compile the source code.

    11. Re:maybe a dumb question by DontBeAMoran · · Score: 1

      And how do you compile PHP, HTML, CSS and Javascript into a cross-platform application?

      --
      #DeleteFacebook
    12. Re:maybe a dumb question by Anonymous Coward · · Score: 0

      Remove the first and you have an off-line webpage.

      ... unless you are thinking that the "lets do everything client-side" still needs to communicate with the mothership to be able to function.

    13. Re:maybe a dumb question by Carewolf · · Score: 2

      Does this canvas element in HTML5 have legitimate uses, or was it included specifically to help advertisers covertly track users?

      Yes, but reading from it is much more questionable. Not only does a website rarely have use of encoded pixels, and if they want to copy a block they could just paint the commands again.

    14. Re:maybe a dumb question by tepples · · Score: 1

      Translate the PHP into Node and use Electron.

  3. Awesome by Anonymous Coward · · Score: 1

    Web browsers should add these kinds of features, not other silly stuff.

  4. I use canvas defender for a while, works by Anonymous Coward · · Score: 0

    Plugin that randomizes and regenerates the canvas on a user set basis, works great. Firefox does good things sometimes.

  5. Addons by markdavis · · Score: 1

    Fingerprint blocking is a good feature, unlike the last unnecessary "screen print" or whatever feature. However, I won't be "upgrading" because half the addons I need won't work. :( I suspect a lot of us will be stuck on older versions of Firefox for quite a while...

    1. Re:Addons by serviscope_minor · · Score: 5, Informative

      I've actually spoken informally to some firefox people in person regarding addons.

      They do know it's a problem, but they feel that the temporary disruption was worth it. They also know the new webextension system is not yet up to the task of replacing the old extensions, but neither is the old one is severely holding up the browser in terms of both security and performance.

      The idea is that they get the first version up and running, then work on improving the extension system to put back as many of the missing bits as they can, but in a manner which doesn't break performance or security. With luck, by the time the last pre change LTS goes out of support, the new extension will be able to support the kind of things that people need. Apparently there are quite a lot of heavy extension users at Mozilla so there's internal pressure to get firefox to be as good as it always was in this regard.

      Personally I'm optimistic that they can achieve their goal.

      --
      SJW n. One who posts facts.
    2. Re:Addons by markdavis · · Score: 4, Interesting

      I understand their reason and desire to switch to webextension, but the issue is that there are some things that many of us need to do that NO "webextension" addon is going to be allowed to do. This is because these new addons will not be allowed to modify the UI or underlying operation of the browser. Three such examples:

      FlashStopper (stops html5 video autoplay)
      ClassicThemeRestorer (makes the UI bearable)
      EnvironmentProxy (sets proxy based on environment variables)

      I am confident other important addons will be retained- I already see that UblockOrigin, Adblock Plus (as "AdBlock 57+"), and NukeAnything all work. But I can't bear to use the browser without certain other things.

    3. Re:Addons by Hognoxious · · Score: 0

      Asshole hangs out with assholes. Whodathunkit?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    4. Re:Addons by Anonymous Coward · · Score: 0

      You proving your own point, asshole?

    5. Re:Addons by Anonymous Coward · · Score: 0

      The idea is that they get the first version up and running, then work on improving the extension system to put back as many of the missing bits as they can

      Fine, but they shouldn't push that out on the public before it's ready. FF57 doesn't run about half the extensions I use, so I can't upgrade past 56 until it's done.

      Don't release it until it's ready. It's not ready until it has extension parity with the older versions. This only acts to push people off FF to Chrome. FF was all about the extension ecosystem and if those are going to be broken, people might as well just use Chrome anyway.

    6. Re:Addons by Anonymous Coward · · Score: 3, Insightful

      At this point it's become clear that anything more transformative than basic UI stuff is not something that can be properly supported while keeping the core product tenable. I too went through a denial phase where I presumed that it was possible to keep every addon working while fixing the core browser, if Mozilla just magically put in even more effort and didn't care what it actually cost, but we have to acknowledge reality sooner or later. We're not the ones doing the work, we're just complaining that we can't hack it with the same tools anymore. All of our bickering about what we personally "need" isn't helping make Firefox any better, and if Firefox dies we won't have these addons anyway. Time to get seriously involved again and figure out a new way to do these things that works better for everyone, rather than just ourselves.

    7. Re:Addons by 0100010001010011 · · Score: 1

      Refusing to break backwards compatibility is how you end up in the situation Microsoft is in.

      Sometimes you need to clean out the attic. I've tested betas and am fairly impressed. Anything that is used will get ported or someone will make something to do something similar.

    8. Re:Addons by Anonymous Coward · · Score: 1

      It's not a terrible idea to get WebExtensions running and ramp up to a better feature set. It's turning off the old extension system while the new API implementation is still bare-bones which is causing the problem.

    9. Re:Addons by markdavis · · Score: 5, Interesting

      Well said. I think the main issue was and has been, however, that Mozilla hasn't really been listening to what the users (and often developers) are saying. We wouldn't complain about the loss of addons that modify the UI had Mozilla not taken away the native ability for user to control the UI. A classic example is "tabs on bottom." It was HUGELY unpopular when Firefox finally removed that single option. And there was really no good reason to remove it. Addons saved the day, and now that will be gone too. And they added insult to injury by adding stuff that users didn't care about or want, things like screenprint, hello, pocket... things that could have easily been optional or even included addons. Development resources that could have gone to filling that UI-control that users do want, and/or performance, and/or bug fixing.

      My example of the "Flash Stopper" addon really is a perfect example of the jam in which people find themselves. It is something the browser should be able to do, natively and correctly. Autoplay of video is a HUGE annoyance to many users. And the built-in feature that Firefox offers to supposedly help control the problem is just broken. Here is the bug report: https://bugzilla.mozilla.org/s... 2 years and still broken! And now the addon that fixed the problem for perhaps 50,000 users (who managed to find it) will be forever gone because WebExtensions won't allow even third-parties to fix it.

      My other example- the Environment Proxy is another perfect example. Up to version XX (forget which), Firefox honored the environment variables for simple proxy control. And one day- BAM, it is just broken. An addon came out to work around the problem, and many years later, there is STILL no native fix. And WebExtensions will take away that solution, too.

      So please understand why I am complaining so loudly. It isn't just about not liking change, there are real issues that leave me and others in a real pickle.

    10. Re:Addons by MrL0G1C · · Score: 1

      https://www.waterfoxproject.or...
      A fork that continues 'legacy' support.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    11. Re:Addons by Anonymous Coward · · Score: 1, Insightful

      The problem here isn't that Mozilla chose to not replace everything, but that they chose a timeline that doesn't work for you. You expected them to miraculously have everything ready for you on a silver platter before they shipped an improved core browser, and when they decided they couldn't do everything before they *had* to ship a core browser, you found yourself in a pickle.

      Anyone complaining that they're "not listening" is honestly just full of themselves at this point. Mozilla clearly are listening: there are dozens of API tweaks and fixes they put into WebExtensions already, including full-blown APIs that people need for their addons to be ported, many approved and sitting in a backlog waiting for someone to implement them, even while more contentious requests are still being investigated. But because your pet bugs aren't addressed yet, "they aren't listening".

      We as a userbase now have to collectively share in a bit of introspection, before we lose all perspective. We're not entitled to sitting around until someone does everything for us. Others have volunteered fixes for their pet bugs, or found people who could do it for them. I've even seen Mozilla employees waste their time off fixing bugs and making APIs they don't have any personal investment in. And yet, "they aren't listening".

      Case in point: why hasn't someone fixed your environment variable bug after all this time, instead opting to hack around it until the hack no longer works, and then merely complaining? If 50,000 people care about something, they should invest the time to making sure it will work, not just expect the red carpet rolled out for them and pretend it's something somebody else should do for them. The core engineers have been focusing on things that help far more than 50,000 users, and those kinds of improvements never end. Hence why 50,000 users may be left forever waiting, unless they do something themselves.

    12. Re:Addons by Hognoxious · · Score: 1

      Good comeback, Cal!

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    13. Re:Addons by CrashNBrn · · Score: 1

      This is because these new addons will not be allowed to modify the UI or underlying operation of the browser.

      Not so much. Firefox's UI can be modified with CSS. Just like when Australis was first introduced.

      Tree Style Tab is running in a customizable sidebar; normal tabs at the top can be hidden - with CSS. Try that in Chrome... The least useless SideTabs for Chrome is Sidewise, and it has to run in a completely separate window.

      There's also Tab Center Redux - a continuation of Mozilla's Tab Center (Test Pilot experiment), which completely replaces top tabs with side tabs.

      And for all the curmudgeons that reject change, there's the Basilisk browser which is "created and maintained by the team behind Pale Moon, and is a fully independent fork of the Mozilla/Firefox code".

      There's also a hard-fork of Mozilla's XUL platform UXP - Unified XUL Platform.

      More info over at ghacks (in the comments): https://www.ghacks.net/2017/08...
      Re Waterfox, etc.

    14. Re:Addons by Anonymous Coward · · Score: 0

      Personally I am not optimistic at all.
      Mozilla devs simply do not understand the point of an API, which is why most of the extension developers pissed off when they constantly broke said API every other release.
      API changes should be as invisible as possible to secondary developers. They shouldn't need to give a damn what happens unless a feature is being outright removed. Everything else should be [default parameter] if not specified.
      That's what a good API is supposed to be.
      Instead, they changed the goals so much even the goalie was confused, their constant changing of the interface instead of just sitting the fuck down and making a solid design choice is also what pissed so many people off and eventually ended with them leaving.

      Never, ever, again.
      Mozilla couldn't pay me to use that shitheap again. No figure. My sanity is worth more than money.

    15. Re:Addons by Anonymous Coward · · Score: 0

      They might. They also might have lost all their power users by then. People who rely on addons will not be happy to downgrade to an outdated, vulnerable LTS without any tangible prospect of getting back on the train.

    16. Re:Addons by Anonymous Coward · · Score: 0

      sounds like they're shoveling shit to try to slow the exodus of addon developers. so many of them are saying 'fuck it' and leaving. if mozilla doesn't have a plan of action, not only in place, but visibly in-progress, that shows they actually care and are putting features and browser access back into the api that the addon developers need, they won't be coming back. firefox will just be the chrome clone they have wanted it to become since 2011.

      long live pale moon.

    17. Re:Addons by theweatherelectric · · Score: 1

      long live pale moon

      How does Pale Moon perform in benchmarks and real world usage (like, say, an HTML5 game) versus Firefox 57? Do you have concrete numbers you can show me?

    18. Re:Addons by Waccoon · · Score: 1

      There's also the problem that defining a new API is something that's been put off for way too long, because they wasted so much time with marketing gimmicks and UI redesigns.

      It's an extensive change and certainly not easy, but it's clear to the Mozilla community that many things in the browser have been broken and essentially ignored for the better part of 10 years (freezes due to cycle collections, for example, which IMO is a bigger problem than raw performance). Once Chrome launched, Mozilla had an, "Oh, shit!" moment in the same vein of Netscape when IE stopped being terrible. Mozilla is still in panic mode, and had they been on the ball, the rollout would have been more graceful and there would be more emulation options.

  6. Like many suspected would happen... apk by Anonymous Coward · · Score: 0

    See subject: "New feature/method" abused to be used against you the user - un-F'ing-believable! It's getting so you can't trust modern wares/browsers!

    * Another "pet peeve" I have? I've taken a peek @ many new browsers & it seems they also make it impossible to block javascript in the browser itself natively too (unless that's changed since last I looked)...

    APK

    P.S.=> This is why I still mostly use Opera 12.18 classic 64-bit (not "chopera") - it literally has "BySite" preferences where I globally block javascript & then, set exception sites (for sites that demand javascript use - most still don't though, not really)... apk

    1. Re: Like many suspected would happen... apk by Anonymous Coward · · Score: 0

      How are you doing? Real question. I hadn't read you in a while. All good?

  7. Wouldnt I need to run Javascript from advertisers? by Anonymous Coward · · Score: 0

    How can they use Canvas fingerprinting if I don't allow their scripts to run? Nice try.

  8. Speaking of Firefox by wjcofkc · · Score: 5, Informative

    If like me you gave up on it years ago because it became bloated and slow, try out the latest beta. It's really fast even under a heavy load.

    --
    Brought to you by Carl's Junior.
    1. Re:Speaking of Firefox by Anonymous Coward · · Score: 0

      Does it still stream data to Amazon Wiretapping Services (*.aws.com). Does it still perform automatic updates? Set up a SSDP server?

      https://groups.google.com/foru...

    2. Re:Speaking of Firefox by Anonymous Coward · · Score: 0

      Firefox 57 is incredibly smooth and fast. I think it will bring lots of people back to Firefox. The only requirement is that they make replacements for the most important extensions.

    3. Re:Speaking of Firefox by Anonymous Coward · · Score: 0

      I'm running 64-bit (v.56.0.2) now, seems to be quite snappy. Since PR 1.0. I've always been supportive of FF, hoping they'd fix the latest bu - I mean features. : )

    4. Re:Speaking of Firefox by antdude · · Score: 1

      OK, but what about the old extensions? :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    5. Re:Speaking of Firefox by ayesnymous · · Score: 1

      Memory usage got really bad in a recent release. Previously I'd have 10 windows open with around 100 tabs total, and that took up about 2 GB of RAM. For the last few weeks though, those same 10 windows/100 tabs causes Firefox to get up to 6 GB memory usage.

  9. Thanks, Mozilla! by Anonymous Coward · · Score: 0

    Look: I've a lot of beefs with you. Among other things that you took away the simple "disable Javascript" checkbox, slowly pushing the Web to one where "Web programmers" can assume that everyone is running with Javascript.

    But this last move... awesome, thanks (and I say that as one who doesn't really benefit from it, because I've learnt to run a castrated no-javascript profile for ~98% of my Web usage).

  10. When Palemoon/CyberFox/Waterfox do it? by Anonymous Coward · · Score: 0

    See subject: Then I'll try the new FF engine for 64-bit when THEY incorporate it & then only.

    * See, I like FF for 1 reason - it's faster than IE 11 & is as compatible for online websurfing. However, for things like for instance, saving bookmarks/favorites (import/export)? It's SLOWER THAN HELL vs. say, what I typically mostly STILL use in Classic Opera 12.18 64-bit (& there is a GIANT speed differential between them in that example).

    APK

    P.S.=> I believe much of it is faster - I've been reading that all over the place online but I don't completely TRUST it is all (especially after seeing this HTML 5 being abused for tracking this way - not that it's Mozilla's fault imo though)... apk

  11. Posted via Palemoon... apk by Anonymous Coward · · Score: 0

    See subject: I don't post as much as I used to (very busy in other capacities in my life is why) but I still do. My posts were probably just "buried" is all (price of posting ac is that for many browsers, but Opera classic I use & the stylesheet type I use doesn't "do" the 'burial view' other browsers do when you keep activated javascript "ON @ ALL TIMES" (something I bitched about in my posts here today) causing 'hidden posts' you have to use the scripted 'slider control' they have on this site to expose those).

    APK

    P.S.=> Life's pretty good in any event though to reaffirm my answer to you... apk

    1. Re:Posted via Palemoon... apk by Noah+Haders · · Score: 1

      Good man, I’m glad. I will always think of you as the HOSTS guy.

  12. Borrowed from a derivative project? by FatdogHaiku · · Score: 5, Insightful

    OK, "Mozilla engineers have borrowed yet another feature from the Tor Browser" sounds like they are ripping off some project's better design features, but to be fair, the Tor Browser is BUILT on Firefox to begin with.
    That being the case, how is this not just common sense on the part of Mozilla to use features of the derivative to make their own browser better? Tor is still using the Mozilla Public License for their browser so I just don't get the slant of the headline...

    https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    1. Re:Borrowed from a derivative project? by Anonymous Coward · · Score: 0

      Open source works. News at 11.

    2. Re:Borrowed from a derivative project? by Freshly+Exhumed · · Score: 2

      Tor and Mozilla folks work together on these things. That's what they themselves say.

      --
      I deny that I have not avoided attaining the opposite of that which I do not want.
    3. Re:Borrowed from a derivative project? by Anonymous Coward · · Score: 0

      Pulling good security features upstream back into the "Kernel" (base product) is not a bad idea.

    4. Re:Borrowed from a derivative project? by FatdogHaiku · · Score: 1

      That only makes sense. My problem was with the confusing headline, the way it reads, there is something wrong with their arrangement, and I just don't see that...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    5. Re:Borrowed from a derivative project? by Anonymous Coward · · Score: 0

      I didn't interpret the writer as implying Firefox was ripping off Tor Browser. You're looking at it from the perspective of a proprietary software developer or an entity that is competing with another. To us free software developers this is a badge of honour and that is the reason we're pointing it out. When an upstream project we've created a derivative work off of or fork thereof any upstream developers importing changes we've made in our version demonstrates the pinnacle of our successes. Presumably if our work wasn't of value they'd never have taken it up for adoption. I also will point out that it's mostly the west that thinks like this. In China and other cultures people look at an act of copying as something to be proud of. One's work was good enough to be worth copying.

  13. Re:Penis in butt! by Anonymous Coward · · Score: 0

    Butters, no one cares anymore.

  14. Unfortunately blocking is self identifying by Anonymous Coward · · Score: 0

    Unfortunately this sounds good on paper but in practice it's not going to make any difference for now. Until a sizable portion of browsers do this, blocking is actually going to be an identifying characteristic. The advertisers are going to get a line up of victims and instead of you being the one with Arial and Roboto on their hat, you're going to be the one wearing the tin foil one. That's still a unique, identifying feature until enough of us are wearing tin-foil that they can't tell us apart (by our hats).

    A better solution (imo) would be to return a random fingerprint that's changed after a random number of calls. You shouldn't return a random one every time because that's identifying as well, 'oh, this is the guy with the rainbow hat'. Randomization makes it harder to identify you and has the added benefit of jamming up the advertisers database with garbage data-points they have to try to correlate against.

    1. Re:Unfortunately blocking is self identifying by maestroX · · Score: 2

      Unfortunately this sounds good on paper but in practice it's not going to make any difference for now. Until a sizable portion of browsers do this, blocking is actually going to be an identifying characteristic. The advertisers are going to get a line up of victims and instead of you being the one with Arial and Roboto on their hat, you're going to be the one wearing the tin foil one. That's still a unique, identifying feature until enough of us are wearing tin-foil that they can't tell us apart (by our hats).

      Firefox usage is still above 5% nowadays. Not much, but enough to ensure improvement over identification through font fingerprinting.
      Blocking at least hides software (OS)/hardware details, which make targeting vulnerabilities a lot harder.

    2. Re:Unfortunately blocking is self identifying by fahrbot-bot · · Score: 4, Interesting

      Unfortunately this sounds good on paper but in practice it's not going to make any difference for now. Until a sizable portion of browsers do this, blocking is actually going to be an identifying characteristic. The advertisers are going to get a line up of victims and instead of you being the one with Arial and Roboto on their hat, you're going to be the one wearing the tin foil one. That's still a unique, identifying feature until enough of us are wearing tin-foil that they can't tell us apart (by our hats).

      Firefox usage is still above 5% nowadays. Not much, but enough to ensure improvement over identification through font fingerprinting. Blocking at least hides software (OS)/hardware details, which make targeting vulnerabilities a lot harder.

      Though I can't attest to the validity of the argument, here's an article I thought was interesting describing how blocking canvas fingerprinting on a low-adoption scale may make one more easily trackable (as the blocking can be used as an identifier): How Canvas Fingerprint Blockers Make You Easily Trackable. If the argument is valid, then adding the capability to Firefox and having blocking enabled by default will help everyone.

      --
      It must have been something you assimilated. . . .
    3. Re:Unfortunately blocking is self identifying by Anonymous Coward · · Score: 0

      A "sizable portion of browsers"? What nonsense is that?

      There are dozens of other characteristics of your browser that can be used to attempt to identify you - from your User-Agent to your language to your screen resolution.

      With all that information available, a "canvas fingerprint" only serves to distinguish you from all the other people who have exactly the same User-Agent, exactly the same math library, screen resolution, installed fonts, and so on, as you do. It doesn't matter what fraction of the world shares the same canvas fingerprint as you - only what fraction of the users who are otherwise indistinguishable from you.

      If all Firefox 58 users return exactly the same canvas data, that doesn't make them any more identifiable - they are already clearly distinguished as Firefox 58 users by the part of their User-Agent that reads "Firefox/58".

      (I'd also point out that there is not going to be any effective way to spoof canvas "fingerprints." You could introduce random noise and perhaps foil really dumb attackers, but there's no way you can make my Radeon "look like" a GeForce.)
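
The anonymity-set argument made in this sub-thread (a canvas value only matters among users who are otherwise indistinguishable, so a default-on uniform value adds nothing beyond the User-Agent, while a rare blocker stands out), worked through as an added example that is not part of the original thread. The population, attribute names, counts and canvas values are all constructed for illustration.

```javascript
// Constructed sample population; every value here is invented.
function makePopulation() {
  const people = [];
  const add = (n, ua, screen, canvas) => {
    for (let i = 0; i < n; i++) people.push({ ua, screen, canvas });
  };
  // Firefox 58: canvas readback blocked by default, so every user returns
  // the same value.
  add(8, "Firefox/58", "1920x1080", "uniform-blank");
  add(4, "Firefox/58", "1366x768", "uniform-blank");
  // Chrome: canvas readable; the hash varies with GPU, driver and fonts.
  add(5, "Chrome/62", "1920x1080", "hash-A");
  add(4, "Chrome/62", "1920x1080", "hash-B");
  add(2, "Chrome/62", "1920x1080", "hash-C");
  // One Chrome user runs a rarely installed canvas blocker.
  add(1, "Chrome/62", "1920x1080", "uniform-blank");
  return people;
}

// Join the selected attribute values into one comparison key.
function keyOf(record, attrs) {
  return attrs.map((a) => record[a]).join("|");
}

// How many records are indistinguishable from `target` on `attrs`.
function anonymitySetSize(records, target, attrs) {
  const k = keyOf(target, attrs);
  return records.filter((r) => keyOf(r, attrs) === k).length;
}

// Shannon entropy, in bits, of the joint distribution of `attrs`.
function entropyBits(records, attrs) {
  const counts = new Map();
  for (const r of records) {
    const k = keyOf(r, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  let h = 0;
  for (const c of counts.values()) {
    const p = c / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Extra bits the canvas value reveals once `known` attributes are already
// visible to the site: H(canvas | known) = H(known, canvas) - H(known).
function canvasBitsGiven(records, known) {
  return entropyBits(records, [...known, "canvas"]) - entropyBits(records, known);
}

function report() {
  const pop = makePopulation();
  const known = ["ua", "screen"];
  const withCanvas = [...known, "canvas"];
  const sizes = (target) => ({
    before: anonymitySetSize(pop, target, known),
    after: anonymitySetSize(pop, target, withCanvas),
  });
  return {
    // Default-on blocking: the set does not shrink when canvas is added.
    firefoxDefaultBlock: sizes({ ua: "Firefox/58", screen: "1920x1080", canvas: "uniform-blank" }),
    // Rare blocker on a browser where canvas is normally readable.
    chromeRareBlocker: sizes({ ua: "Chrome/62", screen: "1920x1080", canvas: "uniform-blank" }),
    // Ordinary Chrome user with a common canvas hash.
    chromeNoBlocker: sizes({ ua: "Chrome/62", screen: "1920x1080", canvas: "hash-A" }),
    canvasBitsFirefox: canvasBitsGiven(pop.filter((r) => r.ua === "Firefox/58"), known),
    canvasBitsChrome: canvasBitsGiven(pop.filter((r) => r.ua === "Chrome/62"), known),
  };
}

console.log(report());
```

In this constructed data the Firefox user stays in a set of 8 with or without the canvas value, while the lone Chrome user with a blocker drops from a set of 12 to a set of 1.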

  15. I prefer this (sarcasm on my part but...?) by Anonymous Coward · · Score: 0

    See subject: It applies (pun more or less?) "The Lord of Hosts" (no I am not that but it seems to apply per your statement even).

    APK

    P.S.=> I hope that this new FF engine gets into Palemoon, CyberFox & WaterFox - apparently from what I've been reading, this latest round of browser motors from Mozilla ARE noticeably faster than previous builds... apk

  16. Re:Wouldnt I need to run Javascript from advertise by Noah+Haders · · Score: 1

    Yeah, i’ll meme that

    https://imgur.com/a/85dq7

  17. more platforms than actual users by Anonymous Coward · · Score: 0

    Summary needs help as usual.

  18. Agreed, 110% "great minds think alike"... apk by Anonymous Coward · · Score: 0

    See subject & this post from myself mirroring your sentiments https://news.slashdot.org/comments.pl?sid=11314085&cid=55489177/ & it's also true in the last version of Chrome I checked (no more commandline switch to shutoff javascript there either).

    * Man, lol - it's like Hedge Funds & mortgage backed security ratings that collapsed the markets - stick in a bunch of "triple A" rated elements BUT stick in slices of crap (makes the whole sandwich BOGUS) too!

    APK

    P.S.=> It seems to me that the 'powers that be' making browsers intend to make them ADVERTISING & TRACKING systems - I suspect they are being coerced to do so (except Google's Chrome - that IS intentional on THEIR end, they live off ads)... apk

    1. Re:Agreed, 110% "great minds think alike"... apk by Anonymous Coward · · Score: 0

      Yes, I saw your other post. Mozilla's position in this is a bit discouraging, all other browsers being the spawn of the devil (Google, Microsoft and Apple).

      Seems being "in the middle of it" gives them an unhealthy bias, "cool tech" first, to the detriment of the user. Sad.

      > like Hedge Funds & mortgage backed security ratings :-)

  19. Firefox by beep54 · · Score: 1

    Hope this trickles out as I have given up on Firefox and now use Pale Moon.

    1. Re:Firefox by Anonymous Coward · · Score: 0

      Ditto for Waterfox

  20. Ctrl+Q by tepples · · Score: 1

    At this point it's become clear that anything more transformative than basic UI stuff is not something that can be properly supported

    Even the UI isn't malleable enough.

    I tried Firefox 57 during the first few days of beta. When reaching for Ctrl+W, Ctrl+Tab, or Ctrl+Shift+Tab while researching sources to cite in a Slashdot comment, I would often accidentally press the adjacent Ctrl+Q, causing data loss in forms that neither the browser nor the website knows how to save. Firefox's Restore Previous Session doesn't save script-built forms, such as Slashdot's inline reply form. Nor does Slashdot save them at Preview.

    The Keybinder extension worked through Firefox 56, but the attempt to make an analogous WebExtension is blocked on bug 1325692, which is marked as not to be fixed in time for the release of Firefox 57. From the AMO page of one such attempt:

    This add-on does not work as expected in Linux, until bug 1325692 is fixed.

    Once Firefox 57 becomes the stable release, I'll be downgrading to Firefox ESR 52 and staying there as long as bug 1325692 remains unfixed.

  21. Re:Penis in butt! by Anonymous Coward · · Score: 0

    He said "what-what?"

  22. Blocking is the Wrong Approach by Anonymous Coward · · Score: 1

    I like the idea that Mozilla is working with the Tor guys, they have a lot in common.

    But not this. Tor users want to blend together to appear indistinguishable because that's what Tor itself does. But normal browser users aren't behind Tor. They don't have the same use case. What's the point of looking exactly like every other browser if you continue to use the same IP address for days at a time?

    Instead of just trying to block fingerprinting outright, Mozilla should be looking at ways to corrupt fingerprinting. They are sort of doing that with their contextual identities through containers work. The idea is that depending on what task you are doing, you should appear as a different (unique) identity. So browse facebook with one "identity" browse ESPN with another "identity" and if ESPN includes facebooky stuff on their site, it reads as your ESPN identity not your facebook identity.

    Instead of outright blocking canvas fingerprinting, they should corrupt the canvas fingerprint such that if facebook reads the canvas they get your facebook fingerprint and if ESPN reads the canvas they get your ESPN fingerprint. And if you are using Tor, they get a generic Tor fingerprint that all Tor users share.

    A related problem is that this is all an arms race. Canvas fingerprinting is just the easiest current method (just like 3rd party cookies used to be the easiest method). There are lots of other methods too, like timing 3d rendering speeds, looking at battery levels, etc. Each time Mozilla shuts down one fingerprinting method, the trackers will look for something else. In the end, the only way to make *widespread* fixes is to outlaw tracking.

    So to that end I wish Mozilla would show an alert of some sort every time a site tries to do a fingerprint or otherwise track the user. They get away with all this sneaky shit today because few regular people have any idea of how much they are being tracked. If all the tracking was constantly in their face, it would make people angry. And that anger could be translated into support for laws making tracking illegal. That wouldn't stop criminals and spy agencies. But it would stop the vast majority of legal businesses. And they are the ones driving the tracking industry with their billions of dollars.
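
A sketch of the per-site canvas identity proposed in the comment above, as an added example that is not part of the original post and is not Firefox or Tor Browser code. The function names, the profile key, the two `.example` origins and the sample pixels are all assumptions made for illustration.

```javascript
// Added illustration, not Firefox or Tor Browser code; every name is hypothetical.
// Node's built-in crypto (the fallback covers ES-module contexts without require).
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

// Fixed readback that every Tor-mode user returns (constructed: opaque white).
const GENERIC_PIXEL = [255, 255, 255, 255];

// What a page receives from a canvas readback under the proposed scheme.
//   pixels        RGBA bytes this machine actually rendered
//   profileSecret random key stored in the browser profile
//   origin        first-party site performing the read
//   torMode       if true, everyone returns the same generic image
function readbackFor(pixels, profileSecret, origin, torMode = false) {
  if (torMode) return Uint8Array.from(pixels, (_, i) => GENERIC_PIXEL[i % 4]);
  const out = Uint8Array.from(pixels);
  // Per-site key = HMAC(profileSecret, origin): stable for one site across
  // visits, unrelated between sites, unknown to either site.
  const siteKey = nodeCrypto.createHmac("sha256", profileSecret).update(origin).digest();
  let block = null;
  for (let i = 0; i < out.length; i++) {
    // Each HMAC output (256 bits) covers 256 channel bytes, one bit per byte.
    if (i % 256 === 0) {
      block = nodeCrypto.createHmac("sha256", siteKey).update(String(i / 256)).digest();
    }
    if (i % 4 === 3) continue; // leave alpha untouched
    const bit = (block[(i % 256) >> 3] >> (i & 7)) & 1;
    out[i] ^= bit; // change only the lowest bit, so the image looks the same
  }
  return out;
}

// The tracker's view: a hash of whatever the readback returned.
function fingerprint(readback) {
  return nodeCrypto.createHash("sha256").update(readback).digest("hex");
}

// Constructed sample data: 64 RGBA pixels and a profile key.
const rendered = Uint8Array.from({ length: 256 }, (_, i) => (i * 37) % 256);
const secret = "constructed-profile-secret";
const social = fingerprint(readbackFor(rendered, secret, "https://social.example"));
const sports = fingerprint(readbackFor(rendered, secret, "https://sports.example"));
const socialAgain = fingerprint(readbackFor(rendered, secret, "https://social.example"));
console.log({ sameSiteStable: social === socialAgain, crossSiteLinkable: social === sports });
```

Perturbing only the lowest bit keeps the sketch short; a script that discards low-order bits before hashing would see the unmodified rendering, so a real design has to change more than that.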

  23. Pale Moon by Paronymous_Coward · · Score: 3, Informative

    Pale Moon, a Firefox fork, has had this for ages in about:config
    Just set "canvas.poisondata" to "true"

    1. Re:Pale Moon by Anonymous Coward · · Score: 1

      And the benefits for the feature there are rendered nonexistent, because you're one of a few thousand people using Pale Moon, and one of the ever fewer subset of those users who have toggled that feature.

  24. You're right! by Anonymous Coward · · Score: 1

    You just won a FREE T-shirt!

  25. Block all 3rd party cookies by madbrain · · Score: 2

    Hey Mozilla engineers, if you really want to lower tracking for your users, you should change the default 3rd party cookies setting from "allow from visited" to "never". No more seeing ads for the things you have searched for, after doing that, among other things.

    It breaks a few low-value sites like some message boards, but screw those. Privacy is more important.

    --
    -- Julien Pierre http://www.madbrain.com/blog

    1. Re:Block all 3rd party cookies by Anonymous Coward · · Score: 0

      Hey Mozilla, listen to this guy. He clearly knows what he's talking about and has all the data, so just trust him. To hell with your users who use sites that would break. Their privacy is more important, so you should bust their experience on Firefox, making them jump ship to whatever the default browser on their system is that actually works with the sites they use, which will surely be more privacy-minded than Firefox. And those users don't matter, because they aren't hardliners like us. Just fight the battle on conviction alone, and you'll win just like you did with your hardline stance against DRM.

    2. Re:Block all 3rd party cookies by Anonymous Coward · · Score: 0

      There are add-ons for that purpose, uMatrix is one of them, uMatrix allows you to tweak the cookies setting in fine-grained fashion. Too bad CookieMonster add-on was discontinued.

  26. Thank-You... apk by Anonymous Coward · · Score: 0

    See subject & thanks much for the setting - I had no idea it was there or what that one did (I only use FF for YouTube really is why).

    APK

    P.S.=> It's folks like you that keep me coming here - I get to learn a new trick of some kind I didn't know before... apk

    1. Re:Thank-You... apk by WallyL · · Score: 1

      See subject. It's people like you that keep me coming back, for the giggles. Oh, and learning things on occasion.

    2. Re:Thank-You... apk by Anonymous Coward · · Score: 0

      My, my. Look everyone! A brand new 7 digit trolling sockpuppet account named WallyL!

  27. I find this hard to believe by Anonymous Coward · · Score: 0

    I run Fedora Linux on most of my machines, so Microsoft's browsers and Apple's browser are not options.
    My main internet system won't run Chrome, and since Chrome == google == no privacy anyway, I use Firefox.

    Ever since version 45 or so, Firefox easily bogs down and devours all machine performance, sometimes making the system unresponsive for over 30 minutes. When it's doing this it is usually thrashing the hard drive (lotsa swap activity) because the damned browser is allowing ad companies to shovel mountains of video onto the local drive, exceeding the explicit limits and consuming all free memory and usually while running piles of JavaScript garbage that users USED to be able to disable in Firefox. Shutting down can take over an hour - half an hour to stop Firefox and then 30-45 minutes while Linux cleans up the wreckage left all over the drive by the "webcontent" task. It's NOT a virus etc since I can wipe the drive and do a clean re-install and reproduce the same problem. I no longer have the patience to wait so long while Firefox is loading Google crap, and advertisements, and tracking crap, so when it bogs down and is using 100% CPU time and all the memory I now just yank the power cord out of the wall and reboot. Happily, Linus and friends have made the kernel and filesystem robust enough to recover from that scenario far faster than Firefox can recover from its own JavaScript abuses.

    Life's too short to spend time waiting on a machine running code that some moron at Mozilla or on the Linux kernel team could not bother to properly test. There is simply NO EXCUSE for an app like a web browser giving a higher priority to the loading of web page content and processing of JavaScript over the user interacting with the GUI. Firefox SHOULD immediately halt ANYTHING related to a tab the INSTANT the user clicks the stop button on the tab. Anything else is incompetence. There's also no excuse for Firefox no longer honoring the options to block popups and to not run JavaScript. There's no excuse for Firefox allowing a page to cache gigabytes of ad crap onto the local drive. The browser should auto-blacklist any web page script that hangs and refuse to ever load/run that script again without explicit permission from the user. The damned browser should NEVER become non-responsive. NEVER.

    The coders at Mozilla should first try impressing users with a restoration of the simple idea that the owner of a PC is in charge, rather than the purveyors of ads and trackers, before they go on to add even more features that will almost certainly just add more bloat and bugs and reduced responsiveness.

    1. Re:I find this hard to believe by theweatherelectric · · Score: 1

      the damned browser is allowing ad companies to shovel mountains of video onto the local drive

      So use an ad blocker. Problem solved. uBlock Origin is a good one.

  28. Can't Wait - Tell Me Now by Anonymous Coward · · Score: 0

    sorry can't wait until 2018. Tell me now how to disable access to canvas. What Firefox config setting disables it?

  29. Disabled by default by CaffeinatedTech · · Score: 1

    Just read the bugzilla thread. https://bugzilla.mozilla.org/s... This is part of the `privacy.resistFingerprinting` preference which is disabled by default for all users. So developers who actually legitimately use canvas shouldn't be hit too hard. Just another post on the FAQ page.