Slashdot Mirror


Firefox Borrows From Tor Browser Again, Blocks Canvas Fingerprinting (bleepingcomputer.com)

An anonymous reader writes: Mozilla engineers have borrowed yet another feature from the Tor Browser and starting with version 58 Firefox will block attempts to fingerprint users using the HTML5 canvas element. The technique is widely used in the advertising industry to track users across sites. Firefox 58 is scheduled for release on January 16, 2018.

Canvas fingerprinting blocking is the second feature Mozilla engineers have borrowed from the Tor Project. Previously, Mozilla added a mechanism to Firefox 52 that prevents websites from fingerprinting users via system fonts. Mozilla's efforts to harden Firefox are part of the Tor Uplift project, an initiative to import more privacy-focused features from the Tor Browser into Firefox.

16 of 92 comments

  1. Re:maybe a dumb question by Desler · · Score: 3, Informative

    Yeah it’s for generating 2D graphics.

  2. Speaking of Firefox by wjcofkc · · Score: 5, Informative

    If like me you gave up on it years ago because it became bloated and slow, try out the latest beta. It's really fast even under a heavy load.

    --
    Brought to you by Carl's Junior.
  3. Re:Addons by serviscope_minor · · Score: 5, Informative

    I've actually spoken informally to some firefox people in person regarding addons.

    They do know it's a problem, but they feel that the temporary disruption was worth it. They also know the new webextension system is not yet up to the task of replacing the old extensions, but neither is the old one is severely holding up the browser in terms of both security and performance.

    The idea is that they get the first version up and running, then work on improving the extension system to put back as many of the missing bits as they can, but in a manner which doesn't break performance or security. With luck, by the time the last pre change LTS goes out of support, the new extension will be able to support the kind of things that people need. Apparently there are quite a lot of heavy extension users at Mozilla so there's internal pressure to get firefox to be as good as it always was in this regard.

    Personally I'm optimistic that they can achieve their goal.

    --
    SJW n. One who posts facts.
  4. Borrowed from a derivative project? by FatdogHaiku · · Score: 5, Insightful

    OK, "Mozilla engineers have borrowed yet another feature from the Tor Browser" sounds like they are ripping off some project's better design features, but to be fair, the Tor Browser is BUILT on Firefox to begin with.
    That being the case, how is this not just common sense on the part of Mozilla to use features of the derivative to make their own browser better? Tor is still using the Mozilla Public License for their browser so I just don't get the slant of the headline...

    https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    1. Re:Borrowed from a derivative project? by Freshly Exhumed · · Score: 2

      Tor and Mozilla folks work together on these things. That's what they themselves say.

      --
      I deny that I have not avoided attaining the opposite of that which I do not want.
  5. Re:maybe a dumb question by Desler · · Score: 2

    Browsers were able to display graphics long before HTML 5 existed.

    Cool story, bro. Canvas is for procedurally generating graphics not just displaying something.

  6. Re:Addons by markdavis · · Score: 4, Interesting

    I understand their reason and desire to switch to webextension, but the issue is that there are some things that many of us need to do that NO "webextension" addon is going to be allowed to do. This is because these new addons will not be allowed to modify the UI or underlying operation of the browser. Three such examples:

    FlashStopper (stops html5 video autoplay)
    ClassicThemeRestorer (makes the UI bearable)
    EnvironmentProxy (sets proxy based on environment variables)

    I am confident other important addons will be retained- I already see that UblockOrigin, Adblock Plus (as "AdBlock 57+"), and NukeAnything all work. But I can't bear to use the browser without certain other things.

  7. Re:good! by Noah Haders · · Score: 4, Insightful

    I agree, summary has a snotty tone. Is it good for cutting edge security features to be expanded to mainstream browsers? I’m happy for it.

  8. Re:Addons by Anonymous Coward · · Score: 3, Insightful

    At this point it's become clear that anything more transformative than basic UI stuff is not something that can be properly supported while keeping the core product tenable. I too went through a denial phase where I presumed that it was possible to keep every addon working while fixing the core browser, if Mozilla just magically put in even more effort and didn't care what it actually cost, but we have to acknowledge reality sooner or later. We're not the ones doing the work, we're just complaining that we can't hack it with the same tools anymore. All of our bickering about what we personally "need" isn't helping make Firefox any better, and if Firefox dies we won't have these addons anyway. Time to get seriously involved again and figure out a new way to do these things that works better for everyone, rather than just ourselves.

  9. Re:Unfortunately blocking is self identifying by maestroX · · Score: 2

    Unfortunately this sounds good on paper but in practice it's not going to make any difference for now. Until a sizable portion of browsers do this, blocking is actually going to be an identifying characteristic. The advertisers are going to get a line up of victims and instead of you being the one with Arial and Roboto on their hat, you're going to be the one wearing the tin foil one. That's still a unique, identifying feature until enough of us are wearing tin-foil that they can't tell us apart (by our hats).

    Firefox usage is still above 5% nowadays. Not much, but enough to ensure improvement over identification through font fingerprinting.
    Blocking at least hides software (OS)/hardware details, which make targeting vulnerabilities a lot harder.

  10. Re:Addons by markdavis · · Score: 5, Interesting

    Well said. I think the main issue was and has been, however, that Mozilla hasn't really been listening to what the users (and often developers) are saying. We wouldn't complain about the loss of addons that modify the UI had Mozilla not taken away the native ability for user to control the UI. A classic example is "tabs on bottom." It was HUGELY unpopular when Firefox finally removed that single option. And there was really no good reason to remove it. Addons saved the day, and now that will be gone too. And they added insult to injury by adding stuff that users didn't care about or want, things like screenprint, hello, pocket... things that could have easily been optional or even included addons. Development resources that could have gone to filling that UI-control that users do want, and/or performance, and/or bug fixing.

    My example of the "Flash Stopper" addon really is a perfect example of the jam in which people find themselves. It is something the browser should be able to do, natively and correctly. Autoplay of video is a HUGE annoyance to many users. And the built-in feature that Firefox offers to supposedly help control the problem is just broken. Here is the bug report: https://bugzilla.mozilla.org/s... 2 years and still broken! And now the addon that fixed the problem for perhaps 50,000 users (who managed to find it) will be forever gone because WebExtensions won't allow even third-parties to fix it.

    My other example- the Environment Proxy is another perfect example. Up to version XX (forget which), Firefox honored the environment variables for simple proxy control. And one day- BAM, it is just broken. An addon came out to work around the problem, and many years later, there is STILL no native fix. And WebExtensions will take away that solution, too.

    So please understand why I am complaining so loudly. It isn't just about not liking change, there are real issues that leave me and others in a real pickle.

  11. Re:maybe a dumb question by DontBeAMoran · · Score: 2

    I use canvas for a custom grayscale image conversion tool I made. It has to be real-time when the user moves the sliders, constant communication and server-side rendering and uploading just wouldn't be good enough.

    --
    #DeleteFacebook
  12. Pale Moon by Paronymous_Coward · · Score: 3, Informative

    Pale Moon, a Firefox fork, has had this for ages in about:config
    Just set "canvas.poisondata" to "true"

  13. Re:Unfortunately blocking is self identifying by fahrbot-bot · · Score: 4, Interesting

    Unfortunately this sounds good on paper but in practice it's not going to make any difference for now. Until a sizable portion of browsers do this, blocking is actually going to be an identifying characteristic. The advertisers are going to get a line up of victims and instead of you being the one with Arial and Roboto on their hat, you're going to be the one wearing the tin foil one. That's still a unique, identifying feature until enough of us are wearing tin-foil that they can't tell us apart (by our hats).

    Firefox usage is still above 5% nowadays. Not much, but enough to ensure improvement over identification through font fingerprinting. Blocking at least hides software (OS)/hardware details, which make targeting vulnerabilities a lot harder.

    Though I can't attest to the validity of the argument, here's an article I thought was interesting describing how blocking canvas fingerprinting on a low-adoption scale may make one more easily trackable (as the blocking can be used as an identifier): "How Canvas Fingerprint Blockers Make You Easily Trackable". If the argument is valid, then adding the capability to Firefox and having blocking enabled by default will help everyone.

    --
    It must have been something you assimilated. . . .
  14. Block all 3rd party cookies by madbrain · · Score: 2

    Hey Mozilla engineers, if you really want to lower tracking for your users, you should change the default 3rd party cookies setting from "allow from visited" to "never". No more seeing ads for the things you have searched for, after doing that, among other things.

    It breaks a few low-value sites like some message boards, but screw those. Privacy is more important.

    --
    -- Julien Pierre http://www.madbrain.com/blog
  15. Re:maybe a dumb question by Carewolf · · Score: 2

    Does this canvas element in HTML5 have legitimate uses, or was it included specifically to help advertisers covertly track users?

    Yes, but reading from it is much more questionable. Not only does a website rarely have use of encoded pixels, and if they want to copy a block they could just paint the commands again.