Slashdot Mirror
Firefox To Add Tor Browser Anti-Fingerprinting Technique Called Letterboxing (zdnet.com)
Mozilla is scheduled to add a new user anti-fingerprinting technique to Firefox with the release of version 67, scheduled for mid-May this year. "Called 'letterboxing,' this new technique adds 'gray spaces' to the sides of a web page when the user resizes the browser window, which are then gradually removed after the window resize operation has finished," reports ZDNet. From the report: Advertising networks often sniff certain browser features, such as the window size to create user profiles and track users as they resize their browser and move across new URLs and browser tabs. The general idea is that "letterboxing" will mask the window's real dimensions by keeping the window width and height at multiples of 200px and 100px during the resize operation -- generating the same window dimensions for all users -- and then adding a "gray space" at the top, bottom, left, or right of the current page.
The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later. In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions. The feature was first developed for the Tor Browser, and can be seen in action here. In order to enable the feature in Firefox, "users will first need to visit the about:config page, enter 'privacy.resistFingerprinting' in the search box, and toggle the browser's anti-fingerprinting features to 'true,'" reports ZDNet.
The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later. In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions. The feature was first developed for the Tor Browser, and can be seen in action here. In order to enable the feature in Firefox, "users will first need to visit the about:config page, enter 'privacy.resistFingerprinting' in the search box, and toggle the browser's anti-fingerprinting features to 'true,'" reports ZDNet.
clearly uniquely identifiable and tracksble
They never sent stuff like a list of fonts, but the list can be gleaned via CSS. Simply create hidden CSS elements with every known font in use and then query them to see if that actual font was used. The browser will even helpfully not load the actual font because it can see that the element is hidden, to avoid your code grinding the computer to a halt.
Screen resolution is the same. Even if they disable the direct JS query people would just make a bunch of CSS rules for different sizes and see which one is applied.
The ability of CSS to adapt to things like screen size is generally a good thing, the problem is that Javascript can then figure out what it did. Blocking that is possible but will cause breakage, so it needs a major browser like Firefox to do it slowly and push web developers to fix the issues. If they do it quickly with massive breakage then users will complain.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC