Firefox To Add Tor Browser Anti-Fingerprinting Technique Called Letterboxing

Mozilla is scheduled to add a new user anti-fingerprinting technique to Firefox with the release of version 67, scheduled for mid-May this year. "Called 'letterboxing,' this new technique adds 'gray spaces' to the sides of a web page when the user resizes the browser window, which are then gradually removed after the window resize operation has finished," reports ZDNet. From the report: Advertising networks often sniff certain browser features, such as the window size to create user profiles and track users as they resize their browser and move across new URLs and browser tabs. The general idea is that "letterboxing" will mask the window's real dimensions by keeping the window width and height at multiples of 200px and 100px during the resize operation -- generating the same window dimensions for all users -- and then adding a "gray space" at the top, bottom, left, or right of the current page.

The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later. In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions. The feature was first developed for the Tor Browser, and can be seen in action here. In order to enable the feature in Firefox, "users will first need to visit the about:config page, enter 'privacy.resistFingerprinting' in the search box, and toggle the browser's anti-fingerprinting features to 'true,'" reports ZDNet.

Re: Well it's a step

[morethanapapercert]

And it strikes me as pretty straight forward, even trivial, to work around this. All you would have to do is add a delay or secondary trigger to the code. Visitor resizes? then wait X milliseconds before checking window size. Or check window size only on a scroll or page down action.

Note: I'm not a web designer or coder, so I could be talking out my ass when it comes to judging the difficulty involved. But I'd be willing to bet money on it.

Re:Well it's a step

[Joce640k]

A long way to go, but I like this direction.

Really? Firefox is still sending a stupidly detailed user-agent string, exact model of graphics card, list of plugins, list of installed fonts, screen resolution, time zone, etc.

Hell, even your "Do Not Track" setting is useful to the people who want to track you - some people enable it, some people don't. Imagine that, a privacy-enhancing feature that decreases your privacy.

Re:Whitelisting

[AmiMoJo]

Whitlisting Javascript won't actually protect you from this, not entirely. For example the site can use CSS to load a different resource based on your browser window size, which the server can log along with your IP address.

It's extremely difficult to block everything that could be used to identify a browser. A better technique is to poison the data, making it unreliable and ever-changing.

Re:Great

[Wycliffe]

Except there are literally hundreds of additional data points which allow websites to uniquely identify you.

The point isn't just to identify you as unique but for you to both be unique the first time AND recognizable the next time you come back. This seems like a much easier problem to solve. Just change as many of the settings as you can each time you visit a website. If you had a browser capable of randomly tweaking settings at each page load it should be able to add enough noise that browser fingerprinting would become worthless. As an added bonus, not only would it protect your browser, the noise would add a touch of herd immunity and help other people with stock browsers as well. The goal shouldn't be to lock down a browser so that nothing is leaked but rather to leak so much random crap that it becomes worthless.