Firefox To Add Tor Browser Anti-Fingerprinting Technique Called Letterboxing (zdnet.com)

← Back to Stories (view on slashdot.org)

Firefox To Add Tor Browser Anti-Fingerprinting Technique Called Letterboxing (zdnet.com)

Posted by BeauHD on Wednesday March 6, 2019 @10:00PM from the new-and-improved dept.

Mozilla is scheduled to add a new user anti-fingerprinting technique to Firefox with the release of version 67, scheduled for mid-May this year. "Called 'letterboxing,' this new technique adds 'gray spaces' to the sides of a web page when the user resizes the browser window, which are then gradually removed after the window resize operation has finished," reports ZDNet. From the report: Advertising networks often sniff certain browser features, such as the window size to create user profiles and track users as they resize their browser and move across new URLs and browser tabs. The general idea is that "letterboxing" will mask the window's real dimensions by keeping the window width and height at multiples of 200px and 100px during the resize operation -- generating the same window dimensions for all users -- and then adding a "gray space" at the top, bottom, left, or right of the current page.

The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later. In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions. The feature was first developed for the Tor Browser, and can be seen in action here. In order to enable the feature in Firefox, "users will first need to visit the about:config page, enter 'privacy.resistFingerprinting' in the search box, and toggle the browser's anti-fingerprinting features to 'true,'" reports ZDNet.

54 of 101 comments (clear)

Min score:

Reason:

Sort:

Well it's a step by Anonymous Coward · 2019-03-06 22:11 · Score: 3, Insightful

A long way to go, but I like this direction.
1. Re: Well it's a step by Anonymous Coward · 2019-03-06 22:41 · Score: 1
  
  _After all, you still see the ad eventually right?_
  I dunno, what is an ad?
2. Re: Well it's a step by morethanapapercert · 2019-03-07 00:27 · Score: 3, Interesting
  
  And it strikes me as pretty straight forward, even trivial, to work around this. All you would have to do is add a delay or secondary trigger to the code. Visitor resizes? then wait X milliseconds before checking window size. Or check window size only on a scroll or page down action.
  Note: I'm not a web designer or coder, so I could be talking out my ass when it comes to judging the difficulty involved. But I'd be willing to bet money on it.
  
  --
  I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
3. Re:Well it's a step by Joce640k · 2019-03-07 01:16 · Score: 5, Interesting
  
  A long way to go, but I like this direction.
  Really? Firefox is still sending a stupidly detailed user-agent string, exact model of graphics card, list of plugins, list of installed fonts, screen resolution, time zone, etc.
  Hell, even your "Do Not Track" setting is useful to the people who want to track you - some people enable it, some people don't. Imagine that, a privacy-enhancing feature that decreases your privacy.
  
  --
  No sig today...
4. Re: Well it's a step by tepples · 2019-03-07 01:55 · Score: 1
  
  An ad is a message from a sponsor displayed in exchange for the sponsor's payment to a publisher (the operator of a website). If ads were banned, far more sites would have a paywall.
5. Re:Well it's a step by Anonymous Coward · 2019-03-07 03:37 · Score: 2, Insightful
  
  What a horrible way to spoof ad scripts.
  They abuse window dimensions, so the browser waste time & space drawing gray in order to faithfully report oddball window sizes?
  Don't waste time & space drawing gray. Just report fake rounded-down window sizes when the scripts query.
  There is no need to actually change the window size. Just lie to the ad scripts!
6. Re:Well it's a step by AmiMoJo · 2019-03-07 05:04 · Score: 3, Informative
  
  They never sent stuff like a list of fonts, but the list can be gleaned via CSS. Simply create hidden CSS elements with every known font in use and then query them to see if that actual font was used. The browser will even helpfully not load the actual font because it can see that the element is hidden, to avoid your code grinding the computer to a halt.
  Screen resolution is the same. Even if they disable the direct JS query people would just make a bunch of CSS rules for different sizes and see which one is applied.
  The ability of CSS to adapt to things like screen size is generally a good thing, the problem is that Javascript can then figure out what it did. Blocking that is possible but will cause breakage, so it needs a major browser like Firefox to do it slowly and push web developers to fix the issues. If they do it quickly with massive breakage then users will complain.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
7. Re:Well it's a step by Anonymous Coward · 2019-03-07 06:12 · Score: 1
  
  Since ads don't identify themsleves as such when they query for the information all instances of code the request the window size will see the fake size, and thus the page as a whole will render as if the fake size were real.
  Padding it with grey is juts to make it look less shitty to the end user.
8. Re: Well it's a step by Wulf2k · 2019-03-07 10:03 · Score: 1
  
  "If ads were banned, far more sites would have a paywall."
  If ads were banned, far fewer sites would exist.
  How you interpret that statement depends on whether you're an optimist or a pessimist.
9. Re:Well it's a step by Stan42 · 2019-03-08 15:11 · Score: 1
  
  Why not just us Tor then, will it make any difference ? Learning here, thanks !
Arms races by Anonymous Coward · 2019-03-06 22:33 · Score: 1

Sure, but what happens when they deploy their missle-missle-anti-anti-anti-missle-anti-anti missles?
1. Re:Arms races by Anonymous Coward · 2019-03-06 23:55 · Score: 3, Funny
  
  They learn to spell "missile" properly?
2. Re:Arms races by lgw · 2019-03-07 01:30 · Score: 2
  
  Sure, but what happens when they deploy their missle-missle-anti-anti-anti-missle-anti-anti missles?
  Those were banned by the anit-anti-missile missive.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
3. Re:Arms races by Wulf2k · 2019-03-07 10:07 · Score: 2
  
  I think I was vaccinated for the missles once.
Great by Artem+S.+Tashkinov · 2019-03-06 22:36 · Score: 1

Except there are literally hundreds of additional data points which allow websites to uniquely identify you. The best you could do without too much hassle is to run the English version of Google Chrome under the latest release of Windows 10 without any extensions or additional fonts installed. But even that is not enough since you still expose your time zone, WebGL extensions and then there are evercookies, mouse tracking, canvas fingerprinting, etc. etc. etc.
It surely looks like the WWW was built with tracking in mind. Not intentionally of course.
1. Re:Great by mrbester · 2019-03-06 23:29 · Score: 2
  
  The web was envisaged as being open by design. As it originated as something running on a closed corporate network, such openness such as identifiable information of the user wasn't considered remotely dodgy. It's only subsequently that such information has been considered to be morally dubious thanks to those who spotted a potential revenue source and exploited it.
  
  --
  "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
2. Re:Great by Wycliffe · 2019-03-07 02:07 · Score: 3, Interesting
  
  Except there are literally hundreds of additional data points which allow websites to uniquely identify you.
  
  The point isn't just to identify you as unique but for you to both be unique the first time AND recognizable the next time you come back. This seems like a much easier problem to solve. Just change as many of the settings as you can each time you visit a website. If you had a browser capable of randomly tweaking settings at each page load it should be able to add enough noise that browser fingerprinting would become worthless. As an added bonus, not only would it protect your browser, the noise would add a touch of herd immunity and help other people with stock browsers as well. The goal shouldn't be to lock down a browser so that nothing is leaked but rather to leak so much random crap that it becomes worthless.
3. Re:Great by drinkypoo · 2019-03-07 03:30 · Score: 1
  
  The best you could do without too much hassle is to run the English version of Google Chrome under the latest release of Windows 10
  Run the browser that spies on you under the OS that spies on you? What a great idea!
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
4. Re:Great by squiggleslash · 2019-03-07 03:59 · Score: 1
  
  OK, and your point is what? That because there are hundreds they shouldn't start patching them one by one?
  You do realize that if there are a hundred issues, it's highly unlikely Mozilla can put in one line of code, that doesn't break anything, that fixes EVERYTHING, right?
  It looks to me as if Mozilla looked for one of the trickier ones to fix (fuzzing the font list would be easy, for example), and spent some time working on it. I'm glad they did. Now for the next fix.
  
  --
  You are not alone. This is not normal. None of this is normal.
Re: really? another about:config entry? by Anonymous Coward · 2019-03-06 22:48 · Score: 1

Ad interference or blocking sometimes has the nice side effect of letting through the better ads, like the humorous ones or the higher quality longer running ads like those multi part ads some of the agencies make for long running campaigns
Can't the javascript code just delay? by Anonymous Coward · 2019-03-06 23:02 · Score: 2, Insightful

Isn't it trivial to write some java script to delay a bit before reading browser dimensions?
Caveat by Anonymous Coward · 2019-03-06 23:06 · Score: 1

privacy.resistFingerprinting will set your useragent to Firefox 60 as i discovered when i visited the addons site in 65 and the page said i was running an incompatible version, a quick check of my useragent confirmed it was reporting 60, setting privacy.resistFingerprinting to the default false put the UA back to normal
Contraproductive by dshk · 2019-03-06 23:13 · Score: 2

Fingerprinting is useful for moderation and in the fightagainst trolls, cheaters etc. It is about identifying a computer, not about identifying a person. If they make moderation harder, then there will be less place to socialize on the web. Moreover, income from untargetted ads is only 1/3 - 1/10 of the income for targetted ads. The reduced income results in less service. People could easily pay to replace ad income, but microtransactions haven't taken off for 20 years. They cannot win either, at most they make the monopolies of the internet stronger. It seems the developer community around the web shoot itself in the foot.
1. Re:Contraproductive by Anonymous Coward · 2019-03-06 23:29 · Score: 1
  
  show us 1 discussion site that uses fingerprinting like you say ?
  and fuck the advert companies, who gives a shit if they dont receive money, 10% of free money if still free, its not as if they had to work for it
2. Re:Contraproductive by Actually,+I+do+RTFA · 2019-03-07 02:04 · Score: 2
  
  Fingerprinting is useful for moderation and in the fightagainst trolls, cheaters etc.
  That is one of it's uses, sure. And that same use would happen if you required everyone to have a verified photo ID. This benefit isn't worth the cost.
  
  . It is about identifying a computer, not about identifying a person
  I assume you know this is a lie. IDing a computer that looks at X, and IDing that same computer as signed into FB as Joe Schmo (at the same time?) is a clear way to link Joe Schmo to X.
  
  They cannot win either, at most they make the monopolies of the internet stronger. It seems the developer community around the web shoot itself in the foot.
  I don't understand what you are trying to say here. Want to clarify?
  
  --
  Your ad here. Ask me how!
resources by sad_ · 2019-03-06 23:30 · Score: 5, Insightful

people wonder why are todays computers, which are so powerful, so slow?
well, this is the answer, first you have code running trying to identify who you are, then you have code running that tries to trick the other code detection mechanism. many cpu cycles are lost.
cpu cycles are not the only wasted resource, mind you. there is also somebody coding all this stuff, which otherwise perhaps could have been implementing really cool things.

--
On a long enough timeline, the survival rate for everyone drops to zero.
1. Re:resources by thegarbz · 2019-03-07 00:25 · Score: 1
  
  people wonder why are todays computers, which are so powerful, so slow?
  No they don't. We're dedicating very few resources to actually tracking. Most slowdowns are the result of poorly designed software or ignorant people realising how much more we're doing in software these days.
  There's no reason a tracking script (or 10) should have any impact on page load times. There's also no reason to for anyone to think that using a browser from the early 00s would even function in today's internet.
  And as if to poetically prove the point I just got an email notification in my browser just as I hit preview.
2. Re:resources by Seven+Spirals · 2019-03-07 10:06 · Score: 1
  
  This among other reasons is why I wish the Mozilla folks would integrate CPU throttling for background tabs. Chrome and Opera both have it. It is extremely effective and drives down CPU usage greatly for those of us who normally have a handful (or more) of tabs open. Hopefully, it's being worked on and I just can't see a single shred of evidence to that end because it's all being done quietly? It'd be a MUCH better feature than this letterboxing shit sounds like.
Re:Contraproductive my ass. by Anonymous Coward · 2019-03-06 23:30 · Score: 1

Yah, and mass surveillance is useful to fight crime. Go live in China if you like that.
I think what we need is a proxy in front of the browser (it has to handle TLS) which just manipulates the outgoing requests and LIES to the website. Because we have been given all reasons to mistrust most of them.
Whitelisting by DrYak · 2019-03-06 23:41 · Score: 5, Insightful

Saddly it seems that whitelisting Javascript (e.g.: the Firefox NoScript extension) and keeping it to the bare strict minimum required to successfully display a web page is the only practical way to avoid/diminish the online tracking.
Luckily, it seems that nearly all the web rely on 3rd party libraries to do the tracking and thus blocking 3rd party libraries and only allowing select few helps increasing the protection against tracking.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
1. Re:Whitelisting by AmiMoJo · 2019-03-07 01:34 · Score: 5, Interesting
  
  Whitlisting Javascript won't actually protect you from this, not entirely. For example the site can use CSS to load a different resource based on your browser window size, which the server can log along with your IP address.
  It's extremely difficult to block everything that could be used to identify a browser. A better technique is to poison the data, making it unreliable and ever-changing.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
2. Re:Whitelisting by Anonymous Coward · 2019-03-07 02:38 · Score: 1
  
  https://www.eff.org/privacybad...
3. Re:Whitelisting by Anonymous Coward · 2019-03-07 03:06 · Score: 3, Insightful
  
  My browser strings used to show that my computer was an 8 bit Atari 800 with 16 MB of RAM, video card was a Hercules, the OS was MS-DOS 3.2, and that the web browser was Outlook Express. If the servers "need" to collect data then we should flood them with garbage data.
4. Re: Whitelisting by Anonymous Coward · 2019-03-07 03:46 · Score: 2, Informative
  
  clearly uniquely identifiable and tracksble
5. Re:Whitelisting by Anonymous Coward · 2019-03-07 03:52 · Score: 1
  
  Even better, choke them with poisonous garbage. They want to read back stuff? Each time, pick one of these actions:
  1. Scramble whatever they read. Be it an ad cookie, screen size or other fingerprinting stuff. The data will be useless.
  2. Use the teergrube technique of sending them one byte per minute - tying up their server for a long time. The problem is not that you alone do this, but if they have 10 000 such connections.
  3. Attempt to force a buffer overflow down their throat. They expected a less than 60-character font name? Here's 60GB to go with it! Or how much of that they receive before the tcp connection suddenly breaks. Optionally, put real exploits in that buffer overflow, get a botnet consisting of compromized ad servers. Could be useful for further fun.
6. Re:Whitelisting by AmiMoJo · 2019-03-07 05:00 · Score: 3, Insightful
  
  That really helps them uniquely identify you, because you are the only one surfing the web on an Atari 800.
  What you need is an add-on that randomly changes the browser ID string every few minutes. Use a common but randomly selected one.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Re:This breaks my fullscreen HTML5 game. by Anonymous Coward · 2019-03-07 00:08 · Score: 1

Boo hoo. Stop bitching and work around it. If you're even half-decent you'll find a way, but most video game developers are lazy bastards like yourself who couldn't code a Hello World without a dozen proprietary clutches and middleware packages. You think we give a shit about your game? This is our privacy at stake, here. Find another way to identify me, asshole.
Maybe this is a stupid question by EmagGeek · 2019-03-07 00:37 · Score: 1

Maybe this is a stupid question, but wouldn't a better solution simply be to deny "advertising code" from being able to access the window size? Why does any website need to be told what your window size is anyway, or for that matter, why does it need to be told anything at all about you?
1. Re:Maybe this is a stupid question by tepples · 2019-03-07 01:38 · Score: 1
  
  Why does any website need to be told what your window size is anyway
  In order to choose the correct size of image to present to you, so that you don't end up wasting metered bandwidth downloading photos big enough to fill a 4K monitor just to display them on a smartphone's 480x800 pixel display.
There's your problem ... by Anonymous Coward · 2019-03-07 00:51 · Score: 1

The advertising code, which listens to window resize events
See, the problem is we seem to have reached the point of stupid where we let any random web page run scripts, as well as pulling in from any number of external assholes and parasites.
So, I treat ad networks for what they are .. useless sacks of shit who add no value to my life, consume my resources, and wish to harvest my personal information against my wishes. And my solution to that is to block the fuck out of these pieces of shit.
We need to get away from this busted security model in which any site can run scripts, can link to a dozen external sites who then claim you've agreed to their privacy policy and consented to scripts. Browsers have devolved to pretty much completely promiscuous so they'll run scripts from anybody anywhere, and that is eroding out security and our privacy.
Sorry, you don't get to fingerprint my browser, because your site isn't allowed to run scripts, and every site I visit that pulls in 3rd party parasites I block the parasites -- which makes them blocked everywhere.
If you work for an internet ad agency, you really deserve every user of the internet to stand in line and punch you in the throat ... because you're an asshole, and you deserve it.
As long as we keep up this fiction that we should be allowing every web site and whoever they partner with to run scripts on our browsers, we'll have this shit. We need to start reining in how much we allow sites to run scripts, and absolutely blocking the 3rd parties who add no value to the user ... and don't tell me ads and analytics offers value to me.
Sorry, but if you work for an analytics company, or an internet ad company, you really are a sack of shit who deserves the feel the wrath of everyone who is tired of being spied on ... and as such, you and your family have forfeited any right to privacy, as you have decided that we don't have any.
1. Re:There's your problem ... by tepples · 2019-03-07 01:51 · Score: 2
  
  Anonymous Coward wrote:
  
  Sorry, but if you work for an analytics company, or an internet ad company, you really are a sack of shit
  Then let's discuss how to make "Internet ad companies" and the "sack[s] of shit" who work for them obsolete. It sounds like you and other Slashdot users like you want one of three things to happen: either A. you want to keep ads but destroy "Internet ad companies", or B. you want to fund the operation of websites through payments from users, or C. you want to fund the operation of websites through some means other than ads or paywalls.
  In case A, each website would have to hire, much as in the good old days of print advertising in newspapers. This means each website would need to hire an ad sales team to make prospective advertisers aware of the existence of that website's ad space. How would you suggest to make this practical for smaller websites?
  In case B, I'm interested to see how you would circumvent banks' fees for accepting electronic payment. Pay-per-page is untenable because of the 30 cent fee that the acquiring bank takes on top of each transaction. So is paying for a pack of 100 articles on a particular site, as someone who pays $5.00 for the minimum 100-article pack just to read four articles would see 96 article view credits go to waste.
  As for case C, could you explain what you had in mind? Shut down any site that doesn't have a shopping cart and isn't run by a nonprofit organization or as an individual's hobby?
2. Re: There's your problem ... by tepples · 2019-03-07 02:03 · Score: 2
  
  You appear to suggest that users "name and shame and boycott" any website that relies on an ad network or ad exchange. Let's assume for purposes of argument that you operate a website or web application, and you want to fund the website's operation while avoiding this boycott. What would be your next step?
3. Re:There's your problem ... by Wulf2k · 2019-03-07 10:26 · Score: 1
  
  I'm all for case C.
  If it can't fund itself, does it really need to exist?
  If it's something that needs to exist, can't it fund itself?
  People get things goings at the "individual's hobby" level. Shouldn't anything grander than that be even easier to get and keep going?
Re:Idiots! by craigwilkie · 2019-03-07 01:43 · Score: 1

The way I read the summary was that the browser would maintain a "virtual window" inside of the real window. The real window could have any size; it is the size of the virtual window which would be quantised to 100px steps, and the gap between the real window and the virtual window would be the "letterbox".
Re:Idiots! by tepples · 2019-03-07 01:53 · Score: 3, Insightful

DontBeAMoran ( 4843879 ) wrote:

So congratulations, idiots. You just gave advertisers a way to target Firefox users even if they use a fake user agent string.
Targeting "Firefox users" isn't as valuable as targeting "D. B. A. Moran" who lives on 484 38th Street, apartment 79.
Re:Idiots! by DontBeAMoran · 2019-03-07 02:01 · Score: 1

But the point of this virtual window is that it is the value returned to the scripts, which is going to make it easier to target Firefox users.

--
#DeleteFacebook
Re:Idiots! by Actually,+I+do+RTFA · 2019-03-07 02:08 · Score: 1

We won't even talk about the problems this is going to create for web programmers who need to rely on knowing the exact size of the display for real-world purposes.
What uses are these?

--
Your ad here. Ask me how!
Re:Idiots! by DontBeAMoran · 2019-03-07 02:48 · Score: 1

It's used to align things when CSS fails to have a proper solution. It's used for interfaces, games, etc. It can be used to determine what resolution of image to dynamically fetch for your device. No point in downloading a 4K photo for a laptop that's not even full HD.

--
#DeleteFacebook
Public web terminals by tepples · 2019-03-07 02:52 · Score: 1

IDing a computer that looks at X, and IDing that same computer as signed into FB as Joe Schmo (at the same time?) is a clear way to link Joe Schmo to X.
It doesn't work so well when Joe Schmo logs into Facebook from the same public library computer from which other patrons log into Facebook.
1. Re:Public web terminals by Actually,+I+do+RTFA · 2019-03-07 03:37 · Score: 1
  
  I don't see why. You're ignoring time information. And ad networks are both aware of computer sharing and very good at disambiguating the users.
  I mean, sure, Jow could use a public computer for X (which can no longer be something he cannot view in public, like porn or personal financial data). He could then leave, and come back later to use Facebook. But that's not what people really do. They have FB in one tab and X in another.
  
  --
  Your ad here. Ask me how!
Re: Idiots! by Red_Forman · 2019-03-07 03:26 · Score: 1

You think people using Opera, a now-owned-by-China browser, are smarter?
You think people who use Internet Explorer, which has been abandoned by Microsoft itself over a year ago, are smarter than people who use Edge?
You're a dumbass.
Re: Idiots! by The-Ixian · 2019-03-07 07:46 · Score: 1

You're a dumbass.
Says the Chrome user.....

--
My eyes reflect the stars and a smile lights up my face.
Re:Idiots! by nadass · 2019-03-07 07:55 · Score: 1

It's used to align things when CSS fails to have a proper solution. It's used for interfaces, games, etc. It can be used to determine what resolution of image to dynamically fetch for your device. No point in downloading a 4K photo for a laptop that's not even full HD.
You should be programming for the RELATIVE CONTENT POSITIONING and allow auxiliary scripts to dynamically fetch the right-sized create assets... Unless you're talking about scroll-over advertisements that are supposed to take over the entire screen, then yeah sure I can see why you're upset.

The year 2001 called, it wants its fixed content positioning CSS definitions back...
Re:Idiots! by DontBeAMoran · 2019-03-07 09:31 · Score: 1

Relative positioning usually works, but sometimes you need to calculate something and position things manually.
Also... "allow auxiliary scripts to dynamically fetch the right-sized create assets...", how do you do that if not via javascript and reading the screen size?

--
#DeleteFacebook