Firefox To Add Tor Browser Anti-Fingerprinting Technique Called Letterboxing (zdnet.com)
Mozilla is scheduled to add a new user anti-fingerprinting technique to Firefox with the release of version 67, scheduled for mid-May this year. "Called 'letterboxing,' this new technique adds 'gray spaces' to the sides of a web page when the user resizes the browser window, which are then gradually removed after the window resize operation has finished," reports ZDNet. From the report: Advertising networks often sniff certain browser features, such as the window size to create user profiles and track users as they resize their browser and move across new URLs and browser tabs. The general idea is that "letterboxing" will mask the window's real dimensions by keeping the window width and height at multiples of 200px and 100px during the resize operation -- generating the same window dimensions for all users -- and then adding a "gray space" at the top, bottom, left, or right of the current page.
The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later. In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions. The feature was first developed for the Tor Browser, and can be seen in action here. In order to enable the feature in Firefox, "users will first need to visit the about:config page, enter 'privacy.resistFingerprinting' in the search box, and toggle the browser's anti-fingerprinting features to 'true,'" reports ZDNet.
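A simplified model of the rounding described in the summary, added here as an illustration and not taken from Firefox or Tor Browser code. The function names, the constructed sample window sizes, and the handling of windows smaller than one step are assumptions.

```javascript
// Model of letterboxing as the summary describes it: the page is laid out in
// an area whose width is a multiple of 200px and height a multiple of 100px;
// the leftover pixels become gray margin around the content.
const WIDTH_STEP = 200;
const HEIGHT_STEP = 100;

// Round down to the step. Assumption of this model: a window smaller than
// one step cannot be rounded, so its real size is exposed unchanged.
function roundDown(value, step) {
  return value < step ? value : Math.floor(value / step) * step;
}

// Returns the dimensions a script would read, plus the gray margins.
function letterbox(innerWidth, innerHeight) {
  if (!Number.isInteger(innerWidth) || !Number.isInteger(innerHeight) ||
      innerWidth < 0 || innerHeight < 0) {
    throw new RangeError("window dimensions must be non-negative integers");
  }
  const width = roundDown(innerWidth, WIDTH_STEP);
  const height = roundDown(innerHeight, HEIGHT_STEP);
  const left = Math.floor((innerWidth - width) / 2);
  const top = Math.floor((innerHeight - height) / 2);
  return {
    width, height,
    margin: { left, right: innerWidth - width - left,
              top, bottom: innerHeight - height - top },
  };
}

// Count how many distinct "WxH" values a tracker would observe.
function countDistinct(sizes, useLetterbox) {
  const seen = new Set();
  for (const [w, h] of sizes) {
    const r = useLetterbox ? letterbox(w, h) : { width: w, height: h };
    seen.add(`${r.width}x${r.height}`);
  }
  return seen.size;
}

// Constructed sample: real inner window sizes of eight hypothetical users.
const SAMPLE = [
  [1366, 657], [1280, 671], [1349, 625], [1213, 642],
  [1920, 969], [1903, 937], [1536, 754], [1440, 789],
];

console.log("distinct sizes without letterboxing:", countDistinct(SAMPLE, false));
console.log("distinct sizes with letterboxing:   ", countDistinct(SAMPLE, true));
```

Eight distinguishable window sizes collapse into three shared buckets, which is the reduction in identifying information the technique aims for.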
A long way to go, but I like this direction.
Isn't it trivial to write some JavaScript to delay a bit before reading browser dimensions?
Fingerprinting is useful for moderation and in the fight against trolls, cheaters etc. It is about identifying a computer, not about identifying a person. If they make moderation harder, then there will be less place to socialize on the web. Moreover, income from untargeted ads is only 1/3 - 1/10 of the income for targeted ads. The reduced income results in less service. People could easily pay to replace ad income, but microtransactions haven't taken off for 20 years. They cannot win either, at most they make the monopolies of the internet stronger. It seems the developer community around the web shoots itself in the foot.
The web was envisaged as being open by design. As it originated as something running on a closed corporate network, such openness such as identifiable information of the user wasn't considered remotely dodgy. It's only subsequently that such information has been considered to be morally dubious thanks to those who spotted a potential revenue source and exploited it.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
people wonder why are today's computers, which are so powerful, so slow?
well, this is the answer, first you have code running trying to identify who you are, then you have code running that tries to trick the other code detection mechanism. many cpu cycles are lost.
cpu cycles are not the only wasted resource, mind you. there is also somebody coding all this stuff, which otherwise perhaps could have been implementing really cool things.
On a long enough timeline, the survival rate for everyone drops to zero.
Sadly it seems that whitelisting JavaScript (e.g.: the Firefox NoScript extension) and keeping it to the bare strict minimum required to successfully display a web page is the only practical way to avoid/diminish the online tracking.
Luckily, it seems that nearly all the web relies on 3rd party libraries to do the tracking and thus blocking 3rd party libraries and only allowing select few helps increase the protection against tracking.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
They learn to spell "missile" properly?
Sure, but what happens when they deploy their missle-missle-anti-anti-anti-missle-anti-anti missles?
Those were banned by the anit-anti-missile missive.
Socialism: a lie told by totalitarians and believed by fools.
Anonymous Coward wrote:
Sorry, but if you work for an analytics company, or an internet ad company, you really are a sack of shit
Then let's discuss how to make "Internet ad companies" and the "sack[s] of shit" who work for them obsolete. It sounds like you and other Slashdot users like you want one of three things to happen: either A. you want to keep ads but destroy "Internet ad companies", or B. you want to fund the operation of websites through payments from users, or C. you want to fund the operation of websites through some means other than ads or paywalls.
In case A, each website would have to hire, much as in the good old days of print advertising in newspapers. This means each website would need to hire an ad sales team to make prospective advertisers aware of the existence of that website's ad space. How would you suggest to make this practical for smaller websites?
In case B, I'm interested to see how you would circumvent banks' fees for accepting electronic payment. Pay-per-page is untenable because of the 30 cent fee that the acquiring bank takes on top of each transaction. So is paying for a pack of 100 articles on a particular site, as someone who pays $5.00 for the minimum 100-article pack just to read four articles would see 96 article view credits go to waste.
As for case C, could you explain what you had in mind? Shut down any site that doesn't have a shopping cart and isn't run by a nonprofit organization or as an individual's hobby?
DontBeAMoran ( 4843879 ) wrote:
So congratulations, idiots. You just gave advertisers a way to target Firefox users even if they use a fake user agent string.
Targeting "Firefox users" isn't as valuable as targeting "D. B. A. Moran" who lives on 484 38th Street, apartment 79.
You appear to suggest that users "name and shame and boycott" any website that relies on an ad network or ad exchange. Let's assume for purposes of argument that you operate a website or web application, and you want to fund the website's operation while avoiding this boycott. What would be your next step?
Except there are literally hundreds of additional data points which allow websites to uniquely identify you.
The point isn't just to identify you as unique but for you to both be unique the first time AND recognizable the next time you come back. This seems like a much easier problem to solve. Just change as many of the settings as you can each time you visit a website. If you had a browser capable of randomly tweaking settings at each page load it should be able to add enough noise that browser fingerprinting would become worthless. As an added bonus, not only would it protect your browser, the noise would add a touch of herd immunity and help other people with stock browsers as well. The goal shouldn't be to lock down a browser so that nothing is leaked but rather to leak so much random crap that it becomes worthless.
I think I was vaccinated for the missles once.