Firefox w/ the Arkenfox user.js is probably as good as it gets in terms of privacy. By default, this config burns cookies on exit, standardizes the time zone to UTC, spoofs the canvas fingerprint, and does other helpful things. Basically, it makes Firefox expose the same information as the Tor browser.
In addition, I block most known advertising/tracking domains at the DNS level (I run my own server, and use Hagezi's blacklists).
Finally, another suggestion would be to block all third party content by default using uBlock Origin and/or uMatrix. This will break a lot of websites, but automatically rules out most forms of tracking through things such as fonts hosted by Google, Adobe and others. I manually whitelist required third party domains (CDNs) for websites I frequently visit.
There's no point unless a critical mass of people use these tools. You will be the only one on your IP address using this configuration of masked fingerprinting, which is itself a fingerprint.
That's also why it's indeed useful when using Tor, because you're not identified by your base IP.
Unless we make this part of the culture, you have basically 0 recourse to browser fingerprinting except using Tor. Which can itself still be a useful fingerprint depending on the context.
EDIT: I'll add that using these tools outside of normal browsing use can be useful for obfuscating who's doing specific browsing, but it should be emphasized that using fingerprinting masking in isolation all the time is nearly as useful as not using them at all.
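To make the anonymity-set argument in the comment above concrete, here is an added example (not part of the original thread) that counts how many visitors share each observable fingerprint, with and without the IP address as part of it. The visitor records, the field choice and the `anonymity_sets` helper are constructed for illustration.

```python
from collections import Counter

# Constructed sample of what a tracker might record per visitor:
# (ip, timezone, cpu_cores, canvas_hash). "std" stands for the value a
# hardened config standardizes to (UTC, 4 cores, spoofed canvas).
VISITORS = {
    "alice": ("198.51.100.7", "Europe/Berlin", 8, "c1a9"),
    "bob":   ("198.51.100.7", "Europe/Berlin", 8, "c1a9"),  # same household, stock browser
    "carol": ("198.51.100.7", "UTC", 4, "std"),             # same household, hardened
    "dave":  ("203.0.113.20", "UTC", 4, "std"),             # hardened
    "erin":  ("192.0.2.55", "UTC", 4, "std"),               # hardened
    "frank": ("192.0.2.90", "America/Chicago", 16, "77fe"),
}


def anonymity_sets(visitors, include_ip):
    """Return {visitor: number of visitors with the same observable fingerprint}.

    include_ip=False models a setting where the IP address does not
    distinguish users (the Tor case described in the thread).
    """
    def key(record):
        return record if include_ip else record[1:]

    counts = Counter(key(rec) for rec in visitors.values())
    return {name: counts[key(rec)] for name, rec in visitors.items()}


def unique_visitors(visitors, include_ip):
    """Visitors whose fingerprint is shared with nobody else."""
    sets = anonymity_sets(visitors, include_ip)
    return sorted(name for name, size in sets.items() if size == 1)


if __name__ == "__main__":
    for include_ip in (True, False):
        print("IP included:", include_ip, anonymity_sets(VISITORS, include_ip))
```

With the IP included, carol is the only hardened browser on her address and is unique; with the IP excluded she falls into the same set as dave and erin.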
He was effectively years early to the “if you don’t like how twitter is run, build your own <smug face>” interesting how that argument isn’t used anymore.
As far as "obligatory xkcd" is concerned: 3154, 3155, 3159, 3160, 3162, 3165 and 3167 are all relevant. (I've found myself citing 3155 a lot, in attempts to deradicalise cranks: it sometimes works, if I can convince them to quit ChatGPT cold-turkey.)
It's fine to like the comics before around 2016, and dislike the ones afterwards, but there's nothing objective about that. Various people have put forward various thresholds for when xkcd "stopped being good", but ultimately it boils down to a combination of what TV Tropes would call "Tone Shift" and "They Changed It, Now It Sucks!".
A person used their relatively large platform to tell people that they don't support a crazy lunatic millionaire running the world's most powerful country? How scandalous!
In the USA, 2016 and onwards wasn't "just an election". It was something between a mildly harmful establishment candidate or a useless new face on one side, and "holy fucking shit are we actually letting this deranged wannabe monarch run for office?!?" on the other.
Give the man a break, it was (the start of) a crazy time, I'm actually surprised more creators didn't do something like this. If anything, it was barely even a political statement, more of a "hey fellow dems, go vote!" type thing.
No, but not understanding your audience, not being able to not divide your fanbase for absolutely no reason, and doing all that for Hillary Clinton who history will not at all be kind to…
His traffic and hot takes dropped and his influence declined to almost nothing… maybe those things aren’t unrelated?
I have packed ff with arkenfox js into a container and maybe a handful of other people use it https://github.com/grzegorzk/ff_in_podman. Still, most likely the IP address alone is probably the strongest part of the fingerprint vector.
Maybe instead it would be better to have very different vector each time?
Does it hide the GPU name that is exposed via WebGL/WebGPU? Does it hide the internal IP address, available via WebRTC?
> block all third party content
It's not going to work, because the fingerprinting script can be (and is often served) from first-party domain.
Also imagine if the browser didn't provide a drawing API for canvas (if you would have to ship your own wasm rendering library). Canvas would become useless for fingerprinting and its usage would drop manyfold. And the browser would have less code and a smaller attack surface.
The number of cores is also set to 4 for everyone using this config and/or Tor.
> It's not going to work, because the fingerprinting script can be (and is often served) from first-party domain.
This may be true, but allowed third party content makes it trivially easy for Google and others to follow people around the Internet through fonts delivery systems among others.
As near as I can tell, it’s always been owned by Cliqz, who produced some privacy-focused browsers (named Dawn or Lumen) and a search engine (Tailcat) that was ultimately purchased by Brave. The whole thing is majority owned by a German media group, Hubert Burda Media, and while its missions towards increased privacy seem to be sincere, I don’t know if I’d trust them implicitly.
All that said, the main project looks to be open sourced under a GPL3 license, so distrust and verify: https://github.com/ghostery
If I infiltrate someone else’s computer, secretly run code in order to exfiltrate data I risk prison time because objectively it seems to satisfy criminal laws over where I live.
How do prosecutors in any modern country/state not charge this behavior when done by a website owner?
The difference is that there's implied consent to run arbitrary (albeit sandboxed) code when you visit a website. Moreover it's not the website causing the code to be executed, it's your browser. Otherwise if the bar is "code is being run but the user doesn't know about it", it would lead to either any type of web pages with javascript being illegal (or maybe without javascript, given that CSS is Turing complete), or a cookie banner type situation where the site asks for consent and everyone just blindly accepts.
The GDPR is not criminal law. But ignoring that, regulators barely pursue GDPR violations.
Consider the swaths of dark patterns surrounding cookie terror banners. The GDPR language is extremely clear that none of them are legal, but virtually nobody is ever punished.
While the GDPR does not directly prescribe prison sentences, it absolutely enables countries to establish criminal offences for severe data protection violations, and they will clearly extradite!
As someone who utilizes these tools for anti-fraud purposes, Firefox is just as trackable if not more trackable than Chrome (especially because you stand out by using a niche browser in the first place).
Firefox exposes a massive amount of identifiable information via canvas, audio device and feature detection methods. There's also active methods to detect private windows, use of the developer console and more.
- window was resized/moved, send a websocket snitch to the backend
- keep a consistent web socket open, or fetch a backend-api call for updates on X events
- more calls are made, means user is probably scrolling, inject more things/different things.
I see some js obfuscators out there where I look at the js file and it's all mumbo jumbo.
It is indeed a privacy nightmare, where whatever we do feeds the algorithms to aid in making other people do things.
But it's also used in network security, organizations etc. Staff/employees will use the system a certain way, if something enters it without the behaviors, it's detectable. I assume that's what you mean in anti-fraud.
Sad part is we don't know what the data is ever used for, and it's often bought and sold and the cycle repeats.
In the end all this shit we have to deal with is probably 99% used for deciding which ads to show you, which we are gonna block anyway, and it's all a complete and utter waste of computing power and electricity. This is how big tech "makes the world a better place" apparently.
If you enable privacy.resistFingerprinting in about:config I believe instead of trying to prevent fingerprinting entirely, it's supposed to make things annoying for the fingerprinters by regularly changing the various spoofed factors.
There is also server side fingerprinting like JA4+ and others. Also, if you somehow evade fingerprinting, you have to prepare yourself to solve some very slow Google and Cloudflare captchas.
> The only efficient protection against fingerprinting is what Orion is doing — preventing any fingerprinter from running in the first place. Orion is the only browser on the market that comes with full first-party and third-party ad and tracking script blocking, built-in by default, making sure invasive fingerprinters never run on the page.
sounds like they block "known" fingerprinting scripts and call it a day.
This is also covered in the article. I appreciated the analogy they used: You can put on a ski mask when you go to the mall, and it will conceal your identity, but you will also be instantly suspicious to everyone around you, and will likely be asked to leave most of the stores you try to visit.
This is only because there are only 0.001% of people using anonymizers. If you are a minority with specific requirements, you are shown the door almost in any case, not only on the Internet.
> Orion is the only browser on the market that comes with full first-party and third-party ad and tracking script blocking
I love Kagi, but that is a laughable statement. Brave has been offering ad and fingerprint blocking for years now. The reason why they don't have full first party blocking ("aggressive" mode blocking) on by default is because it tends to break things.
No it's usually a javascript script that does weird things like drawing strings on an invisible canvas and sends it back to the server. I'm wondering if a browser extension that intercepts those payloads and randomizes them with other people's payloads is what's called for here.
> Basically, it makes Firefox expose the same information as the Tor browser.
Is it based on the Tor browser?
Some solutions, like Tor browser or GrapheneOS, are engineered for the purpose.
Some free online tools are an aggregation of ideas from social media and someone's personal understanding. These solutions can have limited benefits or be worse than the problem. Many settings don't work as expected, there are unintended consequences (such as making the browser more unique and easier to fingerprint), unusual combinations of settings can have unintended consequences or break things (Mozilla can't test every combination of about:config settings).
unfamiliar with the Arkenfox user.js but are any of these things that are beyond what firefox enables out of the box if you turn on privacy.resistFingerprinting? Because what you describe seems to be all stuff it does just by flipping a flag.
Arkenfox does far more than that, just look at the user.js. Among others, it spoofs the time zone, number of cores, window size and many other attributes that assist fingerprinting. It basically mimics the settings of the Tor browser.
privacy.resistFingerprinting = true is basically activating most of the Tor browser features in baseline Firefox. That's why it is turned off by default. It does all the things you listed above only at a lower level than a user script. It's been in Firefox for over a decade.
The flag was in fact designed to control the activation of the Tor browser uplift features, and reduce maintenance issues. That way the Tor browser could pretty much just be Firefox with certain flags turned on.
You could just use `privacy.resistFingerprinting` in Firefox, tweak a few other settings, install uBlock Origin/uMatrix and you get the same thing, unless I'm missing something?
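For anyone comparing a hand-rolled setup against a `user.js`, the following added example (not from the thread and not Arkenfox's own tooling) parses a `user.js` and reports which prefs from a baseline are missing or overridden. The sample file is constructed, and the baseline is an illustrative assumption covering the flag discussed here plus two real Firefox prefs related to the WebGL and WebRTC questions raised earlier; it is not a statement of what Arkenfox sets.

```python
import json
import re

# One user_pref("name", value); statement; value is a JS bool, number or string.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Illustrative baseline (assumption, not Arkenfox's actual values).
BASELINE = {
    "privacy.resistFingerprinting": True,
    "webgl.disabled": True,  # turns WebGL off
    "media.peerconnection.ice.default_address_only": True,  # WebRTC ICE candidates
}

# Constructed sample user.js, including a commented-out pref and a late override.
SAMPLE_USER_JS = """\
// constructed sample
user_pref("privacy.resistFingerprinting", true);
/* user_pref("webgl.disabled", true); */
user_pref("media.peerconnection.ice.default_address_only", true);
// personal override appended at the end of the file
user_pref("privacy.resistFingerprinting", false); // a site broke
"""


def parse_user_js(text):
    """Return {pref: value}; later lines win, commented-out prefs are ignored."""
    prefs, in_block = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if in_block or stripped.startswith("/*"):
            in_block = "*/" not in stripped  # stay in the block until it closes
            continue
        match = PREF_RE.match(line)  # lines starting with // never match
        if match:
            try:
                prefs[match.group(1)] = json.loads(match.group(2))
            except json.JSONDecodeError:
                prefs[match.group(1)] = match.group(2)  # keep raw text
    return prefs


def audit(prefs, baseline):
    """Return {pref: problem} for baseline prefs that are missing or differ."""
    findings = {}
    for name, want in baseline.items():
        if name not in prefs:
            findings[name] = "missing"
        elif prefs[name] != want:
            findings[name] = f"set to {prefs[name]!r}, expected {want!r}"
    return findings


if __name__ == "__main__":
    print(audit(parse_user_js(SAMPLE_USER_JS), BASELINE))
```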
"This will break a lot of websites, but automatically rules out most forms of tracking…"
Whether one breaks a lot of websites or not depends on the type of user one is. People who regularly use the Google ecosystem, Amazon and Social Media etc. cannot afford to break sites for obvious reasons, they too are those that websites are most interested in tracking and fingerprinting.
Those who use the web in the way advertisers and Big Tech intend users to use it are the most vulnerable, they're the ones who most need protection.
I break websites regularly but it doesn't worry me, I browse with the premise that there are more websites on the internet than I'll ever be able to visit and if I break sites or am blocked by paywalls then there are usually alternatives and workarounds.
But then I'm not a typical user, I block ads, I usually browse with JS off, kill cookies, use block lists, use multiple browsers (there are six on this deGoogled, rooted phone), browse from multiple machines—Windows, Linux and use multiple ISPs. Also, I've no Social media or Google accounts and rarely ever purchase stuff online. Internet access is via dynamic IP addresses and routers are rebooted often. There's more but you get the picture.
I assume browsing sans JS makes me a first-class target for fingerprinting and that websites know about me but it doesn't matter. Whatever I'm doing seems to work, over the years I've had very little trouble doing everything on the web that I want to do. Clearly I'm of little interest to advertisers and I never see ads let alone targeted ones. I used to use uBlock Origin but I don't bother now as browsing sans JS is just so effective at blocking ads.
I'm lucky in the fact that I use no service that would benefit from fingerprinting me. Whilst my web browsing is atypical of most users I reckon many could benefit by being more proactive—using multiple machines, browsers, ISPs etc.—to disrupt the outflow of personal data. For example, this is being written on a rooted Android using Privacy Browser from F-Droid sans JS and with block lists. If I really need to go to a site where JS is required, I can simply hit a toggle and turn on JS or alternatively use another browser.
The sites block Tor, not fail to work with Tor browser itself. I know this is a meaningless distinction for end user.
In theory you could use Tor browser with Tor stripped (I heard this is what mullvad browser is?) or go tor-then-proxy (this is what I often do, because I sometimes use whonix at work). I don't know about libgen or Anna's archive, I don't use them.