Changing the Firefox tweaks recommendation?

Hi guys,

This is my first post on the forums, so I hope you forgive me for any mistake I make here. I have been playing around with Firefox about:config page and here is what I think we should change about the Firefox tweaks recommendation on the website:

resistFingerprinting and webgl.disable should not go with each other
privacy.resistFingerprinting will attempt to randomize the webgl fingerprint. However, disabling webgl in the first place will ruin this feature and create a unique fingerprint for the browser. I think the suggestion to set webgl.disable to true should be removed from recommendation. You can test it on https://coveryourtracks.eff.org/ without any extensions and see for yourself.

Turning off telemetry
It seems like a lot of telemetry is still set to true in about:config despite of the user’s setting to not send data back to Firefox. I would suggest that we search for “telemetry” in the configuration page and set them all to false.

Keyboard fingerprint
As it turns out, the keyboard language can be used to fingerprint us as well, especially when someone is using any keyboard other than English (US). I suggest that we go to prefences -> general -> choose your preferred language for displaying pages to exactly as below (how an American would have it and how it is in Tor):

English (United States) [en-us]
English [en]

Making the fingerprint more Tor-like
The audio context can also be used to fingerprint a user. Setting dom.webaudio.enabled to false will make the audio fingerprint appear as “not available”, exactly how it is on Tor.

In addition, we can change the font fingerprint in to via javascript only instead of exposing our actual system fonts by setting browser.display.use_document_fonts to 0. The fonts will undoubtedly look a bit weird after you do this, so be sure to select the appropriate default fonts you want to use in Preferences -> General -> Language and Appearance.

Turn off the DNT Header. Tor doesn’t have this enabled by default, so we want to turn it off to blend in better. It is not like this header actually does anything anyways. Go to Preference -> Privacy & Security, change the DNT Header to “Only when firefox is set to block known tracker”. Disable “Tracking content” in enhanced tracking content as well. It is likely that most of us will use uBlockOrigin for this anyways.

Please let me know what you think about my proposed changes. I can make a Github pull request if needed as well :slight_smile:

With this setup, so long as you don’t maximize your screen, you will get a non-unique browser fingerprint on https://coveryourtracks.eff.org/ so long as you don’t maximize your browser, as it is nearly identical to Tor.

1 Like

Can’t we just use ghacks user.js?

You can. I tried it myself and personally was not a fan. A lot of stuff like search became glitchly, and I also read somewhere that Mozilla plans to stop supporting user.js files. Regardless, I think it would be nice if we can configure the browser ourselves or at least fix the webgl.disable thing on the official guide.

Maybe you’re thinking about this all wrong. Who cares if your fingerprint is unique? What matters is that it changes. It’s a lot like wifi privacy measures that generate unique MAC addresses when polling for SSIDs. What CanvasBlocker does for example is fake readouts, so that you’re always giving a different fingerprint out. Which seems to me to be the better solution rather than trying to figure out how to make a static fingerprint less unique.

A few points:

With this setup, it still randomizes your canvas & webgl hash. The issue arises when a website can figure out what you randomize and what you leave static. It can still figure out which value about you is real and what is not.

Let’s say it figures out that you randomize your webgl and canvas, but your system fonts are real and they are unique to you - every single time a user has that exact set of fonts its you.

Canvas blocker only randomizes certain values and leave others intact. My goal is to randomize the exact value that tor does and use the same static value as tor where it does it. Simply put, I believe that on top of the values which we randomize, the values that stay static should also be set to a non-unique value.

The issue with the recommendations on the website still stand, having webgl.disable set to true will stop resist.fingerprinting from randomizing the webgl hash. It will, infact, also break canvas blocker. If you set webgl.disable to true then the only extension that still randomizes your webgl I have found is Privacy Possum, but then a website can easily detect it (since it is the only extension that sets the GPU vendor to “~True”).

That seems reasonable. I should have also mentioned that I use tor browser for almost anything except which fall into my criteria as “safe for an unsafe browser”, but in my case, unsafe browser is mostly private subnets. So I’ve not had the particular cognitive load you’re dealing with.

That said, I thought ghacks had all the tor equivalent settings, or maybe I’m thinking of CHEF-KOCH’s work on firefox profiles (you can find him on gitlab I think)

Ghacks setup does seem to have all (or most) of the Tor equivalent settings, though I do find that it is quite glitchy as I said above (breaking search and whatnot). I also find the screen size buffer to be extremely annoying and unpleasant to use (while yes, not having the same buffer as tor makes me more unique).

There is also this: https://www.ghacks.net/2020/01/06/please-mozilla-dont-touch-the-user-js-functionality-in-firefox/

God knows when Firefox will drop user.js support. I think the best solution is to figure out how to get the fingerprint as close to Tor as possible using about:config now.

Even if they do, I don’t think patching prefs.js would be difficult.

I had to check. Apparently he’s been banned from Gitlab. :sweat_smile: tos;dr maybe

Wait how about using tor browser without tor network? This seems to be the best option

For this you’d have to modify the tbb source and rebuild it, I’m pretty sure, and that is non-trivial. Maybe someone has done that; or maybe there’s a simple workaround… although I seriously doubt it. If that’s what is desired maybe someone on irc://oftc.net/#tor can set you straight on it.

No you just have to change few codes before starting tor browser

if you’re talking about disabling the torbutton and torlauncher extensions, that removes some of the properties you think you’re getting without them.

1 Like