User.js: Fingerprinting protection

Created on 1 May 2020 · 2 Comments · Source: arkenfox/user.js

Most helpful comment

https://gitlab.com/librewolf-community/browser/linux/-/issues/115
Is this solvable through user.js?

First of all, for anyone reading, I do not support LibreWolf in any way or form: I think it's a piece of shit and a complete waste of time (everything it tries to achieve can be done in Firefox), and the previous LibreFox was so fucked up it compromised security and privacy (and fingerprinting) - I do not expect that LibreWolf is any better (and I'm not going to waste my time proving it)

And then you (I don't know what role you play: except that of a hoodwinked ill-informed ignorant fool) come here and expect me (as one of the main authors whose work and years of research and testing etc forms the basis of most of LibreWolf's changes: including doing the opposite of what we think is best practice) to answer such a generic and wide-ranging question, in order to help out a PoS like LibreWolf, or at the very least to satisfy your ill-informed opinions. Why don't you guys do your own fucking research?

And you state "[blah blah] proves fingerprinting protection in Firefox is a lie by Mozilla" (edited from "Firefox is Mozilla's scam")- which tells me several things

  • you automatically assume Mozilla is evil or something
  • you don't understand the subject matter
  • you're rabid and love confirmation bias

Those things mean I don't want to even waste my time on this - but here goes: really shortened answer.

You have misunderstood some pretty basic premises


Here's a slightly longer version... the test page is highly misleading and conflates two concepts that have no correlation - additionally, the test site does not explain anything and is sensationalist

And you have confused fingerprinters (default on: promoted) with anti-fingerprinting (off by default: never promoted, it doesn't even have a UI setting)


Here's an even longer explanation

What are the two things being conflated?

  • private browsing / incognito type modes
  • anti-fingerprinting

These two techniques are combating different tracking concepts. One tackles persistent local data (web storage mechanisms, history) to try and preserve local privacy and the other tackles a global concept that doesn't even need/use persistent data

private browsing / incognito type modes

  • No one at Mozilla nor Firefox has ever said PB mode was about being anonymous, and it never claims to be private (except regards persistent local web storage / history)

    • open a new private/incognito window and read what it says, click the links

    • Here's part of Firefox

    • > While this doesn’t make you anonymous to websites or your internet service provider, it makes it easier to keep what you do online private from anyone else who uses this computer

    • Here's part of Chrome

    • > Now you can browse privately, and other people who use this device won’t see your activity. However, downloads and bookmarks will be saved.

Anti-fingerprinting vs fingerprinters

  • Let's come back to this BS: "fingerprinting protection in Firefox is a lie by Mozilla"

    • Firefox ships with ETP (enhanced tracking protection). Part of that is a setting called "fingerprinters" - which is a list of known fingerprinting actors, and which Firefox ships with on by default

    • fingerprinting is the science or application of generating (unique) ids based on browser and device information, actively or passively - and anti-fingerprinting is the science of combating that - which Firefox does not ship with by default

    • fingerprinters !== anti-fingerprinting (one is list based, one is manipulating all results: i.e no list: as just one point of difference)

    • list based approaches (like adblockers) are not meant-to-be or able-to-be cure-alls: and Firefox has never said ETP's fingerprinters blocks all fingerprinting

Anti-fingerprinting

  • There are many methods to this, but the first step is to not let FPing scripts run: = fingerprinters (or use uBlock in some config) etc. However, this is not a catch-all
  • So in order to cover all possible situations: there are other methods to combat FPing: such as

    • disabling an API

    • returning a result to lower entropy

    • randomizing a result to raise entropy and cause instability in fingerprints

    • there are many more techniques, but I'm not going to list them

  • Firefox doesn't ship with RFP on, as it isn't ready for the masses

So.. can a user.js be used to defeat fingerprinting? Yes. Comprehensively? No.

  • prefs exist to disable APIs
  • prefs exist to limit APIs
  • prefs exist to flip on the Tor Uplift's anti-fingerprinting
  • ^ outside of that there are extensions that can fill some holes

I was going to deep dive into the FPing metrics used by the test site (and I have looked), but I'll just leave it at this:

  • the test site is fucking misleading
  • nothing about it is new: it's just cobbled together a bunch of things already known (and mitigated) against
  • it's trivial to break (even just using standard Firefox)
  • it's not real world and highly misleading (because the result is based on minuscule numbers of tests), and I do not know what time frame they are keeping data

    • let me put that another way: as an example

    • 20 Tor Browser users on different devices all visit and give a unique name, and it re-detects all 20 of them correctly

    • That might be because those 20 Tor Browsers have a slight difference with fonts (TB uses font whitelisting but it's not perfect)

    • they might have some variation on inner window: some will be at 1000x1000, some at 1000x900 .. etc. One of them maximized his window, another dragged it wider.

    • a few of them might have not enabled spoofing as english, and instead use their build language (currently there are 34? language builds) for date formats and language headers etc

    • all up, there's enough there to affect 20 users, but in real life: the 6 million or so (concurrent?) Tor Browser users, between them, should have plenty of users in each "bucket" (or ID) - no one is really sure, because what it needs is a real world study where a million TB users all submit a single FPing test: and then it could be analyzed to show the distribution


tl;dr: fuck off

All 2 comments

https://gitlab.com/librewolf-community/browser/linux/-/issues/115#note_335164679

BTW I opened the same issue (#938) on ghacks github. I have never seen such a rude and arrogant answer. It was just a simple question.

It was not just a simple question. It wasn't even a clear question. It was a link to a statement which has another link to a github page with a wild generalized statement with no facts. And then you followed it with a very broad question on can a user.js defeat FPing (which would take a book to answer)? I even had to address at least three misconceptions because of the non-question.

And yes, I'm fucking blunt (to you): because you have come in here, posted something that has nothing directly to do with this repo, with pre-conceived bias and faulty assumptions, and have absolutely no knowledge on the subject matter: not Firefox's settings or their marketing, not the RFP pref, and not on how the many methods that anti-fingerprinting can work, and not on the test or how to interpret that test.

And then you expect someone to answer that? Well, I did - I actually went out of my way to give you an answer - if you're too biased or dumb to understand the answer - then fuck off (I have no time for the biased BS that people like you bring).

Pro Tip: don't come in here and link to shit like LibreWolf, or say "Firefox is Mozilla's scam", "Wouldn't touch Firefox with 4meter stick", "Firefox is a lie by Mozilla" - I'm not saying that Mozilla/Firefox don't deserve scrutiny or that they don't make the occasional wrong decision (for some people: it's always subjective) - but you need to be rational and able to see beyond black and white. When I see words like yours, I'm not encouraged that you would be anything but a waste of time. Against my better judgement, I actually answered.

Here's your answer in super condensed format

  • The test is flawed as it basically has no significant data
  • When lowering entropy, the hash will stay the same
  • fuck off
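
Added illustration, not part of the thread and not arkenfox, Firefox or Tor Browser code: a sketch of the two technical points in the condensed answer above, that lowering entropy makes different visitors hash to the same ID, and that a 20-visitor sample says little about how a large population spreads across IDs. The metrics, the FNV-1a hash, the rounding rule and the visitor population are all constructed assumptions.

```javascript
// Added illustration: all names, metrics and values are constructed.
// FNV-1a (32-bit) stands in for whatever hash a fingerprinting test computes.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) h = Math.imul(h ^ s.charCodeAt(i), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// The "ID" a test site assigns: a hash over the metrics it can read.
const fingerprint = (m) => fnv1a(`${m.width}x${m.height}|${m.lang}|${m.fonts}`);

// Lowering entropy: report a coarse window size and the same language for everyone.
// Hypothetical rule for this sketch, not the browser's actual one.
function lowerEntropy(m) {
  const coarse = (px) => Math.min(1000, Math.floor(px / 100) * 100);
  return { ...m, width: coarse(m.width), height: coarse(m.height), lang: "en-US" };
}

// Seeded PRNG (mulberry32) so the constructed population is reproducible.
function mulberry32(a) {
  return () => {
    let t = (a = (a + 0x6d2b79f5) | 0);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed visitors: window size, one of 34 languages, one of 3 font variations.
function population(n, seed) {
  const rnd = mulberry32(seed), pick = (k) => Math.floor(rnd() * k);
  return Array.from({ length: n }, () => ({
    width: 800 + pick(600), height: 600 + pick(500),
    lang: `lang-${pick(34)}`, fonts: `fontset-${pick(3)}`,
  }));
}

// Group visitors by ID: how many IDs exist, and how many visitors are alone in theirs.
function bucketStats(users) {
  const counts = new Map();
  for (const u of users) counts.set(fingerprint(u), (counts.get(fingerprint(u)) || 0) + 1);
  return { ids: counts.size, alone: [...counts.values()].filter((c) => c === 1).length };
}

// The same visitors measured raw and with lowered entropy.
const compare = (n, seed) => {
  const users = population(n, seed);
  return { raw: bucketStats(users), lowered: bucketStats(users.map(lowerEntropy)) };
};

console.log(compare(20, 1));     // small sample, like the 20-user example
console.log(compare(100000, 1)); // large population sharing a few dozen IDs
```

With lowered entropy the sketch has at most 45 possible IDs, so the `alone` count for the large population drops to zero while the small raw sample still looks fully unique.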