by antsar 3974 days ago
According to EFF's Panopticlick[0], the biggest thing making my browser unique is the list of plugins that I am running. Short of disabling JavaScript, I don't know of a way to prevent that. Can this hypothetically be solved with Privacy Badger and are there plans to do so?

[0] https://panopticlick.eff.org/

4 comments

If you use Firefox you can go into about:config and set `plugins.enumerable_names` to nothing. It might make Flash unavailable on some sites, so you might want to leave that in.
Unfortunately, the plugins.enumerable_names feature was disabled and later removed (by me, sorry). [1] There was no way Firefox would be able to ship that feature because it broke too many websites for the minor reduction in fingerprinting. Even with your plugins "hidden", websites could still use Flash to enumerate all your system fonts.

The navigator.plugins array is now sorted alphabetically [2] to avoid an issue documented in Jonathan Mayer's thesis [3]. Gecko and WebKit sorted the navigator.plugins array by the plugins' "last modified" time. Users with the same plugins installed can still have unique fingerprints because it is unlikely that they installed their plugins in the same order.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1169945

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=793978

[3] https://www.stanford.edu/~jmayer/papers/thesis09.pdf
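
The effect of the ordering change described in the comment above, as an added example that is not part of the original thread or of Firefox's code. The plugin lists, timestamps, user names and function names are all constructed for illustration.

```javascript
// Constructed sample data: plugin names with "last modified" timestamps (arbitrary units).
const sampleUsers = {
  alice: [["Shockwave Flash", 300], ["Java Applet Plug-in", 100], ["QuickTime Plug-in", 200]],
  bob:   [["Shockwave Flash", 100], ["Java Applet Plug-in", 200], ["QuickTime Plug-in", 300]],
  carol: [["Shockwave Flash", 200], ["Java Applet Plug-in", 300], ["QuickTime Plug-in", 100]],
  dave:  [["Shockwave Flash", 900], ["Java Applet Plug-in", 700], ["QuickTime Plug-in", 800]],
  erin:  [["Shockwave Flash", 150], ["Java Applet Plug-in", 50]],
};

// Old behaviour described above: list ordered by each plugin's last-modified time.
function orderByLastModified(plugins) {
  return [...plugins].sort((a, b) => a[1] - b[1]).map(([name]) => name);
}

// Current behaviour described above: list ordered alphabetically by name.
function orderAlphabetically(plugins) {
  return plugins.map(([name]) => name).sort();
}

// What a page can observe: the ordered name list, joined into one string.
function observable(names) {
  return names.join("|");
}

// Group users by the value a page would observe under a given ordering.
function groupByObservable(users, orderFn) {
  const groups = new Map();
  for (const [user, plugins] of Object.entries(users)) {
    const key = observable(orderFn(plugins));
    groups.set(key, [...(groups.get(key) || []), user]);
  }
  return groups;
}

// Upper bound on bits leaked by ordering alone for n plugins: log2(n!).
function maxOrderingBits(n) {
  let bits = 0;
  for (let k = 2; k <= n; k++) bits += Math.log2(k);
  return bits;
}

console.log("mtime order:", [...groupByObservable(sampleUsers, orderByLastModified).values()]);
console.log("alphabetical:", [...groupByObservable(sampleUsers, orderAlphabetically).values()]);
console.log("max ordering bits for 3 plugins:", maxOrderingBits(3).toFixed(2));
```

With last-modified ordering the four users who have identical plugin sets fall into three groups; with alphabetical ordering they collapse into one, while erin stays distinguishable because the set of plugins itself is still exposed.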

My answer is based exclusively on what you wrote, and not on my technical knowledge of Firefox's internals.

- There is no such thing as "minor" reduction in fingerprinting nowadays. This is a war, every little bit is important.

- I much prefer to have a thousand sites broken and a little bit more of privacy (or the feeling I'm doing all I can).

- A lot of people (me included) do not use Flash anyway.

Thank you for your work!

This is a very good point and I agree. How is this different from saying "we didn't fix the flaw because people exploit it"?
Thank you for your hard work on Firefox, Chris. Mozilla has made many good decisions with it, keeping it clearly superior to Chrome/IE in my view.

That said, I find it difficult to agree with the decision to remove features like this. So what if it can break websites? Isn't that what the "This might void your warranty!" warning is for? It seems far better to give users the option of viewing the web the way they want to view it, rather than protecting them from some broken websites at the expense of their privacy.

Or use the opportunity to kick Flash off your system. I've been surfing without Flash for probably 2 to 3 years now. These days it's really not a problem. Most sites work with HTML5 and those that don't have alternatives that do.
Yes, there are plans to do that for the next release of PB :)
This is yet another benefit to whitelisting JavaScript. Faster page load, more lightweight pages, less advertising and spying and crapware, less information going out.

And if you like a site you can enable it.

Go ahead, call me crazy like most people do.

The web is so much better without it. It's downright annoying to use someone else's JS enabled browser.

Rough config for surf: https://gist.github.com/jakeogh/b23aac080c5c74310c88

I agree that this is better. Unfortunately, whitelisting is tedious so I often resort to enabling all JS when I quickly need to use a site or five that require it. Many don't have the patience to keep doing this, so disabling plugin enumeration might be a nice middle ground for them.

Security/privacy doesn't have to be all-or-nothing.

We should be able to make "Security Groups" where we can apply less-restrictive settings (JS on, cookies) to trusted sites.

The Internet Explorer security model has 4 levels (Internet, Local Intranet, Trusted Sites, Restricted Sites) and you can choose a preset security settings package, or build your own, for each level.

Maybe Chrome/FF/Safari need something more similar to that, where we can specify different groups or levels, and then assign those to websites we visit.

The biggest problem with the IE method is that the UI is more tedious to add a site to a zone in IE11, than to add a site to the JS whitelist on Mobile Chrome.

uMatrix from the creator of uBlock makes JS management easy (along with other things).
NoScript is a great extension. Even if you never used it to block anything, it is a real eye-opener on just how much stuff is being loaded when you visit a website.
The functionality is great, but see https://en.wikipedia.org/wiki/NoScript#Controversies. As https://news.ycombinator.com/item?id=9999411 points out, browser extensions have an enormous amount of power, and the developer doesn't demonstrate that he deserves the trust that that power requires.
Since NoScript is open source, I assume that people are keeping a closer eye on the code after these incidents. The author has to be aware that if he tries something like this again, people could fork the code and move on without him (like what Adblock Edge did to Adblock Plus).
You're crazy!
Have a look at Random Agent Spoofer https://github.com/dillbyrne/random-agent-spoofer (beyond spoofing the User Agent, you can fine tune a series of privacy settings).

By the way, Panopticlick is outdated (is it even maintained anymore?). You should use https://browserleaks.com