[rladd]

Latest Firefox still doesn't protect against browser fingerprinting. This from the EFF Panopticlick:

  Your browser fingerprint appears to be unique among the 303,579 tested in the past 45 days.
  Currently, we estimate that your browser has a fingerprint that conveys at least 18.21 bits of identifying information.

[danShumway]

Two things:

1. Blocking redirect tracking is about more than just fingerprinting users. I'm a huge fan of Panopticlick's work here, but it's not a be-all end-all measure of whether a browser is getting more or less private. There are a lot of different, complicated things we're talking about when we bring up browser privacy.

2. Disable Javascript with something like uMatrix by default, and that number will drop dramatically. By default with JS disabled, I think my Firefox leaks about 8 bits of information, which Panopticlick lists as sufficient protection.

Major caveat in that non-JS users are likely disproportionately represented at Panopticlick, and people shouldn't use Panopticlick as more than an indicator of what's possible. In the real world, disabling Javascript will leak more bits since fewer other users will be doing it.

However, it's still likely worth doing if you can tolerate the inconvenience. And of course, the more people that block JS by default, the better protection it provides.

[rladd]

Javascript is used by such a large percentage of sites that having it disabled is not a viable option for most people.

The point of these by-default protections is that they are supposed to work for most people. Suggesting that someone techie can do extra stuff that most people won't do is not really germane to the conversation.

[danShumway]

> is not a viable option for most people.

Of course this depends on what sites you frequent, but you'd probably be surprised. I disable Javascript by default, I'd say 70-80% of the sites I visit load. An even larger percentage load with only 1st-party Javascript enabled.

I do think excessive required Javascript on the web is a problem, but I also think Hackernews overstates this problem sometimes, to the point where people think it's literally impossible to browse the web without Javascript.

I don't think that characterization is helpful, a lot of us browse the web every day without Javascript running by default. Most news sites are fine, high-end publications like the NYT actually tend to be pretty good at progressive enhancement. Lower-quality engineered sites like Kotaku won't load images, but the articles are still completely readable.

And to be clear, permanently enabling Javascript for a specific site in UMatrix only takes 2 mouse clicks.

> Suggesting that someone techie can do extra stuff that most people won't do is not really germane to the conversation.

I suspect at least 50% of Hackernews readers are smart enough to disable Javascript and selectively enable it when a site breaks. It's germane to the conversation in that those people might want an effective way to mitigate tracking.

I don't have to restrict myself to the lowest common denominator of features when I'm choosing a browser, and I don't think other users should need to either.

Of course raising the lowest common denominator is important, but if you really care about your own security and privacy, at some point you have to make technical decisions that go beyond that. I think it's relevant to the conversation to point out in a technical forum that those options exist for people who need them and can use them.

[rladd]

By “the conversation “I mean the conversation about firefox adding default protections against tracking. These are not intended for hacker news readers or techies. They are intended for the general public. And that is what I think the conversation is about.

[1vuio0pswjnm7]

Regarding "redirect tracking" why not just disable (HTTP) redirects? Is that possible in Firefox?

Out of curiousity, what is the "threat model" when using Panopticlick? Is it suited for users that just want to avoid tracking for commercial purposes? If the user does not enable Javascript, what good is that user to such trackers? How much commercial tracking is conducted without any use of Javascript (and without cookies)?

[danShumway]

I'm not sure I'd use the word "threat model". I don't think Panopticlick is making the world more dangerous. What I'm getting at is that just because Panopticlick says it can't fingerprint you, that doesn't necessarily you can't be fingerprinted anywhere, because the audience using Panopticlick is different than the audience visiting many other sites.

So something like disabling Javascript might mean that that you blend in on Panopticlick because a lot of users disable Javascript. But on a small news site or ring of nontechnical blogs, it might help narrow you down because very few people disable Javascript.

The other thing I want to get at is that privacy isn't just about fingerprinting, it's also about the effects of being tracked, and what specific information that you're leaking. So what you bring up -- that not having Javascript makes a user less useful to an ad network -- is true. Not having Javascript makes it harder to show you flashy ads or to guarantee that you're looking at them. It makes it harder (but not impossible) to set up persistent tracking that works over longer periods of time and across multiple devices. It also makes it harder to detect and circumvent adblockers.

Disabling Javascript doesn't address threat models like using your location to change the content that you get served, or sticking information into cookies, or doing some screwy things with image caches.

But that's... sorry, it's just a kind of complicated question. I'm not sure I can give a short, concise answer about how good you should feel about a low Panopticlick score, I think that's dependent on what sites you visit and what kinds of tracking you're trying to prevent, and what other measures you're taking. It's just a very broad topic.

> why not just disable (HTTP) redirects?

Unfortunately that would break a lot of sites, so it's not feasible as a default setting in the base browser. That being said, I believe that what you're looking for is `network.http.prompt-temp-redirect` inside `about:config` if you want to disable it for yourself.

I'm not sure I'd advise it, and I suspect that it's a kind of superfluous setting if you're already invested heavily into other privacy settings, but maybe there's some benefit. I haven't played with that setting to know for certain whether or not there would be non-obvious downsides or caveats.

[1vuio0pswjnm7]

Of course the user can choose software that sends no cookies or she can remove cookies from headers with a proxy if the user-agent itself (e.g., "modern" browser) cannot be controlled adequately.

There is some relief for the location issue. It is not too difficult to discover alternate geolocated IP addresses for websites that choose to employ such strategies. Further, proxies, even just Tor with a proper config file, can give the user a specific geolocation of the user's choosing.

Do users choose different user-agents for different web usage? On smartphones we routinely see users choosing a variety different applications for different purposes, e.g., an online shopping app versus a news reading app. For example, if the user is engaged in online shopping, then she almost certainly will need to enable Javascript and cookies. However, if the user is reading^1 news on small news websites or nontechnical blogs (to use your examples) then IME neither Javascript nor cookies are required. Using the same application (the same "modern" browser) for both purposes, and with Javascript and cookies enabled, is, IME, from a technical standpoint, unnecessary. The text of the articles can be retrieved and read with much simpler software; none of this software needs Javascript nor cookies to perform its respective task.

1. The situation changes if the user is "viewing" news (photojournalism) or "watching" news (autoplaying videos). IME, neither Javascript nor cookies are required, however short of the user writing custom Javascript to process page contents, employing some software, e.g., standard UNIX utilities, other than a modern browser, to extract the image or video URLs, is sometimes necessary.

[danShumway]

> Using the same application (the same "modern" browser) for both purposes, [...is...] unnecessary. The text of the articles can be retrieved and read with much simpler software;

Well, to push this a step farther, the great thing about extensions like uMatrix are that you can turn off Javascript+Cookies on a site-specific basis. So I know people who would feel like it was too cumbersome to juggle two browsers at the same time, but who don't have the same aversions to saying, "oh sure, I could turn Javascript and cookies off by default, but turn them on for this one specific video/shopping site."

> There is some relief for the location issue.

Definitely. I didn't want to go too in depth here, but this one of the things I'm getting at when I say Panopticlick shouldn't be the only thing people look at. Panopticlick doesn't even consider geolocation around IP addresses at all, so there's an entire vector there where Panopticlick won't tell you whether or not you're vulnerable.

There's a world of considerations here that are just hard to fit into a single comment.

> employing some software, e.g., standard UNIX utilities, other than a modern browser, to extract the image or video URLs, is sometimes necessary.

cough youtube-dl cough

If you're a user who's comfortable with the terminal, this can be a game changer even ignoring the privacy aspect. I see people all the time on HN complain about bookmarking a video and having it disappear later. Not a problem if you download them.

If you want to go even farther and you're comfortable with Bash scripting, youtube-dl even has options around managing playlists, so you can kind of "subscribe" to ongoing playlists/channels and treat them like podcast RSS feeds.

But with that I'm straying off topic.

[saagarjha]

I strongly suspect Panopticlick to be broke to the point of being utterly useless.

[rladd]

Why's that?

[saagarjha]

I mean, if you go to it it will invariably tag you as being unique, which might be true, but if you look at how it breaks those down it really makes no sense at all. Browse it on an iOS device, for example: the one in x browsers have this is just way off, because every iOS device will have the exact same data for many those metrics so it doesn't make sense–for example, there is no way on in 20 browsers show the same list of fonts as a stock iOS device.