by throwaway125 4160 days ago
This can be disabled in Firefox's about:config page by setting media.peerconnection.enabled to false.

The problem with disabling all these features on a case by case basis is that you contribute to a richer fingerprint this way. Browsers will become increasingly more vulnerable to fingerprinting and there doesn't seem to be a way to stop it without going back to the dark ages of the web.

4 comments

There really needs to be a writeup of all the Firefox defaults to change to make your browser actually secure. That's one I didn't know about. I think that your local IP is actually going to be very unique for some people, more so than just having this "feature" disabled.
The TOR project has a fork of Firefox with lots of defaults changed to prevent user fingerprinting. They also provide patches back to Mozilla. The closest to a list of defaults to change I found is

https://www.torproject.org/projects/torbrowser/design/#Imple...

One issue is that without using Tor Browser itself, any attempts to de-fingerprint your browser end up making an extremely unique fingerprint if anyone's looking hard enough.
> to make your browser actually secure

To make it secure, disable all plugins.

To make it more private, that's another story. Poor Firefox actually tries its best not to make you identifiable in some superficial ways - e.g. lying about user agent in "obscure" OSes. My FF reports 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/blah Firefox/blah', and I am not on Windows. I don't remember enabling anything like this in any way so I assume it is the default behaviour. This is with "nothing" as an option for DNT btw (neither yes nor no).

Ultimately this is moot as you can't get around your font & rendering fingerprints that can be extracted from a hidden canvas element, but hey. Still better than serving it up in a platter.

> your local IP is actually going to be very unique for some people, more so than just having this "feature" disabled.

How so? It'll fall in pretty standard ranges. I only find any use/value in it when combined with the remote IP + the rest of your env. characteristics.

When you have to delve into about:config to disable it, 99.99% of people will have it enabled. This + your remote IP would pretty much identify you just fine.

${witty_double-edged_sword_quote}

The user agent string is just a convoluted mess because websites started displaying content based on that string so newer browsers had to fake it so they would still work with these websites. User agents don't mean much nowadays because of this.
> Ultimately this is moot as you can't get around your font & rendering fingerprints that can be extracted from a hidden canvas element, but hey. Still better than serving it up in a platter.

This has some work to be done still, but it's a start in regard to blocking hidden canvas elements: https://addons.mozilla.org/en-US/firefox/addon/canvasblocker

I am not sure FF hides the real OS in user agents. Check about:config for general.useragent.override and if its value exists, then at some point you or a plugin specified an override.
Huh, you're right. It's user-set. Go figure.
> I think that your local IP is actually going to be very unique for some people

I'm willing to bet that almost everyone who has a single "home router"/NAT is going to be 192.168.1.2 or 192.168.1.3. There will be the exceptions on 10/8 or 173.16/12 but the majority of home networks will be 192.168/16.

I found this project recently and ended up using most of it: https://github.com/pyllyukko/user.js
That's been on my todo list for a long, long time...
If you'd like an easier way to toggle this setting: https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-...

I wish Chrome would provide this setting too.

You can use WebRTC Block on the chrome store
I just disable JS by default and whitelist the (very few, currently) sites that absolutely need it.

That probably means I share the same fingerprint as everyone else using the same browser with JS disabled.

User-Agent still changes, and since people enable it for various sites, you can try to load it from different domains and see what is blocked/loaded.
Yeah, but that Adobe Acrobat version is quite old, and that's an interesting Wacom tablet you got there...
That approach used to work but so many sites now are utterly reliant on jquery and other bulk.

The new trend is not only needing javascript but localstorage.

I cannot believe the sheer number of sites I have to use now that will not function without localstorage enabled.

> very few, currently

I've tried disabling JS and all sites were completely broken and resulted in a horrible experience. I guess though if you set your bar very low few sites really need it.

Easy enough to check - https://panopticlick.eff.org/
CSS media queries reveal your fonts and screen dimensions. Maybe someone could tie that in with lazily loaded images with unique IDs, thereby tracking you. It would be nice if people could disable media queries, as they're annoying anyway sometimes. You can disable fonts, at least in Firefox.
> I share the same fingerprint as everyone else using the same browser with JS disabled

That's not a lot of people who have JS disabled.

Privacy at the browser level is hopeless! The answer is to compartmentalize. This VM and its convoluted Internet connectivity are pure Mirimir. I care not that the browser has been fingerprinted, that my IP has been logged, that evercookies have been placed, etc, etc, etc.
How do you manage your VMs? Are you using Qubes[1] or something like it? Can you easily force all traffic from a specific VM through a VPN/proxy?

[1] https://qubes-os.org/

I have used Qubes, and I highly recommend it. But mostly I use VirtualBox in Debian. If you search my handle, you'll find how-to guides and articles. Basically, I use local networks of gateway VMs to route traffic through nested chains of VPNs, JonDonym and Tor. I mostly use pfSense VMs, because they're so easy to secure. But Whonix is the best solution for using Tor.

One could do the same in Qubes, more elegantly. And indeed, I got the idea of workspace and gateway VMs from Joanna Rutkowska's early posts about the Qubes project.

Do you have a how-to of your current setup?
Check out the link in my profile. There are a couple background articles on risk assessment and anonymity systems, and a series of eight how-to guides. I also write a lot on Wilders, and have at times on Tor.SE.

I use various nested VPN chains, with three VPNs minimum. I also use a bunch of Whonix instances, connecting via VPN chains. And sometimes I play with JonDonym.

I've read some of your guides, and I don't really understand what the chained anonymity is getting you. Could you give some examples where complex chains are useful?

I can see limited circumstances where VPN/proxy->Tor, Tor->VPN/proxy, and VPN/proxy->Tor->VPN/proxy make sense, but no need for anything more complex than that.