Hacker News new | ask | show | jobs
by 13 4161 days ago
There really needs to be a writeup of all the Firefox defaults to change to make your browser actually secure. That's one I didn't know about. I think that your local IP is actually going to be very unique for some people, more so than just having this "feature" disabled.
5 comments
mtmail 4160 days ago
The TOR project has a fork of Firefox with lots of defaults changed to prevent user fingerprinting. They also provide patches back to Mozilla. The closest to a list of defaults to change I found is

https://www.torproject.org/projects/torbrowser/design/#Imple...

link
logn 4160 days ago
One issue is that without using Tor Browser itself, any attempts to de-fingerprint your browser end up making an extremely unique fingerprint if anyone's looking hard enough.
link
yourad_io 4161 days ago
> to make your browser actually secure

To make it secure, disable all plugins.

To make it more private, that's another story. Poor Firefox actually tries its best not to make you identifiable in some superficial ways - e.g. lying about user agent in "obscure" OSes. My FF reports 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/blah Firefox/blah', and I am not on Windows. I don't remember enabling anything like this in any way so I assume it is the default behaviour. This is with "nothing" as an option for DNT btw (neither yes nor no).

Ultimately this is moot as you can't get around your font & rendering fingerprints that can be extracted from a hidden canvas element, but hey. Still better than serving it up in a platter.

> your local IP is actually going to be very unique for some people, more so than just having this "feature" disabled.

How so? It'll fall ion pretty standard ranges. I only find any use/value in it when combined with the remote IP + the rest of your env. characteristics.

When you have to delve into about:config to disable it, 99.99% of people will have it enabled. This + your remote IP would pretty much identify you just fine.

${witty_double-edged_sword_quote}

link
synunlimited 4160 days ago
The user agent string is just a convoluted mess because websites started displaying content based on that string so newer browsers had to fake it so they would still work with these websites. User agents don't mean much nowadays because of this.
link
discostrings 4160 days ago
> Ultimately this is moot as you can't get around your font & rendering fingerprints that can be extracted from a hidden canvas element, but hey. Still better than serving it up in a platter.

This has some work to be done still, but it's a start in regard to blocking hidden canvas elements: https://addons.mozilla.org/en-US/firefox/addon/canvasblocker

link
logn 4160 days ago
I am not sure FF hides the real OS in user agents. Check about:config for general.useragent.override and if its value exists, then at some point you or a plugin specified an override.
link
yourad_io 4159 days ago
Huh, you're right. It's user-set. Go figure.
link
userbinator 4160 days ago
I think that your local IP is actually going to be very unique for some people

I'm willing to bet that almost everyone who has a single "home router"/NAT is going to be 192.168.1.2 or 192.168.1.3. There will be the exceptions on 10/8 or 173.16/12 but the majority of home networks will be 192.168/16.

link
b6 4160 days ago
I found this project recently and ended up using most of it: https://github.com/pyllyukko/user.js
link
blueskin_ 4160 days ago
That's been on my todo list for a long, long time...
link