Fingerprinting on Firefox

I have fingerpriting protections enabled on firefox from the about:config page (privacy.resistfingerprinting + privacy.fingerprintingprotection) as well as the strict enhance tracking protection.

But when I do tests here My Fingerprint- Am I Unique ? or here https://coveryourtracks.eff.org/, I’m either unique or nearly unique.

Am I supposed to do something more?

Please do not tell me to use Tor Browser or switch to Linux. Thanks!

1 Like

Use Mullvad Browser or Firefox with Arkenfox.

Also, don’t use these fingerprinting sites.

2 Likes

Why?

2 Likes

In short: if you want good FPing protection use Tor or Mullvad browser.
If you don’t do that you will be FPed, at the very least by all the big sites.

2 Likes

Pls don’t use fingerprinting test sites, if you don’t know what they are doing and how to properly put their results into perspective.

If you’d like to use Firefox itself with the strongest anti-fingerprinting protection, learning how to setup Arkenfox and sticking to the defaults is probabably your best bet. It offers technically quite strong protection, the downside is that the userbase is quite small, and not very homogeneous, but itll be better than manually flipping about:config settings.

But as others have noted, if you want the most effective anti-fp protection there really is no substitute to either Mullvad Browser + a VPN or Tor Browser + tor. These are the only browsers that make the tradeoffs necessary to address advanced fingerprinting. Short of that, Browsers like Brave, Firefox, Librewolf can offer modest anti-fp protection against easier to fool forms of fingerprinting, and good protection against traditional tracking methods.

6 Likes

Do you have uBlock Origin installed ?
Also make sure to not have too many extensions

Edit : amiunique.org is a joke, said I was unique using Tor :rofl:
Edit 2: Reminds me that you are technically unique when using Tor, it just happens that you have hundred of housands clones :sunglasses:

Did you try this website? CreepJS

1 Like

Thanks for all the replies!

Why Mullvad is different can be found here:

https://www.privacyguides.org/en/desktop-browsers/

My only question is can I use a password manager extension with mullvad browser and import my bookmarks? Also, can I use uBO hard mode with mullvad or does that worsen the fingerprinting issue?

Also, @imls, what does that website do? It’s a little gibberish for me… :stuck_out_tongue:

Thanks!

Edit :

After further analysis, using Mullvad makes absolutely no sense to me. There is no one using it:

Google Chrome: 65.12%
Safari: 18.17%
Microsoft Edge: 5.21%
Firefox: 2.82%
Samsung Internet: 2.66%
Opera: 2.54%
UC Browser: 1.48%
Others: 0.73%

https://www.similarweb.com/browsers/

Not only that, but you have to have people be on the same VPN connections for that pool of unique users to work countering fingerprinting.

Recommending more browsers while Firefox’s market share is plummeting makes no sense to me. I would understand if Firefox was king or had at least 10-15% market share, but this is not the case.

The argument is really valid here: Revise statements on Gecko browsers (Android) to make security shortcomings clear - #54 by ddsn

Also, 2.84% of FF users is still more then 150 million users which would work more be in a similar pool as other users for fingerprinting.

I feel like using FF + arkenfox would be better in that context no?

Am I missing something?

1 Like

Mullvad browser is a “varient” of Firefox so it should be recognised as Firefox in the market share figure you quote

No, it’s like saying Edge is a variant of Chrome. Its upstream is the Firefox Long Term Support (LTS) but it is an heavily modified fork. Those marketshare figures are biased anyway, since they rely on tracking. And many of it is blocked or hindered on those browsers.

2 Likes

This is not how this works.

The short answer is the thing you are missing is that mainstream/browsers by default don’t protect enough for their users to constitute a crowd that you could blend in with.

They are a very large userbase and that is indeed beneficial and desirable with respect to preventing fingerprinting, but because most or all of these users lack protection and look unique, its not really feasible currently to blend in with mainstream browser users.

That is why browsers like the Tor Browser and Mullvad Browser take the approach that they do. Its an acknowledgement that its not currently feasible to blend in with mainstream users, who are each somewhat unique and unprotected by default. So instead, they seek to protect protect as many fingerprintable metrics as possible in combination with enforcing uniformity/homogeneity / recommending users do not modify settings or install extensions. With enough users, this strategy can create/enforce crowds of users that look homogeneous enough to blend in with eachother. With this approach a much smaller group of users can form an effective crowd. The Tor Network for example is apparently able to enable an effective amount of anonymity despite only having a few million active users at any given time. Mullvad Browser most probably has considerably less users than that at the moment, but you’ve got to start somewhere.

(Also, Thorin, the guy behind Arkenfox recommends Mullvad Browser or Tor Browser over Arkenfox when strong anti-fingerprinting protection is desired, so that should tell you something)

TL;DR most of your concerns are valid and appropriate, its just a single wrong assumption (that it is possible to blend in with the masses) is leading you to a wrong conclusion. At least that is my understanding based on what I’ve read from people much more informed than myself.

3 Likes

Only in my own weird mind does the comment above count as “the short answer”… :roll_eyes:

1 Like

@Encounter5729

This makes sense. We can’t assume no one is using it because anyone using it would not be effectively tracked.

@xe3

Thanks for this answer.

From my understanding from reading on the Mullvad website, you have to have people be on the same VPN connections for that pool of unique users to work countering fingerprinting.

Would I be correct then to assume that it is actually not possible at this time to be protected against fingerprinting because the pool of users is too small?

@Lukas Why shouldn’t I use these fingerprinting tools websites?

The below is in part thinking out loud, not intended to be an authoritative/definitive answer

I don’t know. And I’m not sure that it is knowable because I don’t think we can accurately estimate Mullvad Browsers userbase.

I do think that (for desktop) it is your best chance. A browser that ‘enforces’ uniformity to a high degree like MB or TBB, should be able to get by with a smaller userbase, compared to a browser that does not.

From my understanding from reading on the Mullvad website, you have to have people be on the same VPN connections for that pool of unique users to work countering fingerprinting.

Protecting your IP (with a reputable VPN) is indeed important (regardless of whether or not you use Mullvad Browser). And its even more important if you are going through all the trouble of defending against browser-fingerprinting.

But I’m not sure that that Mullvad Article says precisely the same thing that you stated (“you have to have people be on the same VPN connections”). While it is definitely best if a ton of Mullvad Browser users are concurrently using the same handful of VPN servers, I think that Mullvad Browser can still have utility even if you are maybe using a reputable but less popular VPN.

Consider from the perspective of an adversary. seeking to identify individuals (not targeting you personally, just opportunistic surveillance capitalism), how will this adversary determine whether all the connections they see from the VPN servers IP, are a single person’s repeated visits, a few people visiting a few times, or many people visiting once or twice? (assuming that MB does a good enough job protecting against fingerprinting and traditional tracking methods). And assuming you don’t always connect to the same VPN server, how do they reliably link your browsing across sessions? I wouldn’t bet my life on that, but I would trust it as an approach that is probably effective against untargeted and opportunistic/passive tracking and the low hanging fruit. And for more critical scenarios, I’d move to Tor Browser or Tails.

For the best chance of blending in, I’d imagine you’d want to be using Mullvad Browser + Mullvad VPN is the way to go. But I still see value in Mullvad Browser + another VPN (particularly one of the other PG recommended ones).

I’m curious to hear what others think on this topic, or if there are flaws in my thinking here?

1 Like

Well, I have tried almost every browser such as brave, firefox (hardened), libreworlf and more and almost all of them failed at hiding me at fingerprint.com website. That website has such a strong tracking that I think only Tor Browser (assumption) will be able to evade their fingerprinting techniques. Not to mention, they are also used by big providers such as google (I have read it somewhere, if I find the source, I’ll link it). I think it’s mostly useless to use even librewolf as even these browser fails on such sites.

1 Like

This is because they also use IP adress. It has nothing to do with browser. Even different browsers will have the same fingerprint as long as you use the same IP.

It might also refresh in background to detect IP changes.

I tested fingerprint.com via many different browser and different configurations. I think (I guess) the web site has a “limit” value. If you pass that value (If you are above the value) it gives you the same identifier.

I know that some anti-fingerprinting techniques can be reverted (can be catch). But some of them not. For example “canvas” anti-fingerprint techniques can not be reverted (can not be catch). But even I change my canvas, fingerprint.com can catch me. How is that possible? That means it only based on some values. I mean, to get the same ID, you don’t have to have all your values same. There is a limit. If you have X,Y,Z same you get the same ID. But other values can be different.

1 Like

To Encounter5729’s answer, did you use a VPN while making your tests?

1 Like