Fingerprinting on Firefox

Or Librewolf

Librewolf offers a degree of anti-fingerprinting protection (Firefox + RFP) but isn’t at the same level as Tor Browser or Mullvad Browser when it comes to anti-fingerprinting overall.

I think Librewolf is more comparable to Firefox + Arkenfox, but probably has a larger userbase (which is a pro) doesn’t enable letterboxing (which is a con). Not saying its a bad choice overall (I think its a valid option) but when it comes to strong fingerprinting protection, I think @Valynor is correct: Mullvad Browser + VPN or Tor Browser.

No, this is unrelated. Re-read my earlier answer pls.

So I asked the Mullvad team, they confirmed what I think I saw somewhere (can’t find it again): if a VPN is used along with Mullvad Browser, it would need to be on the same IP address as other users in order for the protection to work.

What I meant is, depending on the server you connect, the “pool” would change.

For example, if there is a pool of 10 000 using Mullvad Browser.

Then there would be a split depending on where each user connect through their VPN. If we say, 80% of users use Mullvad VPN and 20% use 10 different VPNs (let’s assume they all have a sharing IP policy).

Then this 20% would get further mixed and in the end, there could be a lone user using Mullvad Browser, connected to a private trusted VPN in a location where there isn’t necessarily a lot of people and thus would make fingerprinting still possible.

Since this has been confirmed, I asked for what was the userbase, which they couldn’t or wouldn’t provide.

So to summarize this topic (thanks to everyone):

  • The statistics on user-base per browser are unreliable because those stats are based on user-tracking.
  • For any websites where you don’t need to login (regular browsing): use Mullvad Browser + a VPN with a strong user base and a shared IP policy. When connecting to the VPN, make sure the location picked has many users.
  • For any websites where you do need to login or on Android: use your preferred privacy browser.

Isn’t that obvious? That’s the same with every browser

Everyone approaches with different levels of understanding/knowledge. But in this case I think they are responding partially in reply to my earlier comment where I partially contested (still contest) the statements that:

you have to have people be on the same VPN connections for that pool of unique users to work countering fingerprinting.
if a VPN is used along with Mullvad Browser, it would need to be on the same IP address as other users in order for the protection to work.

I absolutely concur that the strongest protection will come from using the same VPN as most other people are using (which is not knowable but is almost certainly Mullvad VPN I’d assume). But it doesn’t necessarily follow that using a VPN less popular with Mullvad Browser users would render Mullvad’s anti-FP protection ineffective (assuming your FP is not unique and static, and that you vary the VPN servers you connect to, sanitize between sessions, and follow other best practices). It isnt’ as strong as having a large cohort of users you blend in with, but it is still a meaningful improvement over not using Mullvad Browser + A VPN.

At least that is my current thinking, maybe there are blindspots/misconceptions in my thinking, if you see any, point them out.

1 Like

My point was more that if you are unique on your VPN connection, it defeats the point.

Thanks for you comment, it puts things in perspective.

I am able to defeat fingerprint(.com) through the strategy I have developed and the Chameleon browser extension is a vital part of the equation. By using this extension with other key methods like a VPN and proper Firefox setup, I cannot be tracked across browsing sessions by fingerprint(.com).

The conventional approach that is mentioned in this thread and elsewhere is to try and use vanilla browser installations to completely eliminate any unique fingerprint. The problem with this is that it makes for a very inelegant browsing experience like letterboxing, changing browser window size on launch, and the lack of respecting dark/light mode on systems like macOS.

The method that I use to defeat persistent fingerprinting is by creating what I call a ‘unique ephemeral fingerprint.’ By using it, you always have an ephemeral one-time fingerprint that expires at the end of every browsing session.

I’ve published a guide to deploying Chameleon in the first part of my series on defeating fingerprinting over at my publication: Defeating Persistent Web Fingerprinting with Chameleon

1 Like