What’s the difference between the privacy.resistFingerprinting
pref and the privacy.fingerprintingProtection
pref? Can they both be enabled, or should only one?
user_pref("privacy.resistFingerprinting", true);
RFP: 3.3 Overrides [To RFP or Not] · arkenfox/user.js Wiki · GitHub
Also: Firefox's protection against fingerprinting | Firefox Help
And also: Security/Fingerprinting - MozillaWiki
user_pref("privacy.fingerprintingProtection", true);
See the amount of damage your fingerprint can cause if you leave it open to the web: Browser Fingerprinting in 2022: How to Stay Private
Your fingerprint (FP) stays with you across browsers, websites, Operating Systems and networks. It’s specific to you.
a browser fingerprinting technique that can track users not only within a single browser but also across different browsers on the same machine. Specifically, our approach utilizes many novel OS and hardware level features, such as those from graphics cards, CPU, and installed writing scripts. We extract these features by asking browsers to perform tasks that rely on corresponding OS and hardware functionalities.
- Cao, Y., Li, S. and Wijmans, E. 2017. (Cross-)Browser Fingerprinting via OS and Hardware Level Features. Proceedings 2017 Network and Distributed System Security Symposium (San Diego, CA, 2017).
Respectfully, I believe you didn’t address the question. It’s pretty safe to assume that everyone who’s here on this forum already knows what Firefox prefs are and what “fingerprinting” is. Let me rephrase the question:
Both privacy.resistFingerprinting and privacy.fingerprintingProtection appear to combat digital fingerprinting. So, what is the difference in their implementation? Is one more comprehensive than the other? Is one deprecated? Can they both be enabled at once, or should only one be enabled to avoid conflict? If so, which one?
I would never assume that, it’s why I offered documentation on the prefs and the reason why they’re necessary. That is also the same paper linked by Arkenfox in their wiki. Firefox 72 blocks third-party fingerprinting resources - Mozilla Security Blog describes Enhanced Tracking Protection (ETP): “This prevents those parties from being able to inspect properties of a user’s device using JavaScript.”
With Arkenfox, you unlock the potential of Firefox to prevent these fingerprinting techniques, but no set of prefs completely eliminates the risk. You provided little context, so I thought it’s necessary to provide my own. The privacy.resistFingerprinting
setting allows to toggle on and off Tor-like protections, but DOES NOT replace Tor. More importantly, it does introduce its own problems. The privacy.resistFingerprinting preference is part of Tor Uplift. It allows you to enable things like:
privacy.resistFingerprinting.block_mozAddonManager
,privacy.resistFingerprinting.letterboxing
,privacy.resistFingerprinting.randomDataOnCanvasExtract
Hilariously, Mozilla believes RFP to be a “footgun”.
In general, it is not a good idea to try and manage the about:config yourself to reduce fingerprinting. You will change a switch without fully appreciating the implications and stand out even more than before.
If you want the best fingerprinting protection, use Mullvad/Tor browser.
If you want fingerprinting compromise on a customisable firefox, start with the default presets in Arkenfox. The owner is highly experienced and previously worked with the Tor browser group.
If you want to learn more about the about:config settings, look at the comments in the user.js file and the Arkenfox wiki. If you are still curious, ask a question via issues in the Arkenfox GitHub. They understand the configs far better than anyone here would.
Your opinion is valid… I don’t think this post answers the OP either, instead sweeps it under the rug, and advises another method simply because of an opinion. I agree, however, that using Mullvad Browser for general browsing, as recommended by PG, is the way to go. Most people that use Firefox daily don’t want to bother with the switches, and they instead opt for Arkenfox+user.js, which is great, but adds work. Lots of work. And it requires manual upkeep, which is annoying at times, even with the updater script. Sometimes things break, that otherwise wouldn’t if you just use a simpler browser. But that’s like saying, “If you want real privacy, just use Tor.” It doesn’t provide an answer to the curious, and it doesn’t solve the problem.
Thanks Than. Not gonna lie, one of my pet peeves is when people try to respond authoritatively (and usually dismissively) to a question they simply do not know the answer to.
The question was as simple as I could possibly make it: What’s the difference between these two prefs? I already know what privacy.resistfingerprinting
does; it’s very well documented, and I’ve already read the arkenfox user.js many times.
In case anyone’s curious (perhaps because they shared links without bothering to read them first to see if they’re relevant), the Arkenfox user.js does not mention privacy.fingerprintingProtection
. At all. Nor do any of the layperson documentation about fingerprinting/privacy from Mozilla.
I posted this question here in the hopes that someone who happens to actually know what these two prefs do would share their knowledge. I’m still hoping.
Ever since the Tor Project team developed RFP (resist fingerprinting) for the Tor Browser and the Mozilla team developing Firefox ported it back into main Firefox, it was noted however that not many used this feature, as it breaks quite a few websites. Recently, the Firefox team is in the process of implementing a lighter method of anti-fingerprinting, FPP (fingerprinting protection), which attempts to keep websites from breaking, while still providing sufficient protection. Also relatively new is the exclusion of WebExtensions from RFP/FPP, the ability to “override” websites exempt from these protections, and the ability to restrict RFP/FPP to PBM (private browsing mode).
These are just a few advanced configuration settings you’ll find in about:config
in the latest standard versions of Firefox that are not documented, the reason being they’re not yet finalized and are subject to change. A cursory look at the source code shows that you can enable both RFP and FPP without a problem, although I would not touch FPP while it’s still WIP. Also, FPP is probably meant to be used instead of RFP if you value convenience over privacy. We’ll most likely hear more about these settings when the Tor Browser and Mullvad Browser are re-based on the freshly released Firefox ESR 115.
Based rebase and base-pilled.
Maybe so, but I think my comment was still noteworthy.
The reason being is that it wasn’t entirely clear me as to whether you were an experienced user or a new user trying to learn how to customise firefox to increase privacy.
The idea of a new user trying to customise the about:configs themselves to increase fingerprinting seemed quite troubling to me
So in the off chance that was the case, I offered a practical guide on increasing privacy with about:config.
Although you are familiar with Arkenfox, other new users searching this forum much later on might not be.
Thus it is possible they would get the wrong impression that editing the about:config themselves to reduce fingerprinting would be useful.
The former is part of RFP the latter of FPP. See here for more details:
Now FPP is available on Firefox 120.
Sorry I’m late to the thread but here’s a decent explanation of the differences. In short, FPP is a less aggressive form of RFP with more leniency and less breakage.
“In the future, FPP can be a choice for those who don’t like or can’t use RFP but do want some randomizing. FPP is going to very compat, to the point where webcompat will be able to override individual protections on troublesome sites. So if FB breaks webcompat silently disables the problematic protection for FB when they add that site compat rule - so clearly this is a very different threat model, but may suit some people. Over time more protections will be added to FPP. I see this as replacing the need for Canvas Blocker” - via ToDo: diffs FF111-FF112 · Issue #1661 · arkenfox/user.js · GitHub