It is generally recommended to use robust built-in browser protections (RFP/FPP), which already cover these metrics. Your IP not matching your time zone is not what most sites would use to detect whether you are using a VPN. They instead see that the IP is not a regular residential IP or is coming from a known VPN network provider.
This would be the only recommended use case.
Once you allow/spoof your location, you are already doing worse than just using the prompt.
They instead see that the IP is not a regular residential IP or is coming from a known VPN network provider.
Yes, that is correct. At the end of the day there is no way to get around server-side checks like this.
Once you allow/spoof your location, you are already doing worse than just using the prompt.
This isn't necessarily true. Denying the geolocation prompt on a site that requires it means you can't use the site at all. Spoofing with plausible coordinates is better than giving your real location or being locked out entirely.
Man.. that's such a conclusive statement that no way applies to all objectively.
I can think of so many reasons and use cases for such a tool when coupled with a VPN.
What if you want to browse a website, social media platform, or a specific forum where you don't want the website to learn anything from you or your browsing activity including them inferring your general area - for the purposes of ensuring there is only going to be an inaccurate profile they may still build for you for advertising purposes. No PII whatsoever, or even close to it if using this tool, as I see it.
I don't think you're getting the point of why one may still want to use such a tool. I see value in it. It's okay if you don't. But let's stop going round in circles.
It should probably be noted that if you are already using RFP/FPP then also using GeoSpoof would make you worse off. Same would go for installing GeoSpoof in Tor/Mullvad Browser.
Like @parkerchandler1979 I can think of a lot of reasons GeoSpoof would be useful if you aren't using RFP/FPP though.
I had another comment too but I'll leave it on GitHub for you.
I still don't know what this is and how to ensure of it without this tool. But that's the point. Very few or only the very tech savvy are going to know this. For the average person out there, this is very useful nonetheless.
I said inferring. It means them trying to deduce even if location is not allowed access to - through time zone or city you may have selected to set your time zone.
Follow this guide. Then you can go to `about:config` in Firefox, search for `privacy.fingerprintingProtection.overrides` and add `+JSDateTimeUTC` into the box.
If you encounter issues because of it now having a different timezone, you can selectively turn off the protection per-site by clicking the shield icon in the search bar.
This is a good discussion, I'm in agreement that if you use FPP then the only use case for GeoSpoof is to align your browser geolocation/timezone data to that of your public IP to get around site restrictions, or for development/QA purposes. Using it for fingerprinting with FPP would simply just be a worse version of FPP.
The only minor thing I would say is FPP sets your timezone to UTC. This is a possible inconsistency that may allow websites to detect you are using VPN. But then again there are probably many heuristics sites use that I'm not covering in GeoSpoof either. But that is part of my longer term goal.
| API | Behavior |
| ------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| `Date.prototype.getTimezoneOffset()` | Returns the correct offset for the spoofed timezone, including DST transitions |
| `Intl.DateTimeFormat()` constructor | Injects the spoofed IANA timezone into all format options |
| `Intl.DateTimeFormat.prototype.resolvedOptions()` | Returns the spoofed timezone identifier |
| `Date.prototype.toString()` | Outputs `{weekday} {month} {day} {year} {HH:mm:ss} GMT{±HHMM} ({timezone long name})` using the spoofed timezone |
| `Date.prototype.toDateString()` | Outputs `{weekday} {month} {day} {year}` formatted in the spoofed timezone |
| `Date.prototype.toTimeString()` | Outputs `{HH:mm:ss} GMT{±HHMM} ({timezone long name})` using the spoofed timezone |
| `Date.prototype.toLocaleString()` | Delegates to `Intl.DateTimeFormat` with the spoofed timezone injected |
| `Date.prototype.toLocaleDateString()` | Delegates to `Intl.DateTimeFormat` with the spoofed timezone injected |
| `Date.prototype.toLocaleTimeString()` | Delegates to `Intl.DateTimeFormat` with the spoofed timezone injected |
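A self-check for the consistency the table above is aiming at, as an added example that is not part of the thread or of GeoSpoof's code: it derives the offset implied by the reported IANA zone and compares it with `getTimezoneOffset()` and the `GMT±HHMM` field of `toString()`, in winter and in summer so a DST mismatch shows up. All function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not GeoSpoof APIs.

// Offset in minutes for an IANA zone at a given instant, in the sign
// convention of Date.prototype.getTimezoneOffset() (UTC minus local time).
function offsetForZone(date, timeZone) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone, hourCycle: 'h23',
    year: 'numeric', month: 'numeric', day: 'numeric',
    hour: 'numeric', minute: 'numeric', second: 'numeric',
  }).formatToParts(date);
  const v = {};
  for (const p of parts) if (p.type !== 'literal') v[p.type] = Number(p.value);
  // Read the zone's wall-clock fields as if they were UTC, then diff.
  const wallAsUtc = Date.UTC(v.year, v.month - 1, v.day, v.hour, v.minute, v.second);
  return Math.round((date.getTime() - wallAsUtc) / 60000);
}

// Parse the "GMT±HHMM" field of Date.prototype.toString() into the same convention.
function offsetFromDateString(text) {
  const m = /GMT([+-])(\d{2})(\d{2})/.exec(text);
  if (!m) return null;
  const minutes = Number(m[2]) * 60 + Number(m[3]);
  return m[1] === '+' ? -minutes : minutes;
}

// Compare the surfaces against the offset the reported zone implies.
function checkSurfaces(surfaces, date) {
  const expected = offsetForZone(date, surfaces.zone);
  const findings = [];
  if (surfaces.offsetMinutes !== expected) {
    findings.push(`getTimezoneOffset()=${surfaces.offsetMinutes}, ${surfaces.zone} implies ${expected}`);
  }
  if (offsetFromDateString(surfaces.dateString) !== expected) {
    findings.push(`toString() "${surfaces.dateString}" disagrees with ${surfaces.zone}`);
  }
  return findings;
}

// Read the same three surfaces from the running browser (or Node).
function readSurfaces(date) {
  return {
    zone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    offsetMinutes: date.getTimezoneOffset(),
    dateString: date.toString(),
  };
}

// Audit mid-January and mid-July; an empty array means the surfaces agree.
function auditRuntime(year = new Date().getFullYear()) {
  return [0, 6].flatMap((month) => {
    const d = new Date(Date.UTC(year, month, 15, 12));
    return checkSurfaces(readSurfaces(d), d);
  });
}
console.log(auditRuntime());
```

Pasting this into the browser console with spoofing on and off shows whether the APIs in the table agree with each other; it does not cover other signals a site may use.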
Will there be a variant for Firefox derivatives like LibreWolf and Mullvad?
Yes, so the extension is compatible with all Gecko and Chromium browsers. I have explicitly tested it on LibreWolf, Firefox, Waterfox, Brave, Google Chrome, and Firefox for Android without issues.
I do want to support Safari on iOS and macOS in the future, but today it is not supported.
There are some deeper issues with Mullvad Browser. Mullvad Browser uses Firefox's resist fingerprinting (RFP) which forces UTC timezone at the engine level. No extension can override engine-level protections, and the two would conflict creating a detectable fingerprint.
Do you know for sure that this will enhance our privacy in practice, or is this just theoretical in nature?
It depends on your threat model and tolerance. Use Mullvad or Tor if you cannot allow any adversarial fingerprints from any API on your browser. The tradeoff is that you will always be stuck in UTC+0 timezone.
If you want to spoof any timezone you want, you can use my extension. The tradeoff is that advanced actors or scripts can detect your true timezone offset and that you are lying (they most likely cannot detect your true geolocation if used with VPN). Though for common use cases like avoiding georestrictions, ad-trackers, etc this is fine.
Some open questions I need to think more about:
- It may be possible to set your system clock (maybe use a VM for this) to a different timezone and use this extension to more credibly spoof your location.
- You may be able to spoof a different geolocation within your timezone without any adversarial footprints.
- I am considering an allow-list feature so that users can reduce blast radius if they really want to get around georestrictions for only a handful of sites but otherwise appear like a regular Mullvad user to all other sites.
1) Does it automatically set your time zone to your VPN's location or do you have to manually do it yourself by checking your chosen location's time zone?
It is my understanding that by default Firefox automatically offsets your time zone. However, what is unclear to me, is if the default time zone is the same for every FF user, or if FF adjusts it for each user according to their location.
From my experience, having FF change my time zone has never rung any alarm bells with websites. However, I wonder if that is because it never sets it off too far away from my actual time zone. I say this because I strongly suspect that if you live in Australia, and set your time zone to the UK, which can be 10 to 11 hours, it will almost certainly ring alarm bells with websites.
Even if you adjust your time zone to match your VPN location, I worry that some websites may lock you out if they see that one minute you're in the UK, and the next you're in Australia. I guess if you are already logged in, it might not be an issue, but if you're logging in multiple times a day into the same account from different locations that are very far from each other with a matching time zone, that's likely a different story.
I thought Android support meant you have an app for Android, but I see that it just means your add-on works with Firefox's Android apps?
I really need a geo-spoofer for my phone. I've noticed that every geo-spoofing app requires you to change certain core settings on your Android phone, and so far it hasn't really worked for me.
An app I use frequently requires I share my location to perform certain tasks, and I don't want to, so I do those tasks on desktop which is very frustrating.
1) Does it automatically set your time zone to your VPN's location or do you have to manually do it yourself by checking your chosen location's time zone?
Yes there is a convenience toggle to sync with VPN:
However, I wonder if that is because it never sets it off too far away from my actual time zone. I say this because I strongly suspect that if you live in Australia, and set your time zone to the UK, which can be 10 to 11 hours, it will almost certainly ring alarm bells with websites.
It depends on the service. Yes if you access a site under one timezone then re-access it with spoofing faster than one could physically travel to that country, then you could be detected. This is a classic speed-of-light problem. It is up to the user to consistently apply spoofing for the website of choice. I am planning an allow-list feature to help users always present a geolocation per site.
2) Do you plan to develop an Android app?
Not on my roadmap but that is an interesting idea. Right now I have only been targeting the browser. But I could do some exploratory research to see what is possible on the device level.
Mullvad has an extension for Firefox where you can set a different proxy for different domains. There's also more generic extensions for this functionality, like FoxyProxy. Can the VPN sync take that into account and spoof the geolocation depending on the website you're on? I wouldn't think so, right?
Also, is "Access your data for all websites" needed as a permission?