Hello, how good privacy wise is it to use dark reader on mullvad browser? Does it do anything with fingerprintings?
The answer is on the website:
2 Likes
A good rule of thumb is anything that modifies the DOM or the actual content of websites is fingerprintable. So in this case yes dark reader is going to make you more fingerprintable.
3 Likes
thanks for pointing out, but i cant find anything mentioned about dark reader there
The points there go for all extensions, including yours.
1 Like
Hope iâm not derailing the conversation too much, but what about a built-in browser option like the âapply dark themes to sitesâ in vanadium. Does that make you more fingerprintable as well or would that be a viable alternative?
It splits Vanadium users into two groups, ones who have that setting set to dark mode and light mode. But because itâs built into the browser thereâs a lot more users that look the same. Vs dark reader which will always be a much smaller subset of users and allows for a lot of customization as well.
I assume you have made changes to the default flags?
Stick to the defaults if you dont want to stand out goes for everything.
Oh, you are absolutely right, i did and forgot about it. Disabled it again. Thanks for the hint and sorry for the confusion
1 Like
Itâs not very helpful to say âdonât install extensionsâ because a lot of extensions do not make you fingerprintable. Like for example an extension that deletes your browser history on startup or that an extension that exports the URLs from your open tabs to a text file.
Iâm not sure about Dark Reader though.
Dark Reader extension or using dark mode indeed increase your fingerprinting. Because it changes and modifying the UI. Thatâs why Mullvad browser or librewolf set it light mode. There is a difference btw dark reader and dark mode. Dark reader makes you more fingerprintable than dark mode since it is an extension decreasing the number of users you can blend in. I didnât look at its working mechanism, but it probably change css on browser.
2 Likes
Any extension interferering with the DOM or network, could potentially be adding fingerprintability. I am not aware of addons that add anhthing useful who do not do this.
Even if they do exist it does add attack factor. For people so concerned about fingerprinting this most likely is a risk too. The general advice is keep your extensions as limited as possible for the reasons mentioned.
4 Likes
The Mullvad Browser extension would be one example (according to Mullvad) but its an exception to the rule. From their FAQ:
Can I install other extensions?
Yes, but that is something we donât recommend. Extensions could make it possible to identify you through fingerprinting.
Will removing Mullvad Browser Extension alter my browser fingerprint?
It wonât change your browser fingerprint, itâs safe to remove it.
Fair but that is preinstalled with the browser. I would not recommend installing that extension in another firefox browser either.
If removing the pre-installed extension doesnât alter your browser fingerprint. Iâd assume that adding that same extension to a browser also shouldnât affect your browser fingerprint. Thatâs an unconfirmed assumption on my part, but it seems logical.
Generally speaking, I agree with the mindset of âwhen in doubt, assume a change (setting or extension) will likely impact your browser fingerprintâ. Its a good cautious rule of thumb.
2 Likes
I actually answered a similar question in another forum, here it is copy/pasted:
Basically, we need to look at the permissions an extension requires. The permissions an extension request on install through the browser user interface is not fine-grained enough to determine whether the extension is potentially fingerprintable.
An extension is just an archive you can extract packaging some HTML/CSS/JavaScript.
So if you look at the source code of an extension, you will find in it a file called the manifest, which lists resources and permissions of the extension.
This is not an exhaustive list and you should not use it to determine if an extension is fingerprintable.
Furthermore, the situation is different for Firefox and Chromium browsers! This is focusing on the Firefox side.
Here are some things we can look out for:
- Web accessible resources, this can be icons, CSS or other, which a page can view, is probably unique per extension
- Content scripts, this is basically whether the extension can inject a script and modify the webpages directly
- Network/DNS requests, extensions can intercept requests an potentially modify them
- specific URL or <all_urls>, which allow extension to make intervention in specific websites
- others I forget now most probably
To function properly, an extension will sometimes requires multiple of those permissions. To take the example of an extension adding a button to YouTube, it will require at the minimum to use a content script, and to access youtube.com.
There are cases where an extension will require more permissions than needed (the <all_urls> is a classic one), but for example uBlock Origin needs it. Sometimes an extension doesnât need that much permission technically, but the permission you can ask is not fine grained enough.
Sometimes, if your extension need to be displayed as an overlay on the page, you can only do it by modifying the page (an example would be a mouse gesture extension: since it relies on the position of the cursor, this can only happen by using a content script injected into the page. Even though, the function of the extension is not reliant on the website itself)
Now, even if an extension modifies the page content, it doesnât mean that this can be used as a stable fingerprintable indicator. For example if an extension only randomly modify a webpage, it canât be used as a reliable signal/metric.
As you can probably guess, itâs hard to reason about all of these parameters, even if you know what to look for. Which is why we recommend not to use extensions at all.
The solution I mentioned would help inform the user by indicating cases where extensions are not fingerprintable at all and show when permissions requested are potentially fingerprintable.
7 Likes
If there are specific criteria like this to know if an extension is fingerprintable or not, then there could be a tool to make a list of all extensions stating if they are fingerprintable or not.
Are you aware of such list or tool?
Iâm not aware, but we have a plan to add this to Mullvad Browser at some point in the future, weâre just limited by our current resources.
6 Likes
Can a website uses Javascript (like getComputedStyle()) to detect CSS modifications made by Dark Reader? Or will this return whatever was computed before Dark Reader changed the colours?
I donât know.
2 Likes