Question regarding arkenfox

widget · June 14, 2024, 3:27pm

Question regarding arkenfox.

ATTN: arkenfox in v128 will make RFP-etc inactive and use FPP as default #1804

What is the difference between RFP and FPP?

exaCORE · June 14, 2024, 4:01pm

github.com/arkenfox/user.js

FYI: future fingerprinting options

opened 03:05AM - 02 Sep 23 UTC

closed 03:17AM - 06 Feb 24 UTC

Thorin-Oakenpants

discussion fingerprinting FYI

oh, I should also mention that in the future we will be able to have two differe…nt mode of FP protection, and RFP will be able to have some protections disabled So the first is we will be able to use RFP in normal windows, and FPP in private windows. FPP is a work in progress (and almost ready). Initially (more will be added) will subtly randomize canvas, audio has been normalized for all users in FF118+, it returns 0 for window/screen positions (I think) and it will use font vis level 2. ~~So in effect, if something is totally fucked in normal mode, you can just flick it open in a PB window. FPP will also have compat rules - so they can ship an unbreak per site (i.e not apply e.g. canvas on site A) - but these are very basic protections so far and shouldn't break anything~~ ~~No, we cannot have FPP in normal windows and RFP in PB mode - it's not engineered to do that~~ we can only have a mix of these in this config: normal windows FPP, pbmode RFP --- For RFP itself, we can create our own set of what to apply globally - using RFPTargets. Since the main emphasis of RFP for us is fooling naive scripts, then relaxing some of the others is not as much of a concern. Personally I think it's a bit silly - RFP is an all-in or nothing approach, at best it could have three levels (like brave's FPing shield levels - off, standard, aggressive) and per site. But I get the engineering side of it, where all those RFPTargets allow crafting compat rules, and these FPing protections will slowly start to creep into FPP - **_edit_** just to be clear, compat rules are only for FPP So AF moving forward has some options with defaults and override recipes - `a` we could use FPP mode in all windows - `b` we could use FPP in normal windows and RFP in PB windows - `c` we could relax some RFP protections So for example, for RFP, if you have a monitor where the FPS !== 60 and it causes videos/animations etc dropping frames, you could modify the pref to apply all _but_ timing protections. https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc I _think_ I will go with option `a` down the track. While I do think RFP (no exceptions to targets) is best (the more metrics protected, the better the chances, plus it has timing mitigations), this really is best suited for a crowd and a different threat model - use Mullvad Browser, Tor Browser _Originally posted by @Thorin-Oakenpants in https://github.com/arkenfox/user.js/issues/1711#issuecomment-1698488246_

hxn · June 15, 2024, 2:30am

Thorin-Oakenpants really needs to create some kind of summary or TL;DR. I’m not reading that entire thread. I read the OP but I don’t get it. Is RFP still the more private option? Only reason why I’d consider disabling it is if it allows me to view dark mode on sites without having to use dark reader.

anon66791365 · June 15, 2024, 2:35am

RFP is what the Tor browser uses, it does things like change your time zone to UTC and other things like that that are intended to make Tor browser users blend in with each other. FPP doesn’t try to make users look the same as each other and instead takes the approach of randomizing certain values used for fingerprinting. Thorin is using the medium of boomer comics to communicate that it’s possible for the “blending in” effects to be detected by websites when you are not on tor browser and with randomization the value is still protected anyway, at least that’s what I could gather haha.

hxn · June 15, 2024, 2:39am

I see. I saw the comics but only the car one made sense to me. I don’t get the other two.

edit: “advanced scripts” he’s referring to fingerprinting techniques by websites, right? The ship one makes a little more sense now.

anon66791365 · June 15, 2024, 2:44am

The boat one is like, the sharks are the tracking scripts and the mannequins are the faked values and they’re “eating” the fake values.

For the horse one the chicken is like your Firefox browser and the cowboys are like Tor browser users and it’s showing that although the chicken has all the trappings of a cowboy it’s still obvious that it’s not a cowboy.

hxn · June 15, 2024, 2:48am

Makes sense, but “advanced scripts can fingerprint a fingerprint protection, spot paradoxes, get detail” is he saying that the chicken is RFP? And is he also saying that RFP is fingerprinting “protection” as opposed to “randomisation”, and what is the difference?

I’m assuming RFP is about hiding values, and FPP is about randomising them. Not entirely sure what the implications are of this.

xe3 · June 15, 2024, 3:12am

I encourage you to read the discussions of FPP / RFP in full, but if you want just a direct succinct answer, here are a couple relevant and concise bits that address your question from #1846:

jonah · June 15, 2024, 4:04am

I think they’re just kind of implying that RFP is only fully useful when used with Tor Browser (and, it should also be the case with Mullvad Browser and a VPN I’ll point out). You should first understand two definitions:

Advanced scripts are scripts that actively try to detect people using anti-fingerprinting techniques and fingerprint them anyways.

Naive scripts are scripts that fingerprint you based on reading some values from your browser.

Naive scripts account for pretty much all tracking scripts you’ll encounter on the web today, unless you’re like being hunted down or something.

Now there are 4 facts:

RFP with Tor browser can thwart even advanced scripts.
RFP with Firefox can’t really thwart advanced scripts, because there are still plenty of other factors that they can use to fingerprint you.
Both RFP and FPP provide good protection against naive scripts.
FPP is more compatible with websites than RFP.

Given all of this, they have made the choice to default to FPP, because it is more compatible, it is more flexible, and in Firefox/Arkenfox you can only realistically thwart naive scripts anyways.

If you stick with RFP you won’t be worse off, but the advantages are so small in this case with Arkenfox/Firefox that you’re also not likely to be better off either, so the trade-off of using RFP instead of FPP is probably not worth it.

Anyways, this is why we say that for people with the highest levels of risk, they need to be using Tor Browser. For people who are still concerned about these advanced threats, but can accept some tradeoff for performance (because the consequences for them might not be high, perhaps) they can use Mullvad Browser with a VPN. And for people who are only concerned about naive scripts (which is most people!) they can use Arkenfox/Firefox.

Regime6045 · June 17, 2024, 9:14am

Very insightful post, thank you. I now disabled RFP again in my browser (Librewolf). The annoyances (no dark mode, constant zoom level reset, slightly broken websites) are not worth it if you’re still fingerprintable by advanced scripts. (And naive scripts are probably taken care of by FFP + ETP + uBO.)

user12 · June 21, 2024, 8:36am

Will they maintain 2 different user.js files:

1- for RFP

2- for FFP

Because it may have depended configs… Or maybe not… I hope they will have only 1 file. Otherwise there will be a maintenance issue for us and arkenfox developers…

Anyway… Is there any detailed comparison table or something to see the differences between RFP and FFP? So we know what we are doing exactly…

Regime6045 · June 21, 2024, 8:49am

So I was told FFP with “AllTargets” enabled is the same using RFP. These are the list of targets: RFPTargets.inc - mozsearch

Here is another overview: Security/Fingerprinting - MozillaWiki
But I’m not sure if it’s up to date because for example RFP dropped the “same user agent for everyone” target but it’s still listed there.

redoomed1 · June 21, 2024, 4:06pm

No.

When arkenfox 128 is released, it will no longer have RFP enabled and users will fall back to using FPP - as long as users run prefsCleaner. The reason for this is to provide a more usable default user.js (which, again, is a template) - and those who are more tech minded can add RFP and related prefs as overrides (if it suits them)^[1]

Emphasis mine ↩︎

Topic		Replies	Views
[Solved] Arkenfox JS Privacy browsers	3	283	August 27, 2024
PSA: Changes to Firefox and Arkenfox make Canvas Blocker and Smart Referer unnecessary for Arkenfox users who previously used those extensions Privacy browsers	2	443	January 25, 2024
Firefox finally adding resistFingerprinting outside of about:config? Questions	8	2105	November 3, 2023
Is it still ok to use arkenfox which is on v112, when firefox is on v114? Questions browsers	1	466	June 19, 2023
Librewolf vs Firefox without Arkenfox Questions browsers	2	2437	October 22, 2022

Question regarding arkenfox

Related Topics