I’m glad you’re asking for verification, since coveryourtracks is flawed.
I am inclined to give the same advice to OP, but given this thread, there is a history of people asking for specifics, not generalities. It seems this thread is asking for specifics as well.
Bankable835:
Does installing the Proton VPN extension and the Proton Pass extension change your fingerprint?
What we’ve learned from that thread is that some extensions are fingerprintable, and some are not. @ruihildt says that Mullvad actually plans to “modify the extensions section [to] warn the user when an extension is fingerprintable” at some vague point in the future.
I cannot say much about the Proton VPN extension, but Proton Pass seems to change the webpage since it creates drop downs for the autofill feature, so it will certainly be fingerprintable. Someone correct me if this is wrong.
To quote @ruihildt:
ruihildt:
Basically, we need to look at the permissions an extension requires. The permissions an extension requests on install through the browser user interface are not fine-grained enough to determine whether the extension is potentially fingerprintable.
An extension is just an archive you can extract packaging some HTML/CSS/JavaScript.
So if you look at the source code of an extension, you will find in it a file called the manifest, which lists resources and permissions of the extension.
This is not an exhaustive list and you should not use it to determine if an extension is fingerprintable.
Furthermore, the situation is different for Firefox and Chromium browsers! This is focusing on the Firefox side.
Here are some things we can look out for:
Web accessible resources, this can be icons, CSS or other, which a page can view, is probably unique per extension
Content scripts, this is basically whether the extension can inject a script and modify the webpages directly
Network/DNS requests, extensions can intercept requests and potentially modify them
specific URL or <all_urls>, which allow an extension to make interventions in specific websites
others I forget now most probably
To function properly, an extension will sometimes require multiple of those permissions. To take the example of an extension adding a button to YouTube, it will require at the minimum to use a content script, and to access youtube.com.
There are cases where an extension will require more permissions than needed (the <all_urls> is a classic one), but for example uBlock Origin needs it. Sometimes an extension doesn’t need that much permission technically, but the permission you can ask is not fine-grained enough.
Sometimes, if your extension needs to be displayed as an overlay on the page, you can only do it by modifying the page (an example would be a mouse gesture extension: since it relies on the position of the cursor, this can only happen by using a content script injected into the page, even though the function of the extension is not reliant on the website itself).
Now, even if an extension modifies the page content, it doesn’t mean that this can be used as a stable fingerprintable indicator. For example, if an extension only randomly modifies a webpage, it can’t be used as a reliable signal/metric.
As you can probably guess, it’s hard to reason about all of these parameters, even if you know what to look for. Which is why we recommend not to use extensions at all.
2 Likes
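The manifest inspection described in the quoted post, as an added example that is not part of the original thread or any project's code: it opens a Firefox extension archive, reads `manifest.json`, and lists the web accessible resources, content script targets, network-related permissions and host patterns. The sample extension and the function names are constructed for illustration, and, as the quote says, the result is not an exhaustive list and does not by itself decide whether an extension is fingerprintable.

```python
import io
import json
import zipfile

# API permissions that let an extension observe or alter network/DNS traffic.
NETWORK_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "proxy", "dns"}

def is_host_pattern(perm):
    """Match patterns such as <all_urls> or *://*.example.com/* (not API names)."""
    return perm == "<all_urls>" or "://" in perm

def audit_manifest(manifest):
    """Collect the manifest entries the quoted post says to look out for."""
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    # Manifest V2 lists resources as strings; V3 wraps them in objects.
    resources = []
    for entry in manifest.get("web_accessible_resources", []):
        resources += entry.get("resources", []) if isinstance(entry, dict) else [entry]
    script_matches = sorted({m for cs in manifest.get("content_scripts", [])
                             for m in cs.get("matches", [])})
    hosts = sorted({p for p in perms if is_host_pattern(p)} | set(script_matches))
    return {
        "web_accessible_resources": resources,
        "content_script_matches": script_matches,
        "network_permissions": sorted(NETWORK_PERMISSIONS & set(perms)),
        "host_patterns": hosts,
        "all_urls": "<all_urls>" in hosts,
    }

def audit_xpi(data):
    """An .xpi is a zip archive; manifest.json sits at its root."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return audit_manifest(json.loads(archive.read("manifest.json")))

def build_sample_xpi():
    """Constructed sample: a hypothetical extension adding a button to YouTube."""
    manifest = {
        "manifest_version": 2, "name": "sample-button", "version": "1.0",
        "permissions": ["storage", "webRequest", "*://*.youtube.com/*"],
        "content_scripts": [{"matches": ["*://*.youtube.com/*"], "js": ["button.js"]}],
        "web_accessible_resources": ["icons/button.svg"],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(audit_xpi(build_sample_xpi()), indent=2))
```

To check a real extension, pass the bytes of its downloaded `.xpi` file to `audit_xpi`.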