RFP without Canvas-Blocker (excluding RFP supported protections)?

I have really read and tested too much about fingerprinting. But I’m really tired of that.

I have Firefox profiles like this:

  • gmail 1
  • gmail 2
  • general surf (on this profile I manually delete all cookies, cache and everything else every 2-3 minutes, and I never log in anywhere from here)
  • hotmail 1
  • hotmail 2
  • bank 1
  • bank 2

There are 2 main independent topics to discuss:

  • 1- What fingerprint settings are better for the general-surf profile?

  • 2- What fingerprint settings are better for all other profiles except general-surf?

For all profiles I use the configs below:

  • 1- Mozilla Firefox

  • 2- Arkenfox (with my simple overrides) (most importantly resist-fingerprint is true)

  • 3- Ublock-Origin (all settings are default)

  • 4- Canvas-Blocker extension:

    • 4.1 Canvas API:

      nothing. (which means it does not manipulate anything)

    • 4.2 Audio API:

      protection enabled

    • 4.3 Window API:

      protection disabled (otherwise it breaks most of the websites I visit)

    • 4.4 DOMRect API:

      protection enabled

    • 4.5 SVG API:

      protection enabled

    • 4.6 TextMetrics API:

      protection enabled

    • 4.7 Navigator API:

      protection disabled (otherwise it breaks most of the websites I visit)

    • 4.8 Screen API:

      protection disabled (otherwise it breaks most of the websites I visit)

Why is a different random fingerprint not good?

I know this topic has been discussed many times before, but I really could not get an answer to my question below.

Normally I do everything Privacy Guides suggests. But I cannot understand why we don’t use random fake fingerprints. Just for this reason, I installed Canvas-Blocker and enabled only some protections which are not randomized by the resist-fingerprint option of Firefox. (I tested them a million times, on different fingerprint test pages.)

If I do not install Canvas-Blocker, the website I visit can simply check my fingerprint via the TextMetrics API. This would be very easy. So why should I not install Canvas-Blocker if I have enabled RFP? Some people say that Canvas-Blocker may conflict with RFP logic. But both of them are open source (the developers know what they do) and, most importantly, the Canvas-Blocker extension allows you to choose which APIs to protect. For example, I disabled the canvas protection of the Canvas-Blocker extension, because RFP already manipulates the canvas API. (That is why I wrote all my settings above.)

Now you can tell me there is no 100% solution. So why do you enable the RFP of Firefox?

I know you cannot change 100% of all these values. But in my case, if I changed 80% of my unique values, without Canvas-Blocker this value would decrease to 70%. There is a 10% difference. Why would I give 10% of my browser data to a remote website?

1 Like

You overthink it. Also, if you use Firefox you could probably benefit from the https://jshelter.org/ extension; it will also show you websites trying to fingerprint, thus you will see it is not a big problem actually. Anyway, there are multiple other ways to track you. So yeah, after all uBo is the only extension you need. Anyway, check the site; it is one of the best to read about fingerprinting.

1 Like

@KeepItSimple Thank you for your reply.

I had checked JShelter and its articles before. I compared all of JShelter’s protections one by one with CB and RFP. But I could not find any new protection in it if you already have CB, RFP and UBO.

As you already mentioned, I can install JShelter to see which websites are fingerprinting. (For now it’s not very critical for me.)

“…thus you will see it is not a big problem…” → what do you mean by that?

“You overthink it.” → It looks like yes 🙂 But I’m learning new things. Besides, after I checked what CB protects that RFP cannot protect, now I don’t do anything. I mean I simply have everything as default; I only disable 2 protections of Canvas-Blocker. Now everything is simple for me. But I also want your opinions here, in any case…

uBo eliminates many security and privacy threats. That is the only extension Arkenfox.js recommends. Fingerprinting is complex tracking. While Firefox or Brave do some work against it, their approaches are different, because anything you do against it could and will break sites. Fingerprinting could also be useful: many sites do it for security, so malicious actors trying to access your accounts could be detected. Canvas blocking is just one method, but any rare extension makes you more unique, so while CB does something, it also does the opposite thing at the same time. Just stick with what your browser provides and you are good. I use JShelter only in a browser without any anti-fingerprinting features; my Brave and Firefox both do not need it, nor CB, and Brave does not even need uBo. The fewer extensions you have, the better it will be both for fighting fingerprinting and for security.

An informative comment from the creator of Arkenfox:

2 Likes

I read it. Thank you.

But the author of that post (Thorin-Oakenpants) only mentions the canvas API. In my original post I already mentioned that I disable the canvas API protection of the CB extension, just because RFP already protects my canvas (otherwise they will conflict or it will be redundant).

I tested it a million times: RFP cannot protect:

  • Audio API
  • DOMRect API
  • SVG API
  • TextMetrics API

Therefore I enable only those in the CB extension.

I’m really thankful for your comments. But I still really could not get the idea behind not using CB.

I also mention in my new comment:

RFP can not protect:

  • Audio API
  • DOMRect API
  • SVG API
  • TextMetrics API

Therefore I enable ONLY those on CB-extension.


I can put my question briefly, as below:

Our browser has fingerprints, about five of them:

  • Canvas (can be protected via RFP)
  • Audio (can be protected via CB extension)
  • Fonts (There is a way to protect this. So I ignore it for now…)

The question is: given the above list, why do you not recommend me to not install the CB extension?

It does nothing useful and probably makes you even more unique, which is probably not what you want by using it? There are so many ways to track you, the most obvious are cookies, if you do not purge them CB makes less than zero sense. Then your IP is also a strong vector of tracking. Also check some interesting websites that track you in other ways, where neither CB nor uBo helps:

https://lucb1e.com/randomprojects/cookielesscookies/

If you don’t mind reading one more article about fingerprinting, I highly recommend reading the Browser Fingerprinting overview written by Jonah pending addition to Privacy Guides (pretty fortuitous timing lol).


Another comment from Thorin-Oakenpants: what is ETP>Custom>Suspected fingerprinters [A: FPP] · Issue #1729 · arkenfox/user.js · GitHub

Notable quotes from the linked comment:

And with FPP, when it’s ready, it does what we want - it subtly randomizes canvas which is good enough for now for a Firefox threat model[1], and way more compat friendly.

extensions are fucking dumb for resisting FPing - end of story


  1. Emphasis mine

1 Like

“if you do not purge them CB makes less than zero sense.” → I purge them every 2-3 minutes and most of the time restart Firefox completely.

“supercookie” could not fingerprint me. I tested it now.

“http.james” fingerprinted me successfully. But it says 99%. I did not check how it works. But I visited many different fingerprint test sites and checked the results one by one. More than 95% of the values are different when I restart my browser: Appendix B Test Sites [Fingerprinting] · arkenfox/user.js Wiki · GitHub

“http.james” fingerprinted me successfully. But it says 99%. Maybe they use a ratio (a threshold value); if you are higher than this ratio (threshold value), they write that “you have visited this page before”. But I don’t think that the advertisement companies (or any other identifying authority) are using these values. If it’s not a 100% and common stable technique, they will not prefer to identify you with those ratios/values.

I think “http.james” kinds of cases are very extreme cases. I’m not an expert, but Audio API, DOMRect API, SVG API and TextMetrics API are simple techniques. We hear about them all the time. There are many tests and articles about them. Therefore I use CB for them.

But most importantly, I remove all my cookies (and everything) and restart the browser every 2-3 minutes. My fingerprint is unique, but it’s different after 2 minutes. That means it does not matter who is browsing. On the router I use, there are more than 10 users, together with my neighbors. And to be honest, they also use Brave and Tor Browser sometimes. To be unique for 2 minutes is, in my case, better as far as I understand. Even the website knows that I’m faking the values.

Thank you for your patience ❤️
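
The ratio/threshold idea raised in the last post, as an added example that is not part of the thread and not code from any site or extension named in it. Attribute names, values, the scoring rule and the thresholds are all constructed assumptions; the point is how the share of attributes that stay the same across a restart decides whether two sessions score above a chosen threshold.

```javascript
// Constructed sample data: every attribute name and value here is hypothetical.
// The first five attributes stand for APIs the thread says get randomized
// (canvas by RFP; audio, DOMRect, SVG, TextMetrics by CanvasBlocker).
// The last five stand for signals that randomization does not touch.
const stored = [
  { id: "visit-1", attrs: { canvas: "c1", audio: "a1", domRect: "d1", svg: "s1",
      textMetrics: "t1", fonts: "fA", acceptLanguage: "en-US", headerOrder: "h7",
      ipPrefix: "203.0.113", extensionSignal: "x2" } },
  { id: "visit-2", attrs: { canvas: "c9", audio: "a9", domRect: "d9", svg: "s9",
      textMetrics: "t9", fonts: "fB", acceptLanguage: "de-DE", headerOrder: "h3",
      ipPrefix: "198.51.100", extensionSignal: "x0" } },
];

// Same browser as visit-1 after a restart: the five randomized values changed,
// the five untouched ones did not.
const afterRestart = { canvas: "c2", audio: "a2", domRect: "d2", svg: "s2",
  textMetrics: "t2", fonts: "fA", acceptLanguage: "en-US", headerOrder: "h7",
  ipPrefix: "203.0.113", extensionSignal: "x2" };

// Fraction of attributes (over the union of keys) whose values are equal.
function similarity(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  let same = 0;
  for (const k of keys) {
    if (k in a && k in b && a[k] === b[k]) same++;
  }
  return keys.size === 0 ? 0 : same / keys.size;
}

// Best-scoring stored visit and whether its score clears the threshold.
function bestMatch(current, visits, threshold) {
  let best = { id: null, score: 0 };
  for (const v of visits) {
    const score = similarity(current, v.attrs);
    if (score > best.score) best = { id: v.id, score };
  }
  return { ...best, linked: best.id !== null && best.score >= threshold };
}

console.log(bestMatch(afterRestart, stored, 0.99)); // strict threshold
console.log(bestMatch(afterRestart, stored, 0.5));  // looser threshold
```

In this constructed data the restarted session still scores highest against its own earlier visit; whether that counts as a match depends only on where the threshold is set relative to the share of attributes left unrandomized.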