I mainly use two web browsers: Mullvad and Librewolf.
On Librewolf, I activated uBlock’s medium mode, since it is advised by the devs to do it. I quite like it honestly, and I would like to activate it on Mullvad Browser as well. However, I understand that the whole point of MB is to blend with the crowd of MB users and a critical part of that involves not changing any settings in order not to stand out of that crowd.
With this rationale in mind, would it actually be better privacy-wise not to change any of uBlock’s settings and thus keep it in its default mode? Would any of the advantage gained from uBlock’s medium mode be undermined by the fact that I wouldn’t blend in the MB userbase anymore? What do you think?
[It may be obvious from the question, but I do not have technical knowledge of how browsers and extensions work, and I do not know how exactly I might stand out with uBlock’s medium mode.]
Personally I can’t get comfortable using Mullvad Browser (or any Browser with strong fingerprinting countermeasures / letterboxing). So my approach is to use a primary browser with moderate anti-fingerprinting protection (e.g. Firefox + Arkenfox w/out RFP) and then a second browser (e.g. Mullvad) w/ stronger fingerprinting countermeasures for semi-sensitive stuff where privacy is the priority. I leave Mullvad in it’s default state for this purpose. If I were to want to block javascript, I would first look into the built-in “security levels” (via settings → security → security levels) this is a feature of Tor Browser and Mullvad Browser which I believe uses noscript on the backend, its built-in so likely to make you less unique than uBO + Medium Mode.
As a general note, it seems that often there is a tradeoff between anti-fingerprinting countermeasures and other priorities (adblocking, traditional anti-tracking, etc). Its not that you can’t find a balance where you have some of both, but to some degree you can’t have your cake and eat it too. Personally I prioritize traditional anti-tracking / anti-surviellance against common widespread real world privacy threats, over anti-fingerprinting. Anti-fingerprinting is a ‘reach goal’ for me, not my top priority.
Yes indeed, if you switch to medium mode (or really change any settings in uBlock Origin except for a few) your fingerprint will vary from other users of MB. That is just a fact.
But:
whether a significant amount of websites that use fingerprinting will actually take notice of this particular change (and not just have the potential for it), and
whether changing to medium mode is better or worse than blending in with the crowd of other MB users…
… that is not something where there is any true answer. I would say that if the fingerprinting protection of MB is important to you, then obviously it’s imperative that you don’t change any settings except for the “Normal / Safe / Safer” setting, or whatever that security slider is called. But if you just like MB in general for browsing and you don’t care about really strong fingerprinting prevention, but you also quite like the medium mode of uBlock, then well go ahead, it’s your machine you can do what you want with it.
You can also always have multiple profiles in Firefox-based browsers like MB (check “about:profiles”), in case you want to compartmentalize anything in regards to extension settings. For example, because I use JShelter in my main Firefox installation, I kinda know for most sites that I actually regularly visit whether they try to do fingerprinting or not, and at least in my case most don’t seem to engage in any such behavior. So when visiting these, using MB or not probably doesn’t make a ton of a difference. But I know that when I search for random stuff with a search engine and follow links into the “wild west” of the internet or visit news sites, then regularly all hell breaks loose. Here it might make sense to use a fully stock MB profile if avoiding fingerprinting is what you’re after.
The VPNs recommended by PG all have anti-tracking countermeasures. These can be used in conjunction with Mullvad Browser. If you use Mullvad VPN+browser, you’ll get the best of both worlds since you’ll also blend into the majority of Mullvad browser users.
True but DNS based blocking is not at all comparable in concept or in the level of protection of Medium Mode in uBO or Noscript (also Mullvad Browser has adblocking built in already)
If you are not familiar with what uBO in Medium Mode does, it blocks all javascript that is not coming from the 1st party domain. This is fundamentally different than how adblockers work (whether browser or DNS based), because it applies a default deny rule (i…e block everything not on a whitelist) whereas adblockers work with a blacklist. Blacklists offer less protection but are much more convenient to use. uBO’s own testing showed that moving from the default (which is already more effective than DNS based blocking) to medium mode reduced connections to 3rd parties by roughly 80%
In terms of effectiveness: uBO Medium/Hard modes > uBO by default > DNS/VPN based blocklists. Personally I use all three layers in combination.
The shortest answer is: yes, it would be better privacy-wise to not change any of uBlock’s settings in Mullvad Browser. I can also give you a slightly longer overview:
To simplify this for you a bit, what it basically comes down to is:
Increasing uBlock Origin protections (by e.g. enabling medium mode or adding new lists) will:
Protect you from more naive trackers and mass surveillance, because your “attack surface” is reduced by virtue of running far fewer scripts.
Keeping Mullvad Browser in its default state and not changing uBlock Origin settings will:
Protect you from standing out from other Mullvad Browsers by more advanced (probably specifically targeted) trackers.
The key difference is that most trackers out there are not trying to differentiate between Mullvad Browser users in the first place, i.e. they are naive trackers looking to easily track as many people as possible, and not advanced trackers looking to differentiate you specifically from the crowd.
You have to understand your own threat model to determine whether this crowd-based protection is important to you.
If you are using both Librewolf and Mullvad Browser for different things, I would use these custom configurations like medium blocking mode in Librewolf to thwart naive trackers, and keep Mullvad Browser in its default state to better thwart more advanced trackers. Then you can choose between both as needed.
If you’re trying to switch to only using Mullvad Browser, whether you do this is up to you, but yes you are losing some of MB’s more advanced fingerprinting resistance properties by changing the browser’s behavior like this.
The whole battle against 3rd party JS always had me dumbfounded. What are you trying to achieve when a malicious website can simply host their own JS to track? Google analytics and others can be trivially blocked using the DNS anti-tracking offered by privacy VPNs. In this case, ublock’s higher mode of blocking offer no unique value.
Thanks everyone for your interesting answers! @jonah thanks for this detailed explanation. That’s essentially what I expected.
Great advice, this is essentially what I do. Good to know that I should keep this strategy.
Would you say the same about MB’s security levels using noscript? I know privacyguides.org indirectly says it’s okay to change that, but following the same logic, wouldn’t it be better to keep it in its default standard mode, since this is probably how most users will set it?
In both cases. Moving from ‘standard mode’ to ‘safer mode’ made you (somewhat) more unique. But moving from 'standard mode to ‘safest mode’ made you substantially less unique (in fact the best configuration of any that I tested was MB in ‘safest’ mode, with TBB in ‘safest’ mode coming in second).
This is most likely due to scripts being blocked in ‘safest’ mode, so while it is true that going with a non-default configuration makes you more unique, blocking scripts makes up for that and much more by blocking the server from accessing a lot of fingerprintable datapoints. (so essentially “600 steps forward, 2 steps back”)
Another thing that surprised me is that you are slightly more identifiable if you keep the browser window in its default / unmaximized state. Maximizing the browser window had a slightly positive effect in ‘standard mode’ and no effect in ‘safest mode’ (because blocking javascript also blocks sites from being able to see your browser window size apparently).
So TL;DR at least based on my unscientific testing, using “safest” mode makes you less unique than “standard” mode for both MB and TBB even though you must break from the herd in order to enable this mode.
Cover your tracks does a pretty awful job for a variety of reasons. Many things they consider to be unique are actually randomized every session in Tor like timezone so the fingerprint isn’t useful for linking multiple tor browsing sessions from the same user.
Not sure tbh, I think all these sites will face the issue that the distribution of users visiting them will be different from the general browser population. Since these sites are mostly visited by people using privacy-focused setups to begin with, they’ll get a biased sample and won’t accurately say if you’re identifiable.
Think of the different settings as additional buckets. These are the most prominent settings to change and there are only 3 levels, so if you stick to one of the levels without altering any other settings, the chance is still high there are many other users doing the same thing, basically many other users falling into the same bucket as you do.
With other settings however, the possibility of other users replicating 1:1 that exact setup becomes smaller and smaller. Not because the settings themselves are inherently bad, but because the overall behavior of your browser no longer matches that of any other browser out there in the world → that’s how you get potentially fingerprinted (assuming a sufficiently sophisticated fingerprinting script).
But we can definitely talk about which one of the settings is probably used by most people, and therefore (in regards to fingerprinting protection) the best bucket to fall into. That should be the one that MB uses by default.
As for sites like cover your tracks, I would not use them, they don’t tell you anything useful really. They are interesting to begin to understand the concept of how fingerprinting a browser might work, and that’s all. They don’t use very sophisticated methods, their statistics don’t account for enough users, but even if these were not the case, a single fingerprinting script not being able to fingerprint a certain browser does not mean another one is also not able to. The only way to holistically protect against this vector is being actually not unique and behaving the exact same as a hopefully really large crowd of other actors.
Yet if you don’t trust any of the metrics used to estimate uniqueness, how can you possibly go about assessing how unique you appear to a remote server?
We agree that a self-selecting sample size of ~200k isn’t sufficient to draw specific firm conclusions. We disagree that it doesn’t provide any useful value.
Ultimately, you can’t assess anonymity without knowing how your adversary is trying to identify you.
Personally, I feel the below is a more accurate way to say this:
Ultimately, you can’t assess[can’t assess to a high degree of confidence] anonymity without knowing how your adversary is trying to identify you.
No test will be a perfect reflection of reality (this is especially true of things like browser fingerprinting which is probably still in its adolescence and where there is a lot that is hard to know). A test can be at best a reflection of the test conditions and the input data. But dismissing testing or modeling as a concept because it falls well short of perfect seems like throwing the baby out with the bath water.
Any test like this should be assumed to be at best a rough indication of uniqueness. Getting a result of 1 in 775 doesn’t tell you that your browser actually looks identical to 1 in 775 browsers in the real world against all types of naive or advanced fingerprinting, but you can probably reasonably infer that the browser config that gets you that 1 in 775 test result is less unique than the browser config with a result of 1 in 9,500,000 result. And you can dig into the raw data see what changes made the biggest difference. Basically my point is that so long as you understand the limitations and fuzziness of this sort of testing (and understand it is a reflection of selection bias/sampling), and don’t put too much faith or weight on it, I think it has value.
The problem isn’t that it falls short of being perfect. The problem is that the sample of users of coveryourtracks is too small and biased for results to generalize for the population of internet users. Moreover, the error of their predicted uniqueness is impossible to quantify since we do not have a representative sample of internet users to make a comparison. Coveryourtracks provides a method we know is not only wrong, but can make arbitrarily large errors. Until evidence surfaces to prove its effectiveness at predicting uniqueness, it’s a worthless tool.
I agree, (and have stated as much in previous comments) but I’ve been trying to make clear in my comments that that is not the value I see in tests like this. They do not reflect the overall population (nor will they reflect the true sophistication of all forms of advanced fingerptinting. But for people who understand these large caveats, there is still a lot of potentially useful information in these types of tests. It feels that you are focusing in on a point that I am not trying to make.
generalize for the population of internet users.
The goal is not necessarily to “blend in with most internet users”, the goal is to blend in with enough internet users. Trying to blend in with most internet users would be counterproductive because what you would need to do to do this would ironically make you much easier to track and identify (use chrome, use windows, don’t use an adblocker, don’t enable anti-fingerprinting measures, don’t use TOR, don’t use a VPN).
The Approach TOR, Mullvad Browser and to a degree FF with RFP take is not to try to blend in with the most people, but to create a large enough cohort of people that blend in with one another, that it becomes harder to identify individuals within that cohort. And these groups are the ones most likely to be overrepresented in fingerprinting tests.
So while I whoreheartedly agree with you that selection bias is a limitation of the covermytracks test, and any other, I don’t agree that that makes it worthless, so long as you understand there will be bias, fuzziness, and imprecision, and how that can skew results in large and small ways.
it’s a worthless tool.
I feel this is an overly black & white take, but I respect your difference of opinion. We actually agree on almost every individual point as to the limitations of this sort of test, every flaw you’ve mentioned is something I’ve thought about as well, where we differ is only in whether we think there is still potential for value in testing despite the the shortcomings. I think there is, so long as you understand the shortcomings.
