Will it make me more fingerprint-able if I install the DuckDuckGo (just for Email Protection, I will not use any of the other features) or Qwacky extension in Mullvad Browser. I want use/access my DuckDuckGo email aliases. I would not be autofilling them, just be generating aliases and copying them, and maybe adding notes, and deleting some.
I am totally aware that it is strongly recommended to not install any additional extensions in Mullvad Browser, I just wondering/hoping these extension do not increase fingerprintability.
I am totally aware that it is strongly recommended to not install any additional extensions in Mullvad Browser period. I should have mentioned that in my post.
I was hoping/wondering if these extensions might not increase fingerprintability.
Extensions increase fingerprintability. Period. No nuance needed on this one. It doesn’t matter your browser, your VPN, what kind of extension, etc.
EDIT: Actually I take it back, there is one small piece of nuance: I would argue it’s worse in the case of Mullvad & Tor Browser because those browsers work on the philosophy of making everyone look the same. Imagine a police lineup where literally everyone is literally a different height. You stand out because you’re the only person who’s 5’9” or whatever. That’s using extensions with Chrome/Brave/Firefox/etc. Now imagine a police lineup where everyone is 5’5, except for you at 5’9”. That’s using extensions with MB/TB. I have to imagine you stand out that much more because you’re the only one being different.
As always, someone please correct me if I’m wrong.
It’s just not recommended. You can install them only if you are sure it won’t cause any leaks.
Mullvad FAQ:
Can I install other extensions?
Yes, but that is something we don’t recommend. Extensions could make it possible to identify you through fingerprinting.
They also recommend using third-party password managers:
Why is the built-in password manager disabled?
Use a external password manager, it’s more secure.
Some extensions may inject code into the page, making the browser more fingerprintable.
For example:
While this should be generally recommended, it isn’t completely true. For instance, the Mullvad Browser extension can be removed from the Mullvad Browser without changing your fingerprint.
This what I am thinking too…that there seems to be a smidgen (not much) but some ambiguity there with extensions and if all extensions will cause increased fingerprintability.
But I totally understand that is easier to just blanket recommend to not install any extension, and that it would be impossible for Mullvad to vet all extensions and provide a list of which ones are ok and which ones aren’t ok.
But maybe I have the wrong impression, maybe I am confusing some changes may be ok with some extensions may be ok, and maybe I am totally wrong and all additional/user installed extensions will cause increased fingerprintability.
Unless I hear from MB (@ruihildt) directly that the DDG or Qwacky extension is ok, I will just find another way to access my DDG email aliases.
To my knowledge, all extensions increase fingerprintability. The only “how much so” nuance is how popular the extension is. If you’re the only person in the world using a custom extension, then it’s pretty obvious you’re you. If the only extension you have is a single super popular extension like uBO or Grammarly, then you’re probably not standing out a ton.
AFAIK, websites can see what extensions you have installed. Therefore the more extensions you install, the more unlikely it is that someone else out there has that exact same combination of extensions.
If it helps, here’s a video I did over at The New Oil about browser fingerprinting that should help a lot. It covers extensions but also just fingerprinting in general.
I think there’s a difference between chromium based browsers and gecko based browsers.
In gecko browsers websites can’t see what extensions you have installed so an extension can be detected (or better inferred) if it inject code and modify the web page or expose itself in some way.
So there are actually nuances.
Mullvad browser’s developer apparently confirms
It’s worth noting that the method doesn’t work for Firefox extensions. Firefox extension IDs are unique for each browser instance, making the web-accessible resources URL impossible to detect by third parties.
Even if you could make a nuanced argument about certain extensions or browsers, I would go with the assumption that extensions will increase your fingerprint. Maybe use different browsers or profiles or virtual machines if you need to use extensions. And if you’re concerned about browser fingerprint, use a browser without extensions.
I agree but that’s not the point, doesn’t answer OP question and spread bold dubious claims.
Is that simpler for the average user to follow? Yes
Is that accurate? No
After all we are here to discuss and understand better, right?
I also think people in general obsess too much about fingerprinting, they go with Mullvad or Tor browser and then they find it difficult to daily drive for normal surfing.
So they try to go around that wanting to add extensions and modify settings.
The common sense approach is to have a sane browser with good privacy settings and extensions for everyday stuff without worrying too much about fingerprint and use a separate fingerprint hardened browser for more sensible things.
I don’t think I’m spreading dubious claims by saying one should “assume” it would increase fingerprint. Even though the OP doesn’t intend to auto-fill, does the option to auto-fill increase fingerprint on its own? Maybe it does because it slightly modifies the webpage. Or maybe not because you have to auto-fill to be fingerprinted.
Some extensions actually can’t be fingerprinted, some can only be fingerprinted in some situations or only based on some user interaction, others almost all the time. So there is some nuance needed.
The developer of Qwacky, @Omar, is a member on this forum. You could try asking them directly in the Qwacky thread.
You could also install these extensions in a secondary browser, which you only use to manage your aliases, then copy & paste the aliases into your main browser.
Since this thread has a few conflicting posts about the potential fingerprintability of extensions, I’d like to link to this thread where both @ruihildt (Mullvad) and @jonah (PG) state that extensions aren’t necessarily fingerprintable.
To quote jonah:
Generally it’s just a matter of whether the extension modifies the web page you’re looking at. If it doesn’t and it just displays information about the web page then it wouldn’t.
LibRedirect for example is an extension that isn’t fingerprintable unless you enable embeds (disabled by default).
The internet once again proving the addage that the best way to get answers is not to ask questions, but post the wrong answer and wait to be corrected
Thank you all for correcting me. I didn’t know Firefox had added this feature. Does Brave have something similar? They’re usually pretty innovative. Do other browsers?
I’ve definitely seen many proof-of-concept websites that can tell you exactly what extensions you have installed, some using CSS instead of Javascript. Fingerprinting is complex. I guess advances have been made on the privacy front since then.
