I wish browser makers themselves would come out and say what’s what, why, and how when it comes to fingerprinting - it’s open source so we can even look at their claims and assessment for what and why they consider something a fingerprint and how much of that varies per website.
All this discussion while useful will still leave some folks confused as to what’s true, right, wrong, and nuanced when it comes to fingerprinting from all sides.
The thing is that AFAIK the makers aren’t the ones doing the fingerprinting. Sure, there’s some stuff they can probably come out and say “hey this makes you stand out” but since other companies are the ones doing it (and they’re not exactly forthcoming about how they do it to protect their trade secrets), there’s probably other tricks the browser makers don’t even know about. It’s like the zero day marketplace.
Okay I should have been clearer. What I meant is your second sentence. Yes, they could at least be clear on all the ways websites can fingerprint in the browser.
Are all the means really secrets? I mean, they can only do so much that the browser allows them to do, no?
I see.. did not know this.
It’s odd for me to think browser makers are not in “control” of their own creations.
Not all of them, but I did a lot of digging for that video I shared earlier and I came up pretty empty other than the well-known stuff and the stuff you can derive from places like Cover Your Tracks. I quoted one company who said they use “hundreds” of data points. Even if that is marketing exaggeration, that means they’re probably using at least dozens. And as far as I can tell, so far the industry hasn’t had any kind of “whistleblower” come forward and do some kind of “tell all” interview or anything.
Assuming we take the one source’s claims in good faith, that means there’s at least 100 different data points they use to fingerprint, and I’d be pretty shocked if Mozilla or Brave could - again, in good faith - sit down and go “oh yeah, totally, here’s 100 ways you can be fingerprinted.” I’d expect them to be more like “well, maybe these ways?” and then find out “oh yeah you got like, 80% of that right, but also we do these additional things and no we don’t do that but thanks for the idea!” There’s also probably some variation in the industry - some standard things everyone does plus some unique stuff that varies between companies.
I’m just speculating here. Again, it’s a really opaque industry and there’s not a lot of verifiable information I was able to find.
I agree, I was using Firefox with the settings recommended by PG after being overwhelmed at the prospect of installing Arkenfox but…I have long been wanting to use MB and with the new persistent mode coming, and after reading these articles and being convinced Mozilla is now an AI company I made the switch.
I would love to just use FF but I do not really trust [1] much anymore, but I do trust Mullvad and Tor.
[1] the corporate leadership of Mozilla, I think the people building FF and Thunderbird have the best intentions and are privacy focused for the most part
Thanks everyone so much for helping with this and for the great discussion!
It aligns with my hunch - based on little bits I picked up here and there on the forum over the years, some that have been kindly linked above - that there is nuance as to whether an extension will cause more fingerprintability or not. Most probably do, some may not.
As I said above it makes sense to just have a blanket recommendation of do not install any additional extensions. Also there is no way we can obviously expect MB to vet all extensions individually but some clear general guidelines might be helpful and then users can vet extensions (and their permissions and manifests maybe) themselves and make the decision for themselves.
I hope @Omar, @ruihildt and @jonah can maybe chime in and help add clarity to this whole discussion.
Although this from Jonah is pretty clear I think -
Generally it’s just a matter of whether the extension modifies the web page you’re looking at. If it doesn’t and it just displays information about the web page then it wouldn’t.
Seems it comes down to if an extension modifies a web page or not (injects code, modifies the CSS or chrome), and maybe what permissions it has.
For now, until I get confirmation one way or the other, I will just find another way to access my DDG email aliases.
But… the answer is in the links in the posts above.
Modifications of the webpage or web requests are fingerprintable. There may also be different vulnerabilities and external connections. It’s impossible to say definitively - this is allowed, but that isn’t.
DDG - you can’t disable protection for all sites. This definitely cannot be used.
Qwacky - activeTab and scripting are optional permissions. Without them, the extension appears safe and requires permission only for a single site. Still, it cannot be called fully safe, as it uses the DuckDuckGo service and connects to it, so DuckDuckGo can potentially fingerprint you.
I did not know or realize the answer was over on the Techlore forum.
That does answer most of my questions, gives me so much more clarity and understanding of this whole extensions and fingerprintability issue, and confirms my hunch.
Still unsure if the DDG or Qwacky extension will increase fingerprintability though which was my main question so…
But @omar has joined the chat so maybe we can figure that out eventually.
Hello bodin, I’m glad that you found the answer to your question.
Qwacky is built on respect for privacy and freedom of choice, and open source for transparency.
I would be happy and very open to make it even more resistant to fingerprinting.
Thanks for considering Qwacky!
Thanks for joining the discussion Omar! Loving Qwacky so far.
Maybe you could get in touch with @ruihildt and/or the Mullvad Browser team, and maybe @jonah, since they seem to understand what does and what doesn’t make an extension fingerprintable or not.
Would be great to determine if having Qwacky installed leads to being more fingerprintable.
Did you read the thread from Techlore that @Hank kindly linked to? That provides a lot of details from Ruihildt and Jonah about what specifically can impact fingerprintability in an extension.
Maybe the answer is to just wait since Ruihildt said that the fingerprintability of an extension can be determined programmatically and they are wanting to add that to MB to warn users if they attempt to install an extension that will increase fingerprintability.
I did read through the Techlore thread, the explanations from @ruihildt and @jonah were really helpful for understanding what actually makes an extension fingerprintable.
From what I learned there, Qwacky should be pretty safe in its default setup. It doesn’t change web pages or expose extra resources, and its permissions are strictly limited to just the DuckDuckGo API. No broad website access or automatic scripts are running.
The only time there might be any fingerprinting risk is if someone manually enables an optional scripting permission (Autofill feature), but that’s not needed for Qwacky to work normally.
So overall, it seems low risk compared to extensions that modify pages by default. But I agree it would be awesome to have Mullvad’s future tools confirm this automatically for everyone. Looking forward to when that feature rolls out!
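
The manifest-level criteria discussed in this thread (page modification, web-request access, broad host access, optional permissions), sketched as a heuristic audit. This is an added example, not code from any participant, from Qwacky or from Mullvad Browser; the rules, the risk labels and the sample manifests are constructed assumptions.

```javascript
// Heuristic audit of a WebExtension manifest (added example; rules are assumptions
// based on the criteria named in the thread, not Mullvad Browser's planned check).
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const PAGE_OR_REQUEST_PERMS = new Set([
  "scripting", "activeTab", "webRequest", "webRequestBlocking", "declarativeNetRequest",
]);

function flag(list, severity, findings) {
  for (const p of list || []) {
    if (BROAD_HOSTS.has(p)) findings.push({ severity, reason: `broad host access: ${p}` });
    else if (PAGE_OR_REQUEST_PERMS.has(p))
      findings.push({ severity, reason: `can touch pages or requests: ${p}` });
  }
}

function auditManifest(m) {
  const findings = [];
  // Content scripts are injected into matching pages without any user action.
  for (const cs of m.content_scripts || [])
    findings.push({ severity: "default", reason: `content script on ${(cs.matches || []).join(", ")}` });
  // Web-accessible resources are reachable from page context, which can reveal the extension.
  if ((m.web_accessible_resources || []).length > 0)
    findings.push({ severity: "default", reason: "exposes web-accessible resources" });
  flag(m.permissions, "default", findings);
  flag(m.host_permissions, "default", findings);
  // Optional permissions only matter once the user grants them.
  flag(m.optional_permissions, "optional", findings);
  flag(m.optional_host_permissions, "optional", findings);

  let risk = "no-page-modification-declared";
  if (findings.some((f) => f.severity === "default")) risk = "page-visible-by-default";
  else if (findings.length > 0) risk = "only-if-optional-granted";
  return { risk, findings };
}

// Constructed sample manifests (not taken from any real extension).
const injector = {
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  permissions: ["storage", "webRequest"],
  host_permissions: ["<all_urls>"],
};
const apiOnly = {
  permissions: ["storage"],
  host_permissions: ["https://api.example.com/*"],
  optional_permissions: ["activeTab", "scripting"],
};

for (const [name, m] of Object.entries({ injector, apiOnly })) {
  const { risk, findings } = auditManifest(m);
  console.log(name, risk, findings.map((f) => f.reason));
}
```

A manifest check like this only covers what an extension declares; it says nothing about connections the extension makes to its own service.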