Skip to content

3.3 Overrides [To RFP or Not]

Thorin-Oakenpants edited this page Nov 22, 2023 · 24 revisions

🟩 Previous: Overrides [Common]

🟥 SUMMARY

The best any browser can confidently do, excluding Tor Browser and Mullvad Browser, is fool naive scripts. In Firefox the best tool for that is RFP - it is performant, does not leak real values, and has timing mitigations against side channel attacks. If you can handle a few RFP side-effects, cool - otherwise, in Firefox 120+ you can fallback to using FPP (fingerprintingProtection), where FPP subtly randomizes canvas per eTLD+1, per session and per window-mode.


This is a very simple generalized short summary about non Tor Browser browsers that assumes worst case scenarios, ultimate outcomes, and real solutions - I am not interested in debating issues with non-experts.

“One of the major difficulties Thorin experienced in her relationship with the Peacock was learning to distinguish between him pretending to be stupid just to get people off their guard, pretending to be stupid because he couldn't be bothered to think and wanted someone else to do it for him, pretending to be outrageously stupid to hide the fact that he actually didn’t understand what was going on, and really being genuinely stupid." - Douglas Adams


🟪 TOR BROWSER

If your threat model calls for anonymity and advanced fingerprinting protection, then USE TOR BROWSER.


🟪 FINGERPRINTING

If you do nothing on desktop, you are already uniquely identifiable - screen, window and font metrics alone are probably enough - add timezone name, preferred languages, and several dozen other metrics and it is game over. Here is a link to the results of a study done in 2016 showing a 99.24% unique hit rate (and that is excluding IP addresses).

Changing a few prefs from default is not going to make you "more unique" - there is no such thing 1.

Here are some fingerprint protection basics

  • 🔹RULE 1
    • Protect the real value of each metric - it does not matter how it does it
  • 🔹NAIVE
    • A script that "swallows" a randomized value is a "naive" script
    • The more randomized metrics, the greater the chance a script becomes naive
    • Fooling naive scripts does not require a crowd
  • 🔹ADVANCED
    • All randomizing is detectable [this is a fact] - a script that does this is an "advanced" script
    • Advanced scripts are not all the same - i.e they have levels of sophistication
    • Defeating advanced scripts requires a crowd, the larger the better
  • 🔹RULE 2
    • Cover enough metrics
      • Optionally randomized to catch naive scripts
      • Ultimately enough that it becomes too hard or costly or impossible [because all randomizing can be detected]

Only Tor Browser can confidently address advanced scripts: enough metrics covered and a large crowd. The best any other browser can confidently do is fool naive scripts - if you're not convinced, add the loose data points from your IP/VPN.

1 Not to be confused with simple information paradoxes: such as claiming to be blink rather than gecko.


🟪 ARKENFOX

Arkenfox does not and never has, claimed to defeat advanced fingerprinting and does not care if two or three prefs with real-world tangible benefits change any stable metrics, because you are already unique - see the preceding section.

Arkenfox's primary objectives have always been security, privacy and mitigating the very real and substantial forms of tracking such as state and navigational, rather than prioritizing the potential threat of a widespread advanced fingerprinting script.

That said, arkenfox does resist stateless tracking. Do not listen to random non-experts with no knowledge of conditional entropy or surprisals:

  • 🔹 It enables ETP's Fingerprinters (and recommends uBlock Origin)
  • 🔹 It enables RFP
    • RFP is a robust, performant, built-in browser solution that does not leak (see RULE 1)
    • RFP randomizes canvas to catch naive scripts (most scripts are naive with canvas)
      • RFP doesn't require a crowd or care about Tor Browser to fool naive scripts
    • RFP contains timing mitigations as a bonus against many side channel attacks
    • RFP can't make fingerprinting worse, you are already unique if you do nothing

So if a fingerprinting script should run, it would need to be universal or widespread (i.e it uses the exact same canvas, audio and webgl tests among others - most aren't), shared by a data broker (most aren't), not be naive (most are) and not be just first party or used solely for bot detection and fraud prevention (most probably are) 1.

1 That's not to say that fingerprinting is not a threat and won't become more widespread and sophisticated.


🟪 RFP

Due to it's nature, which is effectively breaking web standards whilst protecting 100+ metrics, RFP does cause the odd issue.

  • 🔹BREAKAGE
    • canvas: you can set a site exception either temporarily or permanently 1 🥇 99% of breakage
      • Note: totally randomizing the canvas per execution is by design
        • A trained user can spot a RFP canvas by it's wavy pattern
        • Set/revoke site exceptions via the urlbar or Ctrl-I > Permissions
    • edge cases caused by e.g. http header, timing mitigations, device pixel ratio, and alt key spoofing
  • 🔹 USABILITY
    • timezone is always UTC0
    • prefers-color-scheme is always light

If you can live with that, and you should have a secondary browser for the occasional site glitch, then use RFP as the best solution possible. Otherwise, in Firefox 120+ you can fallback to using FPP (fingerprintingProtection), where FPP subtly randomizes canvas per eTLD+1, per session and per window-mode.

1 Assuming it is even fingerprinting and the exact same canvas test is widespread, this does not compromise your fingerprint - it is a single metric and only on those sites you exempt.


🟩 Next: Apply & Update & Maintain