Panopticlick says browser has a unique fingerprint even with privacy.resistFingerprinting = true and Content Blocking: Strict
Categories: Core :: Privacy: Anti-Tracking, defect
People: Reporter: Klaus-DieterButsch, Unassigned
References: Blocks 1 open bug
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15
Steps to reproduce:
I tested the security of Firefox with Panopticlick. In version 69 I was safe from fingerprinting.
After the update to version 7x I am not safe anymore in the Panopticlick test.
Actual results:
Does your browser protect from fingerprinting? ✗ no
In the Panopticlick test.
Expected results:
Does your browser protect from fingerprinting? ✓ yes
In the Panopticlick test, which is what happened in version 69.
Comment 1•5 years ago
Thanks for the report. Our fingerprinting blocking feature does not make the browser unfingerprintable, but rather blocks known fingerprinting scripts. We do not block any scripts involved in the Panopticlick test, and as such expect the test to say that Firefox is fingerprintable.
You can read more about the feature here: https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/
Comment 2•5 years ago
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
20190520215528
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
20200214155124
(In reply to Steven Englehardt [:englehardt] from comment #1)
> Our fingerprinting blocking feature does not make the browser unfingerprintable, but rather blocks known fingerprinting scripts.
N.B.: Reporter doesn't actually specify if this is about content blocking or privacy.resistFingerprinting. I've seen other privacy.resistFingerprinting bugs in this component, and it seemed like at least a good starting place to investigate what (if any) specific steps would help in this case.
I don't see any difference between a Firefox 69 nightly and the latest. The result still says the browser has a unique fingerprint, with Screen Size and System Fonts being the most unique data points.
Comment 3•5 years ago (Reporter)
To help further, because I would like Firefox to be able to protect from fingerprinting: I am not so sure if it was one version earlier or two that I got the result that Firefox is protecting from fingerprinting in Panopticlick. I then also updated the OS; I do not know if from 10.14.5 to 10.14.6 or just a security update.
But I am disappointed, because I use Safari, Opera and Firefox and have been happy that at least Firefox did protect from fingerprinting.
And now this feature is gone.
Comment 4•5 years ago
(In reply to Klaus-DieterButsch from comment #3)
> To help further, because I would like Firefox to be able to protect from fingerprinting: I am not so sure if it was one version earlier or two that I got the result that Firefox is protecting from fingerprinting in Panopticlick. I then also updated the OS; I do not know if from 10.14.5 to 10.14.6 or just a security update.
> But I am disappointed, because I use Safari, Opera and Firefox and have been happy that at least Firefox did protect from fingerprinting.
> And now this feature is gone.
Thanks! If you did see a positive signal from Panopticlick in the past then you must have privacy.resistFingerprinting enabled as Gingerbread Man suggests. Would you mind confirming by going to about:config, searching for privacy.resistFingerprinting, and verifying that it's set to True?
Tom: is this expected? Do we know how the privacy.resistFingerprinting pref impacts Panopticlick?
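The about:config check requested in comment 4 can also be done offline against the profile's preference files. This is an added example, not part of the bug thread or Mozilla's code; it assumes the standard `user_pref("name", value);` line format of `prefs.js` and `user.js`, assumes the shipped default for this pref is false, and uses constructed sample input.

```python
import re
import sys
from pathlib import Path

PREF = "privacy.resistFingerprinting"
# Firefox stores user-set prefs as: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def read_prefs(text):
    """Map pref name -> raw value for each user_pref() line (last one wins)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines do not match
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def rfp_status(prefs_js="", user_js=""):
    """Effective RFP value and the file that decides it.

    user.js is re-applied at every startup, so it outranks prefs.js.
    Absent from both means the shipped default, assumed here to be false.
    """
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        prefs = read_prefs(text)
        if PREF in prefs:
            return {"enabled": prefs[PREF] == "true", "source": source}
    return {"enabled": False, "source": "default"}


def check_profile(profile_dir):
    """Run the check against a real profile directory (path is the caller's)."""
    def load(name):
        f = Path(profile_dir) / name
        return f.read_text(encoding="utf-8", errors="replace") if f.is_file() else ""
    return rfp_status(load("prefs.js"), load("user.js"))


# Constructed sample of a prefs.js, not taken from the reporter's profile.
SAMPLE_PREFS_JS = """// Mozilla User Preferences
user_pref("browser.contentblocking.category", "strict");
user_pref("privacy.resistFingerprinting", true);
"""

if __name__ == "__main__":
    result = check_profile(sys.argv[1]) if len(sys.argv) > 1 else rfp_status(SAMPLE_PREFS_JS)
    print(result)
```

A `source` of `prefs.js` means the value lives only in the file Firefox rewrites itself; putting the same `user_pref` line in `user.js` makes it re-applied at every startup.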
Comment 5•5 years ago
I don't. I would have expected Panopticlick to uniquely or usually-uniquely identify Firefox, even with RFP enabled - because we do not have any font protection. And alongside window dimensions (even with letterboxing) I bet that's fairly unique.
Comment 6•5 years ago (Reporter)
Thank you very much.
I did check privacy.resistFingerprinting and it has been set to false.
Now I have set privacy.resistFingerprinting to true and now I get the expected results.
It could be that I have done this in an earlier version, and the update has changed it back to false. Which I do not find a good behavior of the update.
Comment 7•5 years ago (Reporter)
I have one additional proposal.
How about setting privacy.resistFingerprinting to true as a default? And all restrictions as defaults, so that Firefox is known for privacy.
I would recommend and like that very much, so I do not have to use TOR all the time.
The fingerprint may be unique, but the user should be able to quickly and easily change the fingerprint to another at any time. Also need a list of pages that will get the unchanged fingerprint (e.g. banks).