Q&A How anti-fingerprinting extensions tend to make fingerprinting easier

SecurityNightmares

Level 40
Verified
Jan 9, 2020
2,955
Do you have a privacy protection extension installed in your browser? There are so many around, and every security vendor is promoting their own. Typically, these will provide a feature called “anti-fingerprinting” or “fingerprint protection” which is supposed to make you less identifiable on the web. What you won’t notice: this feature is almost universally flawed, potentially allowing even better fingerprinting.

I’ve seen a number of extensions misimplement this functionality, yet I rarely bother to write a report. The effort to fully explain the problem is considerable. On the other hand, it is obvious that for most vendors privacy protection is merely a check that they can put on their feature list. Quality does not matter because no user will be able to tell whether their solution actually worked. With minimal resources available, my issue report is unlikely to cause a meaningful action.

That’s why I decided to explain the issues in a blog post, a typical extension will have at least three out of four. Next time I run across a browser extension suffering from all the same flaws I can send them a link to this post. And maybe some vendors will resolve the issues then. Or, even better, not even make these mistakes in the first place.

Contents​

How fingerprinting works​

When you browse the web, you aren’t merely interacting with the website you are visiting but also with numerous third parties. Many of these have a huge interest in recognizing you reliably across different websites, advertisers for example want to “personalize” your ads. The traditional approach is storing a cookie in your browser which contains your unique identifier. However, modern browsers have a highly recommendable setting to clear cookies at the end of the browsing session. There is private browsing mode where no cookies are stored permanently. Further technical restrictions for third-party cookies are expected to be implemented soon, and EU data protection rules also make storing cookies complicated to say the least.

So cookies are becoming increasingly unreliable. Fingerprinting is supposed to solve this issue by recognizing individual users without storing any data on their end. The idea is to look at data about user’s system that browsers make available anyway, for example display resolution. It doesn’t matter what the data is, it should be:
  • sufficiently stable, ideally stay unchanged for months
  • unique to a sufficiently small group of people
Note that no data point needs to identify a single person by itself. If each of them refer to a different group of people, with enough data points the intersection of all these groups will always be a single person.

How anti-fingerprinting is supposed to work​

The goal of anti-fingerprinting is reducing the amount and quality of data that can be used for fingerprinting. For example, CSS used to allow recognizing websites that the user visited before – a design flaw that could be used for fingerprinting among other things. It took quite some time and effort, but eventually the browsers found a fix that wouldn’t break the web. Today this data point is no longer available to websites.

Other data points remain but have been defused considerably. For example, browsers provide websites with a user agent string so that these know e.g. which browser brand and version they are dealing with. Applications installed by the users used to extend this user agent string with their own identifiers. Eventually, browser vendors recognized how this could be misused for fingerprinting and decided to remove any third-party additions. Much of the other information originally available here has been removed as well, so that today any user agent string is usually common to a large group of people.

Read more:
 
Last edited by a moderator:

Jan Willy

Level 7
Jul 5, 2019
303
Read more:
The author of the article is Wladimir Palant, the man behind the browser extension Adblock Plus. I asked him:
Isn't it a fact that every browser extension (f.i. an adblocker like Adblock Plus) makes your fingerprint (more) unique?
This is his response, that you also can find on How anti-fingerprinting extensions tend to make fingerprinting easier | Almost Secure (palant.info)

1607765825329.png
 

Cortex

Level 26
Verified
Aug 4, 2016
1,515
I only use a couple of extensions I think privatising extensions are more trouble than they are worth & probably decrease your privacy - I've come to the conclusion tracking is part of life now, I do protect my security & feel Brave helps with that - I do feel the amount of tracking that occurs that few people are aware of is OTT but while ever people get nice things for free it's not going to change - But I disagree being tracked greatly by companies I never use & dislike but it's driven by the majority, though they don't get it all their own way :):)
 

oldschool

Level 59
Verified
Mar 29, 2018
4,872
Adblocking/anti-tracking is the only method worth anything when it comes to "privacy" extensions, and I only use whatever fingerprinting protection is built into the browser. Brave, FF and Edge (which uses blocklists). All the rest is just noise, literally and figuratively.
 

plat1098

Level 24
Verified
Sep 13, 2018
1,384
Thanks for the link. Is it the AdGuard DNS that's the problem? I have Cloudflare instead and with DoH plus an imported DNS filter, things are very smooth on here. AdGuard is otherwise working very well and no IPv6 issues for me in Event Viewer (though I had some a couple weeks ago) or any probs w/webpages. IPv6 has remained enabled on here.

The final comment on the GitHub link does say an update is coming in December some time. So, presumably, they have 3 more weeks. After that update, I guess we can switch to AdGuard DNS w/better confidence.
 

SecurityNightmares

Level 40
Verified
Jan 9, 2020
2,955
Is it the AdGuard DNS that's the problem? I have Cloudflare instead and with DoH plus an imported DNS filter, things are very smooth on here. AdGuard is otherwise working very well and no IPv6 issues for me in Event Viewer (though I had some a couple weeks ago) or any probs w/webpages. IPv6 has remained enabled on here.
It's not DNS related but to their Windows program.

You can also check your IPv6 with IPv6 test - IPv6/4 connectivity and speed test (ipv6-test.com) & Testen Sie Ihre IPv6-Konnektivität. (test-ipv6.com)
 

Jan Willy

Level 7
Jul 5, 2019
303
Last edited:

Wladimir Palant

New Member
Oct 29, 2020
3
Also of course he defends his own extension.
For reference: I left Adblock Plus development three years ago. The functionality we are talking about hasn’t been developed by me, I merely happen to be aware of it.

I’m not defending anyone. I was asked a question, so I am trying to explain. For Adblock Plus, avoiding direct detection has always been an important goal, for obvious reasons. Presumably, developers of other ad blockers have this on their radar as well, but I’m not familiar with their code.

So blocking itself increase uniqueness.
That’s what I said as well. Websites can detect that their resources fail to load, and they can conclude that an ad blocker is the reason (which isn’t necessarily the case). Some websites definitely track ad blocker usage. However, as I also said, this isn’t a very reliable fingerprinting vector, and it isn’t too unique either with ad blockers being used by more than 20% of all users. So I doubt that ad blocker usage goes into any fingerprints, websites are interested in it for other reasons.

On the other hand, any extension using web_accessible_resources can be reliably detected by web pages (that’s Chrome-only, Firefox doesn’t allow this), and most extensions appear to use this functionality. So it’s a fair point that extensions generally contribute to a unique fingerprint. This sad state of affairs has much to do with the limitations of Chrome’s extension APIs.
 
Top