Fingerprinting: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(more than 8 years since anyone touched this, mark historical)
No edit summary
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{historical}}
This page tracks the deployment of Firefox's Fingerprinting Protection (FPP) feature.


= Overview =
Other documents that may be relevant depending on the audience:


The EFF published an excellent study in May, detailing some of the various methods of fingerprinting a browser. See http://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick. They found that, over their study of around 1 million visits to their study website, '''83.6% of the browsers seen had a unique fingerprint; among those with Flash or Java enabled, 94.2%'''. This does '''not''' include cookies! They ranked the various bits of information in order of importance (i.e. how useful they are in uniquely identifying a browser): things like UA string, what addons are installed, and the font list of the system. We need to go through these, one by one, and do what we can to reduce the number of bits of information (entropy) it provides. In their study, they placed a lower bound on the fingerprint distribution of 18.1 bits of entropy. (This means that, choosing a browser at random, at best one in 286,777 other browsers will share its fingerprint.)
<ul>
<li> SUMO page more appropriate for end-users of Firefox https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting
<li> SUMO page for end users who might have (accidently or not) enabled Resist Fingerprinting https://support.mozilla.org/en-US/kb/resist-fingerprinting
<li> Firefox's Fingerprinting Protection Architecture in Gory Detail https://docs.google.com/document/d/1FywogzvkWupoUoz4PcCp9nNd6aKOwBN-c2zRu2Xof9Y/edit?tab=t.0
<li> Source Docs on the implementation: https://firefox-source-docs.mozilla.org/toolkit/components/resistfingerprinting/resistfingerprinting/implementation.html
</ul>


= Data =
== Summary ==
''As of Firefox 151 Release, last updated 5/12/26, the following protections are enabled:''


The following data is taken from the published paper, https://panopticlick.eff.org/browser-uniqueness.pdf:
{| class="wikitable"
|-
! Protection !! Desktop FPP !! Android FPP !! Desktop Baseline !! Android Baseline
|-
| CanvasRandomization || Yes || Yes || Yes || Nightly-only
|-
| EfficientCanvasRandomization || Yes || Yes || Yes || Nightly-only
|-
| FontVisibilityLangPack || Yes || Yes || ||
|-
| JSMathFdlibm || Yes || Yes || ||
|-
| MaxTouchPointsCollapse || Yes || Yes || Yes || Nightly-only
|-
| NavigatorHWConcurrencyTiered || Yes || Yes || ||
|-
| ScreenAvailToResolution || Yes || Yes || Yes || Nightly-only
|}


<center>
== Desktop ==
{| border="1" cellpadding="6"
 
|+ '''Entropy of various pieces of browser information'''
{| class="wikitable"
|-
! Protection Name !! Channel !! Version !! Bugs
|-
| rowspan="8" | ScreenAvailToResolution
| colspan="3" | '''Enabled in FPP (PBM) Release as of 143; Enabled in Baseline Release as of 151'''
|-
| Baseline Release
| 151
| {{bug|2032123}}
|-
| Baseline Beta
| 151
| {{bug|2032123}}
|-
| Baseline Nightly
| 150
| {{bug|1990514}}
|-
| FPP (PBM) Release
| 143
| {{bug|1978414}}
|-
| FPP (PBM) Beta
| 143
| {{bug|1978414}}
|-
| FPP (PBM) Nightly
| 143
| {{bug|1978414}}
|-
| colspan="3" | Regressions: {{bug|2016747}}
|-
| rowspan="8" | MaxTouchPointsCollapse
| colspan="3" | '''Enabled in FPP (PBM) Release as of 143; Enabled in Baseline Release as of 151'''
|-
| Baseline Release
| 151
| {{bug|2032123}}
|-
| Baseline Beta
| 151
| {{bug|2032123}}
|-
| Baseline Nightly
| 150
| {{bug|1990514}}
|-
| FPP (PBM) Release
| 143
| {{bug|1978414}}
|-
| FPP (PBM) Beta
| 143
| {{bug|1978414}}
|-
| FPP (PBM) Nightly
| 143
| {{bug|1978414}}
|-
| colspan="3" | Regressions: {{bug|1991701}} (Linux touch disabled by companion fix {{bug|1957658}}, re-enabled in 146/147); {{bug|2021715}} (Linux Wayland count adjusted, 150)
|-
| rowspan="8" | EfficientCanvasRandomization
| colspan="3" | '''Enabled in FPP (PBM) Release as of 145; Enabled in Baseline Release as of 151'''
|-
| Baseline Release
| 151
| {{bug|2032123}}
|-
| Baseline Beta
| 151
| {{bug|2032123}}
|-
| Baseline Nightly
| 150
| {{bug|2021606}}
|-
| FPP (PBM) Release
| 145
| {{bug|1993304}}
|-
| FPP (PBM) Beta
| 145
| {{bug|1993304}}
|-
| FPP (PBM) Nightly
| 145
| {{bug|1993304}}
|-
| colspan="3" | Regressions: {{bug|2025570}} (Google Maps highway labels broken, fixed via RemoteSettings in 150/151)
|-
| rowspan="8" | CanvasRandomization
| colspan="3" | '''Enabled in FPP (PBM) Release as of 120; Enabled in Baseline Release as of 151'''
|-
| Baseline Release
| 151
| {{bug|2032123}}
|-
| Baseline Beta
| 151
| {{bug|2032123}}
|-
| Baseline Nightly
| 150
| {{bug|2021606}}
|-
| FPP (PBM) Release
| 120
| {{bug|1858181}}
|-
| FPP (PBM) Beta
| 120
| {{bug|1858181}}
|-
| FPP (PBM) Nightly
| 115
| {{bug|1825250}} (Nightly-only in 118–119 due to {{bug|1849903}})
|-
| colspan="3" | Regressions: {{bug|1852541}} (Google Meet can't join, fixed 120); {{bug|1876149}} (onshape.com getImageData); {{bug|1882761}} (Google Maps highway symbols); {{bug|1887161}} (canvas getImageData slow in PBM on maps/Airbnb, fixed via SipHash in 134 then superseded by EfficientCanvasRandomization); {{bug|1905884}} (visual bugs on canvas-heavy sites); {{bug|1957426}} (meta); {{bug|1957427}} (wpt.fyi image comparison, fixed via overrides); {{bug|2010274}} (SoundCloud audio waveform broken in PBM/ETP Strict); {{bug|2025570}} (Google Maps Baseline, shared with EfficientCanvasRandomization)
|-
|-
| '''Variable''' || '''Entropy (bits)'''
| rowspan="5" | FontVisibilityLangPack
| colspan="3" | '''Enabled in FPP (PBM) Release as of 118'''
|-
|-
| plugins || 15.4
| FPP (PBM) Release
| 118
| {{bug|1849903}}
|-
|-
| fonts || 13.9
| FPP (PBM) Beta
| 118
| {{bug|1849903}}
|-
|-
| user agent || 10.0
| FPP (PBM) Nightly
| 118
| {{bug|1849903}}
|-
|-
| http accept || 6.09
| colspan="3" | Regressions: {{bug|1827475}} (meta); {{bug|1850672}} (localized font names not in standard list, fixed 118.0.2/119); {{bug|1854950}} (broken rendering on Linux with no native distro fonts, fixed 119/120)
|-
|-
| screen resolution || 4.83
| rowspan="4" | JSMathFdlibm
| colspan="3" | '''Enabled in FPP (PBM) Release as of 134'''
|-
|-
| timezone || 3.04
| FPP (PBM) Release
| 134
| {{bug|1887682}}
|-
|-
| supercookies || 2.12
| FPP (PBM) Beta
| 134
| {{bug|1887682}}
|-
|-
| cookies enabled || 0.353
| FPP (PBM) Nightly
| 134
| {{bug|1887682}}
|-
| rowspan="5" | NavigatorHWConcurrencyTiered
| colspan="3" | '''Enabled in FPP (PBM) Release as of 143'''
|-
| FPP (PBM) Release
| 143
| {{bug|1978414}}
|-
| FPP (PBM) Beta
| 143
| {{bug|1978414}}
|-
| FPP (PBM) Nightly
| 143
| {{bug|1978414}} (renamed and tiered in 144 via {{bug|1984333}})
|-
| colspan="3" | Regressions: {{bug|1984132}}; {{bug|1982336}}
|}
|}
</center>


In all cases, data was either collected or inferred via HTTP, or collected by JS code and posted back to the server via AJAX.
== Android ==


== Plugins ==
{| class="wikitable"
 
|-
The PluginDetect JS library was used to check for 8 common plugins on that platform, plus extra code to estimate the Acrobat Reader version. Data sent by AJAX post.
! Protection Name !! Channel !! Version !! Bugs
 
|-
IE does not allow enumeration via <code>navigator.plugins[]</code>. Starting in Firefox 28 ([https://bugzilla.mozilla.org/show_bug.cgi?id=757726 bug 757726]), Firefox restricts which plugins are visible to content enumerating <code>navigator.plugins[]</code>. This change does not disable any plugins; it just hides some plugin names from enumeration. Websites can still check whether a particular hidden plugin is installed by directly querying <code>navigator.plugins[]</code> like <code>navigator.plugins["Silverlight Plug-In"]</code>.
| rowspan="5" | ScreenAvailToResolution
 
| colspan="3" | '''Enabled in FPP (PBM) Release as of 143; Enabled in Baseline Nightly-only as of 151'''
This code change will reduce browser uniqueness by "cloaking" uncommon plugin names from <code>navigator.plugins[]</code> enumeration. If a website does not use the "Adobe Acrobat NPAPI Plug-in, Version 11.0.02" plugin, why does it need to know that the "Adobe Acrobat NPAPI Plug-in, Version 11.0.02" plugin is installed? If a website does need to know whether the plugin is installed or meets minimum version requirements, it can still check <code>navigator.plugins["Adobe Acrobat NPAPI Plug-in, Version 11.0.02"]</code> or <code>navigator.mimeTypes["application/vnd.fdf"].enabledPlugin</code> (to workaround problem plugins that short-sightedly include version numbers in their names, thus allow only individual plugin versions to be queried).
|-
 
| Baseline Nightly
For example, the following JavaScript reveals my installed plugins:
| 151
 
| {{bug|2032123}}
<pre>
|-
for (plugin of navigator.plugins) { console.log(plugin.name); }
| FPP (PBM) Release
 
| 143
"Shockwave Flash"
| {{bug|1978414}}
"QuickTime Plug-in 7.7.3"
|-
"Default Browser Helper"
| FPP (PBM) Beta
"Unity Player"
| 143
"Google Earth Plug-in"
| {{bug|1978414}}
"Silverlight Plug-In"
|-
"Java Applet Plug-in"
| FPP (PBM) Nightly
"Adobe Acrobat NPAPI Plug-in, Version 11.0.02"
| 143
"WacomTabletPlugin"
| {{bug|1978414}}
 
|-
navigator.plugins["Unity Player"].name // get cloaked plugin by name
| rowspan="5" | MaxTouchPointsCollapse
"Unity Player"
| colspan="3" | '''Enabled in FPP (PBM) Release as of 143; Enabled in Baseline Nightly-only as of 151'''
</pre>
|-
 
| Baseline Nightly
But with plugin cloaking, the same JavaScript will not reveal as much personally-identifying information about my browser because all plugin names except Flash, Shockwave (Director), Java, and QuickTime are hidden from <code>navigator.plugins[]</code> enumeration:
| 151
 
| {{bug|2032123}}
<pre>
|-
for (plugin of navigator.plugins) { console.log(plugin.name); }
| FPP (PBM) Release
 
| 143
"Shockwave Flash"
| {{bug|1978414}}
"QuickTime Plug-in 7.7.3"
|-
"Java Applet Plug-in"
| FPP (PBM) Beta
</pre>
| 143
 
| {{bug|1978414}}
In theory, all plugin names could be cloaked because web content can query navigator.plugins[] by plugin name. Unfortunately, we could not cloak all plugin names because many popular websites check for Flash or QuickTime by enumerating navigator.plugins[] and comparing plugin names one by one, instead of just asking for navigator.plugins["Shockwave Flash"] by name. These websites should be fixed.
|-
 
| FPP (PBM) Nightly
The policy of which plugin names are uncloaked can be changed in the about:config pref <code>plugins.enumerable_names</code>. The pref’s value is a comma-separated list of plugin name prefixes (so the prefix "QuickTime" will match both "QuickTime Plug-in 6.4" and "QuickTime Plug-in 7.7.3"). The default pref cloaks all plugin names except Flash, Shockwave (Director), Java, and QuickTime. To cloak all plugin names, set the pref to the empty string "" (without quotes). To cloak no plugin names, set the pref to magic value "*" (without quotes).
| 143
 
| {{bug|1978414}}
== Fonts ==
|-
 
| rowspan="5" | EfficientCanvasRandomization
System fonts collected by Flash or Java applet, if installed, and sent via AJAX post. Font list was not sorted, which provides a bit or two of additional entropy. We can ask Adobe to either limit this list by default; or ask them to implement an API such that we can provide the list to them; or (made possible by OOPP) replace the OS API calls they use to get the font list, and give them our own. None of these things are easy, but given that this is #1, we should definitely do something here. The fastest option is probably to hack the OS API calls ourselves.
| colspan="3" | '''Enabled in FPP (PBM) Release as of 145; Enabled in Baseline Nightly-only as of 151'''
 
|-
Font lists can also be determined by CSS introspection. We could perhaps reduce the available set to a smaller number of common fonts; and back off (exponentially?) if script attempts to brute-force the list. Could require that sites provide unusual fonts via WOFF?
| Baseline Nightly
 
| 151
== User Agent ==
| {{bug|2032123}}
 
|-
Detected from HTTP header. Pretty simple fix, but has the potential for breakage (as with any UA change!). For instance: <code>Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20100106
| FPP (PBM) Release
Ubuntu/9.10 (karmic) Firefox/3.5.7</code>. Remedies: remove the last point digit in the Firefox and Gecko versions, and the Gecko build date; for Linux, remove distribution and version; possibly remove CPU. Windows is actually the least unique since the OS version string only identifies the major version (e.g. XP), and by far the majority of users are on it.
| 145
 
| {{bug|1993304}}
Remove language and "Firefox" as well?
|-
 
| FPP (PBM) Beta
Boris Zbarsky points out that most parts of the UA lead to bad sniffing.  Irish "ga-IE" and "Minef'''ie'''ld" get detected as IE.  Sites incorrectly sniff based on OS.  Sites sniff for Gecko years rather than Gecko versions.  Going from 3.0.9 to 3.0.10 probably breaks things.  And quite a few sites sniff for "Firefox", which is a threat to the continued freedom of the web.  So removing things from the UA string has a long-term positive effect on compatibility as well as privacy.
| 145
 
| {{bug|1993304}}
:There is another issue with UA spoofing. For some reason, Components.classes and Components.interfaces exist in the content-window javascript namespace. Gregory Fleischer used this to test for the existence of ephemeral interfaces to [http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html fingerprint both OS and Firefox version], down to the minor revision (FF3.5.3 was the latest release at the time). He has a [http://pseudo-flaw.net/content/defcon/dc-17-demos/ number of other fingerprinting demos] you should investigate as well. -- [[User:mikeperry|mikeperry]]
|-
 
| FPP (PBM) Nightly
 
| 145
:Filed [https://bugzilla.mozilla.org/show_bug.cgi?id=http-fingerprint bugs]. [[User:Hsivonen|Hsivonen]] 09:33, 18 June 2010 (UTC)
| {{bug|1993304}}
 
|-
== HTTP ACCEPT ==
| rowspan="6" | CanvasRandomization
 
| colspan="3" | '''Enabled in FPP (PBM) Release as of 120; Enabled in Baseline Nightly-only as of 151'''
Example: <code>text/html, */* ISO-8859-1,utf-8;q=0.7,*;q=0.7 gzip,deflate en-  
|-
us,en;q=0.5</code>. Not sure we can do much here?
| Baseline Nightly
 
| 151
== Screen resolution ==
| {{bug|2032123}}
 
|-
Example: <code>1280x800x24</code>. Can't mess with this, except perhaps to always report "24" for the color depth -- of dubious value.
| FPP (PBM) Release
 
| 120
:Mapping "32" to "24" or vice versa in the color depth would reduce entropy by ~0.9 bits.  May be worthwhile.
| {{bug|1858181}}
 
|-
:Torbutton takes two countermeasures with respect to screen resolution: quantising AvailWidth and AvailHeight, and setting Width and Height to the values of AvailWidth and AvailHeight.  Torbutton currently errs in not doing this if the window is maximised.  These measures might be appropriate in private browsing mode. -- [[User:Pde|Pde]] 03:12, 15 June 2010 (UTC)
| FPP (PBM) Beta
 
| 120
== Timezone ==
| {{bug|1858181}}
 
|-
Too useful to break.
| FPP (PBM) Nightly
 
| 115
== Supercookies ==
| {{bug|1825250}} (Nightly-only in 118–119 due to {{bug|1849903}})
 
|-
The reported entropy includes '''only''' whether the following were enabled: DOM localStorage, DOM sessionStorage, and (for IE) userData. It did '''not''' test Flash LSOs, Silverlight cookies, HTML5 databases, or DOM globalStorage. We can't do anything to prevent testing whether these are enabled, but we can lock them down for third parties, as we will with cookies.
| colspan="3" | Regressions: {{bug|1852541}} (Google Meet can't join, fixed 120); {{bug|1876149}} (onshape.com getImageData); {{bug|1882761}} (Google Maps highway symbols); {{bug|1887161}} (canvas getImageData slow in PBM, fixed via SipHash in 134 then superseded by EfficientCanvasRandomization); {{bug|1905884}} (visual bugs on canvas-heavy sites); {{bug|1957426}} (meta); {{bug|1957427}} (wpt.fyi image comparison, fixed via overrides)
 
|-
For Flash and Silverlight we need to pressure them to implement better APIs for controlling and clearing stored data. This is undoubtedly '''more important''' than anything else on this list, though it was ignored in this study since it does not fit within their definition of fingerprinting. We could be aggressive here by using the new Flash API for private browsing mode very liberally; or do something with the OS APIs as mentioned above.
| rowspan="5" | FontVisibilityLangPack
 
| colspan="3" | '''Enabled in FPP (PBM) Release as of 134 (removed 124–133 via {{bug|1826412}}, re-enabled via {{bug|1928705}})'''
== Cookies enabled ==
|-
 
| FPP (PBM) Release
Irrelevant due to low amount of entropy.
| 134
 
| {{bug|1928705}}
= Extra credit =
|-
 
| FPP (PBM) Beta
Other fingerprinting methods were mentioned, but not included, in the study. A Gartner report on fingerprinting services was referenced in the study, which will undoubtedly be interesting to read.
| 134
 
| {{bug|1928705}}
Examples:
|-
 
| FPP (PBM) Nightly
== Other data acquired via plugins ==
| 118
 
| {{bug|1849903}} (removed in 124 via {{bug|1826412}}, re-added in 134 via {{bug|1928705}})
Undoubtedly Flash and Java provide other interesting tidbits. ActiveX and Silverlight, for example, allow querying the "CPU type and many other details". More study needed here.
|-
 
| colspan="3" | Regressions: {{bug|1946625}} (Brahmic scripts broken on older Samsung Android); {{bug|1956251}} (cxcricket.co Bangla Sangam MN font missing from Android font list)
== Clock skew measurements ==
|-
 
| rowspan="4" | JSMathFdlibm
"41st Parameter looks at more than 100 parameters, and at the core of its algorithm is a time differential parameter that measures the time difference between a user’s PC (down to the millisecond) and a server’s PC." We can't break the millisecond resolution of Date.now, but we could try adding a small (< 100ms) offset to it. This would be generated per-origin, and would last for some relatively short time: life of session, life of tab, etc. Would have to be careful that it can't be reversed.
| colspan="3" | '''Enabled in FPP (PBM) Release as of 134'''
 
|-
:Clock skew measurement isn't really a browser issue; it tends to be exposed by the operating system at the TCP level.  It would be appropriate to assume that an attacker can obtain 4-6 bits of information about the identity of a host by this method.  -- [[User:Pde|Pde]] 02:55, 15 June 2010 (UTC)
| FPP (PBM) Release
 
| 134
::This is not 100% correct. According to [http://www.faqs.org/rfcs/rfc1323.html RFC 1323] sections 3.2 and 4.2.2, timestamps may only be used if the initial syn packet (not syn+ack) contains a timestamp field. This is a property of the client OS, and may be controllable on some platforms. The timestamp value is also not absolute, but is typically some arbitrary number of milliseconds with no specific reference point. TLS also has a timestamp, but this value is fully controlled by Firefox. -- [[User:mikeperry|mikeperry]]
| {{bug|1887682}}
 
|-
:::Agree that one could turn off the TCP RTTM option at the OS layer.  My naive intuition is that all modern OSes have this turned on, and turning it off would be a radical intervention bad for congestion avoidance and  possibly fingerprintable itself.  Note that clock skew is a function of how fast a clock ticks, not of what time the clock has.  An arbitrary reference point is sufficient for measuring clock skew.  -- [[User:Pde|Pde]] 08:23, 9 December 2010 (PST)
| FPP (PBM) Beta
 
| 134
:Note also that it's not just clock skew, but also clock precision that can allow for fingerprinting - both in terms of how long certain operations take on a system and in terms of user action. For example, [http://www.scoutanalytics.com/ Scout Analytics] provides software to fingerprint users based on [http://arstechnica.com/tech-policy/news/2010/02/firm-uses-typing-cadence-to-finger-unauthorized-users.ars typing cadence]. One can also imagine tight loops of timed javascript that fingerprint users based on certain resource-intensive calls. One possibility might be to quantize Date values to the second, and then add random, monotonically increasing amounts of milliseconds to subsequent calls during private browsing mode. -- [[User:mikeperry|mikeperry]]
| {{bug|1887682}}
 
|-
== TCP stack ==
| FPP (PBM) Nightly
 
| 134
"ThreatMetrix claims that it can detect irregularities in the TCP/IP stack and can pierce through proxy servers". Not sure what this means yet.
| {{bug|1887682}}
 
|-
:nmap's host fingerprinting options (and source code) are the first place to start for understanding the TCP/IP stack issues.  Again, there's not much the browser can do about that. 
| rowspan="5" | NavigatorHWConcurrencyTiered
 
| colspan="3" | '''Enabled in FPP (PBM) Release as of 143'''
:As for "pierce through proxy servers", my best guess is that they use the raw socket infrastructure provided by Flash, which does not respect the browser's proxy settings, in order to learn the client's IP.  Not sure if Java and Silverlight have similar problems. -- [[User:Pde|Pde]] 02:58, 15 June 2010 (UTC)
|-
 
| FPP (PBM) Release
== JS behavioral tests ==
| 143
 
| {{bug|1978414}}
Can be used to gather information about whether certain addons are installed, exact browser version, etc. Probably nothing we can do here.
|-
 
| FPP (PBM) Beta
== Recommend privacy-related addons and services ==
| 143
 
| {{bug|1978414}}
"TorButton has evolved to give considerable thought to fingerprint resistance [19] and may be receiving the levels of scrutiny necessary to succeed in that project [15]. NoScript is a useful privacy enhancing technology that seems to reduce fingerprintability."
|-
 
| FPP (PBM) Nightly
"We identified only three groups of browser with comparatively good resistance to fingerprinting: those that block JavaScript, those that use TorButton, and certain types of smartphone."
| 143
 
| {{bug|1978414}} (renamed and tiered in 144 via {{bug|1984333}})
We should study what TorButton does, and see if we can integrate some of its features. We can also recommend it, NoScript, and Flashblock to users. We could suggest improvements to relevant addons, such as providing options for blocking third party but not first party content. (This doesn't strictly solve anything, but makes gathering the data more difficult, since the third party now relies on the first party to collect it.)
|-
 
| colspan="3" | Regressions: {{bug|1984132}}; {{bug|1982336}}
:Unfortunately Flashblock does not appear to prevent Flash from reading and writing LSOs, so it's doubtful it can be relied upon to protect against fingerprinting.  -- [[User:Pde|Pde]] 03:00, 15 June 2010 (UTC)
|}
 
== User interface ==
 
Things like geolocation, database access and such require the user to grant permission for a given site. For geolocation, this is done with an infobar. We should do everything we can to make it clear to users what they're providing, and give them centralized control of those permissions in the privacy panel. This is what the UX privacy proposals seek to do.
 
== HTML5 Canvas ==
 
"After plugins and plugin-provided information, we believe that the HTML5 Canvas is the single largest fingerprinting threat browsers face today." - Tor Project.
Original research: [http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf Pixel Perfect: Fingerprinting Canvas in HTML5], demo: [https://www.browserleaks.com/canvas HTML5 Canvas Fingerprinting].
 
= See Also =
 
* [http://www.chromium.org/Home/chromium-security/client-identification-mechanisms Chromium's list of client identification mechanisms]

Latest revision as of 18:25, 12 May 2026

This page tracks the deployment of Firefox's Fingerprinting Protection (FPP) feature.

Other documents that may be relevant depending on the audience:

Summary

As of Firefox 151 Release, last updated 5/12/26, the following protections are enabled:

Protection Desktop FPP Android FPP Desktop Baseline Android Baseline
CanvasRandomization Yes Yes Yes Nightly-only
EfficientCanvasRandomization Yes Yes Yes Nightly-only
FontVisibilityLangPack Yes Yes
JSMathFdlibm Yes Yes
MaxTouchPointsCollapse Yes Yes Yes Nightly-only
NavigatorHWConcurrencyTiered Yes Yes
ScreenAvailToResolution Yes Yes Yes Nightly-only

Desktop

Protection Name Channel Version Bugs
ScreenAvailToResolution Enabled in FPP (PBM) Release as of 143; Enabled in Baseline Release as of 151
Baseline Release 151 bug 2032123
Baseline Beta 151 bug 2032123
Baseline Nightly 150 bug 1990514
FPP (PBM) Release 143 bug 1978414
FPP (PBM) Beta 143 bug 1978414
FPP (PBM) Nightly 143 bug 1978414
Regressions: bug 2016747
MaxTouchPointsCollapse Enabled in FPP (PBM) Release as of 143; Enabled in Baseline Release as of 151
Baseline Release 151 bug 2032123
Baseline Beta 151 bug 2032123
Baseline Nightly 150 bug 1990514
FPP (PBM) Release 143 bug 1978414
FPP (PBM) Beta 143 bug 1978414
FPP (PBM) Nightly 143 bug 1978414
Regressions: bug 1991701 (Linux touch disabled by companion fix bug 1957658, re-enabled in 146/147); bug 2021715 (Linux Wayland count adjusted, 150)
EfficientCanvasRandomization Enabled in FPP (PBM) Release as of 145; Enabled in Baseline Release as of 151
Baseline Release 151 bug 2032123
Baseline Beta 151 bug 2032123
Baseline Nightly 150 bug 2021606
FPP (PBM) Release 145 bug 1993304
FPP (PBM) Beta 145 bug 1993304
FPP (PBM) Nightly 145 bug 1993304
Regressions: bug 2025570 (Google Maps highway labels broken, fixed via RemoteSettings in 150/151)
CanvasRandomization Enabled in FPP (PBM) Release as of 120; Enabled in Baseline Release as of 151
Baseline Release 151 bug 2032123
Baseline Beta 151 bug 2032123
Baseline Nightly 150 bug 2021606
FPP (PBM) Release 120 bug 1858181
FPP (PBM) Beta 120 bug 1858181
FPP (PBM) Nightly 115 bug 1825250 (Nightly-only in 118–119 due to bug 1849903)
Regressions: bug 1852541 (Google Meet can't join, fixed 120); bug 1876149 (onshape.com getImageData); bug 1882761 (Google Maps highway symbols); bug 1887161 (canvas getImageData slow in PBM on maps/Airbnb, fixed via SipHash in 134 then superseded by EfficientCanvasRandomization); bug 1905884 (visual bugs on canvas-heavy sites); bug 1957426 (meta); bug 1957427 (wpt.fyi image comparison, fixed via overrides); bug 2010274 (SoundCloud audio waveform broken in PBM/ETP Strict); bug 2025570 (Google Maps Baseline, shared with EfficientCanvasRandomization)
FontVisibilityLangPack Enabled in FPP (PBM) Release as of 118
FPP (PBM) Release 118 bug 1849903
FPP (PBM) Beta 118 bug 1849903
FPP (PBM) Nightly 118 bug 1849903
Regressions: bug 1827475 (meta); bug 1850672 (localized font names not in standard list, fixed 118.0.2/119); bug 1854950 (broken rendering on Linux with no native distro fonts, fixed 119/120)
JSMathFdlibm Enabled in FPP (PBM) Release as of 134
FPP (PBM) Release 134 bug 1887682
FPP (PBM) Beta 134 bug 1887682
FPP (PBM) Nightly 134 bug 1887682
NavigatorHWConcurrencyTiered Enabled in FPP (PBM) Release as of 143
FPP (PBM) Release 143 bug 1978414
FPP (PBM) Beta 143 bug 1978414
FPP (PBM) Nightly 143 bug 1978414 (renamed and tiered in 144 via bug 1984333)
Regressions: bug 1984132; bug 1982336

Android

Protection Name Channel Version Bugs
ScreenAvailToResolution Enabled in FPP (PBM) Release as of 143; Enabled in Baseline Nightly-only as of 151
Baseline Nightly 151 bug 2032123
FPP (PBM) Release 143 bug 1978414
FPP (PBM) Beta 143 bug 1978414
FPP (PBM) Nightly 143 bug 1978414
MaxTouchPointsCollapse Enabled in FPP (PBM) Release as of 143; Enabled in Baseline Nightly-only as of 151
Baseline Nightly 151 bug 2032123
FPP (PBM) Release 143 bug 1978414
FPP (PBM) Beta 143 bug 1978414
FPP (PBM) Nightly 143 bug 1978414
EfficientCanvasRandomization Enabled in FPP (PBM) Release as of 145; Enabled in Baseline Nightly-only as of 151
Baseline Nightly 151 bug 2032123
FPP (PBM) Release 145 bug 1993304
FPP (PBM) Beta 145 bug 1993304
FPP (PBM) Nightly 145 bug 1993304
CanvasRandomization Enabled in FPP (PBM) Release as of 120; Enabled in Baseline Nightly-only as of 151
Baseline Nightly 151 bug 2032123
FPP (PBM) Release 120 bug 1858181
FPP (PBM) Beta 120 bug 1858181
FPP (PBM) Nightly 115 bug 1825250 (Nightly-only in 118–119 due to bug 1849903)
Regressions: bug 1852541 (Google Meet can't join, fixed 120); bug 1876149 (onshape.com getImageData); bug 1882761 (Google Maps highway symbols); bug 1887161 (canvas getImageData slow in PBM, fixed via SipHash in 134 then superseded by EfficientCanvasRandomization); bug 1905884 (visual bugs on canvas-heavy sites); bug 1957426 (meta); bug 1957427 (wpt.fyi image comparison, fixed via overrides)
FontVisibilityLangPack Enabled in FPP (PBM) Release as of 134 (removed 124–133 via bug 1826412, re-enabled via bug 1928705)
FPP (PBM) Release 134 bug 1928705
FPP (PBM) Beta 134 bug 1928705
FPP (PBM) Nightly 118 bug 1849903 (removed in 124 via bug 1826412, re-added in 134 via bug 1928705)
Regressions: bug 1946625 (Brahmic scripts broken on older Samsung Android); bug 1956251 (cxcricket.co Bangla Sangam MN font missing from Android font list)
JSMathFdlibm Enabled in FPP (PBM) Release as of 134
FPP (PBM) Release 134 bug 1887682
FPP (PBM) Beta 134 bug 1887682
FPP (PBM) Nightly 134 bug 1887682
NavigatorHWConcurrencyTiered Enabled in FPP (PBM) Release as of 143
FPP (PBM) Release 143 bug 1978414
FPP (PBM) Beta 143 bug 1978414
FPP (PBM) Nightly 143 bug 1978414 (renamed and tiered in 144 via bug 1984333)
Regressions: bug 1984132; bug 1982336