mirror of
https://github.com/arkenfox/user.js.git
synced 2024-11-22 10:31:40 +01:00
Updated 4.1 Extensions (markdown)
parent
ff0cc2b2a2
commit
fd7a65e994
@ -4,7 +4,7 @@ This list covers privacy and security related extensions only. While we believe
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
🟪 EXTENSIONS
|
#### 🟪 EXTENSIONS
|
||||||
|
|
||||||
* [uBlock Origin](https://addons.mozilla.org/firefox/addon/ublock-origin/) <sup>✔ [Privacy](https://github.com/gorhill/uBlock/wiki/Privacy-policy)</sup> | [GitHub](https://github.com/gorhill/uBlock)
|
* [uBlock Origin](https://addons.mozilla.org/firefox/addon/ublock-origin/) <sup>✔ [Privacy](https://github.com/gorhill/uBlock/wiki/Privacy-policy)</sup> | [GitHub](https://github.com/gorhill/uBlock)
|
||||||
* ⭐ Setup your [blocking mode](https://github.com/gorhill/uBlock/wiki/Blocking-mode)
|
* ⭐ Setup your [blocking mode](https://github.com/gorhill/uBlock/wiki/Blocking-mode)
|
||||||
@ -14,26 +14,23 @@ This list covers privacy and security related extensions only. While we believe
|
|||||||
* Only needed if `1601` is too strict for you, and you override it to default `0` (so Smart Referer works)
|
* Only needed if `1601` is too strict for you, and you override it to default `0` (so Smart Referer works)
|
||||||
* We recommend Strict mode and adding exceptions
|
* We recommend Strict mode and adding exceptions
|
||||||
* [Skip Redirect](https://addons.mozilla.org/firefox/addon/skip-redirect/) | [GitHub](https://github.com/sblask/webextension-skip-redirect)
|
* [Skip Redirect](https://addons.mozilla.org/firefox/addon/skip-redirect/) | [GitHub](https://github.com/sblask/webextension-skip-redirect)
|
||||||
|
* [CanvasBlocker](https://addons.mozilla.org/firefox/addon/canvasblocker/) <sup>✔ [Privacy](https://addons.mozilla.org/firefox/addon/canvasblocker/privacy/)</sup> | [GitHub](https://github.com/kkapsner/CanvasBlocker)
|
||||||
|
* ⭐ non-RFP users only
|
||||||
|
- Good protection against naive scripts, detectable with advanced scripts
|
||||||
|
- Just randomize canvas and audio, maybe webgl if you use that: the rest is not needed
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
🟪 MAYBE
|
#### 🟪 MAYBE
|
||||||
|
|
||||||
* [Header Editor](https://addons.mozilla.org/firefox/addon/header-editor/) | [GitHub](https://github.com/FirefoxBar/HeaderEditor)
|
* [Header Editor](https://addons.mozilla.org/firefox/addon/header-editor/) | [GitHub](https://github.com/FirefoxBar/HeaderEditor)
|
||||||
- Allows you to run rules to modify the request header and response header, cancel a request and redirect a request. Be careful not to alter your passive fingerprint
|
- Allows you to run rules to modify the request header and response header, cancel a request and redirect a request. Be careful not to alter your passive fingerprint
|
||||||
* [Request Control](https://addons.mozilla.org/firefox/addon/requestcontrol/) | [GitHub](https://github.com/tumpio/requestcontrol) | [Manual](https://github.com/tumpio/requestcontrol/blob/master/_locales/en/manual.md) | [Testing links](https://github.com/tumpio/requestcontrol/wiki/Testing-links)
|
* [Request Control](https://addons.mozilla.org/firefox/addon/requestcontrol/) | [GitHub](https://github.com/tumpio/requestcontrol) | [Manual](https://github.com/tumpio/requestcontrol/blob/master/_locales/en/manual.md) | [Testing links](https://github.com/tumpio/requestcontrol/wiki/Testing-links)
|
||||||
* [Redirector](https://addons.mozilla.org/firefox/addon/redirector/) <sup>✔ [Privacy](https://github.com/einaregilsson/Redirector/blob/master/privacy.md)</sup> | [GitHub](https://github.com/einaregilsson/Redirector)
|
* [Redirector](https://addons.mozilla.org/firefox/addon/redirector/) <sup>✔ [Privacy](https://github.com/einaregilsson/Redirector/blob/master/privacy.md)</sup> | [GitHub](https://github.com/einaregilsson/Redirector)
|
||||||
* [CanvasBlocker](https://addons.mozilla.org/firefox/addon/canvasblocker/) <sup>✔ [Privacy](https://addons.mozilla.org/firefox/addon/canvasblocker/privacy/)</sup> | [GitHub](https://github.com/kkapsner/CanvasBlocker)
|
|
||||||
- ⭐ RFP users
|
|
||||||
- This is redundant
|
|
||||||
- Note: If you allow a site exception for canvas, this is not universal: it's one metric and one specific test for that one site: it does not fingerprint you beyond that first party, and it may not even be fingerprinting you
|
|
||||||
- Warning: Some of the APIs will interfere with RFP, as extensions are the last to modify
|
|
||||||
- ⭐ non-RFP users
|
|
||||||
- Good protection against naive scripts, detectable with advanced scripts
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
🟪 TOOLS
|
#### 🟪 TOOLS
|
||||||
|
|
||||||
These extensions will not mask or alter any data sent or received, but may be useful depending on your needs
|
These extensions will not mask or alter any data sent or received, but may be useful depending on your needs
|
||||||
|
|
||||||
@ -51,7 +48,7 @@ These extensions will not mask or alter any data sent or received, but may be us
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
🟪 DON'T BOTHER
|
#### 🟪 DON'T BOTHER
|
||||||
|
|
||||||
* uMatrix
|
* uMatrix
|
||||||
- ⚠️ No longer maintained, the last commit was April 2020 except for a [one-off patch](https://github.com/gorhill/uMatrix/releases/tag/1.4.2) to fix a [vulnerability](https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc)
|
- ⚠️ No longer maintained, the last commit was April 2020 except for a [one-off patch](https://github.com/gorhill/uMatrix/releases/tag/1.4.2) to fix a [vulnerability](https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc)
|
||||||
@ -75,40 +72,18 @@ These extensions will not mask or alter any data sent or received, but may be us
|
|||||||
- Redundant with [Total Cookie Protection](https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/) (dFPI) or FPI
|
- Redundant with [Total Cookie Protection](https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/) (dFPI) or FPI
|
||||||
- ❗️Sanitizing in-session is a false sense of privacy. They do nothing for IP tracking. Even Tor Browser does not sanitize in-session e.g. when you request a new circuit. A new ID requires _both_ full sanitizing _and_ a new IP. The same applies to Firefox
|
- ❗️Sanitizing in-session is a false sense of privacy. They do nothing for IP tracking. Even Tor Browser does not sanitize in-session e.g. when you request a new circuit. A new ID requires _both_ full sanitizing _and_ a new IP. The same applies to Firefox
|
||||||
- ❗️Cookie extensions lack [APIs](https://bugzilla.mozilla.org/1669716) to work with Total Cookie Protection which [will be the default](https://bugzilla.mozilla.org/1731713)
|
- ❗️Cookie extensions lack [APIs](https://bugzilla.mozilla.org/1669716) to work with Total Cookie Protection which [will be the default](https://bugzilla.mozilla.org/1731713)
|
||||||
|
* Anti-Fingerprinting Extensions
|
||||||
|
- Redundant with RFP: We enable RFP by default as the [best solution](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-[To-RFP-or-Not])
|
||||||
|
- Robust, built-in, performant, extra timing mitigations, and doesn't leak
|
||||||
|
- ⭐ If you don't use RFP, then we recommend Canvas Blocker (see above) as your best option
|
||||||
|
- Most extensions cannot protect what they claim:
|
||||||
|
- It's impossible (engine, OS, version)
|
||||||
|
- It's not a lie (the sites expect and use a valid value)
|
||||||
|
- It's dumb (randomizing is not very usable, and/or successfully spoofing is the same as setting that)
|
||||||
|
- It's equivalency
|
||||||
|
- It has too many methods (fonts: at least a dozen methods and counting)
|
||||||
|
- ... and more
|
||||||
|
- Web Extensions lack APIs to properly protect metrics (without breaking basic functionality)
|
||||||
|
- Web Extensions are detectable, and often uniquely fingerprintable, when they touch the DOM (and sometimes when they don't)
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
🟪 Anti-Fingerprinting Extensions... F&%K NO!
|
|
||||||
|
|
||||||
* **DON'T BOTHER** to **USE** extension features to **CHANGE** any RFP protections
|
|
||||||
* Exception: where you can whitelist a site for functionality and you know the risks
|
|
||||||
|
|
||||||
This is not about the merits of randomizing vs lowering entropy: this is about using the best options available. We support RFP (`privacy.resistFingerprinting`) as far superior (in the metrics it so far covers)
|
|
||||||
|
|
||||||
* It is trivial to detect RFP and when you change a RFP metric, you lose your "herd immunity"
|
|
||||||
* i.e.: you just **added** more entropy, very likely unique, compared to the already tiny group of RFP users
|
|
||||||
* Ask yourself why Tor Project recommends you do not change Tor Browser settings and you do not install extensions
|
|
||||||
* RFP is robust and vetted by experts (Mozilla, Tor Project, researchers)
|
|
||||||
* RFP is an enforced set where all users **should be** [1] the same: i.e. uniform, in the same "buckets", or exhibiting the same behavior
|
|
||||||
* [1] Don't fiddle with prefs unless you know what they do
|
|
||||||
* Extensions aren't robust: either lacking APIs, or are poorly designed, or miss all methods, or it's snake oil (impossible)
|
|
||||||
* e.g.: spoof OS? You can't (RFP can do what it likes as it's an enforced set of users)
|
|
||||||
* e.g.: spoof user agent, timezone, locale, or language? navigator properties leak via workers and can leak via other methods such as window.open and iframes
|
|
||||||
* e.g.: spoof screen? css leaks and matchmedia can leak
|
|
||||||
* e.g.: spoof language/locale? Practically impossible, and if (that's a massive "if") it were perfect, then it's no different to setting that as your preferred website language in options
|
|
||||||
* Extensions can often be detected
|
|
||||||
* e.g. script injection and function names
|
|
||||||
* e.g. if not uniquely, then by their behavior and characteristic patterns
|
|
||||||
* note: RFP doesn't care if it can be detected, because all users are the "same"
|
|
||||||
|
|
||||||
If you don't use RFP, then **you're on your own**. And don't rely on entropy figures from test sites. The datasets are not real world, very small, and tainted by both the type of visitors, and by their constant tweaking and re-visits which further poison the results and artificially inflate rare results:
|
|
||||||
* e.g. on Panopticlick [May 2020]
|
|
||||||
* why are 1 in 6.25 (16%) results returning a white canvas (which is statistically only an RFP solution), and 1 in 6.16 (16%) returning a Firefox 68 Windows user agent, and yet Firefox (and Tor Browser) only comprise approx 5% worldwide, **in total** - actual ESR68 users on Windows, and actual RFP users would both be a **tiny fraction** of that
|
|
||||||
* why are 1 in 1.85 (54%) results returning no plugins, when chrome (at 67% market share) and others by default reveal plugin data
|
|
||||||
* remember: very, very, very few users use anti-fingerprinting measures
|
|
||||||
* e.g. at amiunique (https://amiunique.org/stats) [current month: Nov 2020]
|
|
||||||
* over half (51%+) are Firefox .. yeah right!
|
|
||||||
* over three quarters (77%+) are primarily using `en` .. yeah right!
|
|
||||||
* almost a third (31%+) are UTC .. yeah right!
|
|
||||||
|
|
||||||
It takes large real world studies to get the number of results per metric, and it takes a controlled one (one result per browser) to get the distribution in order to get reliable entropy figures. Don't believe the BS.
|
|
||||||
|
Loading…
Reference in New Issue
Block a user