Temporary Containers redundant with TCP / FPI?

Open stoically opened this issue 3 years ago • 37 comments
Hey, I've noticed that you mention that TC is redundant with TCP / FPI. From my perspective that is not the case. I've written down my thoughts on that here https://github.com/stoically/temporary-containers/wiki/Comparison#total-cookie-protection and I'd be interested if I'm wrong with my claims?

You also mention that "in-session clearing is a false sense of privacy". Generally I agree, however, with TCP and FPI you get long-term storage. While with TCs the storage is gone together with the container, so I feel like that's a distinction that could still be highlighted. Also, personally, I'd say that if the bar is "everything that doesn't give you full privacy is a false sense of privacy" then that rules out everything besides Tor browser still.

Thanks for your efforts and please let me know if you spot inconsistencies in my perspectives.

Jul 31 '22 17:07 stoically

If your use case is partitioning websites (which I think a lot of privacy-focused people were doing) then they are redundant in that sense. As dFPI partitions websites with ETP Strict, TC is redundant here. Arkenfox has preferences to sanitize on shutdown to prevent persistent storage and does not recommend using custom ETP settings (but setting exceptions instead). The threat model here excludes first party tracking as if you log into sites, they already know who you are. In-session sanitizing won't really do anything without changing your IP on other sites. This is why it's recommended you use Tor Browser if your threat model calls for it.

However, people still use containers for managing multiple accounts, but this doesn't really have anything to do with tracking.

Jul 31 '22 18:07 remyabel2

Yeah, those are all fair points I agree with. But in my mind the wiki paragraph about TC doesn't reflect that properly and makes an incomplete comparison that could easily get misinterpreted if read in isolation.

The threat model here excludes first party tracking as if you log into sites, they already know who you are. In-session sanitizing won't really do anything without changing your IP on other sites.

Obviously I have no hard data to support my perspective here, but I assume that regular ad trackers do rely on storage primarily, as IPs are way too broad nowadays with all the shared ipv4 on mobile and DSL networks going on due to address room shortage. So in-session separation would give you additional protection in this case.

Also without Tor, just clearing all data on browser shutdown is not enough either, you would need to make sure that you get a new IP from your ISP as well. Tho, the TC paragraph does mention that already, yeah.

Jul 31 '22 18:07 stoically

you would need to make sure that you get a new IP from your ISP as well.

Might be an idea for a little add-on actually, that blocks browsing if you still have the same ip when the browser starts. 🤔

Jul 31 '22 19:07 stoically

stoically

however, with TCP and FPI you get long-term storage

that's what sanitizing on shutdown is for. There's also "forget about this site" (right click a history item), "manage data" (selectively), ctrl-shift-del (except it doesn't respect cookie/site-data exceptions yet), and "clear data" (the lot). I get that it's manual rather than done automagically

stoically

you would need to make sure that you get a new IP from your ISP as well

I have already stated IP is an issue. TC doesn't solve that. Neither does sanitizing. That's what VPNs are for. Or as we state in numerous places .. use tor browser if it suits


The point is that partitioning is MOOT, so the only benefits from TC

  • partitioning multiple accounts? you can already do this with say MAC or just built in containers
  • sanitizing in session (and the containers/contextID clearing API is the only one that works AFAIK)
  • that's it

Sanitizing in session IS a false sense of privacy. It's the definition of insanity - doing the same thing over and over again. Is it a bad thing? Not really. Could it help? Sure, bound to somewhere - but not everywhere - it's a FALSE sense of privacy

  • "look guys, I deleted the cookies (or all site data) now I am anonymous again, haha, the fools, i am so awesome"
  • ^ typical user

I am not really interested in propagating this. I've said TC was redundant with FPI years ago. It's still redundant with dFPI.

remyabel2

The threat model here excludes first party tracking

That's actually not such a bad description, but not entirely accurate. For example we don't want (edit) any linkability - e.g. referrals, params, ids. And we obviously sanitize on close (which still does not address the IP problem), but it is built-in and does not require an extension.

Are there edge cases for users to use TC? Sure. If you want to use it, that's on you. But it still doesn't solve the IP problem.

Imagine if I listed it in the maybe section, then I have to add a bunch of info that people don't read, and then don't understand. This is about the fifth issue someone has said my words are incorrect. They are not.

  1. TC's partitioning is moot with dFPI (I just edited the wiki to make that more clear)
  2. TC's sanitizing in session is a false sense of privacy, cuz IPs
  3. not said: sanitizing on close is also a false sense of privacy, cuz IPs
    • but at least we're sanitizing once in a while
  4. not said: it is assumed that we are looking at worst case scenarios, and we want proper full solutions, and I don't have hard data, and IDK who would, how IPs are used to link traffic - but I would say that some platforms are pretty robust, logging everything and they would absolutely have some (benign 1st party?) FPing to assist

Anyway, I find the whole IP issue to be out of scope - we recommend Tor Browser, and there are hundreds of articles/sources for VPN info

If you want to use Firefox to protect against repeat 1st party, outside of a user.js, then go ahead and use a VPN and change it all the time and sanitize on eTLD+1 + scheme close, and don't forget to keep track of when to change your IP to be sure you aren't linked. Sounds way overkill and not something I care to constantly discuss. That's why we recommend Tor Browser

Jul 31 '22 20:07 Thorin-Oakenpants
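
The storage-keying argument in the thread so far, as an added toy model (not code from any participant, from Firefox or from Temporary Containers): it counts how many separate profiles a third-party tracker can build when it joins its log on cookie alone, and when it also joins on IP. `ModelBrowser`, `countProfiles`, `scenario`, the `.example` sites and the jar-key strings are assumptions made for illustration; 203.0.113.7 is a documentation address.

```javascript
// Simplified model, constructed for illustration. Key formats are not Firefox's.
let nextId = 0;

class ModelBrowser {
  constructor(mode) {
    this.mode = mode;      // "none" | "dfpi" | "tc"
    this.jars = new Map(); // jar key -> cookie id held for the embedded tracker
    this.container = 0;    // id of the current temporary container ("tc" only)
  }

  // Which cookie jar does an embedded third party get on this page?
  jarKey(topSite, embedded) {
    if (this.mode === "dfpi") return `${embedded}^partitionKey=${topSite}`;
    if (this.mode === "tc") return `${embedded}^userContextId=${this.container}`;
    return embedded; // unpartitioned: one jar shared across every top-level site
  }

  // Load topSite, which embeds the tracker; return what the tracker observes.
  visit(topSite, embedded, ip) {
    if (this.mode === "tc") this.container += 1; // fresh container per visit
    const key = this.jarKey(topSite, embedded);
    if (!this.jars.has(key)) this.jars.set(key, `id-${++nextId}`);
    const seen = { topSite, ip, cookie: this.jars.get(key) };
    if (this.mode === "tc") this.jars.delete(key); // tab closed, container removed
    return seen;
  }

  sanitizeOnShutdown() {
    this.jars.clear();
  }
}

// Number of distinct profiles when observations sharing ANY of the joinOn
// fields are merged (union-find over the tracker's log).
function countProfiles(observations, joinOn) {
  const parent = observations.map((_, i) => i);
  const find = (i) => (parent[i] === i ? i : (parent[i] = find(parent[i])));
  const firstSeen = new Map();
  observations.forEach((obs, i) => {
    for (const field of joinOn) {
      const k = `${field}:${obs[field]}`;
      if (firstSeen.has(k)) parent[find(i)] = find(firstSeen.get(k));
      else firstSeen.set(k, i);
    }
  });
  return new Set(observations.map((_, i) => find(i))).size;
}

// Two browser sessions, two sites per session, same IP throughout.
function scenario(mode, { sanitize }) {
  const browser = new ModelBrowser(mode);
  const ip = "203.0.113.7";
  const log = [];
  for (let session = 0; session < 2; session++) {
    for (const site of ["news.example", "shop.example"]) {
      log.push(browser.visit(site, "tracker.example", ip));
    }
    if (sanitize) browser.sanitizeOnShutdown();
  }
  return {
    byCookie: countProfiles(log, ["cookie"]),
    byCookieAndIp: countProfiles(log, ["cookie", "ip"]),
  };
}

for (const [mode, sanitize] of [
  ["none", false],
  ["dfpi", false],
  ["dfpi", true],
  ["tc", false],
]) {
  console.log(mode, { sanitize }, scenario(mode, { sanitize }));
}
```

In this model dFPI without sanitizing keeps one long-lived identifier per top-level site, dFPI with sanitize-on-shutdown and temporary containers both yield a new identifier per visit or session, and every setup collapses to a single profile once the tracker joins on the unchanged IP.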

I'm not challenging any of the points made, I'm actually agreeing. I'd just appreciate if the arkenfox wiki paragraph about TC would mention that TC gives you proper storage cleaning, something TCP/FPI does not give you - and that, in this sense, TC is not redundant. Since, if you read that paragraph without having the bigger picture, it might give the impression of it being the same thing.

Whether new storage but still same IP is something to be concerned about is the question of the personal threat model. Clean storage and new IP gives you more privacy, that's for sure.

Jul 31 '22 22:07 stoically

TC gives you proper storage cleaning, something TCP/FPI does not give you

sanitizing on shutdown gives you "proper storage cleaning"

TC is grouped in with "cookie cleaners" as a single entry but has two parts. The first part said "redundant" re 3rd parties are already isolated re dFPI. The second part doesn't say anything about redundancy and is about sanitizing. I mentioned I edited the wiki. I actually removed the word "redundant" in the first bullet point

Nowhere does it say dFPI sanitizes

Jul 31 '22 23:07 Thorin-Oakenpants

damn, I guess I didn't save the wiki edit - weird

Jul 31 '22 23:07 Thorin-Oakenpants

Thanks for the edit, that solves the issue from my perspective, but of course feel free to reopen if you see the need for it.

Aug 01 '22 00:08 stoically

Maybe a tiny suggestion: Calling the section "Don't bother" feels a tiny bit rude. Maybe it could be worded a bit more friendly. 💚

Aug 01 '22 01:08 stoically

Random thought regarding alternative naming: Maybe the sections could be ordered and named by their type of threat model / amount of convenience?

Aug 01 '22 03:08 stoically

Maybe a tiny suggestion: Calling the section "Don't bother" feels a tiny bit rude. Maybe it could be worded a bit more friendly. 💚

Maybe "Redundant"? BTW I love TC 🎩

Aug 01 '22 13:08 GlassGruber

re-opening, because changes are coming

Aug 23 '22 18:08 Thorin-Oakenpants

I am not against using containers, or MAC. I'm not even against TC. Containers provide additional uses (such as multiple logins) and fallbacks/safeguards (see #1448). I'm still going to stick to my guns and say that sanitizing in session is not a valid solution on its own (but it is if it's to reset a login for example - e.g. same as "Forget about this site" - so e.g. bypass paywall limit, fuck yeah, enjoy the popup cookie banner each time though)

Anyway, lumping TC in with don't bothers is a bit harsh. Yes the partitioning is redundant (we're already partitioned, barring bugs), yes sanitizing in session is a false sense of privacy. But contextIDs (or is it contentIDs) are a great secondary isolation feature

Also MAC + VPN support: someone correct me if I'm wrong, but I'm guessing here that the VPN only kicks in on containers you specify, and in future if not already, you can specify what VPN (or exit) to use per container? Anyway, more reasons to highlight container extensions as maybes

Anyway, @stoically .. rejoice

Aug 23 '22 18:08 Thorin-Oakenpants

enjoy the popup cookie banner each time though)

You're almost never going to see cookie prompts when subscribed to one or two Annoyances filters.

But contextIDs (or is it contentIDs) are a great secondary isolation feature

FWIW it's userContextId

and in future if not already, you can specify what VPN (or exit) to use per container?

I think this was already possible since 8.0.2, but

but I'm guessing here that the VPN only kicks in on containers you specify,

is going to cause DNS leaks if you are not behind a full tunnel (e.g. pac) and forgot to manually turn off uBO's CNAME uncloaking option (also discussed on this repo).

But personally it would be nice to have random SOCKS5 proxies per temporary container when it happens.

Aug 24 '22 13:08 Jee-Hex

thanks. yup, there's lots of potential with containers as a simple means to group sets of domains

Aug 24 '22 15:08 Thorin-Oakenpants

@Thorin-Oakenpants Thanks for taking another look!

Regarding the "sanitizing in session" perspective: For me personally that's not why I'm using TC, nor is it something I consider particularly valuable in my day to day browsing. Instead, my threat model allows me to lean more towards the convenience side, which means that I don't delete all data when my browser shuts down. Without TC that would leave me with permanent storage in the long run – and that's what TCs solve for me: They make sure that I don't end up with long-term storage for random browsing, in addition to also isolating sites from each other properly. If I want long-term storage, I use permanent containers for that. Obviously that's not as reliable or privacy-focused as deleting all data when the session ends, but it's way more reliable and privacy-focused than traditional cookie cleaners. Hope that makes sense – otherwise please let me know!

@Jee-Hex

But personally it would be nice to have random SOCKS5 proxies per temporary container when it happens.

Something I started working on, but never finished and probably never will: "Random IPv6 per TC"

  • https://github.com/stoically/temporary-containers/issues/417
  • https://github.com/stoically/temporary-containers/pull/416

It was a fun experiment tho :D

Aug 27 '22 19:08 stoically

I find this discussion very interesting!

But the question could be considered from the other end: If you have some temporary/ephemeral container extension enabled, what more do TCP and dFPI bring to you exactly (under the hypothesis that the extension in use is properly functioning of course).

Moreover, concerning this thread's topic I read here that @ThorinOakenpants wrote:

Sanitizing in-session is a false sense of privacy. They do nothing for IP tracking. Even Tor Browser does not sanitize in-session e.g. when you request a new circuit. A new ID requires both full sanitizing and a new IP. The same applies to Firefox.

The "same ip" question seems to be the basis of the argument.

So, what about using a mechanism assigning different proxies to different containers (btw such extensions appear to exist on AMO, with few users and not updated since quite a long time for sure, but we have a principle discussion here, so let's suppose they are functioning without any bug/leak)?

Edit: Some example of extensions of the "container per proxy" type (just found 3, I didn't test any of them): Container proxy, Container Socks Proxy helper, Simple Container Proxy.

Alternatively, it's probably possible to get half of these features by using a temporary/ephemeral containers extension in conjunction with a proxy PAC.

Aug 29 '22 02:08 Kraxys

So, what about using a mechanism assigning different proxies to different containers (btw such extensions appear to exist on AMO, with few users and not updated since quite a long time, but we have a principle discussion here, so let's suppose they are functioning without any bug/leak)?

It's still inferior to Tor browser. VPNs and proxies offer dubious privacy. You are moving the traffic from your ISP to a VPN, who you have to trust not to log and to trust will not be able to provide your data to third parties (i.e, via subpoena). Even masking your IP, you are still very fingerprintable and even Arkenfox admits this. Using Tor, your fingerprint in theory should be identical to every other Tor user.

Further, Tor uses relays in order to separate the IP from the data. One relay knows who you are, the other relay does not but knows your data, so long as the two cannot be put together, you are in theory browsing anonymously. This of course is defeated if you do not change your browsing habits or if they are able to put 2 + 2 together with a correlation attack, but it is much more difficult to pull off with Tor, and trivial to do with another browser even with anti-fingerprinting measures.

So in other words, if your threat model requires anonymity, Tor is still the best solution. For all other cases, trying to emulate Tor is a false sense of security.

Aug 29 '22 02:08 remyabel2

So, what about using a mechanism assigning different proxies to different containers (btw such extensions appear to exist on AMO, with few users and not updated since quite a long time, but we have a principle discussion here, so let's suppose they are functioning without any bug/leak)?

It's still inferior to Tor browser. VPNs and proxies offer dubious privacy. You are moving the traffic from your ISP to a VPN, who you have to trust not to log and to trust will not be able to provide your data to third parties (i.e, via subpoena). Even masking your IP, you are still very fingerprintable and even Arkenfox admits this. Using Tor, your fingerprint in theory should be identical to every other Tor user.

Further, Tor uses relays in order to separate the IP from the data. One relay knows who you are, the other relay does not but knows your data, so long as the two cannot be put together, you are in theory browsing anonymously. This of course is defeated if you do not change your browsing habits or if they are able to put 2 + 2 together with a correlation attack, but it is much more difficult to pull off with Tor, and trivial to do with another browser even with anti-fingerprinting measures.

So in other words, if your threat model requires anonymity, Tor is still the best solution. For all other cases, trying to emulate Tor is a false sense of security.

Tor is plausibly better but the topic of this thread is not x or y vs Tor but TCP & dFPI vs ephemeral/temporary containers.

No matter what, it is not entirely clear that Tor is extremely superior to the usage of rotating nested independent reputable vpns because:

  1. technically, less risk of ip/dns leaks (each vpn proxifies the whole network activity, not just the web one)
  2. the probability of a server being evil is lesser when it belongs to a reputable vpn provider than when it belongs to the Tor network (particularly concerning the servers acting as exit nodes).

Aug 29 '22 02:08 Kraxys

Tor is plausibly better but the topic of this thread is not x or y vs Tor but TCP & dFPI vs ephemeral/temporary containers.

That part was already discussed earlier. I brought up Tor to illustrate that what you're looking for probably does not offer the privacy advantages you want.

technically, less risk of ip/dns leaks (each vpn proxifies the whole network activity, not just the web one)

And how exactly does Tor leak DNS? If you use Tor with VPNs, this is possible, but should not happen on a regular setup.

the probability of a server being evil is lesser when it belongs to a reputable vpn provider than when it belongs to the Tor network (particularly concerning the servers acting as exit nodes).

Based on what metric? There's been plenty of documented incidents of VPNs either being malicious or incompetent. Regardless, Tor's model is trustless in the sense that you don't NEED to trust the relays because of how it routes traffic. With VPN, you do need to trust the provider. Even with a malicious exit node, if you only visit HTTPS sites, it's not really an issue.

Aug 29 '22 03:08 remyabel2

what more do TCP and dFPI bring to you

  • dFPI nothing much.
  • TCP is more than strict cookie isolation (or whatever the current marketing name for it is). It has tracking-protection, query stripping, referer protection, ...

Aug 29 '22 05:08 rusty-snake

I can't find it now, but there was a thread on HN just the other day where someone (and there were other examples) blocked certain companies, ended up with a completely broken internet and devices would hang (or something)

long story short, there are six or seven companies that control such vast swathes of the backbone and services, that it's become impossible - think Akamai, Cloudflare, AWS, Azure, Alphabet, etc. And IANAE or inside trader but I bet they all log IPs (and probably monetize it) - once someone else has your information (like an IP address), then you have lost control of that info - you do not know nor have any bearing on how that info is shared or sold

The solution can only be: Tor, VPNs.

Side note: this is why LocalCDN is marked as don't bother (which really seems to upset some redditors). If you protect your IP, then it's not needed. If you don't protect your IP, then it's pointless - you are a billion times better off using alternative services than pissing around with a minuscule few libraries

Aug 29 '22 10:08 Thorin-Oakenpants

I can't find it now, but there was a thread on HN just the other day where someone (and there were other examples) blocked certain companies, ended up with a completely broken internet and devices would hang (or something)

https://news.ycombinator.com/item?id=32618018 ?

Aug 29 '22 13:08 Jee-Hex

that's the one: https://news.ycombinator.com/item?id=32618018

Aug 29 '22 13:08 Thorin-Oakenpants

My thoughts on the IP discussion from the targeted ads perspective:

  • Something that became publicly known with regards to abusing IPs for ad purposes, was the fact that Facebook used them to determine the location of users and showing ads based on that: https://9to5mac.com/2018/12/18/facebook-location-privacy-ads-settings/. That kind of technique makes sense for them, given they – and other companies – sell ads, and the more targeted they can deliver the ad, the better they can sell their product.
  • Given that selling ads as targeted as possible is one of their key features, it also means that they have an interest in data sets that are as precise as possible. Mixing IPs into those ad-relevant data sets that do not clearly belong to logged in users – based on storage – would introduce fuzziness into the data sets, since without being logged in it's almost impossible for regular services on the web to assign the user to their respective data set.
  • People and companies using the marketing tools from companies such as Facebook never think in terms of IPs, nor do they have the ability to configure their campaigns based on them. Instead, it's always about target groups and locations.
  • So, basically: Using IPs for location-purposes and logged in users makes sense, trying to identify a user by using them, not so much.

Thought from the security perspective:

  • IPs are logged from services for the purpose of security and accountability. Basically: "How can I get the address of a user to sue them if they abuse my service?"

However, that leaves the question: Why does Tor exist? Why would one want to mask their IP?

  • Tor was invented as a tool to protect state-level actors and especially their international communication. Hence why it made sense to make it a public project, so they can get as much traffic as possible to mask them. Those communications likely still happen over the network. You really don't want to leak your IP – and with that your location – to state-level actors, which obviously do have the means to query ISP databases one way or the other to get your precise location.
  • Tor is especially useful in countries where surfing on or trying to reach the wrong websites could get you actually into jail. In those situations leaking your IP to state-level actors, like the Great Firewall of China, makes you directly identifiable.
  • Tor hidden services are unique in what they make possible. Hosting sites while keeping the hosting party anonymous. Markets and similar sites still are popular targets when using Tor.
  • Since Tor masks your IP, it also prevents that ad companies can serve you ads based on your actual location. It doesn't stop them from showing you ads for the IP you appear to be coming from.
  • In the case services actually try to use the IP to correlate it with you specifically, be it for ads or other purposes, that would be prevented.
  • And Tor lets you circumvent IP-based security measures from services you want to use – if they do not already block all exit nodes.

Just my perspective and no claim that it's complete by any means. If you spot an error or something important that's missing, let me know!

Note: This comment only concerns itself with the IP-perspective. Browser fingerprinting is a different story, even though related to some extent.

Aug 30 '22 07:08 stoically

You bring up some valid points but I disagree on some fronts. First regarding ads and IP tracking. I have all Facebook domains blocked on the DNS level and uBlock Origin also has filter lists for this. If you use Facebook then again arkenfox’s stance is that Facebook already knows who you are. You can use multi account containers to separate accounts, but trying to use Facebook “anonymously” is going to be nearly impossible with the amount of measures they take to identify users.

With Tor, it is true that Tor is useful to protect against state actors. That doesn’t mean you should only use Tor for that purpose. Do and can intelligence agencies snoop on ISPs? Yes. That’s how they do correlation attacks. It does not change anything fundamental about Tor’s security model though. The NSA can snoop on your ISP and the exit node’s ISP, but this alone is not enough to identify you without forensics work (or if the user is browsing without TLS and/or sloppy browsing habits).

Regardless, this isn’t about Tor versus VPNs versus Temporary Containers, more that different tools are useful for different threat models. I suppose my ultimate point that got lost in the confusion is that if you are trying to be anonymous with TC and VPNs, Tor is the better solution. TC and VPNs still have their respective usecases (I personally do not care about VPNs but my thoughts on those does not affect the conversation)

On Aug 30, 2022, at 3:22 AM, stoically @.***> wrote:

My thoughts on the IP discussion from the targeted ads perspective:

  • Something that became publicly known with regards to abusing IPs for ad purposes, was the fact that Facebook used them to determine the location of users and showing ads based on that: https://9to5mac.com/2018/12/18/facebook-location-privacy-ads-settings/. That kind of technique makes sense for them, given they – and other companies – sell ads, and the more targeted they can deliver the ad, the better they can sell their product.
  • Given that selling ads as targeted as possible is one of their key features, it also means that they have an interest in data sets that are as precise as possible. Mixing IPs into those ad-relevant data sets that do not clearly belong to logged in users – based on storage – would introduce fuzziness into the data sets, since without being logged in it's almost impossible for regular services on the web to assign the user to their respective data set.
  • People and companies using the marketing tools from companies such as Facebook never think in terms of IPs, nor do they have the ability to configure their campaigns based on them. Instead, it's always about target groups and locations.
  • So, basically: Using IPs for location-purposes and logged in users makes sense, trying to identify a user by using them, not so much.

Thought from the security perspective:

  • IPs are logged from services for the purpose of security and accountability. Basically: "How can I get the address of my user to sue them if they abuse my service?"

However, that leaves the question: Why does Tor exist? Why would one want to mask their IP?

  • Tor was invented as a tool to protect state-level actors and especially their international communication. Hence why it made sense to make it a public project, so they can get as much traffic as possible to mask them. Those communications likely still happen over the network. You really don't want to leak your IP – and with that your location – to state-level actors, which obviously do have the means to query ISP databases one way or the other to get your precise location.
  • Tor is especially useful in countries where surfing on the wrong websites could get you actually into jail. In those situations leaking your IP to state-level actors, like the Great Firewall of China, makes you directly identifiable.
  • Tor hidden services are unique in what they make possible. Hosting sites while keeping the hosting party anonymous. Markets and similar sites still are popular targets when using Tor.
  • Since Tor masks your IP, it also prevents that ad companies can serve you ads based on your actual location. It doesn't stop them from showing you ads for the IP you appear to be coming from.
  • And Tor lets you circumvent IP-based security measures from services you want to use – if they do not already block all exit nodes.

Just my perspective and no claim that it's complete by any means. If you spot an error or something important that's missing, let me know!

Aug 30 '22 15:08 remyabel2

IP-perspective. Browser fingerprinting is a different story, even though related to some extent.

IP is just another fuzzy data point in FPing. e.g. is it a known tor exit node, is it a VPN, what VPN group, what ISP hub? It can be used or discarded at will to help link footprints

Aug 30 '22 16:08 Thorin-Oakenpants

@remyabel2

You can use multi account containers to separate accounts, but trying to use Facebook “anonymously” is going to be nearly impossible with the amount of measures they take to identify users.

I'd be interested in details, like what kind of ads and what kind of perceived identification. My assumption would be that, given a unique enough browser fingerprint, they might even correlate you to an actual user or shadow account. If not unique enough, or just IP, I'd assume the general connection to a target group in combination with the IP location. My comment was solely about IPs.

That doesn’t mean you should only use tor for that purpose.

Absolutely. I tried to cover that with my point about "If they try identification via IP, it will get harder with Tor". But you might've missed that, given I edited and you replied by E-Mail.

Regardless, this isn’t about Tor versus VPNs versus Temporary Containers, more that different tools are useful for different threat models.

Also agreed. Just wanted to give my perspective on the IP discussion. As for which tools to use and when totally depends on the threat model and desired amount of convenience.

@Thorin-Oakenpants

IP is just another fuzzy data point in FPing. e.g. is it a known tor exit node, is it a VPN, what VPN group, what ISP hub? It can be used or discarded at will to help link footprints

Yep. I just wanted to highlight my focus on IP here. I'd assume that if browser fingerprints are perceived as unique enough, they might even be used to correlate with actual user accounts, not only target groups / locations.

Aug 30 '22 19:08 stoically

I'd be interested in details, like what kind of ads and what kind of perceived identification. My assumption would be that, given a unique enough browser fingerprint, they might even correlate you to an actual user or shadow account. If not unique enough, or just IP, I'd assume the general connection to a target group in combination with the IP location. My comment was solely about IPs.

Not sure what you mean by unique enough browser fingerprint. It does not take that many data points to uniquely identify someone. But when you combine browsers, OS, monitor size, addons installed, etc. you start reaching hundreds of data points. IP by itself is not that useful because users behind NAT or with DHCP can have a new IP assigned regularly. Even if you change your IP regularly, data brokers are quite good at linking profiles together.

Absolutely. I tried to cover that with my point about "If they try identification via IP, it will get harder with Tor". But you might've missed that, given I edited and you replied by E-Mail.

Tor makes it look like you're browsing from a different IP and uses anti-fingerprinting. The two are required in tandem. I believe I mentioned earlier how relay A knows your IP and relay C knows your data, so long as the two cannot be tied together, the user shouldn't be identified (ignoring the usual exceptions like zero days, lack of TLS, sloppy browsing habits).

Yep. I just wanted to highlight my focus on IP here. I'd assume that if browser fingerprints are perceived as unique enough, they might even be used to correlate with actual user accounts, not only target groups / locations.

At this point I think the discussion is starting to tread into anonymity vs privacy territory. Say for the sake of example I have an online identity that is separate from my federated (government) identity. If I do all of my online browsing under that identity, even if people do not tie it to me, for all intents and purposes I am that person. So if a data broker only knows me by John Smith, all of my data can still be linked together to give me targeted advertising even if I attempt to be anonymous. If on the other hand, your goal is to decouple your federated identity from browsing habits, then again Tor is the way to go. There are way too many avenues in which someone can be identified (VPN subpoena, breaches, leaks, username/browsing history correlation, etc.) that makes any solution compared to Tor inadequate.

Aug 30 '22 20:08 remyabel2

IP by itself is not that useful because users behind NAT or with DHCP can have a new IP assigned regularly. Even if you change your IP regularly, data brokers are quite good at linking profiles together.

That's the only point I'm challenging. Given the shortage of IPv4 and all the sharing going on, I don't think it gets used for linking to specific accounts.

Regarding everything else we're on the same page.

Aug 30 '22 20:08 stoically