
Bad Firefox version with fingerprinting protection

Open OhSoGood opened this issue 6 years ago • 11 comments

Hi,

A side-effect of using Firefox's built-in fingerprinting protection (for privacy purposes) is that Firefox reports it is version 52. This is not a bug but something voluntarily added by the Mozilla team.

A consequence of this is that forget-me-not is fooled also and its features depending on v58+ are deactivated. Any solution? Should the user be simply asked to confirm activation of these features if the detected version is too low or matches Firefox's fingerprinting fooled version?

OhSoGood avatar Apr 30 '18 07:04 OhSoGood

Hm, good question.. are you talking about privacy.resistFingerprinting? I'll look into it. Allowing the user to enable it manually could be harmful tho, so I'm gonna have to think about it.

Lusito avatar May 01 '18 19:05 Lusito

Yes, this is about privacy.resistFingerprinting

OhSoGood avatar May 02 '18 15:05 OhSoGood

Argh, sorry, wrong topic

Lusito avatar May 07 '18 19:05 Lusito

I have privacy.resistFingerprinting set to true, and FMN is working as expected on Firefox Developer Edition (61.0b8). I would guess that either FMN is no longer fooled by the anti-fingerprinting, or Mozilla have changed the code in pre-release so that extensions are not spoofed in addition to web sites. @OhSoGood, you may want to re-test.

rmenessec avatar May 27 '18 17:05 rmenessec

Indeed, it's fixed even in 60.0.1 if I'm not wrong. Great - nothing to do for ForgetMeNot!

On 27/05/2018 at 19:25, rmenessec wrote:

> I have privacy.resistFingerprinting set to true, and FMN is working as expected on Firefox Developer Edition (61.0b8). I would guess that either FMN is no longer fooled by the anti-fingerprinting, or Mozilla have changed the code in pre-release so that extensions are not spoofed in addition to web sites. @OhSoGood, you may want to re-test.

OhSoGood avatar May 27 '18 17:05 OhSoGood

Actually, I think it's part of the fingerprinting that the reported Firefox Version is the latest ESR release. Pre 60 this was 52, post 60 it is 60.. so if you keep fingerprint protection enabled, FMN will see you as 60 until the next ESR release.

I currently detect the browser version using normal browser techniques instead of reading it with the web-extensions api, as the web-extensions api is asynchronous, and it's not trivial to rewrite this.

So in conclusion, this is still a (theoretical) issue with FMN when features are added that require a higher Firefox version.. I will fix this in one of the upcoming releases. Just takes a bit more time.

Lusito avatar May 27 '18 21:05 Lusito

Here's a little history on the UA spoofing in privacy.resistFingerprinting

  • FF56: 1333651 & 1383495 & 1396468 spoof navigator API (version rounds down to a multiple of 10)
  • FF57: 1393283 spoof as ESR instead of 10s
  • FF59: 1415488 UA leaks over HTTP CONNECT method - fixed as a result of 1419771
  • FF59: 1404608 do not lie about OS (limit to Windows, OSX, Android, or Linux)
  • FF59: 1418672 due to ESR being out of whack and Aurora/Nightly sometimes being ahead of ESR releases, the value is now temporarily hardcoded to 52
  • FF60: 1418162 ESR algorithm fixed for 60+7's

AFAIK, this spoofs the user agent string in headers and navigator objects in JS - i.e. web pages requesting it. It does not cause incompatibility problems with extensions themselves.

If you're talking about AMO (because every website gets the spoof with privacy.resistFingerprinting)... you can still install extensions (because Firefox internally knows what it actually is)

  • 1394448 UA spoof: breaks AMO
    • drag the + Add to Firefox button to the urlbar
    • or right click the + Add to Firefox button and open in a new tab
      • may fail with a message "Firefox prevented this site from asking you to install software on your computer" in which case just refresh the new tab

> this is still a (theoretical) issue with FMN when features are added that require a higher Firefox version

FMN will not break in any way. I am not a developer, so excuse my lack of terminology, but if you need to specify a minimum or maximum version in your manifest or wherever, then do so. Firefox internals know what version you are running, and extensions will install or fail based on that.

tl;dr: Hope that clears it up. RFP's UA spoofing is only about BS'ing web sites, not internally.

Thorin-Oakenpants avatar May 29 '18 11:05 Thorin-Oakenpants

Thanks. Interesting read. Doesn't change anything tho, since the way I'm currently accessing the version is the same way websites access the version, so I do get the wrong version and I do need to check if the version is good for certain features.

Lusito avatar May 29 '18 16:05 Lusito

I'll repeat: RFP's UA spoofing is only about BS'ing web sites, not internally (emphasis added)

> the way I'm currently accessing the version

runtime.getBrowserInfo() is not affected by privacy.resistFingerprinting. I checked with an active FF web.ext developer.

Thorin-Oakenpants avatar May 30 '18 23:05 Thorin-Oakenpants

I know getBrowserInfo is not affected, but it uses a promise based API, i.e. I don't get the results instantly. That's why I've used navigator.userAgent & co to detect the browser version, which gives me the spoofed version. So I'll need to rewrite some code to make this work.

Lusito avatar May 31 '18 00:05 Lusito

OK. Up to you. I guess you could look it up on startup (or first use?) and store it as a session variable?, but I'm not a Web Ext dev

Thorin-Oakenpants avatar May 31 '18 01:05 Thorin-Oakenpants
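
Added example (not part of the thread and not FMN's code): a sketch of the approach discussed above, resolving `runtime.getBrowserInfo()` once at startup and caching the result so later feature checks are synchronous and unaffected by the `privacy.resistFingerprinting` user-agent spoof. `createVersionGate`, `uaMajorVersion`, `fakeBrowser` and the sample user-agent string are hypothetical names and constructed values; the stub stands in for Firefox's `browser` object so the code runs under Node.

```javascript
// Constructed sample: a UA string as a page would see it with RFP on (ESR 60),
// while the real browser is 61.0b8 as in the report above.
const SPOOFED_UA =
  "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0";

// Constructed stand-in for the WebExtensions API. The real
// browser.runtime.getBrowserInfo() resolves to { name, vendor, version, buildID }.
const fakeBrowser = {
  runtime: {
    getBrowserInfo: () =>
      Promise.resolve({ name: "Firefox", vendor: "Mozilla",
                        version: "61.0b8", buildID: "constructed" }),
  },
};

// Synchronous page-style detection: sees whatever RFP chooses to report.
function uaMajorVersion(ua) {
  const m = /Firefox\/(\d+)/.exec(ua);
  return m ? parseInt(m[1], 10) : 0;
}

// Hypothetical helper: ask the extension API once, cache the major version.
// Until the promise settles (or if it fails) the version is 0, so every
// version-gated feature stays off instead of being enabled on a guess.
function createVersionGate(browserApi) {
  let major = 0;
  const ready = browserApi.runtime
    .getBrowserInfo()
    .then((info) => {
      const parsed = parseInt(info.version, 10); // "61.0b8" -> 61
      major = Number.isNaN(parsed) ? 0 : parsed;
      return major;
    })
    .catch(() => 0); // API unavailable: keep gated features disabled
  return { ready, supports: (minMajor) => major >= minMajor };
}

// Startup: kick off the lookup, then enable features once it has resolved.
const gate = createVersionGate(fakeBrowser);
gate.ready.then((real) => {
  console.log("navigator.userAgent major:", uaMajorVersion(SPOOFED_UA));
  console.log("getBrowserInfo major:", real);
  console.log("feature needing 61 enabled:", gate.supports(61));
});
```

In an extension's background script, pass the real `browser` object and wait on `gate.ready` before registering anything that depends on a minimum version.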