Looking for new maintainer(s) for RAS

[dillbyrne]

Hello all

Firstly I want to say in advance that I wish to avoid a ublock/ublock origin situation so interested parties please keep that in mind.

I have stated before that I was not planning to port the project to web extensions due to various API limitations and lack of time and the fact I was spending the time I had having to fix the addon due to underlying browser changes rather than researching and adding new features (the fun stuff :smile: ). Anyway I'm not here to complain , I understand why mozilla is doing what they are doing and wish them the best of luck.

Now that that is out of the way, I would like to see the addon live on so that users can keep on using it. I have stated before that a team of people would be better suited to a project like this as it is a cat and mouse game with the fingerprinting / anti-privacy side and they have much more resources to throw at the problem.

I think @alct , @Noitidart and @Mylainos would be well suited if they are interested ? Others are of course welcome. Reply below and we can get the ball rolling.

Alct was responsible for the visual redesign of RAS and is involved with the Net Users' Rights Protection Association.

Noitidart is a member of the AMO review team and is a fellow addon dev with a lot of cool addons and a lot of addon development experience.

Mylainos took the initiative and has been working on a webextensions version of RAS for some time but it still requires the nightly version of the browser and an experimental plugin to allow modifications of preferences.

Any interested parties let me know and we'll take it from there. I will sign over the the addon on AMO so users can have a smooth transition to who ever takes over RAS.

For the record and for those who are new to the project, I intended to keep supporting it and improving it before web extensions and the unstable transition got it the way.

I will update this issue with news regarding new developers and what not.

Thanks for all the support along the way.

Dill

[Noitidart]

Thanks @dillbyrne for considering me qualified to help out. I really would love to someday. I am currently busy with a non-code/non-AMO related situation, so I can't right now, but I will definitely look back here after that settles out.

Quick question - is this message a call to put together a team which you would be apart of? Or are you looking to step out completely?

it is a cat and mouse game with the fingerprinting / anti-privacy side and they have much more resources to throw at the problem.

This is so true.

This is really a great addon. Webext has a lot of limitations that will interfere with this. Major props to @Mylainos for be courageous enough to try it out.

And major props to @dillbyrne for maintaining it and growing it to what it became.

[LimboSlam]

Hey @dillbyrne, I'm sorry to hear this. I hope development continues. So, I'll get the word out to some of my fellow add-on/extension buddies. :)

Also, whoever takes over as the new maintainer and decides to stick with the good old XUL/XPCOM, I would like you to know that there is always a place at The Pale Moon Project for this propelling technology.

[dillbyrne]

@Noitidart No problem. I hope it all works out for you :+1:

To answer your question I will be out of the picture but I would available to any person(s) who takeover if they had any questions.

For the user's sake I'm hoping to find others that would be interested in doing a webext version, either by helping Mylainos if he is still interested or building upon his work if not. Any sdk forks are a waste of time at this stage as they will be killed by the switch to web extensions.

@LimboSlam Thanks :+1: . This addon is not xul though. It is built using the addon sdk.

[Osahashi]

209,702 current users and there is no alternative to RAS. Please don't let it die guys! Over 200k people trust in you!

[Drugoy]

I'd rather see RAS officially freeze forever and let the new project have a name like RAS2, RAS+ or RAS-we (webextension).

Why?

Because not everyone is going to go along with mozilla's bullshit, many users will just stay with the older Firefox versions (that still have XUL support). And not just stay - even on new desktops they will install the same older Firefox version (again, just to have XUL support). There are also some 3rd party firefox-based browsers that appeared for the sole purpose to fight against mozilla bullshit.

In that case - those users wouldn't need to figure out what was the last version of RAS that was fully compatible with their browser and the new extension would get the new user base, even statistics would be more precise.

tl;dr: let RAS just die and let new separate extension appear.

[Drugoy]

Also, while we are at it... To whomever becomes the part of the new dev-team (I hope it will be a team):

Can we have RAS finally stop being a swiss-knife/all-in-one combine?

RAS stands for Random Agent Spoofer, one would expect it to change UserAgent of the browser randomly (following some rules, obviously).

What I really never liked about RAS is that it was more than just that and instead provided a bunch of features: some of them were very nice and some I didn't want to because I had a better add-on for that particular function.

Apart from spoofing UserAgent - it also was capable of spoofing referrer (the 'headers' tab in the extension's window). I use Referrer Control (it is abandonware too but it still [kind of] works [with some tricks]) to forge referrers in a smart way than RAS can.

And apart from that it was able to enable and disable various options of the browser, some of which are only accessible via about:config preferences (hidden or not).

Thus RAS's functionality can be decomposed into these three groups: spoof useragent, spoof referrers and tweak browser's options completely unrelated to useragent and referrer but are related to fingerprinting.

I'm asking you to please, please, please make RAS work only with user agent and nothing more. If you feel like other functions are important too - that's fine, I think so too, but they don't have to be a part of this add-on, in my opinion it would be way better if they existed as separate ones.

[RoxKilly]

Thanks @dillbyrne for making this addon. It was one of my great finds once I realized that there was more to the browser than the native experience (I don't think most people are even aware of addons), and it definitely helped sway the balance in Firefox's favor when I considered other browsers.

Best of luck with your future endeavors.

[grezovzky]

@Drugoy I think you have completely misunderstood what RAS is. It is NOT a user agent switcher/spoofer. Had you bothered reading the readme on its GitHub page you would have known that it goes beyond merely spoofing the user agent.

RAS is a privacy enhancing firefox addon which aims to hinder browser fingerprinting. It does this by changing the browser/device profile on a timer. Each browser profile has been tailored to match the actual values used by the target browser as much as possible, within the limits set by firefox.

[Drugoy]

@grezovzky

I think you have completely misunderstood what RAS is. It is NOT a user agent switcher/spoofer.

What does RAS abbreviation stand for?

[grezovzky]

@Drugoy The name is irrelevant because it's clearly stated that RAS is meant to do more than simply changing the user agent. As far as the name goes though, Random Profile Spoofer would be more accurate since what RAS does is change the complete browser profile to match another browser and/or operating system. If you want an addon that only changes the user agent then there are plenty of them for you to choice form. There's no need to cripple the functionality of RAS just for that.

Since this discussion is off-topic and it seems meaningless since you're unable to grasp the concept of RAS I won't be replying anymore.

[akwala]

I also recommend freezing the current version of RAS, like @Drugoy suggested. I am, at the moment, agnostic wrt Mozilla's addon development platform/infrastructure. The example I am thinking of is RequestPolicy, which was resurrected as RequestPolicy Continued. Since RAS would be ported to Web Extensions, this makes all the more sense, especially for those users who want to stick with the pre-Web Extensions version of Firefox.

[anatoli26]

@dillbyrne, thanks for this great add-on! This is the best privacy add-on I've found so far. Have you considered starting a crowd-funding campaign to finance the migration to WE?

@akwala, you can just fork the project and maintain it the way you wish. If there'll be use for the current non-ME version, someone would have to maintain it anyway (even for the most basic things), so if there's enough interest, IMO a fork with a new name would be the most appropriate solution.

[Atavic]

As a long time user who won't go onto the Webextensions bandwagon, I agree with @Drugoy & @akwala

[mylainos]

A lot of features won't work with WE because we can't change the settings anymore.

Should we rewrite everything to WE or should we progressively move part of the extension until being full WE?

[alct]

Hello,

RAS or, to avoid digressing about "is this a proper acronym or not ?", a "tool to help prevent browser fingerprinting" is much needed. It is needed in various aspects:

• scientific: gather scientific papers, research new fingerprinting techniques, counter-measures, document the process (there is no comprehensive knowledge base so far that achieve this goal) ;
• technical: implement these counter-measures into a cross-browser extension ; ask browser vendors to provide us with the right tools/API to achieve our goal ;
• political: raise awareness about the issue and help/encourage browser vendors to natively implement counter-measures.

I have no strong opinion about Web Extensions (WE) because I have little knowledge about this technology, I had the opportunity to discuss with Mozilla developers working on the matter on several occasions and they were always open to discussion and asking for feedback from the community about lacking API / functionalities. Before calling it bullshit or whatever, we should at least try.

On the other hand, we are not living in a bubble, there are other people out there working on this very topic and doing it in an effective way: Tor Browser devs, BrowserLeaks, Panopticlick,... We should try to gather forces.

This being said, I am willing to help for technical aspects related to UX/UI, for scientific aspects related to research and documentation, for political aspects (that's what we already do at NURPA).

To sum all this up, this is what I would suggest:

0. Given that people have shown interest to help/stay around to help, we should make some noise about the fact that RAS, an extension with around 170 000 privacy aware users, is looking for help (reddit, hn, various mailing lists,...) ;
1. We should gather a comprehensive and extensive list of functionalities needed by RAS that are not available as WE yet (@dillbyrne , I think that you are the best suited for this task) and get back to Mozilla about it ;
2. We should get in touch with Tor Browser, BrowserLeaks and Panopticlick/EFF to see how and if we can collaborate together ;
3. We should set up a new maintaining team ;
4. We should lay down a plan about the future of this "tool to help prevent browser fingerprinting".

What do you think?

Best, André

[Atavic]

André I wont say BS about Webextensions, but there are many points that stink about these 'improvements'

• a long paced effort by Mozilla to align Firefox with Google Chrome in both lack of features and stronger corporate control on browser modifications.

• added telemetry both direct and indirect through the various Safebrowsing efforts, and the appearance of entries like datareporting.sessions.current.activeTicks; 0which goes alongside with Windows 10 Telemetry OS.

[mylainos]

Here the list of features of RAS and the compatibility with WE.

When something won't work it will be marked like this:

Won't work ~~Feature~~

A tick mean it's sure and nothing mean we need to search more (what the feature does or what API or workaround can be used).

Your help is welcome :wink:

Profile

• [X] Work with webRequest

Headers (by modifying the header with webRequest)

• [X] Disable Authorization
• [X] Enable DNT (Do Not Track)
• [X] Spoof If-None-Match (ETags)
• [X] Spoof Via using a ***
• [X] Spoof X-Forwarded-For using a ***
• [X] Disable Referer (with privacy.websites.referrersEnabled - not supported in Firefox wet - but maybe with webRequest)
• [X] Spoof Source Referer
• [X] Spoof Accept
• [X] Spoof Accept-Encoding
• [X] Spoof Accept-Language as ***

Options

Script Injection Options (No need to change something from the current implementation)

• [X] script injection (with content_scripts in manifest.json)
• [X] Screen size spoofing
• [X] Protect window.name
• [X] Disable canvas support
• [X] Limit tab history to 2
• [X] Block plugins

Standard Options (Most will work with script injection, and a lot implementation are already done by dillbyrne)

• [X] Limit detectable fonts
• [X] Disable local dom storage
• [X] Disable browsing and download history
• [X] Disable memory cache
• [X] Disable disk cache
• [X] Enable geolocation (can't use a particular service *** I think)
• [X] Disable link prefetching and DNS prefetching (both or none with privacy.network.networkPredictionEnabled)
• [X] Disable webGL
• [X] Disable webRTC (possible to disable the leak of local address with privacy.network.webRTCIPHandlingPolicy)
• [X] Disable pdfjs
• [X] Disable search suggestions
• [X] Disable dom performance
• [X] Disable dom resource timing
• [X] Disable dom user timing
• [X] Disable battery api
• [X] Disable gamepad api
• [ ] Use click to play for plugins
• [X] Block active mixed content
• [X] Block display mixed content
• [X] Disable browser pings (with privacy.websites.hyperlinkAuditingEnabled)
• [X] Disable web beacons (with webRequest but it's maybe not the efficient way)
• [X] Disable clipboard events
• [X] Disable context menu events
• [ ] Enable tracking protection
• [X] Disable CSS visited links

Cookie Options (Self-Destructing Cookies might do a better job here)

• [ ] Cookie Policy:
  • [ ] Allow all
  • [ ] Block all
  • [X] Block third party (with privacy.websites.thirdPartyCookiesAllowed - not supported in Firefox wet)
  • [ ] Allow third party from visited
• [ ] Keep Until:
  • [ ] They Expire
  • [ ] Browser is closed

Reporting Options (Pretty sure addons can't access webrequest of the browser)

• [x] Won't work ~~Disable safe browsing (Google)~~
• [X] Won't work ~~Disable safe browsing downloads check (Google)~~
• [X] Won't work ~~Disable safe browsing malware check (Google)~~
• [X] Won't work ~~Disable health report uploads~~
• [X] Won't work ~~Disable telemetry reports~~

Whitelist

• [X] but not all features can be enable only for 1 website

[mylainos]

And Self-Destructing Cookies also need to be rewrite to WE.

[mylainos]

4. We should lay down a plan about the future of this "tool to help prevent browser fingerprinting".

I think the extension should be updated on AMO and we shouldn't create a new one because 170 000 users will be updated automatically and those who want to stay without WebExt can still have it, just need to set the right version in the compatibility version tag.

The cookies part should be dropped, people who want it will install an WebExt dedicated to that and people who don't want a "tool to help prevent browser fingerprinting" can still have a "tool to help manage cookies".

Look to new way or API that can help us fight browser fingerprinting, like contextualIdentities.

[dillbyrne]

@alct @Mylainos Glad to know you are both interested. My personal circumstances have changed such that I no longer have the time I used to , to devote to Addons. In essence I will be stepping away from the project but will still try to provide advice and PRs from time to time. Once things settle down I would most likely be able to contribute again more regularly as It is something I am passionate about.

To start I'll reply to @alct first

Given that people have shown interest to help/stay around to help, we should make some noise about the fact that RAS, an extension with around 170 000 privacy aware users, is looking for help (reddit, hn, various mailing lists,...)

This is a good idea. It is probably better to wait until we have discussed some issues here first and have a set plan in mind. We don't want a lot of users filling up comments with arguments for example

We should gather a comprehensive and extensive list of functionalities needed by RAS that are not available as WE yet (@dillbyrne , I think that you are the best suited for this task) and get back to Mozilla about it

The thing removing most of the functionality is the not being allowed to modify web extensions. This will not be implemented according to the links below

https://discourse.mozilla-community.org/t/webextension-read-write-access-to-about-config/12268

https://wiki.mozilla.org/WebExtensions/FAQ#Will_I_have_access_to_about:config_or_the_preferences.3F

I have not looked at WE as extensively as the (now old) addon SDK API but going forward I think we would have to write alternate API's for everything that is finger printable and inject them on every page or specific pages. Eg Canvas, WebGL, Audio, Date/Time and so on

So the bulk of the work will be the injection scripts. This approach would keep most of the functionality in the injection scripts and would then be less likely to break as long as mozilla left that particular API alone. General JS seems to be more accessible to the average web dev than addon code so that apporach might be more welcoming to devs too.

I was trying to take this approach with the current injection script with a separate scripts for each API.

We should get in touch with Tor Browser, BrowserLeaks and Panopticlick/EFF to see how and if we can collaborate together

I was aiming to implement as much of the tor browser design document as I could. Also mozilla is slowly integrating certain patches of the tor browser which we should benefit from as long as we don't need to set a preference for it.

https://wiki.mozilla.org/Security/Tor_Uplift

We should set up a new maintaining team

That is what this issue is for :)

We should lay down a plan about the future of this "tool to help prevent browser fingerprinting

I think rewriting offending APIs or at least privacy wrappers around them to strip them or randomize them of identifiable information would be the best approach,

If it is possible to use other scripts inside a content script in WE, Then have a main content script to check what addon specific options the user has chosen an apply the relevant parts of the script to that . This is how it is done now.

As for the future of the addon. I think it makes sense to use @Mylainos branch as the main one as the work has been started or we could make a RAS group and have it under that.

As I said before I would be happy to transfer the AMO account over to you both if you want to make a partial update with WE while the rest of the stuff is worked on.

From a brief read transferring preferences between Addons developed with the SDK to WE is not a straight forward process. Since most of the preferences will be lost anyway I would argue to start the preferences fresh. Normally I would argue against this as the it would mess with the user but in this case (WE) would couldn't change the preferences even if we wanted to.

As for the name It was something I came up with when I was developing it. It is a recognizable name now but if there was a better one proposed I wouldn't be against it, however I think it would be best to wait until a WE version has been released and has gained some traction before any possible re-branding or some users will think the project is dead

@Mylainos

I think the extension should be updated on AMO and we shouldn't create a new one because 170 000 users will be updated automatically and those who want to stay without WebExt can still have it, just need to set the right version in the compatibility version tag.

This makes sense although I'm not sure how we would handle reverting the now unusable about config preferences.

One approach is to put a big warning to before updating to uninstall the current version and the OnUninstall method will be triggered and reset all the preferences, the custom ones will then be removed at the next browser restart.

This would be the cleanest approach since we can't change them in a WE and since most of them will not be applicable in the new version.

The cookies part should be dropped, people who want it will install an WebExt dedicated to that and people who don't want a "tool to help prevent browser fingerprinting" can still have a "tool to help manage cookies".

I think the cookies should be considered in the future at least in a style similar to SDC. something like remove cookies for all sites that are not active on a profile change. This will allow sessions to persist and not log users out while limiting tracking via cookies.

Look to new way or API that can help us fight browser fingerprinting, like contextual Identities

Thanks for the effort you put forward with WE. :+1:

EDIT: fixed formatting

[Drugoy]

Seems like you already made your choice in favor of populism and becoming a combine. As a power user - this saddens me, that's the same approach Mozilla chose. I only hope that someone will write a better add-on to spoof UserAgents in a smarter way.

[Atavic]

People who finds these addons still useful can stay on Firefox ESR (I'll definitely do).

[Drugoy]

@Atavic what does Firefox's version have to do with add-on's version? If you stay on Firefox ESR your RAS add-on will get updated to the web-extensions version and you will lose functionality.

[anatoli26]

@Drugoy, just put the desired version of the add-on in the distribution/bundles or extensions directory where the executable is located. This way it won't be overwritten with newer versions.

[Atavic]

I mean that I don't update neither the browser nor the addons. I keep the ESR as is, in its current working state.

[Drugoy]

@anatoli26 @Atavic I know of that way to preserve the current versions, but it's not comfortable. You go to another PC and need to configure the firefox there. You install the desired ESR version and then have to guess the version that was best compatible with it.

[Drugoy]

This is what can happen to RAS on AMO if you don't let it die and update the existing add-on instead of forking it into a separate extension. Take a look at latest reviews there.

[Atavic]

@Drugoy That's the workaround (explained on top reviews from the AMO link) that I use for the addons I like.

[RdKoyoe]

so the question is who will be maintaining our great RAS?

ps: please dont let it die just like that

[danielcra]

I think the most valuable features in RAS are those based on HTML injection. Is HTML injection still possible with web extensions? If so, why not create a hybrid solution: a guideline how to do changes in about:config manually, plus a new add-on that injects HTML to randomize the return values of the various APIs? Some header spoofing on top and we are done, aren't we?