It lets you run multiple sessions in one window, where each tab belongs to a specific session with separated cookies and such.
I've got a bunch of tabs where I'm logged in to Facebook, another set where I'm logged in to Google and the rest of them where I'm not logged in to either. Of course they can still use IP matching to track me, but at least it's something...
Privacy Badger is also good for things like this: you can be logged into Facebook, but Privacy Badger will block requests to Facebook from third-party sites.
Privacy Badger is great and goes way beyond other anti-tracking and ad blockers. They also keep an eye on a lot of the CDNs to make sure they're not running sneaky stuff like canvas fingerprinting or using local storage to bypass various protections.
I just wish Privacy Badger didn't force DNT to be enabled. Not only does the entire concept mean trusting the advertising companies implicitly, the header serves to differentiate your traffic.
You're worried about browser fingerprinting? Does any Firefox extension effectively counter that?
From my understanding blocking 3rd party JS is largely insufficient for accomplishing this, regardless of DNT settings.
You may be right regardless that it's better to appear as much like a stock browser as possible, in terms of privacy settings, so DNT should stay disabled. But in practical terms it might not make much of a difference.
I don't know of any tools to block fingerprinting, but here's a cool tool by the EFF for testing how unique your browser is: https://panopticlick.eff.org
Panopticlick is a best guess, only. If you use exactly the same system twice, it should detect that. However, browsers and systems autoupdate frequently, and various other things that are fingerprinted are also not really fixed.
For a single browser session, this should work. Over months, it's harder. A tracker would need to at least be quite aggressive and collect a lot of information to track you, and then be fairly clever in fuzzily matching that in the future if they want to track you over time.
Which isn't to say that short-to-medium term tracking is just fine, but it's not black and white either.
Yes, canvasblocker blocks one kind of fingerprinting. Combined with ublock (or privacybadger) + self destructing cookies and maybe decentraleyes, and a vpn, you are almost there...
Simple blockers actually do a lot of good here - because many of the things that will fingerprint you are not first party sites but 3rd party ad scripts.
None of these measures protect you against tracking, though. And if they don't, why use them? It's better to be honest with yourself and admit how effective tracking is nowadays.
Your user agent plus unique plugin installations plus fonts installed equals a unique fingerprint across IP addresses. The above isn't an exhaustive list, either. There are dozens of tricks to track you.
Is it really that effective? I admit I assumed it was hard to dodge the global advertisement apparatus, but maybe it's possible.
Example: jQuery is sometimes hosted on Google CDNs. You can't block that request without breaking the site, right? But that request sends all your info.
Yes, it's really that effective - blocking the facebook like button doesn't break most websites.
And typically a request for something like jquery from a CDN will contain little more than your IP address and cookies. You can even prevent the cookies from being sent if you want. The only way they could get away with more than this would be to modify the resulting script to grab more info from your machine.
Yes, but they can be trivially blocked or discarded. My main point is that no advanced fingerprinting tactics can be used so the simple means work in the case of most site-breaking things. Privacy Badger eats CDN cookies - that's actually one of its main features, so it will prevent this kind of thing quite nicely without breaking websites.
Privacy badger also blocks referrers to those sites - having only a connecting IP and asking for a copy of jquery isn't exactly privacy breaching in my eyes. Could be any one of many sites that wants it. Not much they can do with that information.
I stayed for so long for that very reason. My usage went down so much, that the only time I logged on was to briefly look at the news feed (of which I hardly recognized anybody anymore. Just posts by peoples' friends of friends).
I decided to just cut it out and hope that I see those people again in real life. If not, then the road goes elsewhere. Feels a little more human.
Yeah, I occasionally go through a lot of posts and click "don't see any more stuff from MYCATS" or whatever. But it's gotten to the point where you just can't stop it that way either. I think "like" now means "see more crap from here" otherwise how would so many people be viewing so much junk.
There's a large number of people on Facebook that I interact with that I don't have email / sms / whatever for. There's also a non-negligible number that I'm happy interacting with on Facebook but not on anything more personal.
That's true for me, too. But I can communicate with those people via other means and have found no downside to doing so. I've been Facebook-free for years now.
But they don't need convincing for us to leave Facebook. My friends who have Facebook also have text, email, phone, and sometimes WhatsApp, Signal, and/or Telegram. AFAIK I haven't ever convinced anyone to leave Facebook, but that hasn't been a barrier to me leaving Facebook at all.
Messenger is the default mode of social organizing among almost all my friends, because everyone has it. I barely ever touch Facebook proper these days.
Facebook is the new smoking, where many users complain about how it clearly negatively affects their lives and then when someone suggests quitting as a solution, random other users who weren't involved jump in to tell them to mind their own business.
Are you going to follow everyone who's harming themselves in any way (alcohol, drugs, food, [insert any other vice]...) to chide about their behaviors?
I'm not chiding anyone about their behaviors. brainfire was saying how they solve their problems with Facebook, and I suggested an easier solution.
Lots of people have problems with Facebook, and I was suggesting a solution to their problems which many people think is untenable, but works well for me. If you don't have problems with Facebook, my comments weren't directed at you.
There's some irony in jumping into someone else's conversation to tell them to mind their own business and stop chiding people for their behavior.
Really love this feature. Incredibly useful for sticky accounts such as google, facebook, twitter, etc. Buttons and scripts follow you everywhere these days.
But it's not just that. It lets you easily open several accounts in parallel. I have 3 github accounts, and can open 3 tabs in 3 clicks with the 3 accounts in parallel. Before that I had to use profiles and it was a pain.
I feel like my Linux user agent is nearly trackable across IP addresses, so few people I know run Linux with Firefox version whatever... but yeah same here: cookies are a non-issue for me. I use a different solution though: self-destructing cookies. Once you closed a tab for more than X seconds (I configured 90 seconds I think), it deletes all cookies (and localstorage etc.) from that domain.
As a Firefox on Linux user I checked one of those sites that tries to estimate how many bits each public aspect of your setup reveals about you. It turned out available fonts was by far the most unique aspect of my setup.
The only surefire way is to disable javascript, extensions, cookies, etc. https://browserleaks.com has a pretty good breakdown of the different techniques you can use. There's another JS technique that probes the hardware to fingerprint a browser too.
Use Tor Browser even if you're not using Tor if you're looking for better privacy. It's modified to mitigate as much as possible. Facebook is just bad. Avoid it at all costs if you value privacy. And it's not just facebook. Sites like facebook, google, etc also use several 3rd party "advertising" (i.e. data gathering) companies to gather data and build profiles on users and share that data with each other. Even on your regular use browser I would highly recommend uBlock Origin and Privacy Badger.
But with such a unique browsing situation you're basically identifiable on that basis alone. Your best bet would be to have your browser present itself as a common browser on a common platform, and block tracking and ads.
UserAgent is still top culprit (16 bits of identifying information) followed by browser plugins (12 bits) then WebGL (12b), canvas (9b), language (if not English nor Chinese) and then fonts at 5 bits.
One thing I don't really like about that site is that it gives browsers worse scores for not unblocking third parties which promise to honor do not track. Surely you're more safe when you don't trust anyone instead of trusting that third parties which honor DNT actually honor it. It kind of reeks of pushing an agenda, which would have been okay (it's the EFF after all) if the tool didn't claim to score your browser on how well it protects you from tracking.
I think randomizing the UA might actually be worse, since it would allow services to fingerprint you across calls more precisely.
The point is to not ever be different from others. Act like the rest of the crowd. By changing your UA every now and then, you stand out, and become easier to identify.
I've been tempted to write something that goes a bit further. I'd like traffic to each site to be routed through proxies with different IP addresses. (Perhaps even to the point where my devices are automatically managing a set of nodes or Lambdas on AWS.)
Along with that, it will still be necessary to fix some browser information leaks that could be used for fingerprinting.
If someone is tempted to beat me to it, go for it!
That's going to break so many websites for you ... Pretty much any service that uses server side sessions across domains. Downloads are often whitelisted to a session, which get invalidated on IP changes.
For exactly those sorts of reasons, I don't expect to apply such a system universally any time soon. In practice I suspect it will only make sense to employ it with a modest number of problematic domains. Currently I use uBlock with javascript defaulting to disabled, manage cookies and local storage, disable referrer headers, etc., but there are still some huge privacy leaks.
On the other hand, it might be possible to devise a solution that works generally but employs white lists or other exceptions for sites that need certain IP-address behavior. That would take a fair amount of effort, but the approach has worked well in similar contexts, such as ad blockers.
The new versions of Safari in iOS 11 and High Sierra have a similar feature by default to prevent tracking. First party cookies work, but third-party cookies are put in a virtual container, so tracking networks that are on NYT and Washington Post can't correlate the cookie. It's a bit more complicated than that in practice, but that's the idea.
I do something similar with chrome users. I like it better because each 'user' is a separate window and I can color scheme which one I'm in with browser themes. The setup takes a while initially, though.
Having multiple container tabs on the same window can be hard to manage & track, at least with the way brave presented it with their numbered session tabs.
Chrome has profiles for this as well. You can also use the PrivateInternetAccess addon which proxies all traffic for that profile alone, and a canvas blocker, in a dedicated Chrome profile. Font fingerprinting is still possible, but beyond that there is no way to associate that profile with anything else.
Old Opera used to have each tab being a separate environment. For some reason we are mostly back to "private windows" now, which aren't separate at all between each other.
We changed that for a reason. No user wants to be logged out that often. Actually most Facebook users probably enter their password one time a month. Less if they use the mobile.
Firefox is integrating a cookie feature from Tor called first-party isolation or double-key cookies. It will separate third-party cookies for each first-party site. If a.com and b.com both load images from evilcorp.com, Firefox will send evilcorp.com different cookies for requests from a.com and b.com. Blocking third-party cookies can break some sites that rely on third-party resources, but first-party isolation should allow each site to work without cookie "crosstalk".
You can test first-party isolation now by flipping the about:config pref "privacy.firstparty.isolate" to true. Beware that there are still bugs that break some sites, which is why the feature is not enabled by default yet. If you find bugs, please report them in Bugzilla! Here is the Firefox bug tracking the integration and known bugs:
Thanks for the tip, I didn't know about that. I'll play with that this weekend. (Definitely not afraid of breaking sites; that's how I learn what they're up to.)
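First-party isolation as described in the comment above, modelled as a toy cookie jar (an added example, not part of the thread and not Firefox's implementation). The hostnames are the ones from that comment; the `CookieJar` and `Tracker` classes and the `uid-N` identifiers are constructed for illustration.

```javascript
// Toy model of a browser cookie jar; not Firefox code. All names are constructed.
class CookieJar {
  constructor(firstPartyIsolate) {
    this.isolate = firstPartyIsolate;
    this.store = new Map(); // jar key -> cookie value
  }
  // Classic jar: keyed by cookie host only. Isolated jar: (first party, cookie host).
  key(firstParty, host) {
    return this.isolate ? `${firstParty}|${host}` : host;
  }
  // Load a resource from `host` while on `firstParty`: send stored cookie, store reply.
  request(firstParty, host, server) {
    const k = this.key(firstParty, host);
    const sent = this.store.has(k) ? this.store.get(k) : null;
    const setCookie = server.handle(firstParty, sent);
    if (setCookie !== null) this.store.set(k, setCookie);
    return sent;
  }
}
// Constructed third party: issues an ID on first sight and logs the embedding site
// of each request (in practice it would learn that from the Referer header).
class Tracker {
  constructor() { this.nextId = 1; this.log = []; }
  handle(site, cookie) {
    const id = cookie === null ? `uid-${this.nextId++}` : cookie;
    this.log.push({ id, site });
    return cookie === null ? id : null; // Set-Cookie only for new visitors
  }
  // Sites seen per ID: the browsing profile the tracker can assemble.
  profiles() {
    const p = {};
    for (const { id, site } of this.log) {
      if (!p[id]) p[id] = [];
      if (!p[id].includes(site)) p[id].push(site);
    }
    return p;
  }
}
// Visit a.com, b.com, then a.com again; both sites embed evilcorp.com.
function browse(firstPartyIsolate) {
  const jar = new CookieJar(firstPartyIsolate);
  const tracker = new Tracker();
  for (const site of ["a.com", "b.com", "a.com"]) {
    jar.request(site, "evilcorp.com", tracker);
  }
  return tracker.profiles();
}
console.log({ classic: browse(false), isolated: browse(true) });
```

With the classic jar the tracker ends up with one ID that spans both sites; with the double-keyed jar it holds two unrelated IDs, while the repeat visit to a.com still gets its own cookie back, which is why sites keep working.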
They can also use screen resolution, fonts you have loaded, plugin versions, canvas serial number, your gpu, and a whole lot of other cross browser things.
Several private windows share the cookies. Try logging into a website in a private window and open that website in another private window and you will be logged in.
Which is a significant flaw in the way incognito windows work with Chrome. If you have a minimized or hidden incognito window, opening a new one beats the purpose of incognito windows…
At the least, you could imagine having a shared session for all the tabs in a same window. But a new incognito window should be clear of any history.
I don't think so: I'm currently logged in on HN. When I open a new private window, I'm logged in as well.
This is really annoying when you always use your web browser in private mode, but don't close it regularly. It means that e.g. youtube already builds a profile about me from my previous searches even though I'm not logged in. If I were that concerned I would close Firefox, but the usability issue is just too big for me. Having the best of both worlds would be awesome.
It depends on whether all private windows have been closed. If you open a new private window when another is already open, you remain logged into sites. If you close all your private windows and then open another, it's a clean slate. (At least for me.)
I can see why they do this but it is actually not what I expected. I'd expect all windows to have their own set of cookies and credentials and for all tabs associated with a window to share them.
Are you logged in in a private window? I use the setting "Always use private browsing mode" in FF52, so all of my windows are in private mode, but whenever I open a new (private) window, I'm still logged in. I suspect you'd get the same behaviour with the default settings, and opening two new private windows.
FWIW, Chrome has the ability to do multi-user. So I have different users for different accounts. I know that's not perfect but it does more or less force me to close and reopen. PITA but worth having nearly defined browser silos.
And in a VPN and I think you get at least some chance at some privacy. Hopefully.
Not exactly. I've a "work" container that retains my work-related sessions (on gmail, issue tracker, etc). So if I come back yesterday, I open a work container and I'm back to work.
Meanwhile, my personal container won't log me with my gmail/work account when I watch cat videos on youtube.
If I used facebook, I'd have a facebook-specific container. Just open a tab in it, and I'm logged in, but no cross-container tracking.
Also, history is retained, and all in one big pool (unlike having actual separate profiles).
https://wiki.mozilla.org/Security/Contextual_Identity_Projec...