How Firefox's new SmartBlock feature works

Mozilla introduced the privacy feature SmartBlock 2.0 in Firefox 90, which it released two weeks ago. SmartBlock is part of Firefox's Tracking Protection feature, which is designed to reduce user tracking while using the web browser.

To better understand what SmartBlock is and does, it is necessary to understand how Tracking Protection works in Firefox.

Mozilla introduced Tracking Protection in 2015 in the Firefox web browser and improved the privacy feature several times throughout the years.

All Firefox installations use the standard settings by default; it blocks certain trackers, cookies and other unwanted scripts, but balances protection and performance. Tracking content and cross-site cookies are only blocked in private windows in that mode.

firefox strict tracking protection

Firefox users may switch to strict or custom blocking modes. Strict extends the blocking to all browser windows, making it more effective in the process.

Tracking Protection is not an advertisement blocker; while it may block some ads on the Internet, its main focus is on blocking tracking scripts and elements.

Tip: select the shield icon in Firefox's address bar and then Tracking Content in the menu that opens to display all trackers that Firefox blocked on the active page.

firefox blocked tracking content

SmartBlock

One of the main issues that extensions and browsers face that block tracking scripts is that this may result in sites not working properly. Facebook is a prime example; the sites domains are on many tracking protection lists, including the list that Firefox uses to block tracking for its users.

Problem is, Facebook scripts may be necessary for certain functionality, including the ability to use the Facebook account to sign-in on third-party sites.

If you sign up for certain services, they may allow you to use accounts from popular services such as Google, Microsoft, Twitter or Facebook, to speed up the sign up process. The main benefit of the approach is that sign-up is much faster, and that you will use the credentials of the selected service to sign-in to the site or service.

One of the core disadvantages is that the company that you use to sign-in receives information about it and that its scripts or cookies may be used for tracking purposes.

With Facebook being blocked, selecting Facebook would fail if you'd select Facebook.

Firefox used strict blocking in private browsing mode, and this resulted in certain features to fail for certain sites.

Firefox 90 fixes the compatibility issue with SmartBlock 2.0. Basically, what it does is block all trackers just like before, but when a user interacts with an element, say a "continue with Facebook" button, Facebook scripts are loaded just in time to allow the feature to work as expected.

Firefox allows the script only on sites on which users have signed-in using Facebook or interacted with the "continue" button. On all other sites, Facebook and other tracking scripts continue to be blocked just like before

SmartBlock 2.0 works automatically in Private Browsing Mode; Firefox users who want the protection in regular browsing windows need to switch to Strict tracking protection or use a custom protection that enables the private browsing mode protections in all windows.

Closing Words

Firefox users who use third-party services to create new accounts will benefit from the new feature, provided that they use private browsing mode or set the protection level to strict.

Privacy-conscious users may prefer using their own email addresses, email aliases or throwaway email addresses whenever possible to reduce the amount of data that major organizations such as Facebook, Google or Microsoft collect about them.

Now You: do you use third-party sign-up options to create accounts?

Summary
How Firefox's new SmartBlock feature works
Article Name
How Firefox's new SmartBlock feature works
Description
Firefox 90 introduced an updated version of its SmartBlock tracking protection feature; this guide explains how it works, and how you benefit from it when using Firefox.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. iheartbreave said on July 31, 2021 at 2:57 pm
    Reply

    Sure beats allowing all those trackers by whitelisting them like Brave

    1. Iron Heart said on July 31, 2021 at 4:06 pm
      Reply

      No, it doesn’t. Firefox also whitelists the scripts in the end, doesn’t it? Also, those scripts aren’t, and never were, tracking scripts:

      https://nakedsecurity.sophos.com/2019/02/12/privacy-browser-braves-user-concern-over-facebook-whitelist/

      Stop the fake news if you want to be heard.

      PS: Good to know that I am still living in your head rent-free, judging by your nick.

      1. iheartbrave said on August 1, 2021 at 6:49 am
        Reply

        > Firefox also whitelists the scripts in the end, doesn’t it?

        I see you cannot read. It does not “whitelist the script in the end” – it only does that it if the user requires it, rather than allowing it on all sites like Brave

      2. Iron Heart said on August 1, 2021 at 10:19 am
        Reply

        1) I see you have no logic:

        > It does not “whitelist the script in the end” – it only does that it if the user requires it,

        So… it does whitelist it in the end, alright?

        2) Who cares. The scripts that were whitelisted are not tracking scripts. Read the link I’ve posted.

        3) Brave does it in a sane way: https://www.trishtech.com/wp/wp-content/uploads/2020/02/brave-social-media-blocking-0-1280×720.jpg If I have an account on any such platform, I can let it whitelist certain necessary scripts, while I keep excluding the other platforms. If I have deselected all options, it won’t whitelist anything, not even by accident (mistaken click).

    2. iheartbrave said on August 2, 2021 at 5:41 pm
      Reply

      I shall attribute to malice what could be explained by incompetence, because the number of times your incompetence has been on display at ghacks is almost immeasurable: I’ll leave it up to you to tell users which of the two you are: ignorant or a Firefox troll

      > Firefox also whitelists the scripts in the end, doesn’t it?
      > So… it does whitelist it in the end, alright?

      default blocked !== whitelisted in the end

      And there’s a massive difference between permanent global switches (Brave: for a couple of SSOs) and temporary per site allowances (via heuristics) (Firefox: scales to infinity and beyond)

      Keep super-spreading those big lies and twisting everything. The reality is that most of what Brave does is theater and/or inferior, because they are not browser makers, they are an advert company. Five years they’ve had and all they have to show is a few minor (but welcome) improvements

      Meanwhile, Firefox engineers real solutions, like Smart Block and Total Cookie Protection

  2. ULBoom said on July 31, 2021 at 3:02 pm
    Reply

    >do you use third-party sign-up options to create accounts?<

    Never.

    FB has reached a new low, you can only visit a page for short period of time before it kicks you out and demands you log in to continue, Pinterest (where everything goes to die) style.

    Brilliant maneuver, great way to treat businesses who gave up a website to use FB instead.

    1. Barry said on August 1, 2021 at 1:18 am
      Reply

      > businesses who gave up a website to use FB instead

      Only a shortsighted and foolish business owner would have ever considered that to be a good idea.

      1. ULBoom said on August 2, 2021 at 3:36 am
        Reply

        Some businesses just want an online presence. They offer services that can’t be done without physically contacting the business and signing contracts at their physical site. No online sales.

        Basically, they want advertising. It used to work, if you consider facebook’s idiotic format of an ever changing wall of bad photos and lame comments a good way to show who you are. I don’t.

        It’s low for facebook to suddenly do this, it affects a huge number of low profit, simple businesses that can’t build a website and everything else on that lousy platform.

        If they’re forced off, facebook did them a favor.

  3. finoderi said on July 31, 2021 at 5:51 pm
    Reply
    1. braveextortsadvertisers said on August 4, 2021 at 5:10 pm
      Reply

      it’s more relevant when you compare same months and indicate time
      – July 29 2019 (224M) to July 27 2020 (211M) is 13M or a drop of 5.8%
      – July 27 2020 (211M) to July 26 2021 (198M) is 13M or a drop of 6.2%

  4. anonymous said on July 31, 2021 at 7:01 pm
    Reply

    Facebook is a commercial surveillance tool (among other things) that should be avoided at all costs. It doesn’t matter to me if it’s “broken” as I use a browser. (And, actually, I feel the same about Google’s tracking.)

  5. ddk said on July 31, 2021 at 7:40 pm
    Reply

    I recently ditched Firefox as it’s so buggy now with a lot of sites not rendering properly and much slower than Chromium.

    Just my opinion but Ungoogled Chromium seems to be the best of the bunch.There’s a lot of other factors involved with browser performance and speed. Regarding those, I reset DNS from time to time using DNS Jumper and as of now, Sprint DNS appears to be the fastest based on tests. Another nifty tool is from Speedguide net called TCP Optimizer. This one changes some parameters involving internet connections.

    Trying to balance privacy, security & performance can be tough. Corps like Facebook, Twitter, Amazon et al are always conniving behind users backs to break stuff.

    1. ULBoom said on August 2, 2021 at 4:21 am
      Reply

      OMG, ungoogled chromium is almost unusable unless you hack the ungoogled and add extensions. It’s great for showing users how much of chromium is google since it barely works with google removed. It’s a few steps from CLI browsers. I wish it did work better, great concept.

      Try the first green one here, the second is ungoogled. Still stuck with webRTC on any chromium. AdGuard (the program, not extension) can block that externally.

      https://chromium.woolyss.com/

      You still have to go through page after page of flags and settings to disable most of chromium’s spyware. It only deletes cache/history after starting so it can reestablish all its tendrils first. Does not ever natively delete all that stuff on shutdown regardless of what it says. Three good extensions:

      Forget Button – Clean your Browser
      click before closing to clean caches
      and
      New Tab Redirect
      to set new tab pages to whatever you want
      and
      AdGuard
      without this, browsing is fairly miserable. Buy the program later, it works with any browser and is much faster than any extension.

      Set DNS in your router, not in a device and be sure you get the settings right so that your IPS isn’t first choice unknowingly. Usually, there’s an auto setting that overrides your entries for the IPS’s, disable it. DNS performance is variable and there are only a few services with privacy. Add DNSWatch (the german one) to the list here:
      https://www.privacytools.io/

      TCP Optimizer has been obsolete and fairly dangerous for years, don’t use it, all that stuff was worked out long ago. It’s OK for ancient computers, maybe. Browsing can be messed up by router settings/firmware, the OS, drivers, most anything in the chain.

      Try FF ESR, it’s smaller, faster and smoother. If you learn about:config and set it up right, FF smokes any Chromia. Find arkenfox on github for the ultimate lists. OOB, FF rather sucks, like all browsers.

      Best leak checker and speed tester I’ve found
      https://browserleaks.com/
      https://www.meter.net/

      Yeah, it’s a long journey with lots of trial and error but worth it and far better than picking a camp of complainers to join.

      1. ddk said on August 2, 2021 at 8:59 am
        Reply

        Well Thanks ULBoom, very interesting & insightful.

      2. Iron Heart said on August 2, 2021 at 9:51 am
        Reply

        @ddk

        @ULBoom doesn’t know what he is talking about. Still. After having been corrected many times.

        > It’s great for showing users how much of chromium is google since it barely works with google removed.

        Ungoogled Chromium works 100%, what are you even talking about? You only have to add the Chrome Web Store extension and even that was purely a development decision, the dev of Ungoogled Chromium could easily have kept Chrome Web Store support natively in the browser if he wanted to.

        > It’s a few steps from CLI browsers.

        LOL, no. I don’t think so.

        > Still stuck with webRTC on any chromium.

        I don’t think so:

        https://chrome.google.com/webstore/detail/webrtc-control/fjkmabmdepjfammlpliljpnbhleegehm

        I have told you this many times by now, yet you still repeat the WebRTC claim as if it was some mantra. The extension above can completely disable WebRTC in Chromium. If one only wants to eliminate the WebRTC IP address leak (instead of disabling WebRTC entirely), some Chromium-based browsers like Brave or Vivaldi offer this option natively in their settings, uBlock Origin can also do it.

        What are you smoking?

        > You still have to go through page after page of flags and settings to disable most of chromium’s spyware.

        Not in browsers like Ungoogled Chromium / Brave / Vivaldi / Bromite. Again, what are you smoking? These browsers are already degoogled, no need to go to chrome://flags.

        If you are talking about Google Chrome, chrome://flags are not enough to make it shut up. Changes at the code level (which the aforementioned Chromium forks implement) are required.

        > It only deletes cache/history after starting so it can reestablish all its tendrils first. Does not ever natively delete all that stuff on shutdown regardless of what it says.

        Ever heard of Cookie AutoDelete?

        https://chrome.google.com/webstore/detail/cookie-autodelete/fhcgjolkccmbidfldomjliifgaodjagh

        Besides, deleting cache, cookies, and history is not enough. There are also Service Workers, localStorage etc., for which Cookie AutoDelete would be needed anyways.

        > Try FF ESR, it’s smaller, faster and smoother. If you learn about:config and set it up right, FF smokes any Chromia. Find arkenfox on github for the ultimate lists. OOB, FF rather sucks, like all browsers.

        I don’t know what you mean with “smokes any Chromia”, but regardless of what you meant there, user.js files never ever fix the fingerprinting threat. In fact, they might make it worse:

        https://old.reddit.com/r/privacytoolsIO/comments/glr63n/brave_hardened/fr0to0n/

        https://old.reddit.com/r/GrapheneOS/comments/ciizae/vanadium_and_bromium_privacy/ev6m2ot/

        Fingerprinting defenses being enabled by default is essential for them to actually be effective, as otherwise you will be among the 1% of users of a 3% market share browser who have fingerprinting defenses manually enabled, and will stand out wherever you go, same as you would without any fingerprinting defenses. Not to mention that, if you take all the “this user.js is a template” talk seriously, you can forget about it even more so than before, because, since you are already among the 1% of the 3% with a user.js in general, further modifying select settings in detectable ways, departing from the user.js defaults, makes the idea crumble entirely. Because yes, congrats, you are now among the 0.1% of the 1% of the 3%. You won’t stand out at all. /s

        You don’t seem to realize that privacy.resistFingerprinting exists in Firefox solely to ease development of the Tor Browser Bundle (which has it enabled by default, fixing the “lack of a crowd to hide in” issue that Firefox will always face), and NOT to improve Firefox’s privacy. For the aforementioned reason – you having no crowd to hide in – it CANNOT effectively work in Firefox. Imitating Tor is not a solution because Firefox and Tor can be told apart at the network level, you will never be among the Tor crowd without the real deal (Tor Browser Bundle). There is no use case for a user.js file if you can’t beat today’s greatest tracking threat with it, fingerprinting.

        Also, besides, there are more factors when it comes to choosing a browser than “just” privacy. Chromium is far more secure, far more performant, and more compatible with the web than Firefox is. One would have to compromise on all of these points if one chooses Firefox. I don’t recommend Firefox for these reasons, I don’t see why taking the time to modify a shitty-by-default browser (without ever beating fingerprinting) makes sense if it still remains subpar in every possible way.

      3. Anonymous said on August 3, 2021 at 12:35 am
        Reply

        IronHeart doesn’t know what he is talking about

        > Fingerprinting defenses being enabled by default is essential for them to actually be effective

        ABSOLUTE 100% PURE UTTER BULLSHIT

        RFP in Firefox randomizes canvas and fools naive scripts. End of story. It’s default state makes no difference once it is enabled. End of story. It is at it’s worst, the equal of Brave’s anti-fingerprinting. End of story.

        The best Brave can do is ONLY fool naive scripts, despite it being on by default (it too does not need a crowd). Brave lacks so many metrics being covered, that it is trivial to bypass, and Brave cannot hide that it is Brave. There are an estimated 4.7 billion internet users, lets say at least one browser each. Brave has 25 million users. So that’s 0.53% .. lets call it 0.6% so you don’t have a fit. Now add in timezone, screen, devicePixelRatio, fonts, OS, and a hundred other metrics. You are almost guaranteed to be unique. Congrats, you are now 0.001% of 0.1% of that 0.6%. That’s worse than Firefox

        and I will quote IronHeart: see link below
        > Against naive scripts, both Firefox and Brave can defend

        IronHeart needs to STOP PEDDLING BULLSHIT and acting as if he knows what he is talking about.

        Here’s what IronHeart has said in the past: https://staging-ghacksnet.kinsta.cloud/2021/04/19/here-is-what-is-new-and-changed-in-firefox-88-0/ (the whole comments section is littered with his ignorance, one of many many such articles)

        > Fingerprinting can only be fought when you have a large enough crowd to hide in
        > RFP is a valid implementation but is IMHO ineffective as long as it’s not the default

        and here was my reply

        > ABSOLUTE BULLSHIT man. This is about the 50th time you have you claimed this. Brave is not hiding in a fucking crowd, it’s randomizing. So by your logic, Brave’s fingerprinting protection does not work. Do you get it now?
        >
        > RFP (even if only one person in the world uses it): naive script fooled
        > Brave (even if only one person in the world uses it): naive script fooled
        >
        > What is the difference? Why is RFP useless, but Brave works? You’re confusing why Brave has a default on. It was never to hide in a crowd, it was to give all its users protection.

        IronHeart needs to STOP PEDDLING his runny FLoC-loads of ignorant BS

        People can read IronHeart’s ignorance in many ghacks comments. Every time he comments about fingerprinting, he is wrong. In the past he has claimed so many stupid things, such as

        – randomizing is superior (REALITY: one poison pill or two is all you need for naive scripts, after that they do nothing)
        – Brave’s farbling couldn’t be rendered to static results (FALSE)
        – lowering entropy does not work (FALSE: everything is lowered entropy)
        – randomized output would prevent most breakage (FALSE: on MOST metrics nothing breaks with a static value. FALSE, as randomizing on many metrics would cause weird side effects. TRUE: that a very FEW metrics (canvas and webgl is about it) can benefit from randomizing for breakage)
        – quote “Brave users form a crowd because all of them are randomizing” (FALSE: naive scripts do not see a crowd, against advanced scripts Brave is not a crowd)
        – Tor and FF return blank canvas, he claimed this 3 months ago (FALSE for almost a year)
        – that “gibberish” such as Brave’s plugins is superior as a solution (FALSE: returning nonsense in most APIs results in breakage)
        – that a single Tor Browser user who visits a site means their traffic on that site is linkable because they are the only Tor user to visit that site (FALSE: the site cannot know that when hundreds of thousands of users have the same fingerprint)
        – dozens more examples of “the stupid it burns” variety

        He even had to have it spoon-fed to him that all randomizing = lowered entropy, because all randomizing can be detected

        IronHeart has been over-hyping “farbling” since Brave’s first attempt with canvas (which leaked for over a year) and been continuously rubbishing RFP ever since (despite it also randomizing) in his zealous attempt to attack Firefox at every turn

        Arkenfox doesn’t claim to defeat fingerprinting – read what it says: https://github.com/arkenfox/user.js#readme

        > The arkenfox user.js is a template which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible – while minimizing any loss of functionality and breakage (but it will happen).

        And it does exactly that: it reduces fingerprinting with RFP the same as Brave reduces fingerprinting.

        IronHeart clearly has an inferiority complex about Pants, because she has repeatedly shown up his ignorance and lies. Even after showing proof of her credentials on fingerprinting to Martin, after he demanded them incessantly as an off-topic personal attack, and Martin confirmed them, he simply said (paraphrasing) “big deal, doesn’t matter, she’s wrong”, and continued his BS – he just discards experts and proof when it doesn’t fit his twisted narrative. He even pooh-poohed Pants for independently reporting and getting a canvas leak fixed in Brave. That’s how much he hates her.

        He is in a state of ever-worsening spiraling confirmation bias, driven by a hatred of all things Mozilla, diving down a Dunning–Kruger hole of epic proportions. He is out of his league, and any mention of arkenfox seems to set him off. I for one am glad Pants is living in his head rent free.

      4. CompatWombat said on August 3, 2021 at 6:32 am
        Reply

        Well said Anonymous. It’s strange how randomizing works for Brave but not Firefox, but only in Iron Heart’s head

      5. Anonymous said on August 3, 2021 at 4:34 pm
        Reply

        Thanks CompatWombat. I see from his rant below that IronHeart is obsessed with people’s identities, rather than the discussion at hand. He sees conspiracies everywhere and misses facts e.g. all ghacks comments are public domain. Why is he so obsessed with Pants? Why does he want her real ID and credentials when they are not needed? Why does arkenfox trigger him?

        Let’s look at some more of his runny FLoC-loads of excrement

        > I wasn’t up to date about Firefox back then [3 months ago]

        https://staging-ghacksnet.kinsta.cloud/2020/06/10/initial-price-of-firefox-private-network-browser-extension-service-announced/#comment-4467298

        He was told over a year ago that RFP randomizes canvas: “in FF78+ it randomizes some Canvas APIs and spoofs the rest as static”. He has been told this dozens of times since, as it is central to debunking his whole year+ long BS argument that RFP does not work in Firefox and that Brave is superior because it “farbles”

        > “advanced scripts” (meaning: scripts that check more than for a few entries, you call this “advanced” already)
        > “naive” scripts don’t see a crowd because they are only checking for a few values

        newbie alert: GET THE DIAPERS: naive/advanced have nothing to do with the number of metrics gathered. More made up nonsense no one else has ever said. Naive refers to swallowing a poison pill

        > the randomizing can be detected because it produces implausible gibberish results

        cleanup in aisle IronHeart! That’s not how detection of randomizing works, ever! Randomizing has nothing to do with what types of values are returned

        > The results are NOT STATIC

        We’re going to some BIGGER DIAPERS! IronHeart keeps arguing that detection of randomized values doesn’t result in being able to return the same static value time and time again, which is just utter diaper material

        Go to coveryourtracks with Brave’s Shields on, and every time it will return canvas as “randomized” – this is a static value, and proves that everything comes down to lowered entropy. IronHeart has shown time and time again that he does not understand entropy. Raising entropy is not a magic bullet and only works for naive scripts

        > Brave is just not a static crowd because it doesn’t constantly produce the SAME, STATIC false value for each metric but rather a RANDOMIZED false value for each metric

        OK, hon, get the super-absorbent triple-thick JUMBO pack of DIAPERS!

        Naive script = no crowd
        Advanced script = crowd (and randomizing is irrelevant) = STATIC FINGERPRINT

        I’ll say it again: a detected randomizing = a static value. Of course the fingerprint between Brave and Firefox will differ. But both will be static. When randomizing is neutralized, then you need a crowd, I have never said otherwise, ever. Brave has no crowd because it lacks hundreds of metrics coverage. Firefox has no default crowd because it isn’t used by default (and lacks a couple of metrics coverage). I have never claimed anything else.

        > No, it [lowering entropy] doesn’t work

        So IronHeart is claiming Tor Browser doesn’t work either then, even against advanced scripts where randomizing is rendered useless to a static value. Hold on while I inform tens of thousands of researchers and experts and documented proofs and real world studies, that they all fucked up and are wrong, and that IronHeart the DIAPER KING is a genius

        > Lie by omission again (it gets tiresome). I said back then that Tor users blow their cover when they have to allow stuff like Canvas

        IronHeart never said it had anything to do with canvas: but on that BS LIE:
        – allowing canvas on a site does not compromise linkability – see what Pants says https://github.com/arkenfox/user.js/issues/1218#issue-952790238
        – this is exactly what Brave does when toggling between strict/standard – it relaxes some metrics per site
        – so it’s OK for Brave, but not RFP? Does Brave operate in an alternative universe?

        We are talking about Tor Browser here, which lowers entropy and has numbers of substantial users in each fingerprint. There is no confusion here about a Tor Browser user having a unique fingerprint out of all Tor Browser users

        https://staging-ghacksnet.kinsta.cloud/2020/12/28/are-you-protected-against-online-tracking-the-effs-cover-your-tracks-site-has-the-answer/#comment-4481851

        Pants: “as evidenced by your previous claims that a site can correctly, 100% guaranteed, correlate or linkify traffic on their site to a single user just because, **unknown** to them, there was only ever one person with that FP who repeatedly visits them. e.g. there are a million (potentially tens/hundreds of millions) of Tor Browser users with fingerprint X. User with fingerprint X visits site Y several times a month. Site Y sees 10 visits from fingerprint X and claims it is the same user. That’s not how it works.

        IronHeart’s reply: “if there is only ever one person with e.g. your setup visiting a website, then the website can 100% it is the same user”

        Also read Pant’s summary here
        https://staging-ghacksnet.kinsta.cloud/2020/12/28/are-you-protected-against-online-tracking-the-effs-cover-your-tracks-site-has-the-answer/#comment-4481985

        To summarize (note: randomizing is detected and returns a static value for those metrics)
        – site X: ten Brave users with fingerprint B visit once each
        – site X: one Tor Browser user with fingerprint T visits ten times
        What does the site see?: it sees 10 visits each from fingerprints B and T. It cannot tell any other differences between them.

        IronHeart claims Tor Browser fails and you are linkfied. But if you flip it (1 brave user visits 10 times), apparently Brave is safe.

        This wasn’t even the first time (of many) IronHeart keeps claiming that lowering entropy only works in an alternative reality with Brave

        IRRELEVANT, strawmen, off-topic ranting, and the rest isn’t worth it even discussing

        > rant webgl rant advanced scripts rant off-topic MAC addresses rant off-topic IP addresses

        Brave has all these same issues (substitute dozens of other metrics for webgl)

        > Micay

        Micay is not a fingerprinting expert. No-one has disputed what Micay said, in fact I have agreed with Micay, numerous times. I have only disputed what IronHeart says when he twists Micay’s words. IronHeart once again trying to hide behide someone else

        > Brave’s FP defenses are young and a work in progress

        Irrelevant

        > compat

        Irrelevant to the effectiveness of defeating a fingerprint – i.e not leaking the real value. All nonsense about compat has been debunked numerous times – mainly at https://staging-ghacksnet.kinsta.cloud/2021/04/19/here-is-what-is-new-and-changed-in-firefox-88-0/

        > Because you are suggesting that reducing the attack surface = lowering entropy does work

        Heard of surprisals? And it does, but needs qualification, is not pertinent to this discussion, and would take far too long to explain yet again, only it to be twisted and ignored

        > So you admit here that RFP can improve web compatibility in some cases

        I’ve never said otherwise. IronHeart confuses the issue of why RFP went with their current canvas solution four years, instead of subtle randomizing. Brave’s randomizing per-eTLD+1 per-session actually creates a unique tracking id (per-eTLD+1 per-session), which Tor Browser does not want, not to mention that the subtlety carries risks: such as averaged bypasses or flat out being too subtle and completely bypassed (which is what Pant’s bug was, which you will not find in a test suite, which she stated – and yes, IronHeart pooh poohed her because he has a BlackHeart)

        > It was never meant to improve Firefox’s privacy

        IronHeart just pulls DIAPER FILLING out of his ass and makes things up to suit his narrative

        It is absolutely designed for Firefox as well. There are many RFP patches that Tor Browser does not even use – wow, that’s strange then, isn’t it. It was invested in by Mozilla, added by Mozilla engineers, re-engineered from earlier Tor patches, and new metrics added – not just for Tor Browser. Yes it has a dual purpose (i.e for Tor Browser itself), but it has always been the intention to make this part of Firefox: as an option in settings, for Private Mode windows, and for “Tor Mode” windows. There are bugzillas going back years stating this – in fact since Tor Uplift started

        It is not super high priority because Mozilla understand that without Tor, it’s not a complete solution (see IP which also affects Brave). And that ETP and fingerprinters blocking, and Total Cookie Protection, and comprehensive network partitioning, and SmartBlock and other items have a much bigger and more immediate impact on privacy. But that is not to say that RFP won’t become enabled in some form that creates large crowds

      6. CompatWombat said on August 3, 2021 at 6:03 pm
        Reply

        Thanks again Anon, this is very informative

      7. Iron Heart said on August 3, 2021 at 9:51 am
        Reply

        @”Anonymous”

        First things first, why do you have a complete protocol of my discussions with Pants, if you aren’t Pants? Care to explain? How stupid do you think we are, dear “Anonymous”? Secondly, stop constantly misrepresenting what was said, this is morally repulsive to the utmost and might even harm others who are trying to get an actual, technical picture of what is possible / recommendable and what is not. That you care more to “score a point” with deceptions and lies by omission here than to be truthful and helpful and provide good discussion is sad but expected. Indeed, almost every single line of your post has altered the meaning of what was said by me in prior conversations with you. Shame on you. Here we go:

        > RFP in Firefox randomizes canvas and fools naive scripts. End of story. It’s default state makes no difference once it is enabled.

        RFP in Firefox exists to ease Tor development, so that the maintenance burden shifts from the small Tor Project to Mozilla. End of story. It was never meant to improve Firefox’s privacy and fails for, what you call, “advanced scripts” (meaning: scripts that check more than for a few entries, you call this “advanced” already). Firefox leaks WebGL with RFP on, leaks the IP address (remember that RFP is actually for Tor, which never has this problem as it randomizes the IP address by choosing a different route at every restart), possibly the MAC address, has extension leaks based on the installed extensions (which Tor encourages users not to install as they break anonymity, while arkenfox encourages it) etc.

        You claim that RFP is so much better than Brave’s FP defenses when it isn’t, because there is no crowd to hide in, but a crowd is required to beat what you call “advanced scripts”. Experts like Micay understand this, maintainers of some random user.js who need to defend their pointless project don’t want to understand it.

        > The best Brave can do is ONLY fool naive scripts

        For now. I have pointed this out multiple times already, but you maliciously leave it out here to alter the meaning of what was said: Brave’s FP defenses are young and a work in progress, they will cover more metrics and it will eventually be able to beat so-called “advanced scripts”. For now, because certain metrics are missing, it can only beat so-called “naive scripts” checking for a few entries. However, Brave does exactly this by default and protects ALL of its users, while in Firefox you need to enable some obscure setting which only Brave is not hiding in a fucking crowd, it’s randomizing.

        That is not correct. Brave forms a behavioral crowd because all of its users are randomizing, and the randomizing can be detected because it produces implausible gibberish results. So, e.g. three randomized metrics:

        M1: RANDOMIZED FALSE VALUE
        M2: RANDOMIZED FALSE VALUE
        M3: RANDOMIZED FALSE VALUE

        Compare this to Firefox (which does randomize some values, but for the sake of argument the default behavior for most metrics will be discussed here):

        M1: STATIC FALSE VALUE
        M2: STATIC FALSE VALUE
        M3: STATIC FALSE VALUE

        Both of these are crowds, Brave is just not a static crowd because it doesn’t constantly produce the SAME, STATIC false value for each metric but rather a RANDOMIZED false value for each metric, but there can be no doubt that both form a behavioral group.

        > FLoC-loads

        This is disabled in Brave. :D Inform yourself.

        > randomizing is superior

        Lie by omission, again. Where did I say this outside of web compatibility? Randomizing (random gibberish results) can help web compatibility when the only other alternative is disabling the related API. Example? Brave randomizes WebGL by default, so if WebGL values are requested, it can produce some. Any animation requiring WebGL will run in Brave, the vast majority without issue. Firefox? By default, it just reveals all the real values(!) of WebGL, but for the sake of argument, because I am at least trying fair here, let’s say you are among the 1% of users of FF who have disabled it (because FF has no other mitigation for these high entropy values other than totally disabling WebGL), now what? Disabling this breaks any and all 3D animations using WebGL, and you still claim that randomizing is not superior here? Wow.

        Also, the idea of a static fingerprint crumbles if it causes web compatibility issues that force users to ease some of the associated settings. Example? Canvas has issues with RFP enabled, so users have to disable the protection for it, either globally or per-site. Canvas high entropy values not being protected (along with the WebGL, extension IDs, and IP address leaks) renders the whole concept absurd.

        > Brave’s farbling couldn’t be rendered to static results (FALSE)

        That’s not false. The results are NOT STATIC, that is why it’s called “randomizing” in the first place. The only thing that is STATIC is observed crowd behavior, Brave users form a behavioral crowd because all of them can be observed randomizing. Get your facts straight, and stop the lies by omission.

        > lowering entropy does not work

        No, it doesn’t work… If the goal is to protect yourself against fingerprinting, and if you lack a crowd to hide in. I’ll let Daniel Micay (Developer of GrapheneOS, who, contrary to you, has written this type of FP defense himself):

        “Providing the offer to disable features to reduce attack surface can be useful. Doing it to prevent fingerprinting is utter nonsense since by changing any settings that sites can detect you have made yourself far more easily fingerprinted. Disabling WebRTC and WebGL would make you far easier to fingerprint, not harder. These sites encouraging things like that is a problem. (…) Each feature needs to have a clear threat model and a rigorous approach. Firefox is entirely focused on theatre / branding / marketing. So is that fingerprinting service you’re using.”

        source: https://old.reddit.com/r/GrapheneOS/comments/ciizae/vanadium_and_bromium_privacy/ev6m2ot/

        Do you like being called a “problem” by a seasoned developer who has loads of experience in the field of privacy and security? Because you are suggesting that reducing the attack surface = lowering entropy does work, when it is clear that randomized output would prevent most breakage (FALSE: on MOST metrics nothing breaks with a static value. FALSE, as randomizing on many metrics would cause weird side effects. TRUE: that a very FEW metrics (canvas and webgl is about it) can benefit from randomizing for breakage)

        So you admit here that RFP can improve web compatibility in some cases? I thought so.

        > FALSE, as randomizing on many metrics would cause weird side effects.

        This is a rubbish argument. A false STATIC value would cause the same random side effect in these cases as a false RANDOMIZED value would.

        > quote “Brave users form a crowd because all of them are randomizing” (FALSE: naive scripts do not see a crowd, against advanced scripts Brave is not a crowd)

        Same old rubbish, again. Of course what you call “naive” scripts don’t see a crowd because they are only checking for a few values, they can never observe the bigger picture by collecting more metrics which would make it clear that crowds exist. Brave beats those “naive scripts” by default, as does Firefox (not by default). Brave users are a behavioral crowd, and you admit that when you say that “randomized values can be rendered static” (as said above, this is false for the random values themselves, I assume you mean that a static pattern of behavior can be observed, which is true). Yeah, Brave does not yet protect all values, this is why I call it “a work in progress”, and it is also true that the REAL unique values that it doesn’t protect yet hinder the behavioral crowd building, but this will obviously be resolved as the FP defenses mature. Not sure why you berate Brave for not protecting certain values just yet when Firefox, after all these years, also doesn’t protect certain values (WebGL), still leaks extension IDs, and oftentimes has defenses that users have to disable occasionally because they are causing too much havoc (Canvas) – those defenses having to be disabled on a regular basis also renders them fairly useless in practice.

        > Tor and FF return blank canvas, he claimed this 3 months ago (FALSE for almost a year)

        Fair enough, I wasn’t up to date about Firefox back then, as it is not my main browser. It DID return blank Canvas for a significant amount of time before they changed the output to randomized values. You maliciously leave out the fact that Firefox returned blank Canvas for years and maliciously take advantage of me having not been up to date for one(!) value in order to make me look worse than I am. Sadly, the character rot is real.

        > that “gibberish” such as Brave’s plugins is superior as a solution (FALSE: returning nonsense in most APIs results in breakage)

        Same as above, returning a STATIC false value also would cause the same “breakage” you describe, so what’s the matter? Oh and yes, plugins do work correctly in Brave despite the applied randomization, if you claim otherwise, you have never used it.

        > that a single Tor Browser user who visits a site means their traffic on that site is linkable because they are the only Tor user to visit that site (FALSE: the site cannot know that when hundreds of thousands of users have the same fingerprint)

        Lie by omission again (it gets tiresome). I said back then that Tor users blow their cover when they have to allow stuff like Canvas to circumvent experienced website breakage. A defense is no good if it has to be disabled all the time because of usability issues. Also, even if the user never relaxes any setting, don’t believe Tor is unbeatable, not even the Tor devs claim this, so why do you?

        > dozens more examples of “the stupid it burns” variety

        No doubt about it, you can maliciously alter the meaning of even more quotes and lie by omission some more to score a point here.

        > IronHeart has been over-hyping “farbling”

        No. I have discussed its advantages and disadvantages matter of factly and it is clear that, as far as usability in practice is concerned, it comes out on top so far. It is also acknowledged as a valid fingerprinting defense by various experts who are capable to look at this topic without fanboy glasses. I have also said repeatedly that Brave’s FP defenses are not yet complete because some values are not YET protected, a fact you continuously leave out when talking about me to paint a more villainous picture of “the ignorant”.

        > since Brave’s first attempt with canvas (which leaked for over a year)

        And? Shall I also ride historical Firefox bugs that are now fixed to death? What’s the point? Firefox still leaks WebGL to this day and it’s not even a bug, they seem to be incapable of tackling this value short of giving users a setting to disable it entirely (which causes web compat issues, not a good solution).

        > and been continuously rubbishing RFP ever since (despite it also randomizing)

        I am not “rubbishing” RFP, I am rubbishing people like you, who make it out to be more than it actually is, presumably to defend their user.js garbage projects or something. It can never beat advanced scripts because it will never be enabled by default in Firefox (so there will never be a sizable crowd of Firefox users using it), how is that better than what Brave provides? Answer: It isn’t, at least with Brave, there is a possibility of a wide range of metrics being protected by default(!) in the future, I don’t see it happening for Firefox unless they can fix the Canvas breakage and figure out WebGL and fix various other leaks, e.g. extensions.

        > (despite it also randomizing)

        I have also said repeatedly that the lines between the two concepts are blurred, and that the decision of “STATIC FALSE VALUE” vs. “RANDOMIZED FALSE VALUE” is made on a per-metric basis, whichever solution is deemed best and provides better web compatibility. Of course you alter the meaning to paint a more villainous picture of me, *yawn*.

        > Arkenfox doesn’t claim to defeat fingerprinting

        It does, look at the actual setting recommendations. But it can’t for what you call “advanced scripts”, yet you make it appear as if it can. Regularly. This is disingenuous.

        > And it does exactly that: it reduces fingerprinting with RFP the same as Brave reduces fingerprinting.

        Stop implying that RFP does more than beating naive scripts across your comments then, stop deceiving people.

        > IronHeart clearly has an inferiority complex about Pants, because she has repeatedly shown up his ignorance and lies.

        Why should I have a supposed “inferiority complex”about someone who promotes concepts that don’t work beyond use against naive scripts (which currently the browser I am using, Brave, also does protect against!?), yet implies that it does more than that and is superior throughout when it actually isn’t, and is therefore rightfully called a “problem” by seasoned experts like Daniel Micay who have actual relevant coding experience, have actually WRITTEN such defenses and don’t just talk about them? Why should I envy a shitty little project that has far too long now tried to appear as something that it isn’t, and never will be? Give me a good reason to care about that crap and I will.

        > Even after showing proof of her credentials on fingerprinting to Martin, after he demanded them incessantly as an off-topic personal attack, and Martin confirmed them, he simply said (paraphrasing) “big deal, doesn’t matter, she’s wrong”, and continued his BS – he just discards experts and proof when it doesn’t fit his twisted narrative.

        First, I have never seen any kind of “credentials” myself (Feel free to provide them! Now is the time! Perhaps “you” can convince “her”…), I have never seen any coding work of her that would confirm a level of understanding of the defenses that is otherwise just stated / implied, but never actually proven. And even if there are some of these rather mysterious “credentials” that have never actually surfaced so far, this doesn’t mean that she can’t promote idiotic concepts in some areas all the same.

        Again, actual experts call projects like arkenfox “a problem” because the concept doesn’t work (at least not beyond what Brave also does, and even then only if people took the time to dig out some obscure Firefox about:config settings, by default Firefox doesn’t do anything to protect its users) despite what is always claimed.

        > He even pooh-poohed Pants for independently reporting and getting a canvas leak fixed in Brave. That’s how much he hates her.

        False. I never trashed her or anyone else for reporting issues. That would be a stupid thing to do, and you are stupid for maliciously implying that anyone in their right mind would do that.

        What I did say though, and I stand by that, is that ANYONE, yes, ANYONE could have operated some testing suite and could have found out about this Brave bug. Uncovering this bug did NOT require coding skills, and when this bug report is shown to me as evidence of coding skill, when in actuality the ability to operate a testing suite was more than enough, I can only heartily laugh about this attempt to deceive the public, at this pathetic instance of trying to be appear as more than she actually is. The bug report itself can be helpful of course, the attempt to deceptively use it as evidence for expertise that wasn’t actually proven there is not.

        > He is in a state of ever-worsening spiraling confirmation bias, driven by a hatred of all things Mozilla, diving down a Dunning–Kruger hole of epic proportions. He is out of his league, and any mention of arkenfox seems to set him off. I for one am glad Pants is living in his head rent free.

        Whatever you say, some more lies and personal attacks won’t even make a difference considering that you have already accumulated mountains of it.

      8. Yash said on August 3, 2021 at 9:47 pm
        Reply

        @Iron Heart

        I see you have now started to shitload a new article, “leaks the IP address (remember that RFP is actually for Tor, which never has this problem as it randomizes the IP address by choosing a different route at every restart), possibly the MAC address,” Yeah you’re quite right, infact Chromium has built-in protections for those, right? Even Brave has protections for those? That is idiotic and laughable. All your nonsense can be cast aside as nonsense, but that is just stupidity. I assume I might have to use Brave – the only browser or the only software in the world which doesn’t reveal IP addresses. Seriously mixing IP addresses and browser fingerprinting, and MAC addresses, I guess you’re the first person who said that Firefox leaks MAC when it is an OS issue. That is really funny.

        “You claim that RFP is so much better than Brave’s FP defenses when it isn’t, because there is no crowd to hide in, but a crowd is required to beat what you call “advanced scripts”. Experts like Micay understand this, maintainers of some random user.js who need to defend their pointless project don’t want to understand it.”
        Even Brave team denies this part, and they would be flattered to know their browser does some things which they themselves deny. Good quotes there.

        “That is not correct. Brave forms a behavioral crowd because all of its users are randomizing, and the randomizing can be detected because it produces implausible gibberish results. So, e.g. three randomized metrics:

        M1: RANDOMIZED FALSE VALUE
        M2: RANDOMIZED FALSE VALUE
        M3: RANDOMIZED FALSE VALUE

        Compare this to Firefox (which does randomize some values, but for the sake of argument the default behavior for most metrics will be discussed here):

        M1: STATIC FALSE VALUE
        M2: STATIC FALSE VALUE
        M3: STATIC FALSE VALUE

        Both of these are crowds, Brave is just not a static crowd because it doesn’t constantly produce the SAME, STATIC false value for each metric but rather a RANDOMIZED false value for each metric, but there can be no doubt that both form a behavioral group.”
        Stop it right there, you haven’t got a clue, and by writing that you have embarassed yourself. Visit Tor website and get some good info.

        “I said back then that Tor users blow their cover when they have to allow stuff like Canvas to circumvent experienced website breakage. A defense is no good if it has to be disabled all the time because of usability issues. Also, even if the user never relaxes any setting, don’t believe Tor is unbeatable, not even the Tor devs claim this, so why do you?”
        “Allow Canvas” – any real world examples, any links to some sites for which that needs to be done, onion or regular net websites?
        Its clear by your words you haven’t Tor, so stop lying or better give an example.

        “WebGL webcompat issues in Firefox” – for your kind information, Brave doesn’t allow users to disable WebGL and even then in its strict settings, it has WebCompat issues as well, to verify this visit Brave GitHub issues. You really made a fool of yourself there.

        “It does, look at the actual setting recommendations. But it can’t for what you call “advanced scripts”, yet you make it appear as if it can. Regularly. This is disingenuous.”
        Any links which can verify your quotes about where Arkenfox claimed this?

        This time if you can, better provide some evidence for your stupid claims and theories, I’m waiting to prove them false ;-)

      9. Iron Heart said on August 4, 2021 at 12:02 am
        Reply

        @Yash

        See, I know that our relations have recently soured after I have proven to you that you *again* put your trust in the wrong people, but this is not a reason for you to add more bullshit to the tons of bullshit that were already written by @ULBoom and @”Anonymous” (not so anonymous for me, you see).

        > Yeah you’re quite right, infact Chromium has built-in protections for those, right? Even Brave has protections for those?

        Brave does. It’s called “Tor mode”.

        That is not the point I tried to convey though. The point is that, if the network level is still leaking, praising some random user.js that gives a totally false sense of privacy on the web is even more laughable than it was before. Firefox is a general use browser, if you add VPN to protect the network level + user.js to fix Firefox’s sorry defaults + various privacy add-ons, you might as well just use Tor, this will also fix the “lack of a crod to hide in” issue automatically. There is no actual use case for what is proposed here.

        > I assume I might have to use Brave – the only browser or the only software in the world which doesn’t reveal IP addresses.

        Well, there is also Tor. Even Opera has a built-in VPN (no comparison to Tor implied, but for hiding the real IP address it is enough). You act as if hiding the IP address is some rocket science and extremely hard to implement. Are you kidding me here, or just trolling again?

        > Seriously mixing IP addresses and browser fingerprinting, and MAC addresses, I guess you’re the first person who said that Firefox leaks MAC when it is an OS issue. That is really funny.

        Of course I do, those are identifiers and so called “anonymity tools” like Tor actually do cover all of these. That Firefox gets the MAC address from the operating system is totally irrelevant to my argument. No matter where it is generated from, it does leak via the browser in the end, doesn’t it? And yes, if Mozilla wanted to mitigate this at the browser level, there is network.dns.disableIPv6, in case you are unaware. I shouldn’t have to tell you this as someone who doesn’t even use Firefox as a main tool of work, but here we are.

        > Even Brave team denies this part, and they would be flattered to know their browser does some things which they themselves deny. Good quotes there.

        What do you even mean by this? The Brave team doesn’t deny that their browser is effective against “naive scripts”, and in order to be be effective against more “advanced scripts”, further metrics would have to be covered first. Their claims are consistent with mine.

        > Stop it right there, you haven’t got a clue, and by writing that you have embarassed yourself. Visit Tor website and get some good info.

        Why should I stop? What I said is accurate. The values Brave generates are not static, they are randomized. What is static are Brave’s behavioral patterns, it can certainly be observed that all Brave users consistently randomize, but this is not the same thing, on the one hand are the values, on the other behavioral patterns. Firefox using RFP can also be observed, by the way, and just because the behavioral patterns of RFP are known, doesn’t mean that it is ineffective because of that!

        I am not sure if you perhaps mean “normalization”, that is if randomization is applied in an insufficient manner, sufficiently advanced adversaries might be able to figure out that you are the same user by calculating (approximate) real values, perhaps you mean this by “randomized values can be rendered static”, but even if so, you are still wrong. I don’t think this can be successfully done in the wild without effort, and I think that Brave’s “Aggressive” Anti-FP mode would fix this even if it were possible.

        You are using unclear terminology here but you are most likely mistaken in either case.

        > “Allow Canvas” – any real world examples, any links to some sites for which that needs to be done, onion or regular net websites?

        https://old.reddit.com/r/firefox/comments/hr5jc6/images_showing_up_as_colored_vertical_lines_only/

        https://old.reddit.com/r/firefox/comments/ldagyd/firefox_not_rendering_images_properly/

        https://old.reddit.com/r/firefox/comments/k494u6/bad_image_rendering/

        Search and you will find, this is a regular occurrence on Tor for Canvas image data. There is more examples, I won’t spoon feed you any further.

        > Its clear by your words you haven’t Tor, so stop lying or better give an example.

        It rather seems like you have never used Tor, or if you did, only sporadically without entering websites that used Canvas. The issue is a logical result of the Canvas FP defenses and is admitted to by the Tor devs, it is also far more widespread than you think. This is already identified as a rather serious web compatibility issue at the Tor Project, so I don’t even know what you want to hear from me!? Is the Tor team confirming the issue not enough for you?

        > for your kind information, Brave doesn’t allow users to disable WebGL and even then in its strict settings, it has WebCompat issues as well, to verify this visit Brave GitHub issues. You really made a fool of yourself there.

        False once again. Brave’s “Aggressive” FP defenses completely disable WebGL so far, but they are looking at other options like stronger randomization because disabling it should be the very last resort for web compat reasons.

        Also – this should be obvious from my prior post, yet I will point it out to you again: I said that randomization of WebGL causes COMPARATIVELY less issues when you pit it against outright disabling WebGL (the only solution Firefox has for this metric). This should be self-explanatory really; with randomization, at least the majority (not quite all!) 3D graphics that use WebGL work correctly, while in Firefox with WebGL disabled none of them work by definition of the word “disabled”. Is Brave’s randomization perfect for web compat? Of course not. Is it better than outright disabling it? Yes, obviously.

        > Any links which can verify your quotes about where Arkenfox claimed this?

        Look at the user.js file you have presumably downloaded if you are a user of that type of snake oil, it does enable privacy.resistFingerprinting, webgl.disabled and toggles off media.peerconnection.enabled etc. pp. – the clear intention here is to combat advanced scripts, but this will never ever be successful without crowd building akin to Tor, and this crowd building is just not possible as long as those are not the defaults of Firefox.

        Plus, if you are into pointless back and forth bickerings, you can dig out any of Pants’ posts (“Anonymous” seems to have them all, I wonder why) directed against Brave, where it was repeatedly yet falsely claimed that RFP has a chance against advanced scripts, which is illusory, as actual experts will readily tell you.

        > This time if you can, better provide some evidence for your stupid claims and theories, I’m waiting to prove them false ;-)

        Dude, all you are doing here is wasting my time with nonsense. Again. Have you nothing else to do?

      10. Yash said on August 4, 2021 at 8:42 am
        Reply

        @Iron Heart

        First I put trust in wrong people, HAHAHAHA.

        “That is not the point I tried to convey though. The point is that, if the network level is still leaking, praising some random user.js that gives a totally false sense of privacy on the web is even more laughable than it was before. Firefox is a general use browser, if you add VPN to protect the network level + user.js to fix Firefox’s sorry defaults + various privacy add-ons, you might as well just use Tor, this will also fix the “lack of a crod to hide in” issue automatically. There is no actual use case for what is proposed here.”
        Network level always leaks or IOW revealed in every software. “You might as well use Tor” – that is true but that is not always possible, stream a live sports match, watch high quality video, use P2P. Those things can be done on Tor(apart from P2P) but why limit bandwidth of a service which is used by for some important reasons to find who is the owner of ExpressVPN on YouTube or when all you need to do is some regular net streaming like movies, Web Series.
        About various privacy add-ons and about that setup, since you haven’t used it, no comments. Those who use it though can confirm there are many benefits in that approach and that approach is better than what Brave has to offer. End of story.

        “Well, there is also Tor. Even Opera has a built-in VPN (no comparison to Tor implied, but for hiding the real IP address it is enough). You act as if hiding the IP address is some rocket science and extremely hard to implement. Are you kidding me here, or just trolling again?”
        Its not trolling, its sarcasm, you’re welcome. In your comments in this thread you’ve said Brave fingerprinting protections are not complete and you’re saying to use Tor in Brave. Mentioning Opera VPN, good job there, do you know something about their owners? You have embarassed yourself there.

        “Of course I do, those are identifiers and so called “anonymity tools” like Tor actually do cover all of these. That Firefox gets the MAC address from the operating system is totally irrelevant to my argument. No matter where it is generated from, it does leak via the browser in the end, doesn’t it? And yes, if Mozilla wanted to mitigate this at the browser level, there is network.dns.disableIPv6, in case you are unaware. I shouldn’t have to tell you this as someone who doesn’t even use Firefox as a main tool of work, but here we are.”
        I don’t know whether to correct you or laugh but okay, both.
        IPV6 doesn’t leak just through browsers but through every app, software. In Firefox there is option to disable it for users who for some reason doesn’t want to disable IPV6 on router/device level. Does Brave have option for that? Does Brave have protection against that?

        “What do you even mean by this? The Brave team doesn’t deny that their browser is effective against “naive scripts”, and in order to be be effective against more “advanced scripts”, further metrics would have to be covered first. Their claims are consistent with mine.”
        The crowd part when dealing with browser fingerprinting, that was what I was pointing, you’re welcome.

        “Why should I stop? What I said is accurate. The values Brave generates are not static, they are randomized. What is static are Brave’s behavioral patterns, it can certainly be observed that all Brave users consistently randomize, but this is not the same thing, on the one hand are the values, on the other behavioral patterns. Firefox using RFP can also be observed, by the way, and just because the behavioral patterns of RFP are known, doesn’t mean that it is ineffective because of that!

        I am not sure if you perhaps mean “normalization”, that is if randomization is applied in an insufficient manner, sufficiently advanced adversaries might be able to figure out that you are the same user by calculating (approximate) real values, perhaps you mean this by “randomized values can be rendered static”, but even if so, you are still wrong. I don’t think this can be successfully done in the wild without effort, and I think that Brave’s “Aggressive” Anti-FP mode would fix this even if it were possible.

        You are using unclear terminology here but you are most likely mistaken in either case.”
        No idea what you’re trying to say there.

        “> “Allow Canvas” – any real world examples, any links to some sites for which that needs to be done, onion or regular net websites?

        https://old.reddit.com/r/firefox/comments/hr5jc6/images_showing_up_as_colored_vertical_lines_only/

        https://old.reddit.com/r/firefox/comments/ldagyd/firefox_not_rendering_images_properly/

        https://old.reddit.com/r/firefox/comments/k494u6/bad_image_rendering/

        Search and you will find, this is a regular occurrence on Tor for Canvas image data. There is more examples, I won’t spoon feed you any further.”
        I clearly meant Tor browser when I said that, but unfortunately your one line copy paste or one word copy paste in this case failed in that regard. Plus who the hell would be allowing Canvas on Tor when To team clearly advise against that. Again any Canvas allow examples in Tor?

        “It rather seems like you have never used Tor, or if you did, only sporadically without entering websites that used Canvas. The issue is a logical result of the Canvas FP defenses and is admitted to by the Tor devs, it is also far more widespread than you think. This is already identified as a rather serious web compatibility issue at the Tor Project, so I don’t even know what you want to hear from me!? Is the Tor team confirming the issue not enough for you”
        Examples? Tor team also says other words when mentioning being anonymous. Never heard of them, eh?

        “False once again. Brave’s “Aggressive” FP defenses completely disable WebGL so far, but they are looking at other options like stronger randomization because disabling it should be the very last resort for web compat reasons.

        Also – this should be obvious from my prior post, yet I will point it out to you again: I said that randomization of WebGL causes COMPARATIVELY less issues when you pit it against outright disabling WebGL (the only solution Firefox has for this metric). This should be self-explanatory really; with randomization, at least the majority (not quite all!) 3D graphics that use WebGL work correctly, while in Firefox with WebGL disabled none of them work by definition of the word “disabled”. Is Brave’s randomization perfect for web compat? Of course not. Is it better than outright disabling it? Yes, obviously.”
        Comparatively less issues? Any examples? Before further comments on this topic, visit Brave Github issues.

        “> Any links which can verify your quotes about where Arkenfox claimed this?

        Look at the user.js file you have presumably downloaded if you are a user of that type of snake oil, it does enable privacy.resistFingerprinting, webgl.disabled and toggles off media.peerconnection.enabled etc. pp. – the clear intention here is to combat advanced scripts, but this will never ever be successful without crowd building akin to Tor, and this crowd building is just not possible as long as those are not the defaults of Firefox.

        Plus, if you are into pointless back and forth bickerings, you can dig out any of Pants’ posts (“Anonymous” seems to have them all, I wonder why) directed against Brave, where it was repeatedly yet falsely claimed that RFP has a chance against advanced scripts, which is illusory, as actual experts will readily tell you.”
        First when I asked where user.js claimed to completely defeat fingerprinting? You didn’t provide any links. And second even Arkenfox guide says to use Tor and not consider user.js as its replacement to use it on Tor network. User.js file is meant for something else which I’m sure Brave team will catch up in 30th century.

        Have you nothing else to do besides lying over and over again?

      11. Iron Heart said on August 4, 2021 at 1:44 pm
        Reply

        @Yash

        > First I put trust in wrong people, HAHAHAHA.

        Well, yes. You put your faith in Googlezilla Firefox, and the Proton Technologies AG a.k.a. Tesonet. You also listen to people promoting user.js files and similar snake oil. If that is not “putting one’s trust in the wrong people”, then I don’t know what is.

        > important reasons to find who is the owner of ExpressVPN on YouTube

        Still not over the fact that this VPN operates from Hong Kong under unclear ownership? You’ll eventually get used to it.

        > About various privacy add-ons and about that setup, since you haven’t used it, no comments.

        How do you know?

        > Those who use it though can confirm there are many benefits in that approach and that approach is better than what Brave has to offer. End of story.

        OK, which benefits exactly? All you end up doing is making Firefox do the same things Brave does by default already, fingerprinting yourself in the process because hardly any other Firefox user shares your setup. Your approach is faulty at best.

        > In your comments in this thread you’ve said Brave fingerprinting protections are not complete and you’re saying to use Tor in Brave.

        Your question was whether or not Brave protects the IP address, not how good its fingerprinting defenses are. I have answered your original question, don’t pretend that it wasn’t so. Brave does protect the IP address when in Tor mode.

        I have also commented on Brave’s FP defenses already, and what work still needs to be done. No surprises there, you can find all of that in my prior comments.

        > Mentioning Opera VPN, good job there, do you know something about their owners? You have embarassed yourself there.

        Learn to read, seriously. I have in no way endorsed Opera VPN. I merely cited as an example of a browser protecting the IP address, without commenting on whether or not anyone should use this particular service. You were acting as if a browser protecting the IP address is rocket science, which is ridiculous. Of course it’s possible.

        > IPV6 doesn’t leak just through browsers but through every app, software.

        I am aware. And? Does it matter that your MAC address leaks on some Fire TV Stick or something? It doesn’t. Where it matters is when you do your browsing online, and when online trackers take note of it. I only care about things that matter, your sentence is totally irrelevant to what I am trying to convey.

        > In Firefox there is option to disable it for users who for some reason doesn’t want to disable IPV6 on router/device level. Does Brave have option for that? Does Brave have protection against that?

        Counter-question: Does it matter where you disable IPv6, either in the OS or in the browser? Answer: It doesn’t, both settings do the same thing for your online browsing. Brave strictly adheres to the OS setting.

        > The crowd part when dealing with browser fingerprinting, that was what I was pointing, you’re welcome.

        I don’t even know what you want from me here. Brave users form a behavioral crowd, they have no issue as far as crowd building is concerned. Anti-FP behavior is consistent across browser installations there, can’t say the same about Firefox.

        > No idea what you’re trying to say there.

        It’s not very hard to understand, at all. I won’t repeat it again.

        > I clearly meant Tor browser when I said that, but unfortunately your one line copy paste or one word copy paste in this case failed in that regard. Plus who the hell would be allowing Canvas on Tor when To team clearly advise against that. Again any Canvas allow examples in Tor? (…) Examples? Tor team also says other words when mentioning being anonymous. Never heard of them, eh?

        You allow Canvas when you experience breakage, e.g. when pictures can’t be rendered correctly. Of course, from a privacy perspective only, allowing Canvas is not advised, but it can be necessary to “unbreak” pages. I have already showed you examples of this, I won’t add any further ones because they always describe the same issue anyway. It also doesn’t matter if we talk about Tor or Firefox in this case, in both cases RFP causes the issue, there is no difference.

        > Comparatively less issues? Any examples? Before further comments on this topic, visit Brave Github issues.

        How am I supposed to cite examples of things that work? If the 3D animations work, there is no need to write a report. It should be self-explanatory that randomizing causes lesser issues when compared to disabling WebGL, disabling it means that those 3D animations can’t run in the first place. Brave only breaks 3D animations occasionally via randomization, and those issues get reported on their GitHub then. Occasional breakage > can’t run the animation at all, obviously.

        > First when I asked where user.js claimed to completely defeat fingerprinting?

        Their settings recommendations tell you this already. They are aimed at advanced scripts. It doesn’t, and will never actually work without serious crowd building.

        > You didn’t provide any links.

        https://github.com/arkenfox/user.js/blob/master/user.js

        Look at the settings recommendations I have cited before, RFP, disable WebGL, disable WebRTC, you can find all those recommendations in it. This is aimed at advanced scripts, against which this can never actually work without a large group of like-minded user to hide in.

        > And second even Arkenfox guide says to use Tor and not consider user.js as its replacement to use it on Tor network.

        It’s a Tor imitation even, LOL. But will never work same as the real Tor because of the aforementioned crowd building deficit and because a lack of protection of the network level, which is an integral part of Tor, but which such a user.js file logically can’t provide.

        > User.js file is meant for something else which I’m sure Brave team will catch up in 30th century.

        Nah. You seem to be aware of the Brave Browser’s GitHub, go to the privacy section and you’ll find out that it does more or less the same thing as some user.js file for Firefox.

        > Have you nothing else to do besides lying over and over again?

        You are being insolent again, you have never conclusively proven that I have lied anywhere, because I haven’t. I am consistent with the facts and with myself, you are a troll with fanboy glasses on who has serious deficits in learning / understanding and likes throwing tantrums at me. That’s the truth, and yes, I am very tired of it by now.

      12. Yash said on August 4, 2021 at 5:52 pm
        Reply

        @Iron Heart

        “Well, yes. You put your faith in Googlezilla Firefox, and the Proton Technologies AG a.k.a. Tesonet. You also listen to people promoting user.js files and similar snake oil. If that is not “putting one’s trust in the wrong people”, then I don’t know what is.”
        At the end of the day you’re nothing but another certain products as*licking fanboy. GoogleZilla Firefox – how about Brave shill? Mentioning Proton again – well you didn’t read the last comment in VPN thread which revealed all the dirty tricks of your trash links back in 2019, but then you are a troll. user.js as snake oil – in Brave latest updates, even Brave browser is a part of that, so they’re also snake oil. You wrote all this to again humiliate yourself and you did a good job at that.

        “> important reasons to find who is the owner of ExpressVPN on YouTube

        Still not over the fact that this VPN operates from Hong Kong under unclear ownership? You’ll eventually get used to it.”
        Unfortunately you don’t understand sarcasm, bad for you.

        “How do you know?”
        Well one copy line paste can not only create stupid questions but can also make a paragraph redundant, like I did there with your line, wait a minute it was already a single line!

        “OK, which benefits exactly? All you end up doing is making Firefox do the same things Brave does by default already, fingerprinting yourself in the process because hardly any other Firefox user shares your setup. Your approach is faulty at best.”
        Brave doesn’t do the same thing from default, even Brave team denies that. Lying as if your life depends on it, eh? Can you mention all the metrics Brave protects in default state? Spoiler alert – not many if any compared to user.js, of course as asked some examples would be nice than lying again.

        “Learn to read, seriously. I have in no way endorsed Opera VPN. I merely cited as an example of a browser protecting the IP address, without commenting on whether or not anyone should use this particular service. You were acting as if a browser protecting the IP address is rocket science, which is ridiculous. Of course it’s possible.”
        I didn’t even said you endorsed Opera, but Irony Heart common sense has reached its limit. However you did mentioned Opera VPN even though it has serious privacy issues, and that in itself is laughable.

        “> IPV6 doesn’t leak just through browsers but through every app, software.

        I am aware. And? Does it matter that your MAC address leaks on some Fire TV Stick or something? It doesn’t. Where it matters is when you do your browsing online, and when online trackers take note of it. I only care about things that matter, your sentence is totally irrelevant to what I am trying to convey.

        > In Firefox there is option to disable it for users who for some reason doesn’t want to disable IPV6 on router/device level. Does Brave have option for that? Does Brave have protection against that?

        Counter-question: Does it matter where you disable IPv6, either in the OS or in the browser? Answer: It doesn’t, both settings do the same thing for your online browsing. Brave strictly adheres to the OS setting.”
        I quite liked what you did there. Contradicting yourself on the same topic in different lines. Way to go shill. As for my original question – ‘does Brave have protection against that’ You revealed – it doesn’t have, which in itself is a serious issue but then I didn’t expected a solution from Brave, so end of story. Seriously you really did make a fool of yourself there by contradicting in most embarassing way.

        “> The crowd part when dealing with browser fingerprinting, that was what I was pointing, you’re welcome.

        I don’t even know what you want from me here. Brave users form a behavioral crowd, they have no issue as far as crowd building is concerned. Anti-FP behavior is consistent across browser installations there, can’t say the same about Firefox.

        > No idea what you’re trying to say there.

        It’s not very hard to understand, at all. I won’t repeat it again.”
        You’re right its not hard to understand, Brave users doesn’t form a crowd because of connection info, timezone, Canvas leak, OS info etc etc- differences which by the way are real leaked values and doesn’t allow it to form a crowd.

        “You allow Canvas when you experience breakage, e.g. when pictures can’t be rendered correctly. Of course, from a privacy perspective only, allowing Canvas is not advised, but it can be necessary to “unbreak” pages. I have already showed you examples of this, I won’t add any further ones because they always describe the same issue anyway. It also doesn’t matter if we talk about Tor or Firefox in this case, in both cases RFP causes the issue, there is no difference.”
        Tor team clearly advises against that, so your point is of no value. Its the same like crying over non-availability of microG in GrapheneOS when clearly GrapheneOS is for something else. So next time take care or maybe don’t mention Canvas breakage in Tor, when it clearly doesn’t make any sense.

        Mentioning WebGL in Brave, for once visit their GitHub and find issues about it in strict mode.

        “> First when I asked where user.js claimed to completely defeat fingerprinting?

        Their settings recommendations tell you this already. They are aimed at advanced scripts. It doesn’t, and will never actually work without serious crowd building.

        > You didn’t provide any links.

        https://github.com/arkenfox/user.js/blob/master/user.js

        Look at the settings recommendations I have cited before, RFP, disable WebGL, disable WebRTC, you can find all those recommendations in it. This is aimed at advanced scripts, against which this can never actually work without a large group of like-minded user to hide in.”
        And does this answer the question – where user.js guide claimed this like you said? And this time don’t deflect the question? Either answer it or don’t write about it, that’s the way to go in binary world.

        “It’s a Tor imitation even, LOL. But will never work same as the real Tor because of the aforementioned crowd building deficit and because a lack of protection of the network level, which is an integral part of Tor, but which such a user.js file logically can’t provide.”
        First you didn’t addressed the point raised. Plus there are differences between Tor and Arkenfox apart from network level, which is why Arkenfox have some instructions – I guess they need to be titled as ‘Some instructions for beginners who think Arkenfox is same as Tor, for more info read point 1.’ So stop repeating your lie of network level and all that stuff. Get yourself updated and if not, stop lying.

        “Nah. You seem to be aware of the Brave Browser’s GitHub, go to the privacy section and you’ll find out that it does more or less the same thing as some user.js file for Firefox.”
        I’m not a fanboy, so yeah I am aware of Brave Browser’s GitHub, but more importantly I don’t lie about user.js like you’re doing there, as Brave browser’s protections are not the same. Again I’m saying this – to find more about this visit Brave Browser GitHub page.

        “You are being insolent again, you have never conclusively proven that I have lied anywhere, because I haven’t. I am consistent with the facts and with myself, you are a troll with fanboy glasses on who has serious deficits in learning / understanding and likes throwing tantrums at me. That’s the truth, and yes, I am very tired of it by now.”
        You stole my line there – I am very tired of dealing with your lies, your incomplete knowledge about stuff you don’t properly understand. As for “consistent with the fact” – you lied in your last few comments again, even about Brave browser. And I can confirm this is coming from someone with Fanboy glasses on.

      13. Iron Heart said on August 4, 2021 at 9:43 pm
        Reply

        @Yash

        > At the end of the day you’re nothing but another certain products as*licking fanboy. GoogleZilla Firefox – how about Brave shill?

        I don’t think that I am a “Brave shill”. You have to understand several things: First, my choices should be respected just like any other choice, especially when you can’t prove to me that my choices are actively harmful to my privacy. Secondly, Brave is the most lied about browser here, by a long shot. They are called an ad company which is not accurate, they are a browser company trying to reform the ad business by providing privacy-respecting locally chosen ads where users can earn their fair share. That the browser optionally shows ads and rewards the user with BAT doesn’t mean that it is disrespectful of user privacy, but it is always portrayed in that manner. Brave is being trashed for using affiliate links which every other browser also uses, in Firefox’s case this happens with every single Google search even. I don’t like these malicious lies, especially those coming from fanboys of competing products which do zilch for user privacy by default. And last but not least, that I have to defend myself here all the time has something to do with the toxic community here, sadly especially the Firefox community. Look at this triple diaper fool above and you will understand.

        Respect my choices, don’t spread lies, and try to look beyond your own toxic little community, and we should get along.

        > Mentioning Proton again – well you didn’t read the last comment in VPN thread which revealed all the dirty tricks of your trash links back in 2019, but then you are a troll.

        OK. Let’s say if I were the CEO of some data mining company running an ostensibly private service… The reveal that a data mining company operates a supposed privacy service should end that service right then and there, correct? Wrong, hehe. I can still rely on people like you after all, people who are dismissing what is right in front of their very noses, and believe the refutations written by my employees that are not even close to believable when you look at them in an unbiased way.

        I am not expecting that you admit that you have been fooled by a data mining company, I know that your pride is in your way here (although this is silly really, one can readily admit that one was wrong when writing under some pseudonym, this isn’t real life)… But what you should be doing in the interest of others, is to put your pride aside for a moment and stop promoting services that have very shady business connections that point to them not being entirely honest about their privacy protection promises. If you can’t admit your error, please don’t harm others at least by further promoting the error.

        > user.js as snake oil – in Brave latest updates, even Brave browser is a part of that, so they’re also snake oil.

        No idea where you see the relationship between a user.js file and Brave, apart from the fact that they are largely protecting the same thing. Brave does it by default which means that every single one of its users profit from it. It also has consequences for the effectiveness of these settings against fingerprinting.

        > Unfortunately you don’t understand sarcasm, bad for you.

        With all due respect, you are defending wrong ideas with such vigor and endurance at times, that it is hard to tell when you are using sarcasm and when you do not. At times I thought “This has to be sarcasm.” but then you promote what I previously thought of as sarcasm in such an aggressive and strongly convinced manner, that I have given up on the differentiation when it comes to you. Yes, really.

        > Brave doesn’t do the same thing from default, even Brave team denies that.

        I have never seen them discuss random user.js files, I don’t know what you are referring to. But for the sake of argument, let’s turn this ship around: Which settings in your user.js file do you think Brave doesn’t tackle?

        > Can you mention all the metrics Brave protects in default state? Spoiler alert – not many if any compared to user.js, of course as asked some examples would be nice than lying again.

        Would you care to use your brain here? Firstly, have you ever checked which metrics the vast majority of fingerprinting scripts check for? Spoiler alert – not many, and those are covered by Brave already. Tackling further metrics, while planned, always comes at a web compatibility cost and since Brave aims to have fingerprinting defenses on by default, this needs to be done in a reasonable manner, always weighed against usability.

        Secondly, at least Brave tackles all these metrics by default, Firefox by default does absolutely nothing and reveals the real values. As you belong to I didn’t even said you endorsed Opera,

        You: “Mentioning Opera VPN, good job there, do you know something about their owners? You have embarassed yourself there.”

        Opera’s ownership would only matter to me if I used their service myself or promoted it to others, neither of which is the case.

        > However you did mentioned Opera VPN even though it has serious privacy issues, and that in itself is laughable.

        I cited it as an example of the browser protecting the IP address without further judging it.

        > I quite liked what you did there. Contradicting yourself on the same topic in different lines.

        Aha, OK? Where do you see the contradiction in these two statements?

        1) I don’t care whether or not my MAC address leaks in applications or devices unrelated to my browsing. It only really matters when online trackers take note of it.
        2) Whether you disable the MAC address leak in the browser or in the OS makes no difference for your browsing, for the leak in the browser.

        Both statements are true and do not contradict each other. Both statements also summarize what I said above.

        > You revealed – it doesn’t have, which in itself is a serious issue but then I didn’t expected a solution from Brave, so end of story.

        Firefox’s setting duplicates the OS setting as far as your browsing is concerned. It doesn’t matter whether you disable IPv6 in the browser or in the OS. Whether or not it leaks in other apps – who the fuck cares? What matters is that it doesn’t leak while you browse because that’s when you are being tracked. Chromium or Brave have no reason to duplicate settings of operating systems, there is no benefit to this.

        > You’re right its not hard to understand, Brave users doesn’t form a crowd because of connection info, timezone, Canvas leak, OS info etc etc- differences which by the way are real leaked values and doesn’t allow it to form a crowd.

        Dude, what do you want from me? Brave enables FP defenses by default, it is the only browser apart from Tor and more minor ones like Bromite which does that. Only the browsers who have FP defenses enabled by default have a shot at crowd building. You are correct that Brave does not yet protect certain values, but the explanation is that a) the FP defenses are still young and b) if they mean to keep the FP defenses enabled by default in the future, they need to tackle those values in a way that does not destroy web compatibility too much.

        You can criticize the current state of Brave’s FP defenses (although I think this is dumb, it can efficiently protect against what most FP scripts check for), but this is not a criticism of Brave’s concept which is having the FP defenses enabled by default. Conceptual criticism is not the same as criticism of the current state, even though you seem to think that it is the same thing.

        > Tor team clearly advises against that, so your point is of no value.

        I am aware and I have already agreed that disabling Canvas protections is detrimental to privacy. But what are you going to do when things break? You either resign yourself to the fact that you can’t browse the website where the breakage occurred or you disable the Canvas protections to unbreak it. Which do you think is more likely for most users? Also, given how common Canvas use is across the web, this is also an issue that needs to be tackled, as the Tor devs readily admit, if you ever asked them. I don’t see how the discussion of web compatibility issues is of “no value” especially when they are widespread.

        > Mentioning WebGL in Brave, for once visit their GitHub and find issues about it in strict mode.

        I don’t know what you mean. Brave in strict mode disables WebGL, this comes with all the issues disabling WebGL entails and they are currently looking at other options, e.g. stronger randomization.

        > And does this answer the question – where user.js guide claimed this like you said? And this time don’t deflect the question? Either answer it or don’t write about it, that’s the way to go in binary world.

        OK, you have two options here:

        1) You can look at the settings recommendations of these user.js files and then think that those are given just for fun, and don’t actually aim at advanced scripts.
        OR
        2) You can look at the settings recommendations of these user.js files and acknowledge that some recommendations only make sense if the user.js aims to tackle advanced scripts.

        Hmm, I wonder which it is… Guess it is 1), because that is what you just said, alright? Plus, if logically looking at the recommended settings is not enough for you, if you like to have a confirmation straight from the horse’s mouth, I invite you to look at all those links the diaper-loving anonymous moron has posted above, there you will see Pants claiming that the user.js setup has a shot at beating advanced scripts, which is, without serious crowd building and without the network level being tackled, nothing more than a day dream.

        > First you didn’t addressed the point raised. Plus there are differences between Tor and Arkenfox apart from network level, which is why Arkenfox have some instructions – I guess they need to be titled as ‘Some instructions for beginners who think Arkenfox is same as Tor, for more info read point 1.’ So stop repeating your lie of network level and all that stuff. Get yourself updated and if not, stop lying.

        I already told you why the sad Tor imitation (which is, in fact, almost a 1:1 copy) can never work as intended, no need to rinse and repeat. It tries to transfer concepts that only work in Tor to Firefox, this is about the dumbest thing I have ever seen. There is a reason why Tor has to do these things by default without you touching its settings, there is a reason why Tor ships with network protection. Sorry to say, but I am tired of discussing random snake oil.

        > Again I’m saying this – to find more about this visit Brave Browser GitHub page.

        Yeah, well, what I see there is the equal of a user.js file, this time implemented correctly (= by default), what I see is miles ahead of default Firefox, and ultimately validates my choice upon closer inspection.

        > You stole my line there – I am very tired of dealing with your lies, your incomplete knowledge about stuff you don’t properly understand. As for “consistent with the fact” – you lied in your last few comments again, even about Brave browser. And I can confirm this is coming from someone with Fanboy glasses on.

        I’ll take you seriously once you show that I have contradicted myself in a meaningful way that is obvious to anyone else here other than the little bird in your head making up stuff. You and the diaper loving idiot above, are the only people constantly hating on me here, trying to proof that I am a “liar”, “ignorant”, “fanboy” and many ridiculous things more… While I myself and the many people I have supported on this blog already seemingly never had any serious problem with me. Strange thing, eh? I hope you are OK, because frantically shouting “LIAR!” at other people without conclusive evidence of lies is not.

      14. Yash said on August 5, 2021 at 9:39 am
        Reply

        @Iron Heart

        “I don’t think that I am a “Brave shill”. You have to understand several things: First, my choices should be respected just like any other choice, especially when you can’t prove to me that my choices are actively harmful to my privacy. Secondly, Brave is the most lied about browser here, by a long shot. They are called an ad company which is not accurate, they are a browser company trying to reform the ad business by providing privacy-respecting locally chosen ads where users can earn their fair share. That the browser optionally shows ads and rewards the user with BAT doesn’t mean that it is disrespectful of user privacy, but it is always portrayed in that manner. Brave is being trashed for using affiliate links which every other browser also uses, in Firefox’s case this happens with every single Google search even. I don’t like these malicious lies, especially those coming from fanboys of competing products which do zilch for user privacy by default. And last but not least, that I have to defend myself here all the time has something to do with the toxic community here, sadly especially the Firefox community. Look at this triple diaper fool above and you will understand.

        Respect my choices, don’t spread lies, and try to look beyond your own toxic little community, and we should get along.”
        In this thread no one mentioned Brave and yet you have to show your face, shitloading another article thread again. Plus certain users use some products but you’re the one who question them without providing any proof. And then you had to write all this after that. Irony has reached its limit.

        “OK. Let’s say if I were the CEO of some data mining company running an ostensibly private service… The reveal that a data mining company operates a supposed privacy service should end that service right then and there, correct? Wrong, hehe. I can still rely on people like you after all, people who are dismissing what is right in front of their very noses, and believe the refutations written by my employees that are not even close to believable when you look at them in an unbiased way.

        I am not expecting that you admit that you have been fooled by a data mining company, I know that your pride is in your way here (although this is silly really, one can readily admit that one was wrong when writing under some pseudonym, this isn’t real life)… But what you should be doing in the interest of others, is to put your pride aside for a moment and stop promoting services that have very shady business connections that point to them not being entirely honest about their privacy protection promises. If you can’t admit your error, please don’t harm others at least by further promoting the error.”
        Again no proof or anything like that, same old shit. Read Github thread back from 2019. You’re humiliating yourself by writing same old nonsense and your false claimes have already been proved false. Again Irony has reached its limit.

        “No idea where you see the relationship between a user.js file and Brave, apart from the fact that they are largely protecting the same thing. Brave does it by default which means that every single one of its users profit from it. It also has consequences for the effectiveness of these settings against fingerprinting.”
        I didn’t even said there is a relationship between user.js and Brave. Plus they are not protecting same things, visit Brave Github issues befoe lying again.

        “With all due respect, you are defending wrong ideas with such vigor and endurance at times, that it is hard to tell when you are using sarcasm and when you do not. At times I thought “This has to be sarcasm.” but then you promote what I previously thought of as sarcasm in such an aggressive and strongly convinced manner, that I have given up on the differentiation when it comes to you. Yes, really.”
        Dude I don’t use Express and that part about its owners was meant as a joke. To understand jokes and sarcasm, first put on some irony diapers, also put them on when talking about Proton without any proof.

        “I have never seen them discuss random user.js files, I don’t know what you are referring to. But for the sake of argument, let’s turn this ship around: Which settings in your user.js file do you think Brave doesn’t tackle?”
        Did I said Brave team discuss user.js file? No, then why are you lying? Plus no ship turning around, in my previous comment I mentioned some metrics Brave doesn’t protect, read that first. Again Irony has reached its limit.

        “Would you care to use your brain here? Firstly, have you ever checked which metrics the vast majority of fingerprinting scripts check for? Spoiler alert – not many, and those are covered by Brave already. Tackling further metrics, while planned, always comes at a web compatibility cost and since Brave aims to have fingerprinting defenses on by default, this needs to be done in a reasonable manner, always weighed against usability.

        Secondly, at least Brave tackles all these metrics by default, Firefox by default does absolutely nothing and reveals the real values.”
        I asked the name of some metrics, you didn’t provide, so discussion ends there. No usual Irony lies are accepted here. Either mention the name of some metrics to back your claim or STFU.

        “You: “Mentioning Opera VPN, good job there, do you know something about their owners? You have embarassed yourself there.”

        Opera’s ownership would only matter to me if I used their service myself or promoted it to others, neither of which is the case.

        > However you did mentioned Opera VPN even though it has serious privacy issues, and that in itself is laughable.

        I cited it as an example of the browser protecting the IP address without further judging it.”
        If someone else mention something, its endorsement. For you its not, even though you mentioned a joke service. Irony logic has reached its limit.

        “Aha, OK? Where do you see the contradiction in these two statements?

        1) I don’t care whether or not my MAC address leaks in applications or devices unrelated to my browsing. It only really matters when online trackers take note of it.
        2) Whether you disable the MAC address leak in the browser or in the OS makes no difference for your browsing, for the leak in the browser.

        Both statements are true and do not contradict each other. Both statements also summarize what I said above. ”
        You even contradicted on your contradiction, you questioned Firefox for having an option to disable IPV6, then said it matters in browser, fair enough. Then in Brave’s case it doesn’t matter and now online tracking has come in. Irony contradictions are in full swing.

        “Firefox’s setting duplicates the OS setting as far as your browsing is concerned. It doesn’t matter whether you disable IPv6 in the browser or in the OS. Whether or not it leaks in other apps – who the fuck cares? What matters is that it doesn’t leak while you browse because that’s when you are being tracked. Chromium or Brave have no reason to duplicate settings of operating systems, there is no benefit to this.”
        Again another contradiction.

        “Dude, what do you want from me? Brave enables FP defenses by default, it is the only browser apart from Tor and more minor ones like Bromite which does that. Only the browsers who have FP defenses enabled by default have a shot at crowd building. You are correct that Brave does not yet protect certain values, but the explanation is that a) the FP defenses are still young and b) if they mean to keep the FP defenses enabled by default in the future, they need to tackle those values in a way that does not destroy web compatibility too much.

        You can criticize the current state of Brave’s FP defenses (although I think this is dumb, it can efficiently protect against what most FP scripts check for), but this is not a criticism of Brave’s concept which is having the FP defenses enabled by default. Conceptual criticism is not the same as criticism of the current state, even though you seem to think that it is the same thing.”
        You didn’t addressed the point raised. Brave’s fingerprinting protections are useless and FYI Bromite is better at them than Brave in smartphones. Of course some examples are always nice than pure lying which you did there
        As I asked in previous comment and this comment too earlier – mention some metrics Brave covers and compare them to say Bromite. Even Bromite does better job than Brave.

        “I am aware and I have already agreed that disabling Canvas protections is detrimental to privacy. But what are you going to do when things break? You either resign yourself to the fact that you can’t browse the website where the breakage occurred or you disable the Canvas protections to unbreak it. Which do you think is more likely for most users? Also, given how common Canvas use is across the web, this is also an issue that needs to be tackled, as the Tor devs readily admit, if you ever asked them. I don’t see how the discussion of web compatibility issues is of “no value” especially when they are widespread.”
        Nonsense stuff, you use Tor as intended, period. Plus in Tor’s safest settings, there are more breakage than Canvas, even in its lower security settings Canvas breakage is the least worrying as there are many other, so your point is pure trash. Of course some examples are nice, by the way this time mention Tor specific ones than Firefox like you did before foolishly.

        “I don’t know what you mean. Brave in strict mode disables WebGL, this comes with all the issues disabling WebGL entails and they are currently looking at other options, e.g. stronger randomization.”
        In this thread you said Brave randomize WebGL which is better than Firefox in terms of web breakage as Firefox disables it. And here you’re saying Brave disables it which then brings it level to Firefox, beep beep another contradiction. Plus Brave team has something else to say in all this. So the main question is what on earth are you smoking contradicting yourself in same thread?

        “OK, you have two options here:

        1) You can look at the settings recommendations of these user.js files and then think that those are given just for fun, and don’t actually aim at advanced scripts.
        OR
        2) You can look at the settings recommendations of these user.js files and acknowledge that some recommendations only make sense if the user.js aims to tackle advanced scripts.

        Hmm, I wonder which it is… Guess it is 1), because that is what you just said, alright? Plus, if logically looking at the recommended settings is not enough for you, if you like to have a confirmation straight from the horse’s mouth, I invite you to look at all those links the diaper-loving anonymous moron has posted above, there you will see Pants claiming that the user.js setup has a shot at beating advanced scripts, which is, without serious crowd building and without the network level being tackled, nothing more than a day dream.”
        The point of user.js is to prevent fingerprinting and since Firefox is a superior browser, for the most part it can do it, but then user.js never claimed its effective 100% and says to use Tor depending on threat model, but you lied about user.js and when asked to back your claim you didn’t addressed your own point. Way to go Fanboy? Plus Tor and Arkenfox are two different projects and there are differences apart from network level. To find them put on some jumbo diapers and stop using your pathetic logic.

        “I already told you why the sad Tor imitation (which is, in fact, almost a 1:1 copy) can never work as intended, no need to rinse and repeat. It tries to transfer concepts that only work in Tor to Firefox, this is about the dumbest thing I have ever seen. There is a reason why Tor has to do these things by default without you touching its settings, there is a reason why Tor ships with network protection. Sorry to say, but I am tired of discussing random snake oil.”
        You’re lying here by saying both are nearly same or 1:1 copy, here’s one difference – media.navigator which is already covered by RFP. In Tor it is disabled for obvious reasons, in Arkenfox it is handled by RFP. Lying as if your life depends on it, eh? Plus no more discussion on this topic if you have to lie again. Use your brain and provide some evidence to prove Arkenfox is a copy of Tor apart from network level, if you can.
        Since you wrote all this lie and proved you’ve never used Arkenfox file, then don’t question some aspects. I question Brave coz I have used it and try it sometimes than lying as you do all the time.

        “Yeah, well, what I see there is the equal of a user.js file, this time implemented correctly (= by default), what I see is miles ahead of default Firefox, and ultimately validates my choice upon closer inspection.”
        For the third time in this comment and multiple times before, mention some names of metrics?

        “I’ll take you seriously once you show that I have contradicted myself in a meaningful way that is obvious to anyone else here other than the little bird in your head making up stuff.”
        Once when you start reading properly, you’ll see your contradictions. First step towards that path would be big sized jumbo dipers and read your own comments in this thread.

        Plus its you who shout liar, fanboy at other folks without using your brain, so good irony there.

      15. Iron Heart said on August 5, 2021 at 5:20 pm
        Reply

        @”Anonymous”

        > Thanks CompatWombat. I see from his rant below that IronHeart is obsessed with people’s identities, rather than the discussion at hand. He sees conspiracies everywhere and misses facts e.g. all ghacks comments are public domain. Why is he so obsessed with Pants? Why does he want her real ID and credentials when they are not needed? Why does arkenfox trigger him?

        I never wanted the real identity of anyone (What would I do with it anyway? Entirely uninteresting.), it would suffice if known posters wouldn’t hide behind “Anonymous” all of a sudden, it’s called nickname hopping. You seem to have a protocol of my conversations with Pants (albeit maliciously altered, to fit the narrative)? Why? I don’t know. You are either unhealthily obsessed about these conversations or there is something else to it. Hmm…

        If I ever asked for what you call “credentials” (I simply call it proof of work experience, LOL), then solely because a certain level of expertise was outright stated to be held by a certain someone. I see no coding history anywhere and of course I can call that certain someone out on it.

        I am not obsessed with “arkenfox” or similar random projects at all, @ULBoom brought up user.js files as a supposed way of improving user privacy, and I pointed out that this is a faulty concept at best. Anyone who has the ability to read can see this here, you are not fooling anyone.

        > FLoC-loads

        You think it’s funny creating memes out of FLoC, which is disabled in Brave!? Are you this retarded?

        > He was told over a year ago that RFP randomizes canvas: “in FF78+ it randomizes some Canvas APIs and spoofs the rest as static”. He has been told this dozens of times since, as it is central to debunking his whole year+ long BS argument that RFP does not work in Firefox and that Brave is superior because it “farbles”

        Still the same shit coming from you. RFP doesn’t work against advanced scripts as it lacks the crowd, it may also fail even against naive scripts because the Canvas protection is a broken mess that regularly needs to be disabled for a somewhat OK web experience, and WebGL isn’t covered by RFP in the first place. If you disable WebGL as these random user.js files recommend, web compat issues will emerge very rapidly. So two high value entries (which are sometimes the only values scripts check for, because they are such strong identifiers) leak, the IP address leaks, and extensions possibly leak. In no realm of imagination can this be called effective.

        > naive/advanced have nothing to do with the number of metrics gathered. More made up nonsense no one else has ever said. Naive refers to swallowing a poison pill

        You again omitted something deliberately: WHY does it swallow the poison pill? Answer: Because its outlook on other metrics isn’t extensive. If it looked on a great number of other metrics, the poison pill wouldn’t save you anymore because users can be identified at near 100% accuracy WITHOUT the poison pill then, meaning that the (Canvas) poison pill can be totally excluded and high accuracy can still be achieved regardless. Scripts looking for more than a few entries are thus called “advanced”, this logically includes not swallowing the poison pill and I have just explained why. My terminology is factually correct, as you well know. Stop lying here.

        > Go to coveryourtracks with Brave’s Shields on, and every time it will return canvas as “randomized” – this is a static value, and proves that everything comes down to lowered entropy.

        Incorrect. Brave returns different Canvas hashes across different sessions, these hashes are not static because they are changing. What can be observed though is that Brave always randomizes, its behavioral patterns are certainly static, but not the very hashes themselves. Not sure if you are willfully ignorant or malicious here, or just lacking in terminology, it is not hard to understand at all.

        > When randomizing is neutralized, then you need a crowd, I have never said otherwise, ever.

        It’s not getting neutralized. That you see all Brave users randomizing doesn’t mean that you can suddenly identify any of them. An accurate identification would require the leak of real values (or a normalization of randomized values, which I don’t think is possible depending on how the randomization is implemented). Observing randomness doesn’t tell you anything, in fact, it might even be helpful for Brave users, since it creates consistency of behavior across installations and makes identifying specific users harder, not easier as you falsely claim.

        > Brave has no crowd because it lacks hundreds of metrics coverage.

        Yet. It’s still a work in progress, the FP defenses are just one year old. More on your unfairness regarding this point below.

        > Firefox has no default crowd because it isn’t used by default (and lacks a couple of metrics coverage). I have never claimed anything else.

        You claim that RFP can work against advanced scripts in Firefox, outside of Tor. It can’t, for reasons already laid out. Stop lying.

        > So IronHeart is claiming Tor Browser doesn’t work either then, even against advanced scripts where randomizing is rendered useless to a static value.

        Huh? Where did I claim this? Tor works against advanced scripts because it has a crowd, a crowd that Firefox will never have. Tor does suffer from Canvas breakage, breakage caused by WebGL being disabled etc., which might make users “blow their cover” to alleviate experienced breakage. In this respect, Tor’s defenses don’t work in practice at times because these users won’t maintain discipline if their websites don’t work, but that doesn’t mean that the concept, the basic idea is a total failure, as you imply I’ve said (surprise: I haven’t, not even in the links you’ve posted) – it just means that a good idea can have (serious) issues in practice. Tor’s concept also can’t just be transferred to Firefox, it simply doesn’t work as intended (crowd building implications) and RFP is a Tor thing, more on that below.

        > Hold on while I inform tens of thousands of researchers and experts and documented proofs and real world studies, that they all fucked up and are wrong, and that IronHeart the DIAPER KING is a genius

        Your childish insolence aside, that WebGL and Canvas etc. are issues is ADMITTED TO by the very Tor devs, experts, real world studies that you are trying to throw at me here. None of them claim perfection, or are as ignorant towards issues as you are. Your Iron Heart vs. “the experts” made up conflict is getting old by now, people will be able to find similar BS, the same contrived, totally fabricated conflicts in other discussions if they actually care to click on your links. Listen, this rhetorical trick you are attempting here would only work if I was in disagreement with those experts, but I am not. These issues are public and admitted to, nobody except nutters like you claims that Tor is perfection. They all would tell you that it is a best effort and that there is room for improvement, with certain areas of possible improvement already identified, if you would only ever ask them.

        > allowing canvas on a site does not compromise linkability – see what Pants says

        Bullshit. Canvas has extremely high entropy, so much so that a leak there, combined with WebGL, can already identify a user almost 100%, without having to check for any other value. Again, simple scripts sometimes only check for these two values, apparently they are enough to identify users with extremely high accuracy, otherwise they would have to check for more by now.

        > this is exactly what Brave does when toggling between strict/standard

        That’s incorrect, and you know it.

        > it relaxes some metrics per site

        Yes, but not all of them. That is the entire point of having a Standard and an Aggressive mode.

        > so it’s OK for Brave, but not RFP? Does Brave operate in an alternative universe?

        Where did I say this? Both browsers randomize Canvas, Firefox has more web compat issues with its implementation so far, but the general idea is the same. It would not make sense for me to differentiate them for this value, and surprise surprise, I didn’t, even though you maliciously imply I did. It gets old.

        > site X: ten Brave users with fingerprint B visit once each
        ?> site X: one Tor Browser user with fingerprint T visits ten times
        ?> What does the site see?: it sees 10 visits each from fingerprints B and T. It cannot tell any other differences between them.

        Not done fooling people just yet? Brave has randomized fingerprints, meaning that it doesn’t return static values for the most part (as I said, this is decided on a per-metric basis). The only thing “static” here is the observation that Brave randomizes.
        Firefox may return what you call “Fingerprint T” in your example because it doesn’t produce randomized fingerprints, but rather a static one (select poison pills like Canvas aside). As for how realistic it is to maintain “Fingerprint T” in Firefox, seeing how breakage-inducing their Canvas defenses are, seeing how WebGL leaks and can only be completely disabled as a remedy etc. is anyone’s guess.

        > IronHeart claims Tor Browser fails and you are linkfied. But if you flip it (1 brave user visits 10 times), apparently Brave is safe.

        Tor Browser, as a concept / idea, does not inherently and necessarily fail. In practice, it fails oftentimes, because users can’t use a browser this broken, at least not as a general use browser (which Tor wasn’t meant to be, either). Canvas and WebGL are the main issues, but there is more. The idea of a common Tor fingerprint requires strict discipline from the user when it comes to sticking with the defaults, and for practical web compat reasons, I don’t see it happening in the real world. If you do, check out the reality of the Tor Browser Bundle by actually using it.

        Also, you need to decide whether we talk about Tor or Firefox here, these software products are not quite the same. You are trying to deliberately deflect and confuse here, I feel.

        > This wasn’t even the first time (of many) IronHeart keeps claiming that lowering entropy only works in an alternative reality with Brave

        Correction: This wasn’t the first time that you maliciously implied I said that. Do you think putting idiotic arguments in my mouth that everyone who actually clicks on these links you’ve posted will see were never actually uttered by me, will help you here? This just shows your stupidity and moral bankruptcy, nothing else.

        > Brave has all these same issues (substitute dozens of other metrics for webgl)

        WebGL is higher entropy than many values that Brave does not yet protect. Care to explain why Firefox fails to protect WebGL for once, is there some time for that amid your anti-Brave rants?

        > Micay is not a fingerprinting expert. No-one has disputed what Micay said, in fact I have agreed with Micay, numerous times.

        And yet arkengem which you are an “anonymous fan of”, of course, recommends disabling WebRTC and WebGL as a defense measure against fingerprinting, directly opposed to what Micay says:

        “Providing the offer to disable features to reduce attack surface can be useful. Doing it to prevent fingerprinting is utter nonsense since by changing any settings that sites can detect you have made yourself far more easily fingerprinted. Disabling WebRTC and WebGL would make you far easier to fingerprint, not harder. These sites encouraging things like that is a problem.”

        source: https://old.reddit.com/r/GrapheneOS/comments/ciizae/vanadium_and_bromium_privacy/ev6m2ot/

        Also, Micay has implemented fingerprinting defenses in Vanadium, which is the Chromium fork used in GrapheneOS. He is a developer with years of experience in the field of software security and privacy, and he calls useless user.js projects, stomped out of the ground by random nobodies with no public coding history, and don’t understand these defenses in depth, “a problem”.

        > I have only disputed what IronHeart says when he twists Micay’s words.

        How am I twisting them? I have quoted him unaltered and linked to the post, you can hear straight from the horse’s mouth that user.js garbage doesn’t actually work as intended, if you wish. I also challenge you, dear “Anonymous”, to publicly debate him or other developers.

        > Irrelevant

        I don’t think so. I am constantly stating that Brave’s FP defenses are a work in progress, which is a fair assessment of the current state. You don’t acknowledge this admittance of mine, preferring to maliciously imply that I ever said that Brave was already perfect. I didn’t, as anyone who cares can read in the links you yourself posted. A fair comparison would have to take into account that Brave’s defenses are still young and receive constant updates, but you are not quite fair, are you?
        You are heavily biased towards Firefox because a certain favorite GitHub project of yours relies on its continued existence. How long did it take Firefox to implement certain defenses? Answer: Years and years, serious work started in 2017, 4 years ago (and still, the WebGL metrics aren’t even covered, good graces…). Brave’s defenses are 1 year old. Way to go. I admit that it is a work in progress, you don’t want to acknowledge it because that would require a degree of good faith towards me and the Brave Browser, a degree of fairness that you just don’t possess.

        > IronHeart confuses the issue of why RFP went with their current canvas solution four years, instead of subtle randomizing.

        Yeah and look at the results, alright? Firefox can’t enable their fingerprinting protections by default, for all users, because they break too many things. Canvas? Completely broken, will never get enabled by default in its current state.?In the end, Firefox users remain totally unprotected by default, and those who do enable the FP defenses can’t really defend against advanced scripts because there is a pronounced lack of a crowd of FP-resistant Firefox installations.?
        This brings me to another point I have repeatedly stated, which you either don’t understand or maliciously ignore: Brave is a general use browser. It can only break so much, and yet at the same time, it aims to have FP defenses on by default. Meaning there will be necessarily be compromises, which IMHO is OK because it is still not as bad as having no defenses enabled at all (the Firefox default) or having defenses that break websites left and right, yet only end up defending against “naive scripts” same as Brave, because there will never be a sizable crowd of like-minded users (moidified Firefox).
        Even Firefox’s best case scenario, a tiny amount of users going out of their way to enable RFP, thus has a skewed web compat cost / de facto privacy benefit ratio.?Face it, the anti-fingerprinting defenses of Firefox solely exist in the browser to ease Tor development. Tor enables them by default, and a certain amount of associated breakage is acceptable there because Tor is a special purpose browser where privacy will always be prioritized over usability. That this is not transferable to a general use browser like Firefox seems to escape you entirely.
        Even if one tries to transfer it, no benefit vs. Brave (both beat naive scripts) comes at a heavy, Tor-like web compat cost here. I understand that you feel like you have to defend a concept of which you are a proponent (user.js files), but ignorance of reality will only carry you so far.

        > Brave’s randomizing per-eTLD+1 per-session actually creates a unique tracking id (per-eTLD+1 per-session), which Tor Browser does not want, not to mention that the subtlety carries risks: such as averaged bypasses or flat out being too subtle and completely bypassed

        See the paragraph above, Brave is a general use browser, only a certain amount of breakage is acceptable here. Still better than no defense at all (Firefox default) or accepting breakage left and right yet still only being able to defend against “naive scripts” (modified Firefox).

        > (which is what Pant’s bug was, which you will not find in a test suite, which she stated – and yes, IronHeart pooh poohed her because he has a BlackHeart)

        Eww. First things first, of course you can find out with a test suite that Brave produces the same Canvas hash per site per session, you can also find out that it changes to a new Canvas hash for the same site after a restart (new session established). You can also find out about possible deficits about these hashes in the process. Whom are you trying to fool? Such test websites lend themselves very well to this and you could have 100% found out about the historical Canvas bug this way, no coding skill required at all. Also, I have taken so much shit from Pants and from you by now that I do not care if she gets offended. I have arrived at “An eye for an eye.” and am content with it unless the permanent insults and false allegations from the opposite party stop for good.

        > It is absolutely designed for Firefox as well. It was invested in by Mozilla, added by Mozilla engineers, re-engineered from earlier Tor patches, and new metrics added – not just for Tor Browser.

        It was obviously not designed for Firefox. Tor uses RFP to defend against advanced scripts, and for this it is essential that RFP is enabled by default. Breakage is more acceptable in Tor because privacy is the sole priority and trumps usability there, but this is not the case for the general use browser Firefox, which is why it is contained in the code but not enabled there. Mozilla has agreed to maintain the associated patches (which came from Tor originally, again showing that it was not designed with use in Firefox in mind) to alleviate the development burden of the small Tor team. End of story.?
        It cannot work as intended in Firefox because Firefox has to keep general usability in mind, hence why it will never be enabled by default, hence why there is no crowd, hence why it will never work against advanced scripts that check for more than just the “poison pill”.

        > Yes it has a dual purpose (i.e for Tor Browser itself), but it has always been the intention to make this part of Firefox: as an option in settings, for Private Mode windows, and for “Tor Mode” windows.

        Option in the settings? Discarded. No crowd building, only works against naive scripts that way.

        Private windows? Tor mode? Firefox doesn’t use RFP in private windows and has no Tor mode right now! I don’t think either implementation is still planned, either. Since I am not allowed to point at the good intentions of the Brave devs to add more metrics to the fingerprinting defenses in the future, why should you suddenly be allowed to point to possible future Firefox initiatives? Neither of the things you mentioned exist in Firefox today, so: Discarded.

        > It is not super high priority because Mozilla understand that without Tor, it’s not a complete solution (see IP which also affects Brave).

        And with “not a complete solution” you mean that it can actually only defend against “naive scripts” same as Brave… Straight from the horse’s mouth at last. Took you long enough. Not that defending against naive scripts is not an honorable goal mind you, but please, stop acting as if it was anything more. You yourself admit that it fails beyond that.

        > And that ETP and fingerprinters blocking, and Total Cookie Protection, and comprehensive network partitioning, and SmartBlock and other items have a much bigger and more immediate impact on privacy.

        Blah blah… BORING. You do realize that fingerprinters don’t need to put local data on the user’s PC, right? FP data can be stored entirely server-side, so all this partitioning talk of said local data is increasingly a dinosaur. Even Google wants to get rid of the cookie (and presumably similar local data) because they realize that they no longer need it.

        > But that is not to say that RFP won’t become enabled in some form that creates large crowds

        Outside of Tor, where privacy is strongly prioritized over usability? No chance in hell, lol.

        > IronHeart just pulls DIAPER FILLING out of his ass?
        > IronHeart the DIAPER KING?
        > OK, hon, get the super-absorbent triple-thick JUMBO pack of DIAPERS!?
        > We’re going to some BIGGER DIAPERS!?
        > newbie alert: GET THE DIAPERS:

        I won’t even react to that, except to express my astonishment that you seem to be very preoccupied with excrements. Rather concerning that this is coming from an adult (Does it?). This would be funny if it weren’t so sad.
        Look, it is understandable that you are frustrated that I am not a believer in user.js snake oil, or that I laugh at certain “proof of expertise” that fails to show any expertise. But I won’t take shit from either nickname hoppers or random anonymous cowards who have insulted me for way too long now. You should ask your conscience (Does it even exist?) if continuously berating, insulting, and lying about another person is an OK thing to do. You are not only doing this at my expense, your posts might also end up deceiving others if they are looking for technical guidance here, which is an even greater shame.
        But hey, I mean, whatever you do now, I think people have already gotten a lovely introduction into the cosy cult of Firefox by you. If the community is as toxic as you are, it’s really unsurprising to me that nobody wants to join anymore. With evangelists like you around, who needs enemies?

        @CompatWombat

        I never said that Firefox’s Canvas randomization doesn’t work, or that it solely works in Brave but doesn’t work in Firefox. This is simply not true, stop spreading (pathetically easy to debunk) lies.?What is also true though is that Firefox’s Canvas randomization causes web compatibility issues that are, so far, avoided by Brave.? But as a concept (web compatibility considerations aside), the same thing as to work in both browsers, anything else is made up nonsense.

      16. Alex said on August 4, 2021 at 9:57 pm
        Reply

        Ungoogled Chromium works pretty well with extensions once you install this.

  6. Zelda said on July 31, 2021 at 7:53 pm
    Reply

    Be careful with this these “privacy” promises coming from Mozilla CORPORATION. While they add new useless “privacy” things to Firefox, they’ve been adding new AUTO CONNECTIONS in newer versions of the web browser THAT ARE HARD TO DISABLE AND THAT VIOLATE THE USER’S PRIVACY!

    A web browser doesn’t need any auto connections to do its main function. Forced auto-updates (which means user cannot disable it) is a SPY function too, because they may install new bugs, intentional vulnerabilities, backdoors in our system and we, the users, must accept it without having the choice of keeping our current and stable web browser which is already running fine.

    ALWAYS AUDIT your web browsers by using Wireshark or tcpdump before running it:

    sudo tcpdump -t -Q out port 53
    The above command will monitor any conns that your desktop application opens without or with your consent.

    You’re allowed to disable many of Firefox SPY connections, but some of them you cannot disable anymore with the “modern” versions of this web browser.

    Finally, remember this: any kind of auto connections openned by a web browser or any other desktop application, kernel, drivers and firmwares IS a spying function, if the user cannot completely disable it! Spread the word before it’s too late!

    1. #RESIST said on August 1, 2021 at 11:04 am
      Reply

      @Zelda said on July 31, 2021 at 7:53 pm

      Are you saying those “hard to disable” phone home features can’t be disabled in about:config alone?

      What can we do then?

    2. ULBoom said on August 2, 2021 at 4:23 am
      Reply

      All of that can be blocked or disabled. What should we use instead?

      (crickets?)

  7. Shadow Banning said on August 1, 2021 at 8:39 am
    Reply

    There’s a massive auto-delete campaign of comments on YouTube affecting many people, don’t know if it’s the new privacy features in recent browser versions or YouTube stepping up censorship but currently with some glitches as it auto-deletes also innocent comments.
    Usually comment vanishes withing 10 seconds, at least with Firefox, having tried Brave and comments stay up to 30 mins to couple of hours.
    https://support.google.com/youtube/thread/116351041/recent-reports-of-missing-comments?hl=en

    not sure if this is some type of new shadow ban in development where ones comment after posting is only visible to the commenter itself but nobody else, following video explains shadow banning for those not aware what it is:
    https://www.youtube.com/watch?v=EpcRDPaFSiA

    1. ULBoom said on August 2, 2021 at 4:30 am
      Reply

      Not sure what to make of that. Similar thing happens here. Comments appear, then disappear for hours (moderation, maybe?) until reappearing. With google properties, no telling what’s going on, they’re a wet rug over the web lately.

      There are always attacks being mitigated everywhere online, many disruptions lately for no apparent reason. I just go with the flow mostly.

      Look at my comment about facebook above. Same general idea. Weird stuff.

  8. ShintoPlasm said on August 1, 2021 at 8:48 am
    Reply

    Has anyone experienced any compatibility issues between this SmartBlock functionality and the Facebook Container extension?

  9. What has happened? said on August 4, 2021 at 9:57 pm
    Reply

    Where are all Firefox news? Latest post, popular post, and Firefox addons???

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.