Firefox 72.0.1 fixes a security vulnerability that is actively exploited

[Arlen Holder]

Firefox 72.0.1 fixes a security vulnerability that is actively exploited
<https://www.ghacks.net/2020/01/08/firefox-72-0-1-fixes-a-security-vulnerability-that-is-actively-exploited/>

"It is rare that an update is released just days after a release."

"Mozilla's Security Advisories hub lists a single vulnerability that has
been patched in Firefox 72.0.1."

"CVE-2019-17026: IonMonkey type confusion with StoreElementHole and
FallibleStoreElement"
<https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/>

The 72.0 release has two nice privacy features...
o The browser now blocks fingerprinting scripts by default for all users.
o A new way of managing websites' requests to send you notifications.
o Enables the picture-in-picture video feature on Mac and Linux machines.
<https://arstechnica.com/gadgets/2020/01/firefox-72-blocks-fingerprinting-scripts-by-default-rethinks-notification-pop-ups/>

--
Usenet allows purposefully helpful adults to share items of common value.

[Arlen Holder]

BTW, if you haven't updated Firefox yet, it might be useful to run this
experiment _before_ you update to Firefox 72.0 (or later).

1. Test your browser fingerprint at Panopticlick:
<https://panopticlick.eff.org/>
2. Update Firefox to the latest version
3. Re-run the fingerprint test.

*Presumably you'll have a lower score with fingerprinting blocked.*

See also:
o Firefox 72 blocks third-party fingerprinting resources
<https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/>
"Firefox 72 protects users against fingerprinting by blocking all
third-party requests to companies that are known to participate
in fingerprinting."

"We've partnered with Disconnect to provide this protection.
Disconnect maintains a list of companies that participate in
cross-site tracking, as well a list as those that fingerprint users."

[John C.]

Great. So yet another reason for Firefox to connect to another remote
server at program startup.

--
John Corliss BS206. No ad, CD, commercial, cripple, demo, nag, pirated,
share, spy, time-limited, trial or web wares for me please. I filter out
posts made from Google Groups and recommend you do likewise. I also
filter out all posts from »Q« (a consummate troll) and Kasey, who
doesn't believe in two-way firewalls.

[JJ]

On Thu, 9 Jan 2020 02:50:25 -0000 (UTC), Arlen Holder wrote:
> o The browser now blocks fingerprinting scripts by default for all users.

Beware though... not every information which are used for fingerprinting,
can be blocked without breaking other functionalities. IOTW, you can block
fingerprinting scripts, but you can't block all of them. Because as long as
there's retrievable information which can be used to distinguish one with
another, fingerprinting can not be blocked.

[Shadow]

On Thu, 9 Jan 2020 19:35:28 -0800, "John C." <r9j...@yahoo.com> wrote:

>> "We've partnered with Disconnect to provide this protection.
>> Disconnect maintains a list of companies that participate in
>> cross-site tracking, as well a list as those that fingerprint users."
>
>Great. So yet another reason for Firefox to connect to another remote
>server at program startup.

Worse, they admit they're blocking bona-fide
fingerprint-detection sites.
Let's see if Panopticlick manages to bypass the censorship.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

[Mayayana]

"JJ" <jj4p...@vfemail.net> wrote

| Beware though... not every information which are used for fingerprinting,
| can be blocked without breaking other functionalities. IOTW, you can block
| fingerprinting scripts, but you can't block all of them. Because as long
as
| there's retrievable information which can be used to distinguish one with
| another, fingerprinting can not be blocked.

It really is a mess. The only real solution is laws.
And what is FF doing about Google, their sugardaddy,
which has turned into a kind of trojan horse? The analytics,
fonts, ads, maps, etc are used by nearly every website.
Who needs fingerprinting when people can be followed
everywhere they go by the likes of Google, Facebook and
a dozen other companies?

Anyone who really cares about this kind of thing should
not be trusting Mozilla. (How about publishing the block list
with a public shaming, Mozilla, instead of trying to control
people yet again?)

Anyone who cares *really* has to prevent most script.
And have a good HOSTS file. I also use the Secret Agent
extension. Though I'm not sure any equivalent is possible
in the post-v.58 crippled version of FF.

Yesterday I was helping a friend who I'd set up with
a HOSTS equivalent in Unbound DNS resolver. It gets
very frustrating trying to help people who just use the
Internet normally. First, Google's captcha didn't work.
And of course, nearly every commercial website uses it.
So I had to unblock some Google things like gstatic.com.
But then images were not showing up. The site was
vermontcountrystore.com. Like many sites these days,
there are really no webpages. Just piles of javascript.
No image links. Just piles of javascript. Without script
it's a blank white field. When I enabled just their own script
using NoScript, the white field showed only a tan bar
across the bottom.
Could it be possible to make more of a mess out of a basic
webpage than these sites are doing? And I expect most
of the webmasters don't even know what they're doing.
They're just plugging in free widgets to jazz up their pages.
And sleazeballs like Google are handing them those widgets
for free. The people building the Web don't even understand
that they're in the hands of Google! I'm surprised Google
hasn't started charging for the maps, recaptcha, fonts, and
so on. Most webmasters would be helpless without all
that stuff.

Where were the images coming from that weren't showing
at Vermont Country Store? I couldn't find any external links
that I might be blocking. The HOSTS was mostly just blocking
ad companies. But the script and CSS on the page were an
endless system of tentacles and I gave up trying to trace
them all back. My friend finally decided that she really wasn't
all that interested in a "seafoam" sun hat after all. :)

[Arlen Holder]

On Fri, 10 Jan 2020 08:24:15 -0500, Mayayana wrote:

> Anyone who really cares about this kind of thing should
> not be trusting Mozilla. (How about publishing the block list
> with a public shaming, Mozilla, instead of trying to control
> people yet again?)

Luckily there are plenty of Mozilla alternatives here:
o Actionable links for (full offline network installer) web browsers
<https://groups.google.com/d/msg/alt.comp.freeware/krNaXA-YEbw/ujUXbqqjBwAJ>

> Anyone who cares *really* has to prevent most script.
> And have a good HOSTS file. I also use the Secret Agent
> extension. Though I'm not sure any equivalent is possible
> in the post-v.58 crippled version of FF.

Personally, I don't recommend extensions simply because I don't recommend
the single-browser-does-all-things swiss-army-knife browser approach.

The hosts file (or similar, like Acrylic or whatever) is better (IMHO).

In addition, my philosophically rational suggestion is to tailor each
browser to the specific task, where that task dictates how strictly you can
set the script blocking.
o Discussion of two different privacy-related browser philosophies
<https://groups.google.com/d/msg/alt.comp.freeware/H4694--5znY/LOOCa11RBgAJ>

It's a minor addition, but I recommend adding this to the start tabs:
o Chrome-based browsers: chrome://settings/clearBrowserData
o Mozilla-based browsers: about:preferences#privacy (is there better?)
<https://groups.google.com/d/msg/alt.comp.freeware/jxtXrrjmWVE/P_aTEDsgBAAJ>

[Arlen Holder]

On Thu, 9 Jan 2020 19:35:28 -0800, John C. wrote:

>> "We've partnered with Disconnect to provide this protection.
>> Disconnect maintains a list of companies that participate in
>> cross-site tracking, as well a list as those that fingerprint users."
>
> Great. So yet another reason for Firefox to connect to another remote
> server at program startup.

That's a good point about privacy that we don't want to connect to _any_
server upon startup.

Luckily, we can turn off the checks for known fingerprinters.

Best, of course, would be, as Mayayana suggested, to have that Disconnect
list published openly so we can put it in our hosts file (maybe MVP Hosts
already does that?).

[Spamblk]

Arlen Holder <arlen.geo...@is.invalid> wrote in
<news:qva9d5$hcs$5...@news.mixmin.net>:

> On Thu, 9 Jan 2020 19:35:28 -0800, John C. wrote:
>
>>> "We've partnered with Disconnect to provide this protection.
>>> Disconnect maintains a list of companies that participate in
>>> cross-site tracking, as well a list as those that fingerprint users."
>>
>> Great. So yet another reason for Firefox to connect to another remote
>> server at program startup.
>
> That's a good point about privacy that we don't want to connect to _any_
> server upon startup.
>
> Luckily, we can turn off the checks for known fingerprinters.
>

In other words, the checks are enabled by default and have to be turned off.

Thanks for the heads up about the latest but not greatest Firefox gimmick.

[Arlen Holder]

On Fri, 10 Jan 2020 18:50:47 +0000 (UTC), Spamblk wrote:

> In other words, the checks are enabled by default and have to be turned off.
>
> Thanks for the heads up about the latest but not greatest Firefox gimmick.

I'm not sure if the Disconnect fingerprint blocking blacklist is enabled or
disabled by default <https://disconnect.me/trackerprotection>; but I prefer
Mozilla to simply block the APIs that allow for fingerprinting.

In their blog, they say there are two methods to block fingerprinting:
<https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/>
"There are two primary ways to protect against fingerprinting:
to block parties that participate in fingerprinting,
or to change or remove APIs that can be used to fingerprint users."

For me, after running a panopticlick test, it seems my fonts give me away,
where I can't imagine why Firefox can't just use the fonts that are known
to be on all systems instead of their ad hoc search of the users' system to
find all possible fonts.

Potentially, we can add known trackers to our hosts file for blocking.
o <https://disconnect.me/trackerprotection/blocked>
But the current list above is 2,568 lines, one domain per line.

Where this is a description of each of the known trackers, apparently:
<https://github.com/disconnectme/disconnect-tracking-protection/blob/master/descriptions.md>

I prefer Mozilla to block the APIs that allow tracking,
e.g., font tracking.

[nospam]

In article <qvcqfe$k7n$2...@news.mixmin.net>, Arlen Holder

<arlen.geo...@is.invalid> wrote:

>
> For me, after running a panopticlick test, it seems my fonts give me away,

more than just that.

[Spamblk]

Arlen Holder <arlen.geo...@is.invalid> wrote in <news:qvcqfe$k7n$2...@news.mixmin.net>:

>> Thanks for the heads up about the latest but not greatest Firefox gimmick.
>
> I'm not sure if the Disconnect fingerprint blocking blacklist is enabled or
> disabled by default <https://disconnect.me/trackerprotection>; but I prefer
> Mozilla to simply block the APIs that allow for fingerprinting.

I have no intention of downloading FFx 72, so I will take the word of ghacks:

https://www.ghacks.net/2019/06/04/mozilla-enables-tracking-protection-by-default-in-firefox/

> In their blog, they say there are two methods to block fingerprinting:
> <https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/>
> "There are two primary ways to protect against fingerprinting:
> to block parties that participate in fingerprinting,
> or to change or remove APIs that can be used to fingerprint users."
>
> For me, after running a panopticlick test, it seems my fonts give me away,
> where I can't imagine why Firefox can't just use the fonts that are known
> to be on all systems instead of their ad hoc search of the users' system to
> find all possible fonts.

Fonts, screen resolution, the contents of the navigator object., ...
Even with JS turned off and the most standard set of fonts installed
the mozilla extensions to CSS ensures that a Mozilla browser cannot
fool a datamining site that it is for example a Trident or Webkit
based browser. The fingerprinting is built in to last. Accept that
and move on.

[Arlen Holder]

On Sat, 11 Jan 2020 18:03:22 +0000 (UTC), Spamblk wrote:

> Fonts, screen resolution, the contents of the navigator object., ...
> Even with JS turned off and the most standard set of fonts installed
> the mozilla extensions to CSS ensures that a Mozilla browser cannot
> fool a datamining site that it is for example a Trident or Webkit
> based browser. The fingerprinting is built in to last. Accept that
> and move on.

Doesn't the Tor Browser Bundle, even outside of Tor, block much of that?

[Spamblk]

Arlen Holder <arlen.geo...@is.invalid> wrote in

<news:qvfab6$bi2$2...@news.mixmin.net>:

Never having used TOR I cant comment with much experience. But it is a
fairly clear fact that the Webkit, Trident and Gecko HTML rendering engines
each have reams of unique features that any decent datamining site can
detect. If the TOR browser blocks all unique engine related features, that
would set the TOR browser apart from mainstream browsers and would itself
amount to fingerprinting bits of information. To minimize the fingerprinting
the TOR browser could possibly do this by adapting a common browser
useragent string and all of its engines features. I suspect, however, the
TOR project has no plans for example to pretend to be a Trident or Webkit
browser by adopting all of those engines features whilst disabling all
unique Gecko engine features.

Browser fingerprinting is here to stay.

[Melzzzzz]

Yep. It is really difficult to hide browser info, while still wanting
sites to work properly. But question is: how usefull is that info?
I mean screen res and all that?


--
press any key to continue or any other to quit...
U ničemu ja ne uživam kao u svom statusu INVALIDA -- Zli Zec
Svi smo svedoci - oko 3 godine intenzivne propagande je dovoljno da jedan narod poludi -- Zli Zec
Na divljem zapadu i nije bilo tako puno nasilja, upravo zato jer su svi
bili naoruzani. -- Mladen Gogala

[Arlen Holder]

On Mon, 13 Jan 2020 00:57:35 +0000 (UTC), Spamblk wrote:

> To minimize the fingerprinting
> the TOR browser could possibly do this by adapting a common browser
> useragent string and all of its engines features.

I appreciate the purposefully helpful conversation on browser privacy.

Thanks for the information about the web kit where it's my understanding,
from what I recall, that at least the Firefox-based Tor browser bundle (aka
TBB, or tbb) anonymizes certain fingerprinting things.
o 9/2019: Browser Fingerprinting: An Introduction and the Challenges Ahead
<https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead>

Here are more test sites which I found while searching for details:
o <https://www.deviceinfo.me>
o <https://amiunique.org>
o <https://panopticlick.eff.org>
Where all say I have "partial" fingerprinting protection under the tbb.

What we'd care about is "what fingerprinting things" the tbb anonyizes:
o <https://www.torproject.org/>
"Tor Browser aims to make all users look the same,
making it difficultfor you to be fingerprinted
based on your browser and device information."

But it gets complex fast, as this font question attests to:
<https://tor.stackexchange.com/questions/1619/fingerprint-effect-of-changing-tbb-default-font-size>

To better understand how the tbb resists fingerprinting, we'd have to look
individually, one by one, at how it resists each fingerprinting technique:
o User agent header
o Accept header
o Connection header
o Encoding header
o Language header
o list of plugins
o platform
o cookies preferences (allowed or not)
o Do Not Track preferences (yes, no or not communicated)
o timezone
o screen resolution and its color depth
o use of local storage
o use of session storage
o a picture rendered with the HTML Canvas element
o a picture rendered with WebGL
o the presence of AdBlock
o the list of fonts
<https://restoreprivacy.com/browser-fingerprinting/>

But there's more, which I found by running the tests in three separate tabs
of the tbb, where fingerprinting includes things in each test not in the
other tests, e.g.,
o Upgrade Insecure Requests header
o Referer header
o Cache-Control header
o BuildId of the browser
o Supported Audio formats
o Supported Video formats
<https://amiunique.org/faq>

But there's more than that, e.g., even your "previous tab name" and your
"battery status" can be fingerprinted (both useful in the short term).

My main question is why does a browser _need_ all that information?

[Arlen Holder]

On Mon, 13 Jan 2020 01:02:06 GMT, Melzzzzz wrote:

> Yep. It is really difficult to hide browser info, while still wanting
> sites to work properly. But question is: how usefull is that info?
> I mean screen res and all that?

I agree with you, Melzzzzz that a browser seems to "ask for" way more
information than it should ever _need_ to know.

For example, you bring up screen resolution, which, at least, the TBB
anonymizes (AFAIK) to 1000x1000x24 which works just fine as long as you
don't resize your browser window (AFAIK).

So why can't _all_ browsers simply use 1000x1000x24 by default?

Likewise, why does a browser _need_ your timezone?
o What other program you own (besides the clock) need a timezone?

While I don't know how to anonymize the screen resolution, at least you can
anonymize the timezone on Windows & Linux with a simple script, e.g.,
o tzutil.exe /g
o tzutil.exe /s "Pacific Standard Time"

Where you then need a freeware clock that works outside machine settings:
o <http://www.clocx.net/download.php>
o <https://www.dualitysoft.com/dsclock/index.html>
etc.

In short, I echo your sentiment asking "Why" a browser needs this stuff?

[Melzzzzz]

On 2020-01-13, Arlen Holder <arlen.geo...@is.invalid> wrote:
> On Mon, 13 Jan 2020 01:02:06 GMT, Melzzzzz wrote:
>
>> Yep. It is really difficult to hide browser info, while still wanting
>> sites to work properly. But question is: how usefull is that info?
>> I mean screen res and all that?
>
> I agree with you, Melzzzzz that a browser seems to "ask for" way more
> information than it should ever _need_ to know.

Browser can access any info any application can access.

>
> For example, you bring up screen resolution, which, at least, the TBB
> anonymizes (AFAIK) to 1000x1000x24 which works just fine as long as you
> don't resize your browser window (AFAIK).
>
> So why can't _all_ browsers simply use 1000x1000x24 by default?
>
> Likewise, why does a browser _need_ your timezone?
> o What other program you own (besides the clock) need a timezone?

To display proper time?

>
> While I don't know how to anonymize the screen resolution, at least you can
> anonymize the timezone on Windows & Linux with a simple script, e.g.,
> o tzutil.exe /g
> o tzutil.exe /s "Pacific Standard Time"
>
> Where you then need a freeware clock that works outside machine settings:
> o <http://www.clocx.net/download.php>
> o <https://www.dualitysoft.com/dsclock/index.html>
> etc.
>
> In short, I echo your sentiment asking "Why" a browser needs this stuff?

Malicious software can do much more then collect some info widelly
available.

[Spamblk]

Arlen Holder <arlen.geo...@is.invalid> wrote in

<news:qvgq1k$p51$1...@news.mixmin.net>:

> On Mon, 13 Jan 2020 00:57:35 +0000 (UTC), Spamblk wrote:
>
>> To minimize the fingerprinting
>> the TOR browser could possibly do this by adapting a common browser
>> useragent string and all of its engines features.
>
> I appreciate the purposefully helpful conversation on browser privacy.
>
> Thanks for the information about the web kit where it's my understanding,
> from what I recall, that at least the Firefox-based Tor browser bundle (aka
> TBB, or tbb) anonymizes certain fingerprinting things.

Certain but probably not all fingerprinting things (my
perhaps not so humble opinion not based on ever
downloading or trying TOR, though).

> <https://www.torproject.org/>
> "Tor Browser aims to make all users look the same,
> making it difficultfor you to be fingerprinted
> based on your browser and device information."
>

Keyword here is "aims". Having an aim is not the same
thing as success with that aim. Its like the Mozilla
preference "privacy.resistFingerprinting" NB the
preference is not called "privacy.stopFingerprinting"
possibly because Mozilla does not supply a means to stop
fingerprinting. Put another way it might resist a few
fingerprinting attributes but few plans to stop all
of them.

Fingerprinting is here to stay.

>
> My main question is why does a browser _need_ all that information?
>

IMO a browser doesn't.

[Spamblk]

Melzzzzz <Melz...@zzzzz.com> wrote in <news:ikPSF.108381$4c1....@fx31.am4>:

> On 2020-01-13, Spamblk <Zap...@SpamMeNot.invalid> wrote:

<SNIP>

>> browser by adopting all of those engines features whilst disabling all
>> unique Gecko engine features.
>>
>> Browser fingerprinting is here to stay.
>
> Yep. It is really difficult to hide browser info, while still wanting
> sites to work properly. But question is: how usefull is that info?
> I mean screen res and all that?
>

Screen resolution on its own? Probably little value.

As the EFF explains, though, it is the combination.

Fonts, language, Geolocation(Country, State, province),
timezones, fonts installed, extensions, screen width,
height, viewport width and height.... Then if you are
a Mozilla browser with a userAgent string trying to
pretend to be a Webkit browser sites can flag this
rare combination into another useful few bits of
a unique ID.

It was not always like this. Back in the days of NCSA
Mosaic the idea was HTML would be a flexible markup
language. HTML would be so adaptable that if your
screen resolution was 40 chars or 140 chars the display
attributes would be used at the client side to display
the markup. Sites back then didn't know your screen
resolution yet if I recall righly there were few
display issues arising.

[Arlen Holder]

On Mon, 13 Jan 2020 11:31:46 +0000 (UTC), Spamblk wrote:

> Its like the Mozilla
> preference "privacy.resistFingerprinting"

Nice suggestion! Much appreciated!
1. Start a Mozilla-based browser
2. about:config
3. privacy.resistFingerprinting
o privacy.resistFingerprinting true
o privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts true
o privacy.resistFingerprinting.jsmloglevel Warn
o privacy.resistFingerprinting.reduceTimerPrecision.jitter true
o privacy.resistFingerprinting.reduceTimerPrecision.microseconds 1000
o privacy.resistFingerprinting.target_video_res 480
o services.sync.prefs.sync.privacy.resistFingerprinting true
o services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter true
o services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.microseconds true

I had not known about these until now.
Thanks for providing helpful fingerprinting advice for Mozilla browsers.

--
Usenet is a public potluck where purposefully helpful adults share knowledge.

[Spamblk]

Arlen Holder <arlen.geo...@is.invalid> wrote in

<news:qvi3n8$id2$1...@news.mixmin.net>:

> Thanks

You're welcome.

> for providing helpful

Opportunity to point out that

> fingerprinting advice

Re: Firefox is that whilst it may be "resisted" it cannot be stopped.

> for Mozilla browsers.

[Arlen Holder]

On Tue, 14 Jan 2020 03:17:07 +0000 (UTC), Spamblk wrote:

> Firefox is that whilst it may be "resisted" it cannot be stopped.

We can't forever put off tyranny, death and destruction either; but it
doesn't mean we shouldn't constantly try.

[Spamblk]

Arlen Holder <arlen.geo...@is.invalid> wrote in

<news:qvncb8$jqv$4...@news.mixmin.net>:

If Firefox puts 50 or more fingerprinting features into it's increasing
Chrome-like bloated browser then providing a few preferences which it
claims resists fingerprinting (without really defining what it means
by "resist"), so what?

So the nice Mozilla folks load their browser with specific Gecko-centric
features and extensions for sites to datamine and enjoy then provide
a few preferences to persuade the proles that one or two can be resisted.

Holy fingerprinting bloated browser, Batman!!

If you want to resist fingerprinting have a few portable browsers
at hand to run at various times. You aint gonna resist fingerprinting
using only Mozilla's webextensions compatible, bloated, Gecko-centric CSS
using, relentlessly home-phoning browser.

Don't agree? Fine. I'm outta this thread.