Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
How to prevent Etag tracking with Firefox? How to delete cache on exit?
1,087 views
Skip to first unread message
VanguardLH
Mar 27, 2016, 6:08:51 PM3/27/16
to mozilla-sup...@lists.mozilla.org
Firefox 45.0.1
Windows 7 Home SP-1 x64
Etags can get used for tracking. Have read only a little bit about this
but it is a clever trick to track users between web browser sessions by
exploiting the web browser's cache, like:
https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
http://www.arctic.org/~dean/tracking-without-cookies.html
>From the last article, Etag tracking utilizing the web browser's cache
is a very old trick (the article was written/updated in 2003). Although
the wikipedia article may get purged on clearing the web browser's
cache, the settings available within Firefox don't eliminate the cache.
A demo site illustrating that this tracking method works is at:
http://lucb1e.com/rp/cookielesscookies/
This demo site does not use Javascript. Using an add-on to disable
Javascript won't work against preventing Etag tracking. This is an HTTP
"feature" to reduce load on the server in not having to redeliver
unchanged resources. Bandwidth from the server is reduced.
I have Firefox configured to purge everything on exit. Well, Firefox is
configured to purge on exit what items are user-selectable within
Firefox's GUI. This does NOT eliminate the Etag tracking that this site
demonstrates because some cache content still survives an unload and
reload of Firefox with all those privacy items getting purged on exit.
So Firefox is susceptible to Etag tracking.
Even loading Firefox in private mode, visiting the above site, entering
some unique text and saving it into the web browser's cache, unloading
Firefox, and reloading Firefox in private mode does not prevent this
Etag tracking method.
I visited the site, entered some text, unloaded Firefox, and used
CCleaner to do any remnant cleanup after exiting Firefox. Nope, upon
return to the site it still showed my text string (unique to this test).
What do I need to kill/delete upon exit or configure within Firefox to
eliminate whatever cache it is retaining between web browser sessions?
I want a *thorough* cleanup after exiting Firefox. I tried Options ->
Advanced -> Network -> Cached Web Content -> Clear Now but that only
works sometimes: for some tests the demo site will still show the unique
string I entered for a particular test, for some tests the demo site
still showed the unique string used for the Etag. Plus that is a highly
manual method, isn't reliable, and requires the user to remember to wade
through the menus to flush that cache (which should get purged along
with all the other purge-on-exit settings).
I've seen someone recommend going into about:config and changing:
network.http.use-cache
from true to false. That setting is absent. So I created that setting
and set to false. Nope, Etag tracking still worked. Either that
setting is incorrect or Firefox no longer honors it. I'm not sure that
I want to disable caching while I am using Firefox but I do want the
cache to disappear upon exit from Firefox. I was surprised and
disappointed that private mode didn't work. When I revisit a site, I
really do want it to be a fresh and entirely new session, not cached and
dragging old stuff along.
Windows 7 Home SP-1 x64
Etags can get used for tracking. Have read only a little bit about this
but it is a clever trick to track users between web browser sessions by
exploiting the web browser's cache, like:
https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
http://www.arctic.org/~dean/tracking-without-cookies.html
>From the last article, Etag tracking utilizing the web browser's cache
is a very old trick (the article was written/updated in 2003). Although
the wikipedia article may get purged on clearing the web browser's
cache, the settings available within Firefox don't eliminate the cache.
A demo site illustrating that this tracking method works is at:
http://lucb1e.com/rp/cookielesscookies/
This demo site does not use Javascript. Using an add-on to disable
Javascript won't work against preventing Etag tracking. This is an HTTP
"feature" to reduce load on the server in not having to redeliver
unchanged resources. Bandwidth from the server is reduced.
I have Firefox configured to purge everything on exit. Well, Firefox is
configured to purge on exit what items are user-selectable within
Firefox's GUI. This does NOT eliminate the Etag tracking that this site
demonstrates because some cache content still survives an unload and
reload of Firefox with all those privacy items getting purged on exit.
So Firefox is susceptible to Etag tracking.
Even loading Firefox in private mode, visiting the above site, entering
some unique text and saving it into the web browser's cache, unloading
Firefox, and reloading Firefox in private mode does not prevent this
Etag tracking method.
I visited the site, entered some text, unloaded Firefox, and used
CCleaner to do any remnant cleanup after exiting Firefox. Nope, upon
return to the site it still showed my text string (unique to this test).
What do I need to kill/delete upon exit or configure within Firefox to
eliminate whatever cache it is retaining between web browser sessions?
I want a *thorough* cleanup after exiting Firefox. I tried Options ->
Advanced -> Network -> Cached Web Content -> Clear Now but that only
works sometimes: for some tests the demo site will still show the unique
string I entered for a particular test, for some tests the demo site
still showed the unique string used for the Etag. Plus that is a highly
manual method, isn't reliable, and requires the user to remember to wade
through the menus to flush that cache (which should get purged along
with all the other purge-on-exit settings).
I've seen someone recommend going into about:config and changing:
network.http.use-cache
from true to false. That setting is absent. So I created that setting
and set to false. Nope, Etag tracking still worked. Either that
setting is incorrect or Firefox no longer honors it. I'm not sure that
I want to disable caching while I am using Firefox but I do want the
cache to disappear upon exit from Firefox. I was surprised and
disappointed that private mode didn't work. When I revisit a site, I
really do want it to be a fresh and entirely new session, not cached and
dragging old stuff along.
Mayayana
Mar 27, 2016, 6:33:29 PM3/27/16
to mozilla-sup...@lists.mozilla.org
| http://lucb1e.com/rp/cookielesscookies/
|
They're not tracking me. I'm not sure why. I do
set browser.cache.disk.capacity to 0. I figure
cache is an outdated concept. Only static sites
will register as having been visited before. Most
sites hese days load dynamically, so a 304 is never
sent. And many of the sites I visit are constantly
changing. Also, the file download is nearly instant.
For all those reasons, I see no reason to cache.
I also have the Secret Agent extension installed.
I have'nt test whether either or both details are
responsible for the protection.
|
They're not tracking me. I'm not sure why. I do
set browser.cache.disk.capacity to 0. I figure
cache is an outdated concept. Only static sites
will register as having been visited before. Most
sites hese days load dynamically, so a 304 is never
sent. And many of the sites I visit are constantly
changing. Also, the file download is nearly instant.
For all those reasons, I see no reason to cache.
I also have the Secret Agent extension installed.
I have'nt test whether either or both details are
responsible for the protection.
Paul in Houston, TX
Mar 27, 2016, 9:56:45 PM3/27/16
to mozilla-sup...@lists.mozilla.org
There is nothing readable to me in the files.
C:\Tmp\NVIDIA Corporation\NV_Cache
(c: tmp is my designated directory for all caches and temps... for everything.)
Directory of C:\Tmp\NVIDIA Corporation\NV_Cache
03/27/2016 08:52 PM <DIR> .
03/27/2016 08:52 PM <DIR> ..
03/27/2016 08:48 PM 16,384
38e1565aeb015586f27949e2e3374e1c_fce8395e8fd8a86f_41d8f19dcb0af292_0_0.bin
03/27/2016 08:48 PM 4,096
38e1565aeb015586f27949e2e3374e1c_fce8395e8fd8a86f_41d8f19dcb0af292_0_0.toc
03/27/2016 08:48 PM 1,048,576
38e1565aeb015586f27949e2e3374e1c_fce8395e8fd8a86f_41d8f19dcb0af292_0_1.bin
I don't know how to prevent SM/FF from doing that.
Paul in Houston, TX
Mar 27, 2016, 10:11:23 PM3/27/16
to mozilla-sup...@lists.mozilla.org
Paul in Houston, TX wrote:
> VanguardLH wrote:
>> Firefox 45.0.1
>> Windows 7 Home SP-1 x64
>
> VanguardLH wrote:
>> Firefox 45.0.1
>> Windows 7 Home SP-1 x64
>
> For me the website creates a folder and 3 files.
> There is nothing readable to me in the files.
>
> C:\Tmp\NVIDIA Corporation\NV_Cache
> (c: tmp is my designated directory for all caches and temps... for everything.)
>
> Directory of C:\Tmp\NVIDIA Corporation\NV_Cache
Also, I found unreadable files there twice in the last two months and could
> There is nothing readable to me in the files.
>
> C:\Tmp\NVIDIA Corporation\NV_Cache
> (c: tmp is my designated directory for all caches and temps... for everything.)
>
> Directory of C:\Tmp\NVIDIA Corporation\NV_Cache
not figure out why there would be a vid cache. Thought it was an
aberration. CCleaner deletes everything in c\tmp except for the 2 roaming
files that are part of windows and the zone alarm file that is active.
However, that is a manual process.
Dr. Dynamite
Mar 28, 2016, 12:38:18 AM3/28/16
to mozilla-sup...@lists.mozilla.org
On 03/27/2016 01:44 PM, VanguardLH wrote:
> http://lucb1e.com/rp/cookielesscookies/
> ...
of times I've visited, either. I'm not even bothering with private
browsing mode.
> http://lucb1e.com/rp/cookielesscookies/
> ...
> I have Firefox configured to purge everything on exit. Well, Firefox is
> configured to purge on exit what items are user-selectable within
> Firefox's GUI. This does NOT eliminate the Etag tracking that this site
> demonstrates because some cache content still survives an unload and
> reload of Firefox with all those privacy items getting purged on exit.
> So Firefox is susceptible to Etag tracking.
>
> Even loading Firefox in private mode, visiting the above site, entering
> some unique text and saving it into the web browser's cache, unloading
> Firefox, and reloading Firefox in private mode does not prevent this
> Etag tracking method.
>
> I visited the site, entered some text, unloaded Firefox, and used
> CCleaner to do any remnant cleanup after exiting Firefox. Nope, upon
> return to the site it still showed my text string (unique to this test).
Site doesn't display the text I left there. Doesn't remember the number
> configured to purge on exit what items are user-selectable within
> Firefox's GUI. This does NOT eliminate the Etag tracking that this site
> demonstrates because some cache content still survives an unload and
> reload of Firefox with all those privacy items getting purged on exit.
> So Firefox is susceptible to Etag tracking.
>
> Even loading Firefox in private mode, visiting the above site, entering
> some unique text and saving it into the web browser's cache, unloading
> Firefox, and reloading Firefox in private mode does not prevent this
> Etag tracking method.
>
> I visited the site, entered some text, unloaded Firefox, and used
> CCleaner to do any remnant cleanup after exiting Firefox. Nope, upon
> return to the site it still showed my text string (unique to this test).
of times I've visited, either. I'm not even bothering with private
browsing mode.
»Q«
Mar 28, 2016, 2:04:06 AM3/28/16
to mozilla-sup...@lists.mozilla.org
In
<news:mailman.908.1459116526...@lists.mozilla.org>,
VanguardLH <V...@nguard.LH> wrote:
> Subject: How to prevent Etag tracking with Firefox? How to delete
> cache on exit?
<https://addons.mozilla.org/firefox/addon/random-agent-spoofer/> has
the option of spoofing your If-None-Match headers. I haven't tried
this extension, and it seems like overkill for this one task, but it's
the only spoofer I could find.
<https://addons.mozilla.org/firefox/addon/truste-tracker-protection/>
claims to block or limit Etags, whatever that means.
About your second question, I don't think I understood the trouble.
<news:mailman.908.1459116526...@lists.mozilla.org>,
VanguardLH <V...@nguard.LH> wrote:
> Subject: How to prevent Etag tracking with Firefox? How to delete
> cache on exit?
<https://addons.mozilla.org/firefox/addon/random-agent-spoofer/> has
the option of spoofing your If-None-Match headers. I haven't tried
this extension, and it seems like overkill for this one task, but it's
the only spoofer I could find.
<https://addons.mozilla.org/firefox/addon/truste-tracker-protection/>
claims to block or limit Etags, whatever that means.
About your second question, I don't think I understood the trouble.
VanguardLH
Mar 28, 2016, 6:50:42 AM3/28/16
to mozilla-sup...@lists.mozilla.org
Mayayana wrote:
>> http://lucb1e.com/rp/cookielesscookies/
>
> They're not tracking me. I'm not sure why. I do set
> browser.cache.disk.capacity to 0. I figure cache is an outdated
> concept. Only static sites will register as having been visited
> before. Most sites hese days load dynamically, so a 304 is never
> sent. And many of the sites I visit are constantly changing. Also,
> the file download is nearly instant. For all those reasons, I see no
> reason to cache.
>
That worked ... sometimes.
>> http://lucb1e.com/rp/cookielesscookies/
>
> They're not tracking me. I'm not sure why. I do set
> browser.cache.disk.capacity to 0. I figure cache is an outdated
> concept. Only static sites will register as having been visited
> before. Most sites hese days load dynamically, so a 304 is never
> sent. And many of the sites I visit are constantly changing. Also,
> the file download is nearly instant. For all those reasons, I see no
> reason to cache.
>
Options -> Advanced -> Network -> Cached Web Content
Set to zero.
I would do a test with cache disabled (set to zero): visit the demo
site, enter some unique text and save, exit Firefox, reload Firefox, and
sometimes the unique text was pre-filled (it got remembered) and
sometimes it was clear (it was not remembered). I'll have to do some
more testing with repeated tests since this 2nd round (after your reply)
has cache disabled and my text string not remembered. Could be I didn't
configure the setting correctly, like it must be enable to do the
override or maybe I didn't zero out the cache size.
Thanks for confirming what worked for you.
> I also have the Secret Agent extension installed. I have'nt test
> whether either or both details are responsible for the protection.
https://dephormation.org.uk/index.php?page=81
If so, I did not find it listed at addons.mozilla.org. This is probably
why:
https://dephormation.org.uk/index.php?page=86
I am testing uMatrix (same author as uBlock Origin that I also use)
which includes blocking 3rd party images and 3rd party referer. I
disabled Firefox's performance API which sites can use to determine if
you are not retrieving all their resources (another means of detecting
adblockers). I use the CanvasBlocker add-on to thwart the Canvas
fingerprinting scheme. Panopticlick's test is actually misleading.
They say I have 17+ points for fingerprinting despite the add-on changes
the value on each request, so the hash value shown at Panopticlick
changes on every test. I asked them why they don't repeat their test
twice to ensure the fingerprint they see in one test matches or not in a
subsequent test. Their response: they aren't going to adapt their test
to accomodate config changes or add-ons that thwart fingerprinting. So
each test at Panopticlick gives a different hash which means my
fingerprint is different each time despite them announcing that I have
17, or more, points that makes me unique in their 1-test view.
Took me awhile to figure on what was Panopticlick's "Hash of WebGL
fingerprint" score was based. Eventually figured out to set
webgl.disabled to true. I didn't find any other way to disable this
fingerprint method. As yet, I don't need 3D graphics at any web site
that I visit. I also have Firefox's hardware acceleration option (that
uses the GPU) disabled because that causes too many crashes or jittery
scrolling in Firefox.
https://en.wikipedia.org/wiki/WebGL
https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API?redirectlocale=en-US&redirectslug=WebGL
uMatrix has an option to randomize the User Agent string but I've run
afoul of that feature at my banking site. During a logged on session,
uMatrix changed my UA string so the bank's site thought that I was
someone else that hijacked my banking session, so they protect me by
expiring my password. My current banking session was killed (couldn't
do anything). Had to exit, relogin, and immediately forced to change my
password. I need a smarter UA spoofer that doesn't change the UA string
to a domain until I end my web browser session or whatever would be
considers a safe time to change the UA string, like changing the UA
string sent to each domain but not changing it per domain.
Seems I have covered most or all of what SecretAgent provides for
privacy protection. I'm not sure how you have it installed since it is
not a signed add-on. I thought Mozilla decided as of Firefox v45 to
block unsigned add-ons.
VanguardLH
Mar 28, 2016, 7:56:50 AM3/28/16
to mozilla-sup...@lists.mozilla.org
Q wrote:
> VanguardLH wrote:
>
>> Subject: How to prevent Etag tracking with Firefox? How to delete
>> cache on exit?
>
> <https://addons.mozilla.org/firefox/addon/random-agent-spoofer/> has
> the option of spoofing your If-None-Match headers. I haven't tried
> this extension, and it seems like overkill for this one task, but it's
> the only spoofer I could find.
>
> <https://addons.mozilla.org/firefox/addon/truste-tracker-protection/>
> claims to block or limit Etags, whatever that means.
>
> About your second question, I don't think I understood the trouble.
I gave a couple articles mentioning how Etags (which survive within the
web browser's cache) can be used to track you across web browser
sessions. Rather than use cookies, DOM storage, or another traditional
approach to tracking your web surfing, Etags can be used upon revisiting
a site to see that it is you that revisited them. An online search on
"etag tracking" might find some more articles than the Wikipedia and
artic articles to which I linked.
What happened when you visited the demo site (and exited Firefox to
revisit the demo site) that illustrates Etag tracking? My tests showed
the unique text I used per test was remembered upon a revisit to the
demo site: enter the text, save, unload Firefox, reload Firefox, revisit
the site, it knew what was the unique text that I had entered before.
None of the purge-on-exit settings in Firefox were deleting this cached
data. Only eradicating the web cache eliminated this tracking method.
Mayayana found that setting Firefox to use a zero-sized cache was the
only way (so far that either of us know yet) of wiping out the cache -
by not creating it in the first place. So the solution really is not
about deleting the remnant cache between web browser sessions but not
creating the cache in the first place (so there's nothing to delete
after exit).
With users configuring web browsers to delete cookies on exit, or using
tools to do the cleanup (e.g., Ccleaner), and either configuring DOM
storage to prompt you when a site wants to save their data on your disk
(and saying No) or the user disabling DOM storage (which makes some
sites malfunction), other methods were found to track you. Web browser
fingerprinting is one example of tracking you (visit Panopticlick).
I've solved the biggest methods they illustrate for tracking: Canvas and
WebGL fingerprinting. So I was focusing on other tracking techniques.
I had forgotten about Etag tracking (a rather ancient method dating back
to around 2003, I think) until EE mentioned it in another discussion.
So I looked into how to thwart that tracking scheme. So far, not
creating a web cache in Firefox is the only way not to have one left
over and reused later. I haven't found a means of completely wiping a
non-zero sized web cache on exit. The purge-on-exit settings that
Firefox affords in its GUI are not deleting its web cache on exit.
I had mentioned the Random Agent Spoofer add-on in my reply to Mayayana.
Ilias appears to be flagging/rejecting my replies but not my opening
posts ... yet ... so you may not see that reply but then you may not see
this one, either. Now you mentioned it, too. I have a shortcut on my
desktop to investigate that add-on. Maybe it can thwart Etag tracking
without having to disable the use of a web cache. As yet, however, I
have not noticed any slowdown in visiting sites and the time for them to
deliver their page content with a zero-sized web cache.
The web cache may not be a significant performance feature for those
with always-on broadband Internet access. My current downstream
bandwidth is 125 Mbps and upstream bandwidth is 12 Mbps. The time to
download all of a page's content and its non-blocked resources is
probably as quick as the client telling the server what objects the
client already has in its local web cache to reduce what the server has
to deliver to the client.
> VanguardLH wrote:
>
>> Subject: How to prevent Etag tracking with Firefox? How to delete
>> cache on exit?
>
> <https://addons.mozilla.org/firefox/addon/random-agent-spoofer/> has
> the option of spoofing your If-None-Match headers. I haven't tried
> this extension, and it seems like overkill for this one task, but it's
> the only spoofer I could find.
>
> <https://addons.mozilla.org/firefox/addon/truste-tracker-protection/>
> claims to block or limit Etags, whatever that means.
>
> About your second question, I don't think I understood the trouble.
web browser's cache) can be used to track you across web browser
sessions. Rather than use cookies, DOM storage, or another traditional
approach to tracking your web surfing, Etags can be used upon revisiting
a site to see that it is you that revisited them. An online search on
"etag tracking" might find some more articles than the Wikipedia and
artic articles to which I linked.
What happened when you visited the demo site (and exited Firefox to
revisit the demo site) that illustrates Etag tracking? My tests showed
the unique text I used per test was remembered upon a revisit to the
demo site: enter the text, save, unload Firefox, reload Firefox, revisit
the site, it knew what was the unique text that I had entered before.
None of the purge-on-exit settings in Firefox were deleting this cached
data. Only eradicating the web cache eliminated this tracking method.
Mayayana found that setting Firefox to use a zero-sized cache was the
only way (so far that either of us know yet) of wiping out the cache -
by not creating it in the first place. So the solution really is not
about deleting the remnant cache between web browser sessions but not
creating the cache in the first place (so there's nothing to delete
after exit).
With users configuring web browsers to delete cookies on exit, or using
tools to do the cleanup (e.g., Ccleaner), and either configuring DOM
storage to prompt you when a site wants to save their data on your disk
(and saying No) or the user disabling DOM storage (which makes some
sites malfunction), other methods were found to track you. Web browser
fingerprinting is one example of tracking you (visit Panopticlick).
I've solved the biggest methods they illustrate for tracking: Canvas and
WebGL fingerprinting. So I was focusing on other tracking techniques.
I had forgotten about Etag tracking (a rather ancient method dating back
to around 2003, I think) until EE mentioned it in another discussion.
So I looked into how to thwart that tracking scheme. So far, not
creating a web cache in Firefox is the only way not to have one left
over and reused later. I haven't found a means of completely wiping a
non-zero sized web cache on exit. The purge-on-exit settings that
Firefox affords in its GUI are not deleting its web cache on exit.
I had mentioned the Random Agent Spoofer add-on in my reply to Mayayana.
Ilias appears to be flagging/rejecting my replies but not my opening
posts ... yet ... so you may not see that reply but then you may not see
this one, either. Now you mentioned it, too. I have a shortcut on my
desktop to investigate that add-on. Maybe it can thwart Etag tracking
without having to disable the use of a web cache. As yet, however, I
have not noticed any slowdown in visiting sites and the time for them to
deliver their page content with a zero-sized web cache.
The web cache may not be a significant performance feature for those
with always-on broadband Internet access. My current downstream
bandwidth is 125 Mbps and upstream bandwidth is 12 Mbps. The time to
download all of a page's content and its non-blocked resources is
probably as quick as the client telling the server what objects the
client already has in its local web cache to reduce what the server has
to deliver to the client.
»Q«
Mar 28, 2016, 11:31:14 AM3/28/16
to mozilla-sup...@lists.mozilla.org
In
<news:mailman.945.1459166207...@lists.mozilla.org>,
demo site.
I don't stop sites from seeing my IP, so they can track re-visits that
way. ISTM to stop them from that, one would at least need to use Tor
Browser and disable caching entirely.
<news:mailman.945.1459166207...@lists.mozilla.org>,
VanguardLH <V...@nguard.LH> wrote:
> What happened when you visited the demo site (and exited Firefox to
> revisit the demo site) that illustrates Etag tracking?
I think this was a question for me specifically. I didn't visit the
> What happened when you visited the demo site (and exited Firefox to
> revisit the demo site) that illustrates Etag tracking?
demo site.
I don't stop sites from seeing my IP, so they can track re-visits that
way. ISTM to stop them from that, one would at least need to use Tor
Browser and disable caching entirely.
EE
Mar 28, 2016, 1:06:00 PM3/28/16
to mozilla-sup...@lists.mozilla.org
for ETag. Now my browser does not keep or return ETags any more.
Mayayana
Mar 28, 2016, 2:19:15 PM3/28/16
to mozilla-sup...@lists.mozilla.org
| > I also have the Secret Agent extension installed. I have'nt test
| > whether either or both details are responsible for the protection.
|
| Is it this one?
|
| https://dephormation.org.uk/index.php?page=81
|
| If so, I did not find it listed at addons.mozilla.org. This is probably
| why:
|
| https://dephormation.org.uk/index.php?page=86
|
I use Pale Moon 24 most of the time. I currently
| > whether either or both details are responsible for the protection.
|
| Is it this one?
|
| https://dephormation.org.uk/index.php?page=81
|
| If so, I did not find it listed at addons.mozilla.org. This is probably
| why:
|
| https://dephormation.org.uk/index.php?page=86
|
have FF 36 installed, which I use with NoScript in
cases where I need to enable script/cookies/frames.
(I installed K-Meleon 75 and set it up, but haven't got
around to trying it.)
Every once in awhile, when I'm feeling like I have the
stomach, I try another version of FF and see what it
breaks. :) But I currently see no reason to venture into
the 40s. I'm already running a half dozen extensions and
numerous prefs settings to fix what's broken in 36,
and I still can't entirely eliminate tabs, which I very
much dislike. I just don't have the time and ambition
to keep track of what needs fixing in successive versions
of FF.
I don't even remember why I installed 36. But I
do remember that I had to install Classic Theme Restorer
just to get rid of the inane Bookmarks toolbar, which now
seems to be a forced element.... Bookmarks toolbar
forced but program menu is hidden and has to be
restored. It gets more bizarre with every version. I'll
say one thing for the Mozilla UI designers, though:
At least they don't totally disrespect UI preferences
the way that Chrome does.
In any case, I've confirmed that Secret Agent
works in FF 36. It has an ETags spoofer, among other
things, and is very unobtrusive in use. I don't use
the dynamic userAgent spoofer, though. I generally
travel with a generic UA in PM that says I'm on Win7
with a recent version of FF. If you rotate UAs
dynamically you end up with two problems:
1) Sites checking UA to optimize pages may break if
you pretend to be using a different browser. (IE and
everything else *really* don't mix.)
2) You become far more recognizable as unique because
you're the only visitor who appears to be loading ever file
with some different, funky, obscure browser. :)
| I am testing uMatrix (same author as uBlock Origin that I also use)
| which includes blocking 3rd party images and 3rd party referer.
Note that this setting was deliberately broken at
some point by removing it from the settings and
changing the name of the setting. Some online
sources will show the old, outdated setting name
and value options.
Very handy setting. I use it in PM as default, but it will
often block captcha images and also blocks many
images on sites. For instance, if bbc.co.uk loads
images from, say, bbc-img.co.uk then you won't
see them. A surprising number of sites are poorly
designed in that way. And there's no way to fix
it. One would need whois analysis to connect
bbc-img with bbc.
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.sendRefererHeader", false);
They've broken that one at least once and I forget
which is the current value, so I just have both set.
And this, for good measure:
network.http.sendSecureXSiteReferrer false
With script enabled you're a sitting duck, both
security-wise and privacy-wise. And it's hard
to know about all the things that apply. (Until
the recent geo-location thread I didn't know that
worked in other browsers.) But I guess you have
one advantage for privacy: Enabling script makes
your profile online less unique and therefore more
anonymous. Though I wonder how much that really
applies. A site can see that I'm an unusual visitor,
if they care to, just by checking whether script
is enabled. But they don't have much of a way to
label that uniqueness.
Disabling script is increasingly becoming an art
form. At MS support pages I have to put the URL
into Google now and read the cache version. Some
sites try to thwart no script by putting a giant,
blank overlay on their page, so that I need to
read it with no style. Many sites are partially
broken through simple ignorance. Even the page with
the etiquette for this group is faulty. I have to read
it with no style to see all the text.
https://www.mozilla.org/en-US/about/forums/etiquette/
And some sites will use the trick of sending the
browser into a loop if script is disabled, so I have
this setting meant for accessibility:
accessibility.blockautorefresh true
It's getting nasty out there. :)
B00ze
Mar 28, 2016, 8:50:15 PM3/28/16
to mozilla-sup...@lists.mozilla.org
On 2016-03-28 02:02, »Q« <box...@gmx.net> wrote:
> <https://addons.mozilla.org/firefox/addon/random-agent-spoofer/> has
> the option of spoofing your If-None-Match headers. I haven't tried
> this extension, and it seems like overkill for this one task, but it's
> the only spoofer I could find.
I haven't tried Secret Agent yet (which is not on AMO so I'm not sure
> <https://addons.mozilla.org/firefox/addon/random-agent-spoofer/> has
> the option of spoofing your If-None-Match headers. I haven't tried
> this extension, and it seems like overkill for this one task, but it's
> the only spoofer I could find.
how long we will be able to use it) but I do use RAS for eTags spoofing
and it works (it's the only thing I use it for). However, I have been
unable to make its whitelist work, and there are other problems (if you
disable the addOn it forgets everything). So I've been manually enabling
and disabling eTag Spoofing in RAS and spoofing ends-up disabled most of
the time (amazing the number of websites that use eTags and wont give
you pictures if you have spoofing enabled). I'll give that Secret Agent
a try...
Regards,
--
! _\|/_ Sylvain / B00...@hotmail.com
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society-
oO-( )-Oo BIT: The increment by which programmers slowly go mad.
B00ze
Mar 28, 2016, 8:54:48 PM3/28/16
to mozilla-sup...@lists.mozilla.org
On 2016-03-28 00:37, Dr. Dynamite <ka-...@mail.com> wrote:
> Site doesn't display the text I left there. Doesn't remember the number
> of times I've visited, either. I'm not even bothering with private
> browsing mode.
Same here on my main profile - I've got cache enabled, and eTags
> Site doesn't display the text I left there. Doesn't remember the number
> of times I've visited, either. I'm not even bothering with private
> browsing mode.
spoofing disabled in RAS, but it still wont remember my text. I did get
it to remember, on a test profile. No idea why it doesn't remember
anything on my other profile...
B00ze
Mar 28, 2016, 8:59:07 PM3/28/16
to mozilla-sup...@lists.mozilla.org
On 2016-03-28 20:54, B00ze <B00...@hotmail.com> wrote:
> On 2016-03-28 00:37, Dr. Dynamite <ka-...@mail.com> wrote:
>
>> Site doesn't display the text I left there. Doesn't remember the number
>> of times I've visited, either. I'm not even bothering with private
>> browsing mode.
>
> Same here on my main profile - I've got cache enabled, and eTags
> spoofing disabled in RAS, but it still wont remember my text. I did get
> it to remember, on a test profile. No idea why it doesn't remember
> anything on my other profile...
Nevermind that, I got it to remember; I must've had eTags spoofing
> On 2016-03-28 00:37, Dr. Dynamite <ka-...@mail.com> wrote:
>
>> Site doesn't display the text I left there. Doesn't remember the number
>> of times I've visited, either. I'm not even bothering with private
>> browsing mode.
>
> Same here on my main profile - I've got cache enabled, and eTags
> spoofing disabled in RAS, but it still wont remember my text. I did get
> it to remember, on a test profile. No idea why it doesn't remember
> anything on my other profile...
enabled in RAS...
--
! _\|/_ Sylvain / B00...@hotmail.com
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society-
VanguardLH
Mar 28, 2016, 9:04:13 PM3/28/16
to mozilla-sup...@lists.mozilla.org
Q wrote:
> VanguardLH wrote:
>
>> What happened when you visited the demo site (and exited Firefox to
>> revisit the demo site) that illustrates Etag tracking?
>
> I think this was a question for me specifically. I didn't visit the
> demo site.
>
> I don't stop sites from seeing my IP, so they can track re-visits that
> way. ISTM to stop them from that, one would at least need to use Tor
> Browser and disable caching entirely.
I'm not using Tor or an anonymizing proxy to hide my IP address, either.
The vast majority of IP addresses are dynamically assigned so they have
time-limited usability. That you happen to get reassigned the same IP
address after the expiration on the bind depends on how your ISP wants
to reuse them from their IP pool and how long it has been since your
unbind to your next bind. That's why web-based forums that use IP
addresses to ban posters can end up banning someone else: the bad poster
had an IP address that the forum blocked, they did an unbind (like
powering off), and a different user got assigned that same IP address
who then tries to visit the same forum but gets incorrectly banned. IP
banning only works for a short time. For dial-up users, IP banning is
useless because those users almost always get a different IP address
from their ISP's IP pool.
The Etag tracking, however, lasts as long as the value remains in the
client's web cache and the server doesn't disqualify it. I don't know
if Firefox has an expiration on Etag data or just rolls out the oldest
data from its web cache when room is needed for new data (FIFO). From
what I've read, users could be tracked indefinitely using Etag data (or
until the site changed the resources for their web page which then made
obsolete the data in the client's web cache). Depends on how long the
data stays in the client's web cache and when the site changes the
resources for a web page. The site gets to determine when an Etag
expires, not the client. This is why this is referred to as a
cookieless cookie: behaves like a non-session cookie but with no
specific expiration by date, only by mismatch decision at the server.
I haven't delved into the HTTP 1.1 specification. What I've read says
Etags are identified for use but not specified as to how they are
defined. The site figures out how they define and use Etags. So they
could, for example, use a web beacon as the resource and that image
doesn't change for eons at their site. If the image stays the same then
so does the Etag's value.
"If the image stays the same, so does the ETag. When the visitor returns
to the page, the browser can send the ETag number back with a request
asking if the current ETag on the server matches the one it stored."
(https://www.futurehosting.com/blog/etags-allow-tracking-without-cookies/).
I'll put the issue back on your own setup of Firefox: do you have your
own instance of Firefox configured to purge cookies on exit from
Firefox? If so, why? Many users configure their web browsers to purge
cookies on exit. [The abuse of] Etags are just another means of using
cookies without running afoul of users that configure their web browsers
to purge the old-fashioned cookies on exit. Those users do NOT want
cookies lingering around between web browser sessions so site developers
came up with another means of implementing a good-enough equivalent of
cookies with Etags.
If I'm purging cookies on exit, I also don't want them lingering in my
web cache. Etags were created to help reduce bandwidth consumed by
servers to deliver content the client already had. Unfortunately the
unscrupulous figured out how to abuse them for tracking: assign a unique
Etag to each visitor so you could track them upon revisit no matter how
long between visits and despite any change in their IP address (via Tor,
anonymizing proxy, or simply because they did an unbind and their next
bind assigned them a different IP address).
To address my original inquiry, it appears the only way to eliminate
cookieless cookies (Etags) that reside in Firefox's web cache is to not
have Firefox even create a web cache. It's purge-on-exit options are
not clearing out its web cache. So there is a solution to purging
cookieless cookies (by not having the storage for them) but it is not as
elegant as I hoped.
When I get some time, I'll check if the Random Agent Spoofer add-on with
its Etag eradication will let me keep a non-zero web cache in Firefox
but eliminate the cookieless cookie tracking affording with Etags.
However, although I would not have thought of doing it otherwise, I have
found no slowdowns in visiting web sites with no web cache for Firefox.
Not having a web cache does mean the server has to deliver all its
content (more load on the server) instead of relying on the client to
reuse its locally stored prior content.
> VanguardLH wrote:
>
>> What happened when you visited the demo site (and exited Firefox to
>> revisit the demo site) that illustrates Etag tracking?
>
> I think this was a question for me specifically. I didn't visit the
> demo site.
>
> I don't stop sites from seeing my IP, so they can track re-visits that
> way. ISTM to stop them from that, one would at least need to use Tor
> Browser and disable caching entirely.
The vast majority of IP addresses are dynamically assigned so they have
time-limited usability. That you happen to get reassigned the same IP
address after the expiration on the bind depends on how your ISP wants
to reuse them from their IP pool and how long it has been since your
unbind to your next bind. That's why web-based forums that use IP
addresses to ban posters can end up banning someone else: the bad poster
had an IP address that the forum blocked, they did an unbind (like
powering off), and a different user got assigned that same IP address
who then tries to visit the same forum but gets incorrectly banned. IP
banning only works for a short time. For dial-up users, IP banning is
useless because those users almost always get a different IP address
from their ISP's IP pool.
The Etag tracking, however, lasts as long as the value remains in the
client's web cache and the server doesn't disqualify it. I don't know
if Firefox has an expiration on Etag data or just rolls out the oldest
data from its web cache when room is needed for new data (FIFO). From
what I've read, users could be tracked indefinitely using Etag data (or
until the site changed the resources for their web page which then made
obsolete the data in the client's web cache). Depends on how long the
data stays in the client's web cache and when the site changes the
resources for a web page. The site gets to determine when an Etag
expires, not the client. This is why this is referred to as a
cookieless cookie: behaves like a non-session cookie but with no
specific expiration by date, only by mismatch decision at the server.
I haven't delved into the HTTP 1.1 specification. What I've read says
Etags are identified for use but not specified as to how they are
defined. The site figures out how they define and use Etags. So they
could, for example, use a web beacon as the resource and that image
doesn't change for eons at their site. If the image stays the same then
so does the Etag's value.
"If the image stays the same, so does the ETag. When the visitor returns
to the page, the browser can send the ETag number back with a request
asking if the current ETag on the server matches the one it stored."
(https://www.futurehosting.com/blog/etags-allow-tracking-without-cookies/).
I'll put the issue back on your own setup of Firefox: do you have your
own instance of Firefox configured to purge cookies on exit from
Firefox? If so, why? Many users configure their web browsers to purge
cookies on exit. [The abuse of] Etags are just another means of using
cookies without running afoul of users that configure their web browsers
to purge the old-fashioned cookies on exit. Those users do NOT want
cookies lingering around between web browser sessions so site developers
came up with another means of implementing a good-enough equivalent of
cookies with Etags.
If I'm purging cookies on exit, I also don't want them lingering in my
web cache. Etags were created to help reduce bandwidth consumed by
servers to deliver content the client already had. Unfortunately the
unscrupulous figured out how to abuse them for tracking: assign a unique
Etag to each visitor so you could track them upon revisit no matter how
long between visits and despite any change in their IP address (via Tor,
anonymizing proxy, or simply because they did an unbind and their next
bind assigned them a different IP address).
To address my original inquiry, it appears the only way to eliminate
cookieless cookies (Etags) that reside in Firefox's web cache is to not
have Firefox even create a web cache. It's purge-on-exit options are
not clearing out its web cache. So there is a solution to purging
cookieless cookies (by not having the storage for them) but it is not as
elegant as I hoped.
When I get some time, I'll check if the Random Agent Spoofer add-on with
its Etag eradication will let me keep a non-zero web cache in Firefox
but eliminate the cookieless cookie tracking affording with Etags.
However, although I would not have thought of doing it otherwise, I have
found no slowdowns in visiting web sites with no web cache for Firefox.
Not having a web cache does mean the server has to deliver all its
content (more load on the server) instead of relying on the client to
reuse its locally stored prior content.
VanguardLH
Mar 28, 2016, 9:04:24 PM3/28/16
to mozilla-sup...@lists.mozilla.org
EE wrote:
> VanguardLH wrote:
>
>> <snipped my tome about eradicating Etags>
that, too (along with Random Agent Spoofer) to see which of them I'll
use.
> VanguardLH wrote:
>
>> <snipped my tome about eradicating Etags>
>
> I blocked Etags by using the extension Modify Headers and added a filter
> for ETag. Now my browser does not keep or return ETags any more.
Thanks for the heads up. I've created a shortcut to the add-on page for
> I blocked Etags by using the extension Modify Headers and added a filter
> for ETag. Now my browser does not keep or return ETags any more.
that, too (along with Random Agent Spoofer) to see which of them I'll
use.
B00ze
Mar 28, 2016, 9:47:14 PM3/28/16
to mozilla-sup...@lists.mozilla.org
On 2016-03-28 20:49, B00ze <B00...@hotmail.com> wrote:
> On 2016-03-28 02:02, »Q« <box...@gmx.net> wrote:
>
>> <https://addons.mozilla.org/firefox/addon/random-agent-spoofer/> has
>> the option of spoofing your If-None-Match headers. I haven't tried
>> this extension, and it seems like overkill for this one task, but it's
>> the only spoofer I could find.
>
> I haven't tried Secret Agent yet (which is not on AMO so I'm not sure
> how long we will be able to use it) but I do use RAS for eTags spoofing
> and it works (it's the only thing I use it for). However, I have been
> unable to make its whitelist work, and there are other problems (if you
> disable the addOn it forgets everything). So I've been manually enabling
> and disabling eTag Spoofing in RAS and spoofing ends-up disabled most of
> the time (amazing the number of websites that use eTags and wont give
> you pictures if you have spoofing enabled). I'll give that Secret Agent
> a try...
Tried Secret Agent but I don't like it. First, the addOn Bar icon
> On 2016-03-28 02:02, »Q« <box...@gmx.net> wrote:
>
>> <https://addons.mozilla.org/firefox/addon/random-agent-spoofer/> has
>> the option of spoofing your If-None-Match headers. I haven't tried
>> this extension, and it seems like overkill for this one task, but it's
>> the only spoofer I could find.
>
> I haven't tried Secret Agent yet (which is not on AMO so I'm not sure
> how long we will be able to use it) but I do use RAS for eTags spoofing
> and it works (it's the only thing I use it for). However, I have been
> unable to make its whitelist work, and there are other problems (if you
> disable the addOn it forgets everything). So I've been manually enabling
> and disabling eTag Spoofing in RAS and spoofing ends-up disabled most of
> the time (amazing the number of websites that use eTags and wont give
> you pictures if you have spoofing enabled). I'll give that Secret Agent
> a try...
appears in the addOn Container, which no longer exists since forever
(there is also a regular toolbar icon). Since I use Status-4-Ever, I SEE
that icon in Status-4-Ever's addOn Container; I have no way to disable
it, and it insists on adding text next to it, making it annoyingly wide.
And for some reason, it also adds a double-arrow at the end of the
search bar which I cannot remove with "Customize" (I'd have to use CSS).
That double-arrow is called "More Tools" but clicking on it brings-up an
empty listview. And finally, the developer clearly states he won't open
an AMO account so the addOn gets signed, so screw it for me (its eTag
spoofing does work by the way, and so does its whitelist).
Best Regards,
--
! _\|/_ Sylvain / B00...@hotmail.com
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society-
0 new messages