How can a site see what extensions you have?
One of the things I’ve seen mentioned before is that installing too many extensions can make you more unique, and thus have a negative influence on your fingerprint. This got me curious, how exactly do sites detect which extensions you have anyway? Can they outright read your list of extensions?
Furthermore, do all extensions make you more unique? I guess the answer would depend on the answer to the first question (surely, if they can just outright see your list, then the answer would be yes), but lets say you install something that seems rather innocuous, like Transparent Standalone Images, for example. Can a site see that this is installed / does it make your fingerprint more unique?
explanation
Web sites do not have any way to enumerate or query your installed extensions, and they cannot directly “see” the content scripts injected by extensions. However, some extensions do modify pages in a way that scripts in the page could recognize as being the work of a particular extension, assuming the owners of the site care to research and check for such things.
One particular issue is that an extension may insert a path into the document to a page or image in the extension itself. Firefox assigns a randomized UUID to the extension at install time, and the path uses this UUID. On the plus side, this may prevent the site from associating the URL with a specific extension. On the minus side, at least in theory, a site could detect this weird URL in the page and use that for fingerprinting. See: How to prevent fingerprinting via Add-on UUID?.
is there anything else that I should notice?
Thank you!
Answered by @[email protected]
Web pages are not allowed to list your extensions. They can indirectly surmise you have certain extensions based on how your requests differ from expectations. For example, if they have advertisements, but your browser never actually makes any requests to load the images, CSS, JS or HTML for the advertisements, they can deduce you have an ad-blocker. That’s a datapoint they now have to ID you: “has an ad-blocker”
Now let’s say they have an ad they know AdBlockPlus allows, but uBlock Origin doesn’t. They see your browser doesn’t load that ad. Another datapoint: “Not using AdBlockPlus”.
Based on what requests go back and forth between your browser and their servers, they map out a unique fingerprint.
everything you do to customize your browser makes your browser fingerprint unique. but you have a mostly unique fingerprint due to things you arent considering as well. system related stuff that your browser tells about you.
you have some options. 1) there are addons that limit privacy issues, 2) use a local web proxy, im using squid proxy for example just have it running on an old laptop. Optionally, I would also say, from a privacy standpoint look into DNS blackholing pihole, unbound, etc, and there are plenty of other things.
my favorite addons are ublock, privacy badger, i run noScript which is probably more painful than most are willing to put up with but I have heard that jShelter is a good compromise.
Thanks a lot
The problem with hardening your system is that you become more identifieable unless you provide fake data. For example, here are my test results from coveryourtracks.eff.org
Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 2054.58 browsers have the same fingerprint as yours.
Couldn’t we use this information to provide a fake fingerprint for the browser? Like a plugin that makes your browser read as being from an unmodified Chromebook?
Yes, this is what most browsers do that are not Chrome or Edge.
Yes, you can give fake info. I would say thats kinda the next step. Harden your browser and associated tech stack so you are secure. Then provide fake data that is generic enough so that it blends in. firefox or chrome standard agent, windows 11, etc.
for example https://deviceatlas.com/blog/list-of-user-agent-strings
Thanks