Naked Security

Firefox picks up advertiser-dodging tech from Tor

Letterboxing comes straight from the Tor browser, and will help Firefox users avoid advertisers that follow them around the web.

Firefox users will soon get yet another privacy feature to help them avoid snooping advertisers – and the measure comes straight from its cousin, the Tor browser.

The new privacy protection will help Firefox users avoid a long-used snooping technique called fingerprinting. Browser cookies are not the only way to track users as they visit different websites. Even with cookies turned off, advertisers can still identify you across multiple sites.

They do this by looking at other characteristics that your computer reveals when visiting a website, such as the size of your browser window.

Many people resize browser windows by manually dragging their corners around. This creates random window sizes that few people will share. The chances are you’ll visit several websites in that window, which communicates its size to each one. Advertisers can use that data to track you across multiple sites.

To combat this, Firefox has borrowed a technique called letterboxing from Tor as part of a bigger, more structured program to transfer features between the browsers.

The Tor browser is based mostly on Firefox code, but its developers add additional features to make it more anonymous. A project called Tor Uplift takes many of these patches and applies them to the original Firefox browser as experimental functions that are turned off by default.

Letterboxing in Tor manipulates the page content in a window, introducing a tiny delay in loading it. During that time, it adds grey space to the size of the webpage, adjusting its width and height to multiples of 100 pixels. This creates a generic window size that will be common among hundreds of thousands of browsers, making it more difficult for advertisers to uniquely identify yours.
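
How the rounding described above shrinks the set of distinguishable window sizes, as an added JavaScript example that is not Firefox or Tor Browser code. It assumes sizes are rounded down to the nearest multiple of 100 with the remainder shown as grey margin; the function names and the sample window sizes are constructed for illustration.

```javascript
// Added illustration, not Firefox or Tor Browser source code.
const STEP = 100; // the article's "multiples of 100 pixels"

// Size a page would observe for a real window size. Assumption: round DOWN
// to a multiple of STEP; leftover pixels become grey margin. Windows smaller
// than one step are left unchanged (assumption).
function letterbox(width, height, step = STEP) {
  const round = (v) => (v < step ? v : Math.floor(v / step) * step);
  const w = round(width);
  const h = round(height);
  return { width: w, height: h, marginX: width - w, marginY: height - h };
}

// Group visitors by the size a tracker observes; each group is an
// anonymity set, and a group of one is a uniquely identifiable visitor.
function anonymitySets(windows, observe) {
  const sets = new Map();
  for (const win of windows) {
    const seen = observe(win);
    const key = `${seen.width}x${seen.height}`;
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Count visitors whose observed size is shared with nobody else.
function uniqueVisitors(sets) {
  let n = 0;
  for (const count of sets.values()) if (count === 1) n += 1;
  return n;
}

// Constructed sample of hand-dragged window sizes, not measured data.
const SAMPLE_WINDOWS = [
  { width: 1237, height: 843 },
  { width: 1291, height: 808 },
  { width: 1204, height: 877 },
  { width: 1013, height: 655 },
  { width: 1088, height: 602 },
  { width: 1366, height: 768 },
];

const raw = anonymitySets(SAMPLE_WINDOWS, (w) => w);
const boxed = anonymitySets(SAMPLE_WINDOWS, (w) => letterbox(w.width, w.height));
console.log("unique without letterboxing:", uniqueVisitors(raw));
console.log("unique with letterboxing:", uniqueVisitors(boxed));
console.log("observed sizes:", [...boxed.entries()]);
```

In this small sample one visitor still ends up alone in a bucket, which is why the protection depends on many browsers reporting the same rounded sizes.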

The letterboxing patch is now available in Firefox Nightly, which is the pre-release version of the browser designed for early adopters. The feature will make it into version 67 of the mainstream Firefox browser in May, but it won’t be enabled by default. Instead, users will have to set it to ‘true’ in the Firefox configuration page.

This isn’t the first anti-fingerprinting measure that has landed in Firefox courtesy of Tor Uplift. Firefox 58 integrated another feature that stopped advertisers tracking users via the HTML 5 canvas element.

The latest feature will help to bring more protection to an already privacy-conscious browser. Other measures have included a redesigned content blocking section that makes it easier for users to switch off cross-site trackers.

7 Comments

Thanks for sharing this useful piece of information, always good to know about new security threats and defense systems when your livelihood is on the web.

I use Firefox but I also use several third party extensions to block and otherwise frustrate tracking like Ghostery, uBlock Origin and Cookie AutoDelete. It is difficult to tell how these extensions interact with the built-in features of Firefox or if some of them are redundant. An article addressing these issues would be helpful.

Ghostery and uBlock should be built into Firefox. Love them but it also can become an issue when Ghostery or another add-on knows everything about you.

I switched to Firefox last month. It went pretty well: my dozen or so quality of life and privacy plugins were all available. I did add a few plugins, and so the speed comparison is not apples to apples, but FF is loading pages noticeably slower than Chrome. So far it’s still worth it.

If you have Firefox Nightly then go to about:config, search for privacy.resistFingerprinting and toggle it to true.
Use Privacy Badger to block the other pest: Fakebook's pixel.

My concern…any chance this is going to show up on my network as Tor traffic? It doesn’t look like it uses the Onion protocol at all…but who knows?

No.

Strictly speaking, Tor is short for “The Onion Router” and it works by creating a listening SOCKS5 proxy on your computer, and shoving any traffic you direct to that proxy through the Tor network where it gets shuffled around to aid anonymity and privacy.

But a typical Tor download also includes a special build of Firefox called the “Tor Browser”, which has a bunch of privacy-related tweaks but isn’t part of the network routing code.

So this feature is just code from the Tor *Browser* ported back into Firefox, not code from the Tor *router*.

Somewhat confusingly, you will hear the word “Tor” used to mean “the Tor router”, or “the Tor browser”, or both of them combined.
