DNT header ignore Firefox config

Bane

Re: DNT header ignore Firefox config

Post by Bane »

Sorry for the double post. A couple corrections as self-quotes:
If 18 bits of entropy do that, then 1 bit does make a difference right ?
It depends on the math to calculate entropy, but it most likely matters. Better yet, still from EFF's PDF: "In particular, a fingerprint that carries no more than 15-20 bits of identifying information will in almost all cases be sufficient to uniquely identify a particular browser, given its IP address, its subnet, or even just its Autonomous System Number."
Being incognito can only be is a separate activity from fighting for the right to be incognito
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 11093
Joined: Sat Aug 03, 2013 5:45 pm

Re: DNT header ignore Firefox config

Post by barbaz »

Bane wrote:I forgot the math but I think it's around one bit of entropy. According to EFF's experiment which we've both heard of when it was started: "Overall, we were able to place a lower bound on the fingerprint distribution entropy of 18.1 bits, meaning that if we pick a browser at random, at best only one in 286,777 other browsers will share its fingerprint.".
Which, coupled with an IP address, should be enough to uniquely identify anyone but those living in the most densely populated areas. If 18 bits of entropy do that, then 1 bit does make a difference right ?
Bane wrote:A couple corrections as self-quotes:
If 18 bits of entropy do that, then 1 bit does make a difference right ?
It depends on the math to calculate entropy, but it most likely matters. Better yet, still from EFF's PDF: "In particular, a fingerprint that carries no more than 15-20 bits of identifying information will in almost all cases be sufficient to uniquely identify a particular browser, given its IP address, its subnet, or even just its Autonomous System Number."
So if it's already that bad why worry about just one extra bit?
Bane wrote:How many countries would have to vote such a law for it to have any real impact ? And do you think they will all vote into law the exact definition of DNT, or do something completely useless like California ? Even if all major countries in the world voted it exactly like we want, which is not just unlikely but completely impossible in any decent time frame,
Yeah, it's likely to take a while for it to be backed by law, the point is just that that's not ruled out at this point.
Bane wrote:
Because silence is the answer when someone is bullying you and assuming you are OK with it?
(Silence is the answer when you want to go unnoticed. Being incognito can only be a separate activity from fighting for the right to be incognito). Besides, DNT like a protest only has weight when people know they are participating in it. NoScript enables it by default regardless of Firefox preferences, so there is a grey area regarding the will of all of its 2.2 million users. Even if it makes sense that someone installing NoScript would want to enable DNT, it can be disputed, and it gives ground for jerks to claim that DNT doesn't have much weight and can therefore be ignored.
This is not necessarily an argument to disable DNT-by-default - it's just as valid as an argument to make the DNT functionality better documented so that it's obvious to users who don't find NoScript through AMO (again, also NoScript 3 could say in its presets screen that it's going to enable DNT unless you opt out). So agreed.
Bane wrote:
disabled Javascript + no DNT doesn't make you much more identifiable than disabled Javascript + DNT.
NoScript users have massively had DNT enabled, so as a NoScript user, I have less entropy if I enable DNT as well. I am singled out as being a Firefox user with JS disabled (very likely from NoScript) with no DNT header (the vast majority of Firefox users with JS disabled have DNT ON)
I'm curious, where did you see that most Fx users with JS off have DNT on (or that most Fx users with no JS have NoScript)?

Quite a few people use about:config > javascript.enabled instead of NoScript...
Also, if you're still really sure "Fx user with no JS and no DNT header" is so unique, note that with JS off + UA/HTTP header spoofing, you could impersonate a completely different browser - if both UA and other headers are spoofed, I think it requires JS to detect that spoofing. So if you were to grab this extension and configure it right you could go around pretending to be some other browser where you think having JS disabled and DNT off is likely...
Bane wrote:Right. So then, NoScript could just have DNT unset by default, like Firefox.


So I guess there are two arguments for a DNT header unset by default:
- Counter-productivity due to entropy
- Default enable is undermining the message. Do-Not-Track is a proactive move. (Currently jerks can shrug it off with the argument that NS users may or may not want DNT, we have no means to know, so that's 2 million DNT users we're going to ignore)
Again, these points are good reasons to make NoScript's DNT-by-default clearer to the user, maybe by making it selectable in NoScript 3's preset screen; not necessarily arguments to disable DNT by default.

One major argument for keeping DNT-by-default, at least for the rest of NoScript 2.x, is that existing users who expect DNT to be on by default won't have the rug pulled out from under them, so to speak...
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Windows NT 5.2; rv:33.0) Gecko/20100101 SeaMonkey/2.30
anonymous-coward

Re: DNT header ignore Firefox config

Post by anonymous-coward »

Giorgio Maone is such a hypocrite. He constantly slams people down when they ask for privacy features that would be easy to implement yet has had this horrible DNT overwrite implementation for HALF A DECADE.

>Noscript is a security addon, not a privacy addon... except when I say so. Now shut up with those feature requests!
- Our 'wise' over ruler.

Funniest thing is - as other people pointed earlier - this DNT setting actually just increases the tracking surface. Good job!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Bane

Re: DNT header ignore Firefox config

Post by Bane »

So if it's already that bad why worry about just one extra bit?
Because thanks to Firefox and NoScript, it's already possible to reach an almost acceptable fingerprint. Almost! Chasing little gains here and there can be interesting if you live in densely populated areas, particularly in certain European countries where Firefox can have around 30% market share.

Also and perhaps more importantly, DNT is a very obvious mark, more prone to be logged if only because a number of websites must study their audience when considering how they will handle DNT. Whereas only ad companies are interested in complex fingerprinting, ad companies that only load as 3rd party and that you can block with Adblock Plus.
Yeah, it's likely to take a while for it to be backed by law, the point is just that that's not ruled out at this point.
I should have said it won't ever happen in any meaningful way. Big data is too important a business and politicians are obsessed with growth and employment. In the meantime DNT provides no guarantee and adds to our fingerprints :/
Quite a few people use about:config > javascript.enabled instead of NoScript...
Really ? It's horribly impractical... usually "horribly impractical" means few users will browse like this :)
Also, if you're still really sure "Fx user with no JS and no DNT header" is so unique, note that with JS off + UA/HTTP header spoofing, you could impersonate a completely different browser - if both UA and other headers are spoofed, I think it requires JS to detect that spoofing. So if you were to grab this extension and configure it right you could go around pretending to be some other browser where you think having JS disabled and DNT off is likely...
I used to spoof (manually) Windows 7 when I was under Vista. Now I have Win 7 so no spoofing: If you do it wrong you stand out like a sore thumb. Not to mention that even when you impressively do it right, you have to be vigilant all the time with updates to both the useragent you spoof, Firefox, and the spoofing add-on. I'm not sure you're entirely safe from detection without JS either, there are differences in how browsers adopt and implement CSS.

This is not necessarily an argument to disable DNT-by-default - it's just as valid as an argument to make the DNT functionality better documented so that it's obvious to users who don't find NoScript through AMO
Even NoScript's page on AMO doesn't mention DNT, not in my language at least. If it was a message on install, then ok, but there would be people to choose "I don't want DNT", and you'd end up with a fragmented audience fingerprint-wise, which is not much better.
One major argument for keeping DNT-by-default, at least for the rest of NoScript 2.x, is that existing users who expect DNT to be on by default won't have the rug pulled out from under them, so to speak...
Such people are among the most concerned NoScript users. Most of them probably read the changelog. Perhaps they enabled it in Firefox options since it's 10 times more obvious...


Well anyway I had to talk about this because it's been on my mind to make a thread for a while. I guess I just ended up hijacking someone else's :)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Bane

Re: DNT header ignore Firefox config

Post by Bane »

Self-quote again (sorry):
I'm not sure you're entirely safe from detection without JS either, there are differences in how browsers adopt and implement CSS.
Although they have to call back to get the data. I can't say how possible this is nor if there are advanced JS-less fingerprinting techniques used in the wild. That's a lot of unknowns so I tend to avoid useragent/header spoofing, especially since I need to enable JS rather frequently nowadays. (In which case faking your fingerprint just makes you almost unique)


(I'd like to add that for a time I completely forgot that NoScript kept DNT enabled even after Firefox exposed it in the UI, even when the UI says DNT is disabled)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz

Re: DNT header ignore Firefox config

Post by barbaz »

Bane wrote:
So if it's already that bad why worry about just one extra bit?
Because thanks to Firefox and NoScript, it's already possible to reach an almost acceptable fingerprint. Almost! Chasing little gains here and there can be interesting if you live in densely populated areas, particularly in certain European countries where Firefox can have around 30% market share.

Also and perhaps more importantly, DNT is a very obvious mark, more prone to be logged if only because a number of websites must study their audience when considering how they will handle DNT. Whereas only ad companies are interested in complex fingerprinting, ad companies that only load as 3rd party and that you can block with Adblock Plus.
Ah, that is actual reasoning for disabling NoScript's DNT-by-default that makes sense.
Bane wrote:spoofing: If you do it wrong you stand out like a sore thumb
That's what I would have thought - but even trying the EFF's fingerprinting test with headers I knew were mismatched, I wasn't unique.. :?:
Bane wrote:I'm not sure you're entirely safe from detection without JS either, there are differences in how browsers adopt and implement CSS.
... ok, now that you mention that, I realize that does make enough of a difference to be detectable.
But will this be a problem long term? The only way I can think to really try to detect a browser without JS would be to take advantage of some rendering-engine-specific CSS extension that could be used to request an image only if the browser supports said extension; but browsers are moving away from prefixed anything, which will mean such things eventually won't work right?
Bane wrote: Even NoScript's page on AMO doesn't mention DNT, not in my language at least.
See my first post in this thread viewtopic.php?p=73990#p73990
Bane wrote:
One major argument for keeping DNT-by-default, at least for the rest of NoScript 2.x, is that existing users who expect DNT to be on by default won't have the rug pulled out from under them, so to speak...
Such people are among the most concerned NoScript users. Most of them probably read the changelog.
If that is really the case then turning off NoScript's DNT by default isn't the problem I had thought it would be...
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Windows NT 5.2; rv:33.0) Gecko/20100101 SeaMonkey/2.30
freakedman
Posts: 11
Joined: Thu Apr 28, 2016 4:23 pm

Re: DNT header ignore Firefox config

Post by freakedman »

Bane wrote: NoScript users have massively had DNT enabled, so as a NoScript user, I have less entropy if I enable DNT as well. I am singled out as being a Firefox user with JS disabled (very likely from NoScript) with no DNT header (the vast majority of Firefox users with JS disabled have DNT ON)
I agree that DNT by default should be disabled.

If I don't allow a page to run scripts they can't fingerprint me but they can see that I sent the DNT header?
If I do allow them to run scripts they can see my addons including NoScript, and having NoScript along with DNT enabled gives me less entropy?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0
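
Added example, not part of any post in this thread: a short calculation of how many identifying bits a DNT header contributes, depending on whether the sender is in the majority or the minority of browsers that otherwise look the same. The population counts are constructed for illustration and are not measurements; only the 18.1-bit / 286,777 pair comes from the EFF quote above.

```python
import math
from collections import Counter

# Constructed sample population (assumption, not measured data):
# (JavaScript state, DNT header) -> number of browsers seen.
POPULATION = Counter({
    ("js_on", "dnt_unset"): 880_000,
    ("js_on", "dnt_1"): 90_000,
    ("js_off", "dnt_1"): 27_000,
    ("js_off", "dnt_unset"): 3_000,
})


def surprisal_bits(count, total):
    """Identifying information of a value shared by count out of total browsers."""
    return -math.log2(count / total)


def bits_for_one_in(n):
    """Bits of information needed to single out one browser among n."""
    return math.log2(n)


def dnt_cost_bits(js_state, dnt_state, population=POPULATION):
    """Extra bits the DNT header reveals once the JS state is already known."""
    same_js = sum(n for (js, _), n in population.items() if js == js_state)
    return surprisal_bits(population[(js_state, dnt_state)], same_js)


def entropy_bits(population=POPULATION):
    """Shannon entropy of the distribution: the average surprisal per browser."""
    total = sum(population.values())
    return sum(n / total * surprisal_bits(n, total) for n in population.values())


if __name__ == "__main__":
    # The EFF figure quoted in the thread: one in 286,777 is about 18.1 bits.
    print(f"one in 286,777 -> {bits_for_one_in(286_777):.1f} bits")
    for js in ("js_off", "js_on"):
        for dnt in ("dnt_1", "dnt_unset"):
            print(f"{js:7} {dnt:10} DNT adds {dnt_cost_bits(js, dnt):.2f} bits")
    print(f"entropy of the sample distribution: {entropy_bits():.2f} bits")
```

With these constructed counts the header costs a JS-off browser about 0.15 bits when it matches the 90% majority and about 3.3 bits when it is in the 10% minority, so "one bit" is only the cost when the population is split evenly.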