...??
Bane wrote: I'm a privacy-conscious user before being security-minded. DNT is a privacy thing, not a security one, and NoScript often claims to be security-focused first and foremost. So I should be happy that NoScript enables DNT, right?
Yes!
Bane wrote: But DNT was used by about 11% of Firefox users last time I checked, so privacy-wise it is bad in that it makes you stand out of the pack.
Right, because with a total of millions, about 1 in 10 being just like you in one specific way is "standing out of the pack"...
Bane wrote: Furthermore, websites seldom respect it and when they do, they just do it their own way, such as "track user but don't show targeted ads".
So what?
Yes, some people/groups are willing to be jerks for the sake of business. That's not a problem with DNT, that's a problem with business being profitable.
Bane wrote: DNT was meant to protect privacy but in adding entropy without providing any guarantee to not be tracked, it makes the situation worse.
One boolean *that everyone else has access to* doesn't make much difference to your browser fingerprint. And it matters even less considering that this particular property could, at some point, be backed by law somewhere (if it's not already?).
Bane wrote: So not providing the DNT header is probably the best solution for privacy-conscious users.
Because silence is the answer when someone is bullying you and assuming you are OK with it?
Bane wrote: But it is enabled by default with NoScript, so disabling it risks making the user stand out even more as a "NoScript user with DNT disabled" (i.e. it adds entropy to our fingerprint)
Have you really read anything about browser fingerprinting?
NoScript, DNT and all, actually makes it very difficult for sites to fingerprint your browser, because most fingerprinting can only be done by JavaScript, which NoScript blocks by default. NoScript isn't the only way to disable JavaScript, so disabled JavaScript + no DNT doesn't make you much more identifiable than disabled JavaScript + DNT.
And if you allow JavaScript... well, I've seen some scripts that can ferret out information that's a LOT more identifying than a tracking preference... just as one example, have you heard about AddThis' canvas fingerprinting?
In short, the DNT header really doesn't make a significant difference to your browser fingerprint or fingerprintability.
Please go to https://panopticlick.eff.org/browser-uniqueness.pdf and search for the word "NoScript", and read all the statements that come up.
Bane wrote: Considering all of this, I think NoScript should just leave DNT alone and let Firefox handle it. The feature is very accessible nowadays - it was not the case in 2010 when Giorgio wrote this article and implemented it in NoScript.
Can it please be considered to remove this functionality altogether?
Please no, NoScript's DNT feature is useful because those who do want DNT can use NoScript to opt not to send DNT to specified sites, which can't be done with just the browser builtin DNT. It's happened before that a site breaks with DNT but works fine without:
viewtopic.php?f=7&t=18078
Also NoScript still supports Firefox 3.0.9 and later. DNT in Firefox wasn't added until Fx 4, so Fx 3 users would be left with no DNT (possibly with no warning).
Protip: next time you want significant functionality completely removed from some software, try to avoid using FUD and random out-of-context statistics as the primary basis for your reasoning.
Bane wrote: (Yes I did read Giorgio's article in 2010 when it was published, but since then I learned more about fingerprinting, watched adoption of this header both by servers and users, and concluded that DNT sucks for privacy)
Sounds like you have been badly misinformed since then. Maybe you should read the entire document I linked above (in which notably, they don't even bother considering using DNT info for constructing a browser fingerprint)...