JackBlack wrote: I guess my main question was more around this one:
If DNT is a header, isn't it sent not only for page requests but also any third party image or asset request?
First, a disclaimer: As said, I don't use ABP or Ghostery, and so am not highly conversant regarding them.
I never see ads anyway (ask me how, should you like), and if there is anything that Ghostery can do that the combination of NS + RequestPolicy does not, certainly please point them out.
JackBlack wrote: By this I meant, is there a difference between NoScript, ABP and Firefox 4+ DNT implementations? For instance, I believe that ABP with EasyPrivacy only adds the header for image requests, but not for other assets. (I could be wrong).
Does NoScript add the header to ALL requests, from main page to all first and third party assets? What about the built-in DNT of Firefox 4+?
Again, sorry, not a topic I've delved deeply into, given that it's highly dubious whether it's honored, but AFAIK (someone please correct me if I'm mistaken), DNT is part of any HTTP request header, regardless of the target or its purpose (at least, if it's set by NS or by Fx itself). Surprised that ABP would limit its use, so just set it in Fx 9 and forget it. For F3, set in NS and forget it.
JackBlack wrote: And finally, can the presence of all those different DNT enablers mess up with our final output that's sent to distant servers?
Double-checking at a site that tells you what sites see about you, it's simply DNT=1 (versus former X-Do-Not-track). Since it's a binary question (DNT=0, or DNT=1?), it doesn't matter how many add-ons tell Firefox to enable DNT. If *any* of them does, it does.
Tested this at
http://www.ericgiguere.com/tools/http-header-viewer.html
If DNT is disabled in both Fx and NS, then no header element at all is included. If either of them enables it, it shows as above.
And with *both* Fx and NS enabling it, nothing changes. Still shows as just DNT=1. So no messing up of headers.
JackBlack wrote: Making us even more unique, like "Oh I know this request in my server log, it shows that the user has Ghostery and NoScript. Whereas this one only has ABP with EasyPrivacy. Oh, and this guy has none of those addons but went out of his way to enable the built in Firefox DNT checkbox! Gotta automate this check now."
Some add-ons are detectable; some aren't, and in some cases, the detection is by script, so disabling scripting defeats that method. There is also this criterion. None of mine fit that detectable criterion, though there are other methods, too.
Elite hacker Robert "RSnake" Hansen posted this in 2006.
It told me, "You are not using JSView", when in fact, I am. Undoubtedly, improvements in Firefox since then have defeated that method.
With Fx 2, I used SafeHistory and SafeCache add-ons. Not necessary with the proper configs in F3+, plus safe browsing habits.
JackBlack wrote: Side answer:
As far as entropy, did you mean "decrease", i.e., reduce the number of browsers with similar fingerprint, making yours one of a smaller number of possibles?
Right, decrease entropy. Or wait, no! Information entropy is described as a 2^n number, the higher this number, the more unique you are. So my side question was whether or not enabling DNT makes you, in the end, more easily trackable, since it increases entropy by increasing n.
DNT is either present or absent in the header. If only 2% of users enable it, then the subset of possible unique browsers among DNT users versus the total population of browsers is reduced by a factor of 50. (1/50th as many total browsers with DNT as without.) That's a large reduction in the randomness of fingerprints.
To get all geeky here, if DNT were a *random* value, not user-set, with a 50% probability of being enabled at any given moment in any given browser, then yes, it would add one bit of entropy. (Maybe you could switch it on and off randomly?)
If 100% (or 0%) of browsers used it, then it doesn't reduce entropy at all; it becomes irrelevant in fingerprinting.
JackBlack wrote: Come to think of it, DNT redundancy helps making it more widespread, so it's good so long as it doesn't mess with request headers to have so many different things trying to add DNT.
Agreed.
It appears the real issue here is browser fingerprinting and/or user identification/tracking, judging both from the text and the nick.
Lots of ways to increase randomness:
User Agent Switcher add-on.
If your IP doesn't change regularly, nag your ISP to do so. There are ways to force changes for some IPs, though of course each ISP works differently, so can't guarantee it.
Proxies.
Wardriving, preferably without leaving home. (Get permission first, of course.)
Vary between two supported versions of Fx, currently 3.6.25 and 9.01.
If adventuresome, add 10a and 11a to the mix.
And others. Use your imagination.
Increasing privacy:
Max privacy settings in Fx -- store *nothing* permanently.
Many browser sandboxing or virtualizing solutions will dump everything when the browser is closed, if so configured.
RequestPolicy
RefControl
Paranoid browsing habits (dump everything before leaving one site for another, or close/restart the browser)
and many more, all beyond the scope of this thread.
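
The DNT arithmetic discussed in this thread (2% adoption, a 50/50 split, and 100% or 0% adoption), worked through as an added example that is not part of the original post. The population, the two user-agent labels and the helper names are constructed for illustration.

```python
import math
from collections import Counter

def surprisal_bits(p):
    """Bits of identifying information carried by a value seen with probability p."""
    return -math.log2(p)

def attribute_entropy(values):
    """Shannon entropy (bits) of one header attribute across a population."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum(c / total * surprisal_bits(c / total) for c in counts.values())

def anonymity_set(population, me, attrs):
    """How many browsers look identical to `me` on the listed attributes."""
    key = tuple(me[a] for a in attrs)
    return sum(1 for b in population if tuple(b[a] for a in attrs) == key)

def build_population(n, dnt_share):
    """Constructed sample: n browsers, two user agents split evenly,
    with the DNT header present on a dnt_share fraction of them."""
    dnt_on = round(n * dnt_share)
    return [{"ua": "Fx9" if i % 2 == 0 else "Fx3.6",
             "dnt": "1" if i < dnt_on else None} for i in range(n)]

def report(n, dnt_share):
    """Summarise what the DNT header adds for a user who sends DNT: 1."""
    pop = build_population(n, dnt_share)
    me = {"ua": "Fx9", "dnt": "1"}
    without = anonymity_set(pop, me, ["ua"])
    with_dnt = anonymity_set(pop, me, ["ua", "dnt"])
    return {
        "avg_bits": attribute_entropy(b["dnt"] for b in pop),
        "my_bits": surprisal_bits(dnt_share),
        "set_without_dnt": without,
        "set_with_dnt": with_dnt,
    }

if __name__ == "__main__":
    for share in (0.02, 0.5, 1.0):
        print(share, report(10_000, share))
```
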
