cross-posted from: https://lemmy.world/post/31884410

Please see the cross-post as it is updated.

How can a site see what extensions you have?

One of the things I’ve seen mentioned before is that installing too many extensions can make you more unique, and thus have a negative influence on your fingerprint. This got me curious, how exactly do sites detect which extensions you have anyway? Can they outright read your list of extensions?

Furthermore, do all extensions make you more unique? I guess the answer would depend on the answer to the first question (surely, if they can just outright see your list, then the answer would be yes), but let’s say you install something that seems rather innocuous, like Transparent Standalone Images, for example. Can a site see that this is installed / does it make your fingerprint more unique?


explanation

Web sites do not have any way to enumerate or query your installed extensions, and they cannot directly “see” the content scripts injected by extensions. However, some extensions do modify pages in a way that scripts in the page could recognize as being the work of a particular extension, assuming the owners of the site care to research and check for such things.

One particular issue is that an extension may insert a path into the document to a page or image in the extension itself. Firefox assigns a randomized UUID to the extension at install time, and the path uses this UUID. On the plus side, this may prevent the site from associating the URL with a specific extension. On the minus side, at least in theory, a site could detect this weird URL in the page and use that for fingerprinting. See: How to prevent fingerprinting via Add-on UUID?.

Is there anything else that I should notice?

Thank you!

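The add-on UUID issue described in the post can be checked from the user's or extension author's side. The following is an added example, not part of the original post: it scans saved page HTML for extension-origin URLs and reports any ID that shows up on more than one page. The function names and sample UUID are constructed, and the `chrome-extension://` pattern (a fixed 32-character `a`-`p` ID) goes beyond the Firefox case the post covers.

```javascript
// Added example: audit serialized page HTML for extension-origin URLs.
// Assumption: Firefox's per-install ID in moz-extension:// URLs is a UUID;
// Chromium's chrome-extension:// ID is 32 characters in the range a-p.
const EXT_URL = /\b(moz-extension|chrome-extension):\/\/([0-9a-f-]{36}|[a-p]{32})(\/[^\s"'<>)]*)?/gi;

// Return one finding per distinct extension origin found in the markup.
function findExtensionLeaks(html) {
  const byOrigin = new Map();
  for (const m of html.matchAll(EXT_URL)) {
    const scheme = m[1].toLowerCase();
    const id = m[2].toLowerCase();
    const key = `${scheme}://${id}`;
    if (!byOrigin.has(key)) byOrigin.set(key, { scheme, id, paths: new Set() });
    byOrigin.get(key).paths.add(m[3] || "/");
  }
  return [...byOrigin.values()].map(f => ({
    scheme: f.scheme, id: f.id, paths: [...f.paths].sort(),
    // A Firefox UUID is random per install: it hides which extension it is,
    // but it is identical on every page the extension touches.
    perInstall: f.scheme === "moz-extension",
  }));
}

// IDs that appear in more than one captured page are the cross-site linkable ones.
function sharedIds(pages) {
  const seen = new Map();
  for (const [name, html] of Object.entries(pages))
    for (const f of findExtensionLeaks(html)) {
      if (!seen.has(f.id)) seen.set(f.id, []);
      seen.get(f.id).push(name);
    }
  return [...seen].filter(([, names]) => names.length > 1)
                  .map(([id, names]) => ({ id, pages: names }));
}

// Constructed sample input: saved pages after a hypothetical content script ran.
const SAMPLE_PAGES = {
  "site-a.html": '<img src="moz-extension://3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d/icons/badge.png">' +
                 '<link rel="stylesheet" href="moz-extension://3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d/ui/panel.css">',
  "site-b.html": '<div style="background:url(moz-extension://3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d/icons/badge.png)"></div>',
  "site-c.html": "<p>No extension markup here.</p>",
};

console.log(JSON.stringify(sharedIds(SAMPLE_PAGES), null, 2));
```

To audit a real page, save its HTML from the developer tools after the extension has run and pass that string to `findExtensionLeaks`.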

  • listless@lemmy.cringecollective.io
    1 day ago

    Web pages are not allowed to list your extensions. They can indirectly surmise you have certain extensions based on how your requests differ from expectations. For example, if they have advertisements, but your browser never actually makes any requests to load the images, CSS, JS or HTML for the advertisements, they can deduce you have an ad-blocker. That’s a datapoint they now have to ID you: “has an ad-blocker”

    Now let’s say they have an ad they know AdBlockPlus allows, but uBlock Origin doesn’t. They see your browser doesn’t load that ad. Another datapoint: “Not using AdBlockPlus”.

    Based on what requests go back and forth between your browser and their servers, they map out a unique fingerprint.

    Now you visit another site, and lo and behold, all the same quirks are found. Tada, they now say “hm, probably the same browser,” and start personalizing content. Sites use an ad network, so it’s the common denominator, not the sites you visit. The ad networks do the between-sites tracking.

    Also, VPN does diddly squat when you log in to some service like google, facebook, xitter, amazon, outlook, reddit, etc. You logged in as you. They don’t give a shit you’re logging in from another IP. And if the sites are working with the same ad network, if you’ve ever logged in from your real IP even once, they just add another datapoint about you: “Sometimes uses a VPN” and that gets tucked away in your permanent record.

    Nothing you do online is private. I’m not saying “give up” but it’s pretty bleak and I don’t see it getting better anytime soon.

    • happeningtofry99158@lemmy.world (OP)
      24 hours ago

      Web pages are not allowed to list your extensions. They can indirectly surmise you have certain extensions based on how your requests differ from expectations. For example, if they have advertisements, but your browser never actually makes any requests to load the images, CSS, JS or HTML for the advertisements, they can deduce you have an ad-blocker. That’s a datapoint they now have to ID you: “has an ad-blocker”

      Now let’s say they have an ad they know AdBlockPlus allows, but uBlock Origin doesn’t. They see your browser doesn’t load that ad. Another datapoint: “Not using AdBlockPlus”.

      Based on what requests go back and forth between your browser and their servers, they map out a unique fingerprint.

      Thank you so much, that makes sense.