Firefox Expands Fingerprint Protections
Key topics
Firefox is expanding its fingerprint protections, but users and developers discuss the effectiveness and potential drawbacks of these measures, highlighting the ongoing cat-and-mouse game between browser security and tracking technologies.
Snapshot generated from the HN discussion
Discussion activity (very active discussion; based on 160 loaded comments)
- Story posted: Nov 11, 2025 at 11:04 AM EST
- First comment: Nov 10, 2025 at 8:15 PM EST (-53306s after posting)
- Peak activity: 150 comments in Day 1 (average 40 per period)
- Latest activity: Nov 25, 2025 at 2:02 PM EST
If there's one thing I don't like, it's the fact that NoScript doesn't integrate with Multi-Account Containers. It would be neat if, instead of having to temporarily allow GitHub JavaScript and re-disable it when I'm done, I could just allow GH JS in a GitHub or Microsoft container and have it only be enabled in that container.
By installing CanvasBlocker, Decentraleyes and NoScript you are providing more entropy to trackers and thus making it easier to track you. Imagine how many people worldwide block specifically Canvas, have weird-looking network requests to certain JS libs and have JS disabled for some (/all) scripts, combined with your general setup (window size, font size, and many other factors that do not even require JS).
The Tor project explicitly suggests to not install an adblocker for example because of this.
The web without ad blocking is revolting. Browsers building in these features makes them more popular.
Aside: Fuck the Washington Post. They have a line in their privacy policy that acknowledges the existence of "Do Not Track" flags in browsers. Their acknowledgement: since there is no industry standard for responding to it, they ignore it.
> Do Not Track. Some web browsers may transmit a “do-not-track” signal. Because there currently is no industry standard concerning how to treat such signals, the Services currently do not take action in response to do not track signals. We respond to legally recognized browser-based opt out signals such as the Global Privacy Control signal for California residents.
https://www.washingtonpost.com/privacy-policy/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
I also don't get advertising in any form, maybe because I don't have ecommerce apps on my phone and I block a lot of things with Blockada, but that's another story.
Yeah, they require CSS, which you can also block using noscript and other tools, if you want.
Also, while you might be more "trackable" to those who fingerprint, if you are blocking those cross origin or same origin scripts from loading you are already stopping some of that. You can even blacklist some known hosts completely in your browser's policy settings and prevent those requests from ever reaching their destination.
* Cookies
* Tracking Content
* Cryptominers
* Known Fingerprinters
* Suspected Fingerprinters
But there is no separate toggle for the feature that adds noise to the image, or indication of which toggle would affect that.
But to disable it on a per-site basis, I would just disable ETP for the entire site. If it's a service or site you use frequently you probably trust them or otherwise have a login to them that makes trying to avoid fingerprinting illogical.
My experience lately has been that fingerprint.com is able to identify my main profile "in bursts", i.e. it will identify me consistently for some days, then it will forget and tell me it's never seen me. Maybe the service they provide on the landing page has a TTL policy? Either way, I've observed this behaviour on both my main profile and my "Firefox Focus"-like profile (a mix of no history + automatic temporary containers). On Mullvad Browser, however, it always seems to group me with random access across the globe.
If a website has 100 visitors, and 99 of them use Chrome, and 1 user uses Firefox, it doesn't matter how good their fingerprinting resistance is, they're always the one using Firefox.
https://xkcd.com/1105/
Even if every Firefox browser gave off the exact same fingerprint, that wouldn't make the network traffic indistinguishable between Firefox users. There is a lot of entropy that is provided by your network stack of your device, the networks you connect to in order to get to the end website, the behavior of your requests, etc.
Now, most websites aren't doing this kind of analysis. But it isn't unheard of or impossible. There are major websites that are known to do TLS fingerprinting.
[0] https://radar.cloudflare.com/reports/browser-market-share-20...
However, if you're trying to search for somebody, and you're able to eliminate 96% of the data, you're in a much better position to accomplish your goal.
Whether or not you should care about this depends on what kind of tracking threats you're trying to avoid.
I can get feedback with access, I can't get feedback with tracking. That's why I mentioned access.
By contrast, tracking people on the web is a multibillion dollar industry, and there are out-of-the-box commercial libraries that do very sophisticated tracking. None of these solutions rely on the user agent string alone.
The vast majority of websites by count are not doing anything sophisticated. But some are.
But ultimately, Netflix is just trying to check a box in their contractual obligations, and/or prevent high-schoolers with chrome dev tools from sending movies to all their friends. They're not really interested in spending large sums of money to figure out your browsing history. It's just not relevant to their revenue stream.
>> tracking people on the web is a multibillion dollar industry
> Of which Netflix is a part of.
I was referring to businesses that do web activity tracking as their primary business. Facebook and Google's primary business is advertising, which isn't the same thing, and they control enough products that they don't actually have to do very much fingerprinting in order to target ads effectively. Most of their data, people voluntarily hand over. I was getting more at the big ecosystem of commercial tools that others can implement that do these sorts of things, e.g. fingerprint.com and many others.
I'd rather be trackable but secure -- the big draw for me is NoScript. Paired with uBlock, I'm safe from malvertising[1]
[1] https://en.wikipedia.org/wiki/Malvertising#Examples_of_malic...
Only things uBlock doesn’t replicate:
NoScript’s anti-XSS and anti-clickjacking heuristics (uBlock just blocks the sources; it does not sanitize payloads).
NoScript’s control over other active content types (e.g., WebGL, media codecs, etc).
What data do you have to support this assertion? uBlock doesn't seem to have the ability to selectively enable only the JS necessary for functionality, and if it does, the UI makes it much more difficult to enable.
I just ran a test -- merely uBlock use renders me unique, whereas one in 5742.77 had the same fingerprint as me when using NoScript. (I suspect that's the number of people also using Firefox with NoScript who own this particular monitor size)
A big chunk of the fingerprinting techniques require JS -- it's pretty hard to ascertain what specific extensions are installed with it. I tested disabling it and it didn't seem to do much difference in terms of bits of entropy on EFF's tool.
I encourage you to try for yourself and then think hard on your advice.
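The "one in 5742.77" figure above is the anonymity-set size that fingerprint testers such as EFF's tool turn into "bits of identifying information" via log2(1/share). The following Python is an added illustration of that arithmetic, not code from the post or from EFF: the visitor sample is constructed, and the attribute names (browser, screen size, NoScript present) are chosen only to mirror the thread. It also shows why per-attribute bits do not simply add up when attributes are correlated.

```python
import math
from collections import Counter

# Constructed sample of 100 visitor fingerprints (not measured data).
# Each tuple is (browser, screen size, NoScript installed). Chrome dominates,
# as commenters in the thread assume.
SAMPLE_VISITORS = (
    [("Chrome", "1920x1080", False)] * 60
    + [("Chrome", "1366x768", False)] * 25
    + [("Chrome", "2560x1440", False)] * 8
    + [("Firefox", "1920x1080", False)] * 4
    + [("Firefox", "1920x1080", True)] * 2
    + [("Firefox", "2560x1440", True)] * 1
)


def surprisal_bits(share: float) -> float:
    """Identifying information, in bits, of a value seen in `share` of visitors."""
    return math.log2(1.0 / share)


def anonymity_set_bits(one_in: float) -> float:
    """Convert 'one in N visitors had the same fingerprint' into bits."""
    return surprisal_bits(1.0 / one_in)


def attribute_entropy(visitors, index: int) -> float:
    """Shannon entropy of one attribute across the whole sample."""
    counts = Counter(v[index] for v in visitors)
    n = len(visitors)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint_report(visitors, me):
    """Bits revealed by each attribute of `me`, plus bits for the full tuple.

    Returns (per_attribute_bits, combined_bits, exact_matches).
    """
    n = len(visitors)
    per_attr = []
    for i, value in enumerate(me):
        share = sum(1 for v in visitors if v[i] == value) / n
        per_attr.append(surprisal_bits(share))
    matches = sum(1 for v in visitors if v == me)
    combined = surprisal_bits(matches / n)
    return per_attr, combined, matches


if __name__ == "__main__":
    print("1 in 5742.77 ->", round(anonymity_set_bits(5742.77), 2), "bits")
    me = ("Firefox", "1920x1080", True)
    per_attr, combined, matches = fingerprint_report(SAMPLE_VISITORS, me)
    print("per attribute:", [round(b, 2) for b in per_attr])
    print("combined:", round(combined, 2), "bits; exact matches:", matches)
```

For the constructed sample, the three attributes contribute about 3.8, 0.6 and 5.1 bits individually, yet the full tuple only reaches about 5.6 bits (two of a hundred visitors match exactly), because "Firefox" and "NoScript installed" are strongly correlated in the sample. That is the mechanism behind the complaint that a rare extension can cost more anonymity than it buys: the rarer the combination, the larger the surprisal.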
I'm going to assume you meant to say "I have not".
If you can't judge the validity, maybe you shouldn't give out advice that might be read by vulnerable populations, given the sources you list do not address my points.
If you're doing fingerprinting for tracking purposes, you're gonna be tracking a lot more in-depth data.
But in the end, there are pretty much three types of Internet user today: 1. The person who uses the default browser installed on their device. 2. The user who always downloads Chrome when they first get a new computer. and 3. Nerds who do something else.
I don't remember the discrepancy that the study found, but it's significant.
So… we keep optimising for Chrome, as if that's the bulk of our audience. That makes things shittier for everybody else, and we think it's okay because they're such a small part of the group. This reminds me of a former client burning almost 9 million euros every year because they excluded IE6–8 from their reporting, yet they would account for 15% of the traffic.
The fact that I have to go to great lengths to browse anonymously - and companies desperately try to circumvent my genuine decision to opt out of their tracking - tells me everything I need to know about those companies. Words like sleazy, shady, and predatory come to mind.
I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies, but I fear it's more likely those companies will lobby to prevent Firefox from protecting us.
Given that /usr/bin/firefox is just a shell script, you can
If you use an icon to run firefox (say, /usr/share/applications/firefox.desktop), you'll need to copy/adjust the line for the icon. Or add "-p" to the startup command to do the same thing without right-clicking:
AFAIK, they can only be created at the command line, not configured. If you want to do things like change default settings or install extensions from the Firefox Add-On store, you can't really do that at the command line.
You can do that by mucking around in the user.js file and manually adding .xpi files to the extensions/ subfolder, but that's probably stretching the definition of "done at the command-line" since most people aren't creating Puppet modules to manage Firefox profiles.
Perhaps someone knows an easier way to do this, though.
When you talk about a "shopkeeper" it gives it a small community charm. The Internet is anything but that.
All while showing me 2 advertisements before I enter the store, trying to trick me into clicking a mysterious "track me more" button while I try to get toothpaste, and never lowering the price of pasta for me because my wife mentioned on a post that she loves eating Italian.
And he's the town's least creepy shopkeeper.
I'm absolutely positive I could if they were getting other store owners to help them track me.
What I don't understand is why this is unacceptable if they do it to a single person but perfectly normal if they do it to all their customers. IMO that should make things worse, not better.
Let's put it this way. You'd get a restraining order against someone if they followed you around all day, logging when you woke up, ate, who you talked with (even if they don't hear the conversation), where you went, and when you went to bed. That's clearly stalking, right? So why is it suddenly acceptable when it's being done by some guy named Mark who is stalking a billion people instead of just one?
We clearly differentiate this from being a regular customer at a store. If I'm a regular at Joe's Corner Market and get a sandwich every Wednesday for lunch then he remembers me because we're talking face to face and making conversation. It's personal. There's clear consent in what I'm sharing and there's a clear expectation that Joe isn't going to use that information to manipulate me or follow me around town. Our interaction is limited to the store and maybe bumping into each other on the street. It's clearly not stalking, we're just friendly. The same way your partner might know about when you wake up, go to sleep, eat for breakfast, and all that same stuff. Your partner isn't stalking you.
[Edit]: I want to encourage the above comments. Doesn't matter if recursive4 believes the other side or not, I want these conversations to be front and center. I like to see the other responses than mine as well and I think these help us refine our arguments and by being prominent they help others be convinced and join us. So while I know we don't usually talk about how to upvote/downvote, I'll just say "vote strategically rather than agreeability" :)
Also, if they were logging you specifically, you may have grounds to stand on. But if they're logging every customer that comes in/out (like websites do), I think there is a lot less grounds for a restraining order or anything
Edit: Found out I'm using 'proverbial' wrong but I think you get the idea either way.
No (you have to use it at the register for Costco to know you were there),
and they don't track your every movement in store either,
and they don't track your every movement outside the store either,
and there isn't a standard way to say "I don't want this" which they nonetheless choose to ignore.
Not the case where I am: Costco scans everyone's card upon entry into the store.
> and they don't track your every movement in store either,
It might: Costco certainly uses security cameras, and it's possible that Costco may be using some sort of AI / facial recognition software alongside the cameras. Perhaps someone who has worked with Costco in security / loss prevention could chime in.
> and they don't track your every movement outside the store either,
Probably true, although who knows whether Costco purchases data about its members from brokers?
> and there isn't a standard way to say "I don't want this" which they nonetheless choose to ignore.
I think you're talking about the equivalent of cookies in the real world, in which case I'd generally agree.
Not the case where I am: You just ask for a "code 99", because they are legally required to sell alcohol to nonmembers where I am. I'm sure there are other loopholes too ("I want to browse to see if I want to join"), but nonetheless, no tracking for me.
> it's possible that Costco may be using some sort of AI / facial recognition software alongside the cameras
It's possible that they have a magic genie that grants wishes to shoppers who rub the right pallet, but if we have no evidence of either, we need not entertain such hypotheticals.
> Probably true, although who knows whether Costco purchases data about its members from brokers?
Those brokers are literally the people to whom we're comparing Costco. If Costco must outsource the act in question to the brokers even in the analogy, then Costco is not analogous to the brokers.
Ok, but you say it is not this overt online. Well, if we live a digital life, a lot of things are not overt, but we know we need to clean cookies, some of us create containers, some of us use TOR, so the sensibilities in digital are different than real life, and I am showing pretty much equivalent examples / metaphors of what it would look like if the same level of intrusiveness were there in real life.
https://archive.is/kK1V8
Even more than that, it’s purchasing a membership that requires authentication when you use the store.
Costco is much more like the Joe's Corner Market. I'm only dealing with Costco. It is a bit more invasive than Joe's Corner Market, but I'll admit that I have much more trust for Costco given their history. Like Joe, Costco isn't following me around the store, unless I explicitly ask for their help finding something. They similarly won't follow me outside unless I'm explicitly asking for something like a delivery or some other service. It is always explicit and I'm always aware that I'm being "watched".
But the key difference is that Costco isn't sharing that data with Walmart, Facebook, and others. There is some tracking and I definitely don't like that, but there's a huge difference in going to Costco.com vs Facebook.com or even Google.com. Heading to Costco.com, uBlock hits me with 9 blocks. Heading to google.com I get 17 and then it is constantly rising. In the time to write these few sentences it has already hit 30. Meanwhile, Costco is still at 9. I mean I'm literally on google.com sitting and staring at a search page doing nothing. There's a much more aggressive and invasive attitude here.
Mind you, nuance and intent matter very much. Without them we wouldn't be able to differentiate a partner you live with from a stalker. Similarly expectations of trust. I'm glad you're asking the question of getting the steelman and pressing, but we must make it clear that if we're going to brush away detail and be dismissive of the nuances then we are contriving an environment where we would be unable to differentiate these things. But again, the consequence of that contrived setting is that we would not be able to differentiate someone's husband/wife from a stalker. And that result is beyond laughable. So maybe the better question is to ask where these lines are drawn. I'm not sure there's an easy answer, but I'm certain it is important.
You can talk at a normal voice inside your own home at night, and even if the neighbor can hear you through the thin walls, they have no legal recourse. If you start blasting music, the police will (in principle) come and stop you.
Some things are okay in moderation and simply bad in excess.
So no, you cannot steelman a broken analogy.
Rather than presupposing an analogy to something importantly different, I would propose that the steelman would be along the lines of noting that ads and hyperpersonalization are effective at meeting and predicting your needs, and steering you towards an interpretation of your own needs that finds their fulfillment in deepening a consumer relationship. And if you get steered into lock-in with one company's ecosystem, you get the convenience of a stack of vertically integrated services.
One of them might peer out their window, the other will infiltrate every aspect of your life. One of them is bored, the other has no qualms about doing significant harm to you if it serves their interests.
I briefly discussed this extension and how to proceed after the passing of a maintainer with Mozilla staff in their Extensions and People teams at FOSDEM this year, but there were no real procedures in place at the time of our chat.
[0]: https://addons.mozilla.org/en-GB/firefox/addon/temporary-con...
[1]: https://github.com/stoically/temporary-containers/issues/634
You're in luck since EU's GDPR is about informing users of PII harvesting and consent in general (among other things). So the banner is not only about cookies. And I think nowadays there are similar regulations elsewhere.
https://news.ycombinator.com/item?id=23235341
They actually published an op-ed criticizing Amazon for using dark patterns to prevent people from leaving Amazon Prime while they were using those exact same patterns themselves.
https://www.nirandfar.com/cancel-new-york-times/
"Hi, I see you've read [x-y] amount of news of new this month, we're going to cut you off at [x]"
What's the correct value of x?
If [x] is greater than or equal to the total amount of news published, then scrapers need one account.
If [x] is less than the total amount of news published, then you have now made it so legitimate subscribers cannot read all of the news.
Also, you have made things easier for scrapers, because they can determine how many accounts they need by dividing the total amount by [x].
Then I remembered why I no longer use firefox. I believe we, as users, need to take back the open web. The days of some random developers ruining the UI should really be over, be it firefox, or Google chrome killing ublock origin. We need to fight back.
Do you use something else?
It's a bit more privacy focused, so may need some tweaking to your liking (by default it won't persist history, zoom levels, cookies, etc.)
https://hn.algolia.com/?query=browser%20ml%20chat&type=all
Started a fresh profile, but couldn't find an AI button. The AI stuff in the context menu? You can remove the chat bot functionality right there. As for the buttons, if there is an undesirable button, it should be removable via context menu or toolbar customization.
This is not right. If you have a unique fingerprint every time someone tries to fingerprint you, then they have to do extra work to try and figure out which are the same. If you make it always be the same you've made the fingerprinter's job much easier.
You can't just make your browser's APIs give erroneous outputs and still expect the browser's APIs to work.
In contrast, a randomized fingerprint means when you visit A you have a fingerprint X' and on B you have a fingerprint Y', and no one else on the internet has X' or Y', but A and B can't correlate you.
The protections we've put in place first try to do API normalization to make it so more people have a fingerprint X, and it isn't unique. And then they do API randomization so you use X' and Y'.
If a fingerprinter goes to the extra effort of detecting a randomized fingerprint, and ignores (or removes) the randomization, they will get the X fingerprint which - hopefully - matches many more users.
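The two layers described above (normalization to a shared X, then per-site, per-session randomization to X' and Y') can be simulated in a few lines. The Python below is an added model written for this page, not Firefox's code: the three users, the bucket list used for normalization, and the use of an HMAC keyed by a random session key as a stand-in for the browser's noise seed are all assumptions made for the illustration. It shows the three properties the comment relies on: the same user looks different on site A and site B, two users sharing a bucket look identical once the randomization layer is discarded, and one site sees a stable value within a session so its legitimate use of the API keeps working.

```python
import hashlib
import hmac
import secrets

# Constructed sample of three users' raw attributes (not real measurements).
USERS = {
    "alice": {"screen": (1920, 1080), "gpu": "VendorA-rev3"},
    "bob":   {"screen": (1920, 1200), "gpu": "VendorA-rev5"},
    "carol": {"screen": (2560, 1440), "gpu": "VendorB-rev1"},
}

# Assumed bucket list: normalization reports the largest common size that fits
# inside the real screen (the same idea as the letterboxing setting).
COMMON_SIZES = [(1000, 700), (1500, 1000), (2000, 1200), (2500, 1400)]


def normalize(attrs: dict) -> dict:
    """Collapse raw attributes onto values many users share."""
    w, h = attrs["screen"]
    fitting = [s for s in COMMON_SIZES if s[0] <= w and s[1] <= h]
    bucket = fitting[-1] if fitting else COMMON_SIZES[0]
    # The GPU string is replaced by a generic value, so it carries no bits.
    return {"screen": bucket, "gpu": "generic"}


def normalized_fingerprint(attrs: dict) -> str:
    """The shared value X: identical for every user in the same bucket."""
    canonical = repr(sorted(normalize(attrs).items())).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def new_session_key() -> bytes:
    """Per-user, per-session random key (assumed stand-in for the noise seed)."""
    return secrets.token_bytes(16)


def randomized_fingerprint(attrs: dict, origin: str, session_key: bytes) -> str:
    """X' or Y': X keyed by the visited origin and the session.

    Stable for one origin within a session, different across origins, and
    different across users because each user holds a different key.
    """
    base = normalized_fingerprint(attrs)
    msg = (origin + "|" + base).encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()[:16]


def anonymity_set(users: dict, name: str) -> int:
    """Number of sampled users sharing `name`'s normalized fingerprint: the set
    a tracker is left with if it manages to discard the randomization layer."""
    target = normalized_fingerprint(users[name])
    return sum(1 for u in users.values() if normalized_fingerprint(u) == target)


if __name__ == "__main__":
    key = new_session_key()
    print("alice @ a.example:", randomized_fingerprint(USERS["alice"], "a.example", key))
    print("alice @ b.example:", randomized_fingerprint(USERS["alice"], "b.example", key))
    print("users sharing alice's normalized value:", anonymity_set(USERS, "alice"))
```

In the constructed sample alice and bob both normalize to the 1500x1000 bucket with a generic GPU string, so stripping the randomization leaves a tracker with a set of two rather than a unique identifier; carol's larger screen puts her in a bucket of one, which is the situation a user of rare hardware is in regardless of the noise layer. The randomized values are unlinkable across origins only because the origin is mixed into the keyed hash; a design that reused one noise value for every site would be a unique, persistent identifier, which is the trap the comment above warns about.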
Last time I tried everything I could to prevent Firefox from calling home, it was still requesting Mozilla servers. Though I haven’t given up, my plan is disabling it at source code level and build my own release.
"People should do work for free" isn't very workable.
People lock info behind a signup if they want to monetise. Something stopping that is forcing advertising as the monetisation strategy, or else saying people should work for free.
You've got 6 layers under your browser before that data is sent -- some of those are useful for fingerprinting. Also, browser behavior and feature sets are not and likely will never be 100% uniform.
> GDPR to make it illegal for browsers to track this information
Unfortunately the internet is global and people outside of the reach of those jurisdictions can just exist outside of the reach of those laws. Consider the existing landscape of malicious internet traffic and scams which are already illegal in almost every country -- they are still a widespread problem.
When I say selling, I mean that in the truest form. Google Chrome isn't free; you just pay with your data rather than your wallet. You as a consumer should retain the full ownership and access/control of your data, and that should be legible in a way where you can inspect exactly what's going on. I think it would really wake up a lot of privacy folk to what actually goes on with people's data if things like Facebook's Onavo VPN were more visible.
> The browser ultimately sends only what the webpage requests.
You should do research before making such claims.
They could not build a profile on you and it would break their system of tracking user login per device.
https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
https://addons.mozilla.org/en-GB/firefox/addon/auto-containe...
https://github.com/Shajirr/FF-Auto-Containers
Edit: Seems to break ad blocking and there are some issues with login. For example, adding a container for YouTube requires also doing *.google.com since that's how the login is handled. Interesting, and I'll keep playing around with it.
Regarding login, it's a struggle with any container addon. But I like how this one makes it easier. It streamlines it a bit because you can right click the page and go to Auto Containers -> Exclude tab from domain exclusions, then login as normal and add each intermediate domain to the container's URL patterns. It would be nice if the dev could add a way to record all intermediate domains and add them at the end; sometimes I miss one or two due to an auto-redirect.
https://github.com/stoically/temporary-containers/issues/347
It would be really useful to have something that dithers the reported canvas size by 5 or 10 pixels in different containers to add noise there.
about:config -> set privacy.resistFingerprinting to true
about:config -> create new boolean key privacy.resistFingerprinting.letterboxing set to true
This will set your canvas to a common size which fits in the viewport and display a grey "letterbox" border in the surrounding space.
I have more restrictive protections on. If you use just loose settings, it completes, but advanced fingerprint protection, for example, breaks captcha completion.
This is a very well-known issue.
https://news.ycombinator.com/item?id=35742606
I was actually wondering if the stuff that Mozilla's talking about here will be used by bad bot people to try to circumvent CF's abuse protections. As I recall from when I was working with them, CF's service relies in part on being able to identify botnet attacks by doing its own fingerprinting.
https://news.ycombinator.com/item?id=35742606
Unless they tackle all the hidden things, all artifacts, canvas rendering and many more.
These companies will be actually happy after this change, because even users with ublock and other plugins, will think they're not tracked. Yeah, nope.
And it's not that hard to see how they fingerprint your browser, reverse any JS tracking script yourself and see.