Looks like Firefox is immune.

This works by looking for web accessible resources that are provided by the extensions. For Chrome, these are available in a webpage via the URL chrome-extension://[PACKAGE ID]/[PATH] https://developer.chrome.com/docs/extensions/reference/manif...

On Firefox, web accessible resources are available at "moz-extension://<extension-UUID>/myfile.png". <extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
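
An added example, not part of the comment above or of any browser's or extension's code: a check an extension author could run over a Chrome manifest.json to list the web accessible resources that any website could request at the static chrome-extension://[PACKAGE ID]/[PATH] URL. The sample manifests are constructed, and `auditManifest` and `BROAD` are names chosen here.

```javascript
// Match patterns that expose a resource to essentially every website.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns one finding per resource that arbitrary pages can request.
function auditManifest(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources || [];

  if (manifest.manifest_version === 2) {
    // Manifest V2: a flat list of paths, readable from every origin.
    for (const path of war) {
      findings.push({ path, reason: "MV2 resource is exposed to all sites" });
    }
    return findings;
  }

  // Manifest V3: each entry scopes its resources with `matches` / `extension_ids`.
  for (const entry of war) {
    // use_dynamic_url serves the resource under a per-session ID
    // instead of the static package ID, so skip those entries.
    if (entry.use_dynamic_url === true) continue;
    const broad = (entry.matches || []).filter((m) => BROAD.has(m));
    if (broad.length === 0) continue; // limited to specific sites
    for (const path of entry.resources || []) {
      findings.push({ path, reason: `exposed to ${broad.join(", ")}` });
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const sampleMv2 = { manifest_version: 2, web_accessible_resources: ["img/logo.png"] };
const sampleMv3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["inject.js"], matches: ["<all_urls>"] },
    { resources: ["panel.html"], matches: ["https://app.example.com/*"] },
    { resources: ["icon.svg"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};

console.log(auditManifest(sampleMv2));
console.log(auditManifest(sampleMv3));
```

Entries that the audit reports are candidates for a narrower `matches` list or for removal from `web_accessible_resources` altogether.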

And they said that using a browser with sub-5% market share would cause us to miss out on the latest and greatest in web technology!

Chrome was made by ex-Firefox devs, Chrome is still not as good!

This is probably a naive question, but...

Doesn't the idea of swapping extension specific IDs to your browser specific extension IDs mean that instead of your browser being identifiable, you become identifiable?

I mean, it goes from "Oh they have X, Y, and Z installed" to "Oh, it's jim bob, only he has that unique set of IDs for extensions"

It's not a naive question. This comment says it's not possible to do that: https://news.ycombinator.com/item?id=46905213

Oh, it's (re)randomised upon each restart, whew, thanks for the heads up

edit: er, I think that that also suggests that I need to restart firefox more often...

The webpage would have to scan the entire UUID space to create this fingerprint, which seems unlikely.

Just have a database of UUIDs. Seems pretty trivial to generate and sort as it's only 16 bytes each.

lol

Let's go a step further and just iterate through them on the client. I plan on having this phone well past the heat death of the universe, so this is guaranteed to finish on my hardware.

  // Yields every 128-bit value in order, formatted as a UUID string.
  function* uuidIterator() {
    const bytes = new Uint8Array(16); // 128-bit big-endian counter
    while (true) {
      yield formatUUID(bytes);

      // Increment the counter, carrying from the last byte upward.
      let carry = 1;
      for (let i = 15; i >= 0 && carry; i--) {
        const sum = bytes[i] + carry;
        bytes[i] = sum & 0xff;
        carry = sum > 0xff ? 1 : 0;
      }

      // A carry out of the top byte means the whole space was covered.
      if (carry) return;
    }
  }

  // Formats 16 bytes as 8-4-4-4-12 lowercase hex.
  function formatUUID(b) {
    const hex = [...b].map(x => x.toString(16).padStart(2, "0"));
    return (
      hex.slice(0, 4).join("") + "-" +
      hex.slice(4, 6).join("") + "-" +
      hex.slice(6, 8).join("") + "-" +
      hex.slice(8, 10).join("") + "-" +
      hex.slice(10, 16).join("")
    );
  }

This is free. Feel free to use it in production.

Free space heater

Doing it on restart makes the mitigation de facto useless. How often do you have 10, 20, 30d (or even longer) desktop uptime these days? And no one is regularly restarting their core applications when their desktop is still up.

Enjoy the fingerprinting.

I restart my browser basically every day.

yeah I close out everything as a mental block against anything I'm working on.

I think there's a subset of people that offload memory to their browsers and that's kinda scary given how these fingerprint things work.

Umm, I restart my PC about once a week for security and driver updates.

If you don't, you have a lot more to worry about beyond fingerprinting...

Oh and I'm on LINUX (CachyOS) mind you.

Maybe, but how long are the extension ids? And if they are random, how long to scan a trillion random alphanumeric ids, to find matches?

I presume the extension knows when it wants to access resources of its own. But random JavaScript doesn't.

The extension IDs are UUIDs/GUIDs, so 128 bits of entropy. No site is going to be able to successfully scan that full range.

ChatGPT told me it can be done though.

It won't disclose how, as it says it has had several users report it. And that it expects 50% of the bounty, and will use it for GPU upgrades.
