Firefox takes aim at canvas fingerprinting to stop cookie-free tracking
Security through obscurity by blending in with the crowd
By Greg Synek
Mozilla is pushing for a release of Firefox 58 in January 2018 and there are some important changes incoming that can greatly improve user privacy.
Canvas fingerprinting is a method of tracking user activities across websites by extracting data from the HTML5 canvas element. Although the technique is not a perfect method to track individuals, it is difficult for end-users to notice and tough to completely prevent.
In an effort to give users greater privacy and stop unwanted tracking, Mozilla may be the first major browser to give users the option to deny canvas fingerprinting. Instead of automatically allowing canvas element data to be collected, Firefox 58 will explicitly require user permission before data is shared.
By rendering content to a canvas and then passing the rendered content through a hash function, a site obtains an identifier that can be used to single out a specific user. Differences in graphics cards and operating systems produce slight variations during the rendering process, so the hash can be unique to a visitor when combined with user agent information. When presented with a complex set of content to render, it is extremely rare for any two site visitors to have a perfect match of all gathered data.
If this sounds familiar, you may know that Tor Browser already automatically blocks any attempt to grab metadata that can be used to track users. Canvas fingerprinting was reported over four years ago and has just now been addressed for mainstream users.
One major issue with trying to prevent browser fingerprinting is that plugins are not able to effectively prevent the problem. Adding a new plugin to your browser adds one more piece of data that can be used to single out a user and differentiate a person from a large group.
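The sketch below is an added example, not Firefox or Tor Browser code. It models the permission gate described above: a canvas readback call returns real pixels only after an explicit allow, and otherwise returns the same placeholder to every caller, so the hashes no longer differ between devices. FakeCanvas, gateReadback, the placeholder string and the FNV-1a hash (standing in for whatever hash a tracker applies) are all assumptions made for illustration.

```javascript
// Constructed stand-in for a canvas so the block runs outside a browser.
// The pixel arrays below are made-up sample data, not real renderings.
class FakeCanvas {
  constructor(pixels) { this.pixels = pixels; }
  toDataURL() { return 'data:fake;' + this.pixels.join(','); }
}

// FNV-1a 32-bit: a simple hash standing in for the tracker's hash function.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Wrap a readback method: real data only after an explicit allow.
// Every attempt is logged, which also makes silent readback visible.
function gateReadback(proto, method, askUser, log) {
  const original = proto[method];
  proto[method] = function (...args) {
    const allowed = askUser(method);
    log.push({ method, allowed });
    if (allowed) return original.apply(this, args);
    // Denied: identical placeholder for everyone, nothing device-specific.
    return 'data:fake;blank';
  };
  return () => { proto[method] = original; }; // undo the wrapper
}

function demo() {
  const deviceA = new FakeCanvas([12, 200, 37, 255]);
  const deviceB = new FakeCanvas([12, 200, 38, 255]); // one value differs
  // Ungated: a tiny rendering difference yields two distinct identifiers.
  const before = [fnv1a(deviceA.toDataURL()), fnv1a(deviceB.toDataURL())];
  const log = [];
  const deny = () => false; // the user declines the prompt
  const restore = gateReadback(FakeCanvas.prototype, 'toDataURL', deny, log);
  // Gated and denied: both devices hash to the same value.
  const after = [fnv1a(deviceA.toDataURL()), fnv1a(deviceB.toDataURL())];
  restore();
  return { before, after, log };
}
```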
Updated 11/9/2017: A correspondent from Mozilla's public relations team has reached out with new information and has provided the following statement.
Mozilla is working with the TOR project to add a number of privacy and security features to the shared codebase that both Mozilla and TOR use to produce Firefox and TOR browser respectively. Canvas Fingerprinting is one such feature, however it is disabled by default and we have no current plans to ship Canvas Fingerprinting in Firefox beyond the Nightly channel.
Fingerprinting is part of our overall Tor Browser uplift project to incorporate their patches into our core code. This feature is already available to Tor Browser users. By integrating this into our code, this saves the Tor Browser team work and allows them to build their browser more easily. We are always exploring ways that we can give our users additional control over tracking on the web.