submitted 4 months ago by sag@lemm.ee to c/firefox@lemmy.ml
[-] ReversalHatchery@beehaw.org 3 points 4 months ago

Websites can look at their own structure, and they can see the changes addons make to them, for example if a CSS property was changed or added.

Maybe there are ways around that, like with the use of a shadow DOM, but I'm not a web developer

[-] derek@infosec.pub 2 points 4 months ago* (last edited 4 months ago)

That's not true for all sites. If the page is static then it'll have no clue. If it's dynamic and running a client-side script to report this info back, and if that information is collected, then I can see how that might be a useful supplement for fingerprinting if the server owner is so inclined. At that point though I'm wondering why a security-conscious user is raw dogging the internet and allowing scripts to run in their browser without consent (NoScript saves browsers).

Even then it's unclear when/how altering the page to render it differently is commonly communicated back to the server, how much identifying information that talk-back is capable of conveying, and how we might mitigate those collections (wholesale abstinence and/or script control aside). What are the specific mechanisms of action we're concerned about? This isn't a faux challenge for the sake of hollow rhetoric. I'm ignorant, find the dialogue interesting, and am asking for help being less dumb. :)

I found some brief and useful discussion in this Privacy Guides thread. Seems like the concern is valid but minimal for all but the most strict/defensive postures.

Trying to validate this myself for Dark Reader without breaking out Wireshark and monitoring some big tech site while I toggle color modes (which I might do later if I think of it and find the time) I see Dark Reader is open source, an Open Collective member, and seems to engender little hand-wringing. The only public gripe I can find is this misguided Orion Browser feedback thread.

Thanks for the interesting diversion!

[-] ReversalHatchery@beehaw.org 1 points 4 months ago

> Trying to validate this myself for Dark Reader without breaking out Wireshark and monitoring some big tech site while I toggle color modes (which I might do later if I think of it and find the time)

You would also need to set up a custom certificate authority to MITM the TLS traffic (a very blunt wording but to the point).
I think you should be fine using the network tab in the normal browser devtools, or the one in the browser toolbox as that latter one is supposed to show all traffic your browser makes.

[-] ReversalHatchery@beehaw.org 1 points 4 months ago

Yes, this is absolutely just a possibility for a website to do it. Actually it's probably also quite complicated technically, but there are multiple services for recording precise user behaviour including all mouse movements on a website, so I would imagine there's something for this, too.

> What are the specific mechanisms of action we're concerned about?

I was thinking about the website's code running some light checksum on all the resources it has downloaded and loaded into the browser, and if it differs then upload the diff. I think it should work to find groups of people with a similar browser setup, but maybe it would be fine just as browser fingerprinting too.

this post was submitted on 29 Aug 2024
130 points (93.9% liked)