Starting with Firefox 58, users will be able to refuse websites’ requests for information extracted via the HTML5 canvas element, which can be used to fingerprint their browsers.

What is browser fingerprinting?

Browser fingerprinting is used as an alternative to browser cookies by websites and web analytics services that want to identify users and track their online behavior.

There are a number of browser/device fingerprinting techniques, but Mozilla aims to address the issue of “canvas fingerprinting,” which works by exploiting the browser’s HTML5 canvas element.

The technique works like this: a user visits a website that sends a request to his browser to render hidden text or graphic on a hidden canvas element. The result is extracted, and a hash of it becomes the fingerprint of the browser.

This fingerprint is shared among advertising partners, and used to detect when that user visits affiliated websites. In this way, a profile of the user’s browsing habits can be created, and used to target advertising.

Canvas fingerprinting works because each browser and the system on which it is installed has a specific hardware and software configuration, meaning that the fulfilment of the site’s request will result in different renders and, therefore, different and possibly unique fingerprints.

Some browser fingerprinting attempts can be prevented by using add-ons like Privacy Badger or DoNotTrackMe in conjunction with ad blocking lists.

Firefox changes

With the change, which will require sites to prompt users for permission before they can extract canvas data, Firefox will become the first of the major browsers to do something about this ubiquitous online tracking technique.

This new feature comes over four years after the Tor Browser implemented an option of letting users prevent canvas fingerprinting, and is the result of an ongoing effort to implement all Tor Browser privacy and security patches into Firefox. (Tor Browser is based on Mozilla Firefox ESR.)

Mozilla has a history of trying to prevent online user tracking. With Firefox 52, it stopped allowing websites to access the Battery Status API and the information it can provide about the visitor’s device, as well as implemented protection against system font fingerprinting.

Firefox 58 is due for release in January 2018, and another change set to take place with it is the removal of WoSign and StartCom root certificates from Mozilla’s root store.

A discussion has also been recently started on whether Firefox should continue trusting certificates signed by the Staat der Nederlanden Root CA – the Dutch national CA – in wake of a new law that would allow intelligence and security to intercept internet traffic, and to use “‘false keys’ in third party systems to obtain access to systems and data.”