Firefox to add Tor Browser anti-fingerprinting technique called letterboxing

Mozilla is scheduled to add a new user anti-fingerprinting technique to Firefox with the release of version 67, scheduled for mid-May this year.Called "letterboxing," this new technique adds "gray spaces" to the sides of a web page when the user resizes the browser window, which are then gradually removed after the window resize operation has finished.Advertising networks often sniff certain browser features, such as the window size to create user profiles and track users as they resize their browser and move across new URLs and browser tabs.The general idea is that "letterboxing" will mask the window's real dimensions by keeping the window width and height at multiples of 200px and 100px during the resize operation --generating the same window dimensions for all users-- and then adding a "gray space" at the top, bottom, left, or right of the current page.The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later.In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions.Notice the gray space near the side of the browser window marginLetterboxing isn't a new technique. Mozilla is actually integrating a feature that was originally developed for the Tor Browser four years ago, in January 2015.A demo of the letterboxing anti-fingerprinting feature is available below, as it was first developed for the Tor Browser:Letterboxing is currently available in Firefox Nightly and will be generally available for all users with the release of Firefox 67 in May.The feature isn't enabled by default, though. Firefox users will first need to visit the about:config page, enter "privacy.resistFingerprinting" in the search box, and toggle the browser's anti-fingerprinting features to "true."Firefox's letterboxing support doesn't only work when resizing a browser window but also works when users are maximizing the browser window, or entering in fullscreen mode.According to a Bugzilla entry, this is how Firefox's letterboxing protection works in these two states:When the user maximizes the window, the largest possible viewport is used, again a multiple of 200 x 100. window.devicePixelRatio was always spoofed to 1.0 even when device pixels != CSS pixels.The only thing that's missing in Firefox's letterboxing support is the warning that the Tor Browser shows users when users are maximizing their window.Firefox's upcoming letterboxing feature is part of a larger project that started in 2016, called Tor Uplift.Part of Tor Uplift, Mozilla developers have been slowly porting privacy-hardening features developed originally for the Tor Browser and integrating them into Firefox.For example, in Firefox 48, Mozilla integrated a list of known user fingerprinting domains that the Tor Project was maintaining to block inside the Tor Browser. That list later morphed and was upgraded into the Enhanced Tracking Protection feature that Mozilla later shipped in Firefox 63.In Firefox 52, Mozilla added a second Tor Browser anti-fingerprinting technique that prevented websites from identifying users based on their operating system fonts.The Tor Uplift process later continued in Firefox 55 when Mozilla added a Tor Browser feature known as First-Party Isolation (FPI), which worked by separating cookies on a per-domain basis, preventing ad trackers from using cookies to track users across the Internet. This feature is now at the heart of Project Fission and will morph into a Chrome-like "site isolation" feature for Firefox.Three releases later, in Firefox 58, Mozilla engineers integrated another Tor Browser anti-fingerprinting technique that prevented websites from tracking users via the HTML5 canvas element.Upcoming Tor Uplift plans include Mozilla engineers adding support in Firefox for blocking sites from fingerprinting users via VP8 and VP9 codecs, via the AudioContext API, and support for preventing Firefox from loading user details (username, emails, real names) into the operating system RAM.SecurityWDS bug lets hackers hijack Windows Servers via malformed TFTP packetsSecurityGoogle reveals Chrome zero-day under active attacksSecurityNSA releases Ghidra, a free software reverse engineering toolkitSecuritySaudi caller ID app leaves data of 5+ million users in unsecured MongoDB server Facebook's privacy pivot vs Microsoft's 2002 security pivot: Facebook has more to prove CEO Mark Zuckerberg said Facebook will retool its messaging services to be more interoperable, ephemeral, and with end-to-end encryption. Hacker group behind SingHealth data breach identified, targeted mainly Singapore firms