The Mozilla Foundation is boosting privacy in an upcoming version of its Firefox browser by removing the snooping capability called canvas fingerprinting, a method of tracking users across multiple websites.
The feature is expected to be removed in January 2018 with the introduction of Firefox 58, according to Mozilla.
Canvas fingerprinting capabilities are currently available in all major browsers. Using the HTML5 framework, websites are able to identify users (or a browser image) not by cookies, but the unique characteristics of a browser such as fonts, SVG widgets and WebGL—for starters.
“This rendered image data can then be extracted and hashed, to produce a single, potentially unique identifier to track users without any actual identifier persistence on the machine,” wrote developers in the Mozilla bug tracking system.
Now, in an effort to protect user privacy from tracking, Mozilla is slated to be the first major browser to give users the option to block browser fingerprinting. Instead of automatically opting users in to tracking and sharing data, users must proactively give permission before data is shared.
However, despite the privacy upgrade, experts said the Firefox update will have a limited impact on overall browser privacy for most users. According to insights from Risk Based Security, using Firefox as a regular user, you are already sharing your IP with websites, accepting cookies from the website you visit and from ad providers. Plus, over the past several years, since concerns were first raised about fingerprinting, new tracking techniques have supplemented older ones.
The upcoming Firefox feature to block canvas fingerprinting attempts comes directly from the Tor Browser, which is almost entirely built on Firefox code. Typically features flow from Firefox to Tor Browser. But in a program called Tor Uplift Project, Mozilla is slowly hardening Firefox’s defenses with Tor privacy features.
“In Tor Browser, we have opted to have the canvas return white image data until the user has accepted a doorhanger UI that flips a site permission to either enable or permanently block canvas access from that site,” developers wrote. Now that feature comes to Firefox, Mozilla said.
For years, canvas fingerprinting has been a boon to advertisers who can track visitors to their website, whether or not tracking cookies are enabled or present. But it has also been used by threat actors. Last year, a malware campaign targeting Mac OS X machines is suspected of using browser fingerprinting to identify targets.