In 2014, The Tor Project announced that they would be forming a partnership with Mozilla, the company most known for the Firefox browser and Thunderbird email client. The two organizations still work in unison, sharing patches, bug fixes, and even high-capacity relays. In recent news, Mozilla fought to have the FBI release information regarding a Tor exploit – one that leaves Tor and Firefox users vulnerable to hacking and other privacy violations. These requests were denied, but that hasn’t stopped Mozilla from continually working to improve the level of privacy Firefox provides.
We were made aware, a few days ago, that the nightly build of Firefox 50 has started integrating features that originated in Tor. While only a handful are available now, it appears several more – potentially huge – changes will be made public in the following weeks.
So far there’s three patches to write about, all of which are not enabled by default. The first patch is aimed at reducing or removing browser fingerprinting. This is, if you aren’t aware, information that can be extracted from your web browser by the websites you visit. Some consider it a violation of privacy as this information can potentially lead to personal identification. It has non-malicious purposes too, such as analytics and preventing Internet identity fraud. Firefox accomplishes this by restricting the ability to read plugins and MIME types that the browser supports.
The second patch is also directly related to device fingerprinting – when a page requests screen.orientation.angle and landscape-primary, Firefox will return a value of 0, rendering the site or application’s request useless.
And the last one is fairly simple – it allows for removal of the “open with” option after downloading a file.
If you want to give these new features a shot, you’re going to have to manually enable them. Since the general public may not be suited for the Tor-related patches, they won’t ever be enabled by default. Ghacks outlines how to access the patches, given that they aren’t available on the preferences panel. Make sure that you’re running Firefox 50 Nightly. If you don’t have the build, are interested in trying new features, and don’t mind running a browser that is for testing only – you can find the Nightly builds here.
In the address bar, you’re going to want to head to “about:config,” obviously without quotes or the comma. The fingerprinting option doesn’t exist yet, so you’re going to have to create it by right clicking anywhere in the page and selecting “New” and then “Boolean.” Name it privacy.resistFingerprinting, set the value to True, and then you’re good to go. While you’re at it, if you want to remove the “Open With” option that appears when downloading files, don’t leave the About:config page. In the search bar, type browser.download.forbid_open_with. Double click and set the value to True.
Mozilla notes that eight patches are currently being worked on and will be implemented as time goes on. You can see these here. If you want to see the future for Firefox patches, head over to the Tor Uplifting entry on the Mozilla Wiki. Whether or not you may be a security-conscious Firefox user, following along and keeping track of what changes are being made may prove to be a wise decision. That being said, the FBI still has an undisclosed exploit and, not knowing where to look, Mozilla will likely be unable to patch it for some time. In closing, as always, be safe and remember that security patches don’t make you impenetrable.