this post was submitted on 11 Aug 2024
98 points (65.6% liked)

Privacy

32156 readers
945 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Did you know? Despite claiming to block all cross-site cookies out of the box, Firefox automatically allows Google to use them in your browser should you log in to one of their services.

The browser only lets you know about this once it happens, and it's on you to notice the permissions icon appearing in the URL bar. There is a link to a paragraph on a help page explaining this behaviour, but it seemingly goes unmentioned pretty much everywhere else on the internet.

This surprised me, especially considering Firefox's stance on privacy. I was even more surprised that this is done without consent. If this is for usability, Firefox should at least warn the user before this happens.

all 35 comments
sorted by: hot top controversial new old
[–] [email protected] 216 points 3 months ago (3 children)

Take it you didn't click "learn more"?

To sign into YouTube, you need to sign into Google.Com. that's the cross site script. Nothing scary, or unexpected.

[–] [email protected] 136 points 3 months ago (2 children)

What's with the influx of anti Firefox posts here? Really weird. Especially since yes everything is in their learn more stuff.

[–] IAmNotACat 79 points 3 months ago (1 children)

It is a bit odd that there’s an influx of anti Firefox and AMD stuff after Google and Intel were in the news for major things.

[–] [email protected] 37 points 3 months ago (1 children)

Yeah feels a bit intentional

[–] [email protected] 18 points 3 months ago

FF deserves this criticism but time is suspect for sure.

[–] just_another_person 23 points 3 months ago (2 children)

People have been up in arms for every new "flavor of the month" browser that boasts better security, or some new privacy thing, and Firefox not offering it. Also, the freakout about Mozilla enabling "ad-tracking" was wildly misunderstood and overblown by the privacy nuts, but started a slew of these "WELLFFDIDTHISTHINGBLETRRGGHWAAAHHHHHHH"

It's all overblown in my opinion.

[–] [email protected] 17 points 3 months ago (1 children)

"flavor of the month" browser

"flavor of the month" ~browser~ Chromium

[–] just_another_person 1 points 3 months ago (1 children)

Well I would have just said Chromium then, but that's not what I said.

[–] [email protected] 6 points 3 months ago (1 children)

I think they meant that they are chromium based.

[–] just_another_person 1 points 3 months ago

Yeah, I got the sarcasm. Just saying that wasn't my point at all.

[–] [email protected] 0 points 3 months ago (1 children)

If you've lost your entire user base except the privacy nuts, you should be very careful about your messaging because they're your only demographic left.

[–] just_another_person 10 points 3 months ago

It's not clear who you are referring to. Privacy nuts seem to hate every browser that exists at the moment. I even see people pissed an Librewolf for one thing or another.

Fact of the matter is that the browser is less the problem, and the contents they consume are, yet people are unwilling to just stop interacting with the sites that cause their concerns. There's no way to win with everyone.

[–] [email protected] 12 points 3 months ago

the moment I saw login im like um yeah I bet same with microsoft or any other login that is across. wait for it. sites. login to outlook.com and then go to 0365

[–] [email protected] 0 points 3 months ago

But that's one of the most dangerous trackers afaik. There should at least be an option to disable it.

[–] [email protected] 66 points 3 months ago (3 children)

Don't log into their services.

[–] [email protected] 26 points 3 months ago (1 children)
[–] [email protected] 27 points 3 months ago (1 children)

Don't even use HTTP, only Gopher and BBS.

[–] [email protected] 15 points 3 months ago (1 children)

Don't even use UDP or TCP, only FCP.

[–] [email protected] 26 points 3 months ago (1 children)

Don't even use a computer, talk to your friends in person.

[–] toomanypancakes 33 points 3 months ago (1 children)

Don't even have friends, talk to the voices in your head.

[–] [email protected] 8 points 3 months ago* (last edited 3 months ago) (1 children)

Don't even talk to the voices in your head, your wife will think you're cheating on her.

The voices in your head are selling your data too.

[–] GustavoFring 6 points 3 months ago

Don't even your wife will think you're cheating on her, talk to your wife's boyfriend.

[–] [email protected] 9 points 3 months ago (1 children)

Bingo! This is the way. I only open chrome when I need to log into a google/ alphabet site on the unlikely occasion. And close it immediately after.

[–] [email protected] 2 points 3 months ago

Exactly if it can be used without logging in you don't have to log into everything.

[–] [email protected] 62 points 3 months ago

If they wouldn't allow this, signing into YouTube wouldn't work

[–] [email protected] 17 points 3 months ago (2 children)

If you access Google sites only in a special Firefox container, that still isolates your Google cookies from the rest of your tabs? Or does it just add a “you don’t get this from me” flag when it gives Google your user cookie, so it can pretend to not recognise you as it adds your web-browsing history to your ad-targeting profile (flagged appropriately as to keep it deniable, of course)?

[–] [email protected] 10 points 3 months ago (1 children)

Yes.
I have a google container for one account.
If I open a google site in another container it will be as if the account didn't exist.
The containers are all partitioned.
You can also partition off the cookie/storage per site by proxy used (in about:config).
So, you could create a container for google account 1 using proxy 1 and another container for google account 2 using proxy 2 and they will never have access to the data stored by either.

[–] ngwoo 1 points 3 months ago (1 children)

Out of curiosity, do you know if these containers also obfuscate browser and device fingerprinting? Separating cookies is important but unless it also blocks fingerprinters (in a different way for each container) the site will instantly know the same person is using both accounts.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

FF doesn't really enable full fingerprint resistance by default. But it can.

These settings are some of what I usually use. All fingerprint values (that are able to be are randomised on every reload of a page.

Set secutity setting to custom, select known AND suspected fingerprinting > select from dropdown 'In ALL tabs'

Also: Because it's of no value / use to me, and (IMHO) a giant gaping privacy and security issue, I also disable webgl and webrtc, and navigator completely in about:config

Set the following:

WebGL webgl.disabled true
WebGL2 webgl.enable-webgl2 false
WebRTC media.peerconnection.enabled false
Navigator media.navigator.enabled false
RFP privacy.resistFingerprinting true

RFP options like bounce protection etc can also be enabled in config.

Check fingerprints on browserleaks.com, coveryourtracks.EFF.org, etc

Should be 100% unique fingerprint every time.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

I think the "rest of your tabs" would have to be sites that already include google js (e.g. for "sign in with google" type stuff) to even know you have a google cookie (otherwise what's the point of FPI/ETP/TCP/network partitioning/no-3rd-party-cookies/etc.), but I could be wrong.

[–] DirkMcCallahan 3 points 3 months ago

Is it sufficient to set the Enhanced Tracking Protection to "Strict" (which claims to block cross-site cookies in all windows), or is there something else you have to do?