Bug 785673

Summary: Panopticlick browser fingerprint unique because of detailed plugin versioning
Product: [Fedora] Fedora
Component: firefox
Version: 16
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Reporter: Reinout van Schouwen <reinouts>
Assignee: Gecko Maintainer <gecko-bugs-nobody>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gecko-bugs-nobody, stransky
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-02-14 18:03:55 UTC

Description Reinout van Schouwen 2012-01-30 09:56:23 UTC
(Filed under "Firefox" component but applicable to all web browsers)

Description of problem:
Panopticlick is a tool that shows how unique your browser fingerprint is. If it is unique, then a site owner or advertisement company can identify you because of that.

Currently, some browser plugins shipped with Fedora 16 give very detailed version information, which increases the chance of a unique browser fingerprint. Examples:
- IcedTea-Web Plugin (using IcedTea-Web 1.1.4 (fedora-4.fc16-x86_64))
- VLC Multimedia Plugin (compatible Totem 3.2.1)

Interestingly, the Gecko build identifier in the user agent string seems to be generic:

- Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

I believe that Fedora should try to minimize the bits of information that plugins identify themselves with to protect the privacy and anonymity of the user.

Version-Release number of selected component (if applicable):
9.0.1

How reproducible:
Always

Steps to Reproduce:
1. Install icedtea-web, totem-mozilla or any other bundled plugins
2. Visit https://panopticlick.eff.org/
3. Click 'Test Me'
  
Actual results:


Expected results:


Additional info:

Comment 1 Martin Stransky 2012-02-14 18:03:55 UTC
The plug-in versions are provided by plug-ins themselves, we can't change the exposed plug-in version string. If you believe Firefox should filter the plugin version strings, please file a bug at bugzilla.mozilla.org and try to find support there.

Comment 2 Reinout van Schouwen 2012-02-14 23:09:23 UTC
(In reply to comment #1)
> The plug-in versions are provided by plug-ins themselves, we can't change the
> exposed plug-in version string. 

Are you saying that the plug-in itself provides the string "(fedora-4.fc16-x86_64)"? I don't believe so.
Also, given that RH developers are working on both Totem and IcedTea, the statement that "we can't change the plug-in version string" is doubtful.

> If you believe Firefox should filter the plugin
> version strings, please file a bug at bugzilla.mozilla.org and try to find
> support there.

This is already discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=566423 .
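
The effect raised in the description, as an added example (not code from this bug thread or from Panopticlick): it measures how many bits of identifying information the plugin description strings carry for the reporter's browser within a small constructed population, at three levels of detail. Only the two string formats and the values in entry 0 come from the report; the other versions and build tags, and all function names, are assumptions.

```javascript
// Added example. Builds the two plugin description strings in the formats
// quoted in the report.
const plug = (ver, build, totem) => [
  `IcedTea-Web Plugin (using IcedTea-Web ${ver}${build ? ` (${build})` : ""})`,
  `VLC Multimedia Plugin (compatible Totem ${totem})`,
];

// Constructed population of eight browsers. Entry 0 uses the values from the
// report; every other version and build tag is made up for illustration.
const population = [
  plug("1.1.4", "fedora-4.fc16-x86_64", "3.2.1"),
  plug("1.1.4", "fedora-4.fc16-i686", "3.2.1"),
  plug("1.1.4", "fedora-2.fc16-x86_64", "3.2.1"),
  plug("1.1.4", "", "3.2.1"),
  plug("1.1.3", "fedora-1.fc15-x86_64", "3.0.1"),
  plug("1.1.3", "fedora-1.fc15-i686", "3.0.1"),
  plug("1.1.2", "fedora-1.fc15-x86_64", "3.2.1"),
  plug("1.1.2", "", "3.0.1"),
];

// Three levels of detail a browser or packager could expose.
const full = (d) => d;                                                  // as reported today
const stripBuild = (d) => d.replace(/ \([a-z]+-\d+\.fc\d+-\w+\)/, "");  // drop distro build tag
const nameOnly = (d) => d.replace(/ \(.*$/, "");                        // drop all version detail

// Surprisal in bits of browser `index`: log2(population size / number of
// browsers whose normalized plugin list is identical to it).
function surprisalBits(pop, index, normalize) {
  const key = (list) => list.map(normalize).sort().join("\n");
  const target = key(pop[index]);
  const same = pop.filter((b) => key(b) === target).length;
  return Math.log2(pop.length / same);
}

const levels = [["full", full], ["no distro build tag", stripBuild], ["name only", nameOnly]];
for (const [label, fn] of levels) {
  console.log(label.padEnd(20), surprisalBits(population, 0, fn), "bits");
}
```

In this sample the distro build tag alone accounts for two of the three bits that make entry 0 unique, which is the part of the string comment 2 attributes to packaging rather than to the plug-in.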