Bug 785673 - Panopticlick browser fingerprint unique because of detailed plugin versioning
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-01-30 09:56 UTC by Reinout van Schouwen
Modified: 2012-02-14 23:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-14 18:03:55 UTC
Type: ---


Description Reinout van Schouwen 2012-01-30 09:56:23 UTC
(Filed under "Firefox" component but applicable to all web browsers)

Description of problem:
Panopticlick is a tool that shows how unique your browser fingerprint is. If it is unique, then a site owner or advertisement company can identify you because of that.

Currently, some browser plugins shipped with Fedora 16 give very detailed version information, which increases the chance of a unique browser fingerprint. Examples:
- IcedTea-Web Plugin (using IcedTea-Web 1.1.4 (fedora-4.fc16-x86_64))
- VLC Multimedia Plugin (compatible Totem 3.2.1)

Interestingly, the Gecko build identifier in the user agent string seems to be generic:

- Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

I believe that Fedora should try to minimize the bits of information that plugins identify themselves with to protect the privacy and anonymity of the user.

Version-Release number of selected component (if applicable):
9.0.1

How reproducible:
Always

Steps to Reproduce:
1. Install icedtea-web, totem-mozilla or any other bundled plugins
2. Visit https://panopticlick.eff.org/
3. Click 'Test Me'
  
Actual results:


Expected results:


Additional info:

Comment 1 Martin Stransky 2012-02-14 18:03:55 UTC
The plug-in versions are provided by plug-ins themselves, we can't change the exposed plug-in version string. If you believe Firefox should filter the plugin version strings, please file a bug at bugzilla.mozilla.org and try to find support there.

Comment 2 Reinout van Schouwen 2012-02-14 23:09:23 UTC
(In reply to comment #1)
> The plug-in versions are provided by plug-ins themselves, we can't change the
> exposed plug-in version string. 

Are you saying that the plug-in itself provides the string "(fedora-4.fc16-x86_64)"? I don't believe so.
Also, given that RH developers are working on both Totem and IcedTea, the statement that "we can't change the plug-in version string" is doubtful.

> If you believe Firefox should filter the plugin
> version strings, please file a bug at bugzilla.mozilla.org and try to find
> support there.

This is already discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=566423 .
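
The effect discussed in this report, as an added example that is not part of the original bug thread: over a small constructed visitor population, it measures how many visitors share the reporter's plugin strings, and how many bits of identifying information those strings reveal, as the version detail is coarsened. Only the first visitor's two strings are quoted from the report; the other entries and all function names are assumptions made for illustration.

```javascript
// Constructed sample: plugin description strings for four visitors. The first
// visitor's two strings are quoted from the bug report; the rest are invented.
const POPULATION = [
  ["IcedTea-Web Plugin (using IcedTea-Web 1.1.4 (fedora-4.fc16-x86_64))",
   "VLC Multimedia Plugin (compatible Totem 3.2.1)"],
  ["IcedTea-Web Plugin (using IcedTea-Web 1.1.4 (fedora-3.fc16-i686))",
   "VLC Multimedia Plugin (compatible Totem 3.2.1)"],
  ["IcedTea-Web Plugin (using IcedTea-Web 1.1.3 (fedora-1.fc15-x86_64))",
   "VLC Multimedia Plugin (compatible Totem 3.0.1)"],
  ["IcedTea-Web Plugin (using IcedTea-Web 1.1.4 (fedora-4.fc16-x86_64))",
   "VLC Multimedia Plugin (compatible Totem 3.2.0)"],
];

// Identity transform: the strings exactly as a page script would read them.
const raw = (desc) => desc;

// Drop only a nested packaging tag such as " (fedora-4.fc16-x86_64)".
const stripBuildTag = (desc) => desc.replace(/\s*\([^()]*\)(?=\))/g, "");

// Drop every parenthesised detail, innermost first, leaving the plugin name.
function stripVersions(desc) {
  let prev;
  do {
    prev = desc;
    desc = desc.replace(/\s*\([^()]*\)/g, "");
  } while (desc !== prev);
  return desc;
}

// Order-independent key for one visitor's plugin list under a transform.
const keyOf = (plugins, normalize) => plugins.map(normalize).sort().join("\n");

// Visitors sharing the target's key, and the identifying information in bits
// (log2 of population size over anonymity-set size) that the key reveals.
function measure(population, target, normalize) {
  const want = keyOf(population[target], normalize);
  const same = population.filter((p) => keyOf(p, normalize) === want).length;
  return { anonymitySet: same, bits: Math.log2(population.length / same) };
}

for (const [label, fn] of [["raw", raw], ["no build tag", stripBuildTag],
                           ["names only", stripVersions]]) {
  const { anonymitySet, bits } = measure(POPULATION, 0, fn);
  console.log(`${label}: shared with ${anonymitySet} of ${POPULATION.length}, ${bits} bits`);
}
```

In this constructed population the packaging tag alone separates the first visitor from the second, which is the distinction the reporter attributes to the "(fedora-4.fc16-x86_64)" suffix.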

