FP-Block

FP-Block (XPI, 255kb) is a proof-of-concept open-source Firefox plugin that prevents fingerprint-based cross-domain tracking. FP-Block is an implementation of the concept "separation of web identities". This concept ensures that embedded third-party content such as social media buttons (Facebook's Like, Pinterest's PinIt, Google's + button) cannot track the user over different websites. More details below.

A detailed write up can be found in the ESORICS'15 paper. FP-Block is an extension of Christof Ferreira Torres' Bachelor project, further augmented by the bachelor project of Siebren Cosijn and Nataliya Yasko.

Installation instructions

Update: Firefox no longer allows unsigned extensions by default. See here for more information on how to enable unsigned extensions.

• Download the plugin (XPI file, 255kb) using Firefox.
• Click "Allow:" when Firefox asks you if you wish to allow installation.
• Next, click "Install now" when Firefox asks you to install.
• Restart Firefox to finish installing FP-Block.

News

• August 9, 2019: version 2.0 released. This version is based on the work of Siebren Cosijn and Nataliya Yasko and improves FP-Block with:
  - fast fingerprint generation
  - fingerprint stability and inconsistency fixes
• July 1, 2015: version 1.0.1 released.
  - clean up source code
  - remove blue from logo.
• April 16, 2015: Version 1.0 released.

About fingerprint-based online tracking

Fingerprint-based tracking is the process of tracking a user across different web sites by determining various characteristics, such as screen resolution, browser version, IP address, HTTP header order, etc. Together, such a "fingerprint" is unique and therefore allows the fingerprinter to track the user without using HTTP cookies or other client-side storage.

Most pages on the web embed some content from a third party. Examples of such embedded content include:

• social media buttons such as Facebook's Like, Twitter's tweet, etc.,
• video hosting (YouTube, Vimeo, etc.),
• photo hosting (Flickr, Instagram, etc.),
• advertising services (Google AdWords, DoubleClick, etc.),
• payment services (PayPal, credit card portals, etc.)
• analytics services (Google Analytics, etc.)
• JavaScript frameworks (JQuery, Node.js, etc.)
• etc. etc. etc.

When a page embedding such a service is visited, the page rendering triggers the browser to contact the third party. This allows the third party to begin fingerprinting. Moreover, often a script is requested. This makes it trivial for the third party to inject active fingerprinting.

How FP-Block stops fingerprint-based tracking

When a user visits a website A, FP-Block generates a unique fingerprint for website A: ID_A. This identity is then used for all contact with website A, as well as any contacts to retrieve content embedded on website A. This identity is never used otherwise. Since any new identity is generated such that it is distinct from all previously generated identities, no two identities are the same.

Example:
Suppose a user visits two websites, A and B, which both contain a Facebook like button. When visiting site A, Facebook will receive a request for their like button from a browser with fingerprint ID_A. When visiting site B, Facebook will get the request from a browser with fingerprint ID_B. Since ID_A and ID_B are different, Facebook cannot link these two visits.

Technical details

FP-Block thwarts both active (JavaScript) and passive (HTTP) fingerprinting. It does so by a combination of spoofing and blocking access to typically fingerprinted attribute values.

Compatibility:
In general, using FP-Block in combination with other plugins that block or change attributes may lead to interesting behaviour. We tested FP-Block with Disconnect, AdBlock Plus, Ghostery, and Privacy Badger. FP-Block cooperates with the default settings of these plugins. When using such a pluing to block 3rd parties also blocked by FP-Block, however, interference will occur.

Team

FP-Block was created by Christof Ferreira Torres, Hugo Jonker and Sjouke Mauw.