Mozilla Firefox has just announced that it is collaborating with The Tor Project to add one of the Tor Browser’s main security techniques to the Mozilla browser. The technique, referred to as “letterboxing”, will be featured in the stable version of Firefox 67, which is expected to be released in May.
What is letterboxing?
Letterboxing is a novel anti-fingerprinting technique that aims to stop advertisers from tracking, or fingerprinting, users by the size of their browser window. Odd as it may seem, window size is currently one of the sneaky signals used by entities whose job is to serve ads specifically tailored to users. Advertising networks usually sniff certain features of a user’s browser, including the window size, in order to create user profiles and monitor users’ activities as they resize the browser window and move across new URLs and different browser tabs.
Letterboxing aims to improve Firefox’s privacy features by obfuscating the size of the browser window from advertising entities, which use these dimensions to create user profiles automatically and follow users throughout their browsing sessions.
How does letterboxing work?
Letterboxing works by adding “grey spaces” to the top, bottom, and both sides of a web page whenever the user resizes the browser window. These grey spaces are then progressively removed once the resize operation completes. This confuses the “sniffing” technique used by advertisers and diverts the unwanted attention.
The general goal is to obfuscate the browser window’s actual dimensions by keeping the page’s size at predefined steps (height and width at multiples of 100px and 200px) when the user resizes the window, which produces the same window size for all users, and then adding the grey spaces mentioned above. The advertising script, which is coded to identify window resizing events, will detect the generic dimensions and send that information to its server. In other words, letterboxing deceives the advertising script into recording dimensions that do not match the real size of the resized browser window. The browser window can be of any size and shape, yet its page content can only be displayed at specific predefined dimensions, and the remainder of the window is filled with grey spaces.
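The rounding described above, as an added JavaScript illustration (not Firefox's or Tor Browser's code). It assumes width snaps down to a multiple of 200px and height to a multiple of 100px, that grey margins are split evenly between opposite sides, and uses a constructed list of window sizes to show how distinct windows collapse into the same reported size.

```javascript
// Added illustration; names and step assignment are assumptions, not Firefox internals.
const WIDTH_STEP = 200;   // assumed: width rounds down to multiples of 200px
const HEIGHT_STEP = 100;  // assumed: height rounds down to multiples of 100px

// Round a dimension down to its step; windows smaller than one step are left as-is.
function snap(value, step) {
  const snapped = Math.floor(value / step) * step;
  return snapped > 0 ? snapped : value;
}

// Return the content size a page script would observe and the grey margins around it.
function letterbox(windowWidth, windowHeight) {
  const width = snap(windowWidth, WIDTH_STEP);
  const height = snap(windowHeight, HEIGHT_STEP);
  const padX = windowWidth - width;
  const padY = windowHeight - height;
  return {
    reported: { width, height },
    margins: {
      left: Math.floor(padX / 2), right: Math.ceil(padX / 2),
      top: Math.floor(padY / 2), bottom: Math.ceil(padY / 2),
    },
  };
}

// Group real window sizes by the size a resize-sniffing script would record.
function anonymitySets(windows) {
  const sets = new Map();
  for (const [w, h] of windows) {
    const { reported } = letterbox(w, h);
    const key = `${reported.width}x${reported.height}`;
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Constructed sample: six distinct real window sizes.
const SAMPLE_WINDOWS = [
  [1366, 657], [1280, 681], [1303, 699], [1440, 789], [1536, 722], [1912, 948],
];

for (const [size, count] of anonymitySets(SAMPLE_WINDOWS)) {
  console.log(`${size}: ${count} window(s)`);
}
```

Six unique window sizes become three reported sizes, so a script that keys on dimensions can no longer tell the windows in each group apart.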
Mozilla’s spokesperson described the letterboxing implementation by saying:
“Our present Letterboxing experiment is different from the previous experiments conducted by the Tor Project. The main difference is that the implementation deployed by the Tor Browser maintained the whole window of the browser at predefined dimensions, whereas Mozilla’s implementation utilizes grey spaces in order to make it possible for the browser window to be visualized at any size, while maintaining the content of the page at present dimensions.”
Mozilla’s developers porting Tor Browser’s privacy features:
The letterboxing technology was first implemented experimentally in the Tor browser in 2015 and then became part of Tor’s Uplift project in July 2016. In addition to Uplift, Mozilla’s developers have been adopting Tor Browser’s privacy enhancing features throughout the past few years.
For instance, Firefox 48 integrated a list of known user-fingerprinting domains, maintained by the Tor Project for blocking inside the Tor Browser bundle. Firefox 52 added another Tor Browser anti-fingerprinting technology that blocked websites from identifying visitors on the basis of their operating system’s fonts.
The Tor Uplift integration process continued in Firefox 55, as Mozilla added one of Tor Browser’s features, termed “First Party Isolation” (FPI). This feature separates cookies on a per-domain basis, which prevents ad trackers from exploiting cookies to track website visitors.
In Firefox 58, Mozilla’s developers implemented another anti-fingerprinting technology borrowed from the Tor Browser, which blocked websites from tracking visitors through the HTML5 canvas element.
The upcoming Tor Uplift implementation will enable the Mozilla browser to block websites from fingerprinting visitors via the AudioContext API, and via the VP8 and VP9 codecs. It also includes support for preventing the browser from loading user information details (real names, usernames, emails, etc.) into the operating system’s RAM.
Letterboxing represents a part of Firefox’s plan to distance itself from other browsers, especially Chrome and Chromium based browsers such as Vivaldi, Opera, and Edge. Letterboxing is presently available in Firefox Nightly and is planned to be available for all users in a stable version in May via the release of Firefox 67.
by: Tamer Sameeh