sighOS

It seems like only yesterday that I had to warn you all that from time to time, I write sensible posts about serious matters and here I am having to do precisely that again already.

I’ll try and keep it short — this isn’t a shaggy dog story and doesn’t, therefore, need to tease you before delivering the punchline.

If you recall, I drew your attention to the fact that an awful lot of people don’t know as much as they think they do … championing solutions that aren’t solutions,

[Since the recent update of Firefox mobile to version 79, it is unusable on Android, if you have any concerns about privacy. As a result, I have found myself using the Torbrowser whilst I wait for extension support to be restored to Firefox. So, an update to the above is in order: the mobile version of Torbrowser seems to have NoScript enabled by default.]

Big news for iOS users is that version 81 can now be set as the default browser on their devices.

Oh, dear …. where to even start.

I’m gonna gloss over the detail that, no, it can’t be … because, whether it’s set to be the default browser or not is immaterial (under the Firefox skin, the browser engine is Safari, so you aren’t even using Firefox on iOS anyway) — you can investigate the details of that for yourselves.

The point I’m going to make here is that, immediately, there arose debates about the efficacy of third party browsers on iOS due to that fact, with people, quite reasonably pointing out they are not able to use the Content Filtering API and thus cannot effectively block web elements as the ‘pure’ Safari browser can.

And the next thing you know, you’ve got people chipping in with observations that

“Anyone can block ads and videos by just setting it to not display images. Even the social media tracking icons are GONE. And the web bugs, etc. […] the browser never sends a request to load a tracking image or video, they can’t track you.”

*sigh*

If … IF … that’s how it works, great.

But it’s exceedingly unlikely that it does.

Remember, third party browsers are not able to use the Content Filtering API on iOS. So, what are the chances that they make full use of the image blocking feature rather than simply making a request to the OS that it not render them?

Even on Windows/Linux/Android … where Firefox does have control over whether and how it loads web elements … blocking an element does not necessarily mean it never gets referenced.

Which is why it is important to use uMatrix rather than simply an ad blocker and NoScript: where your adblocker might prevent images from rendering … and NoScript will prevent scripts from running … unlike uMatrix (which blocks them at the domain level), neither of them prevents the elements from being loaded in the first place. And that means the site you visit knows not only that they were requested and when but also how; meaning it can track things like what browser you are using and details about your system (like display resolution) as a result, by returning different images and different scripts for different browsers.

This is the kind of exploit used by the Conficker worm and resulted in its evolution after Microsoft disabled the autorun feature for non-optical media in Windows, such that the simple fact that a call had been made to the autoplay service meant that, although the autoplay option was never displayed for non-optical media, Conficker made use of the mechanism invisibly by latching on to a side-effect of the call. I won’t bore you with the details, not simply because they’re boringly technical but because, it’s been so long since it was an issue that I don’t remember them any more … but, at the time, it was significant that Microsoft simply disabling the autorun feature was insufficient to protect users against infection because the mere existence of the autoplay technology was enough to enable Conficker.

Simply preventing the browser from rendering images is equivalent to disabling autorun — no, you can’t see what’s happening … but it’s still happening.

Moreover, the loading of images and videos is not the only way you are tracked — without mention of fingerprinting … in particular methods of the kind that CanvasBlocker and Chameleon attempt to mitigate against … the level of knowledge evidenced by the person giving advice is suspiciously lacking.

The moral of the story is: do not listen to other people who blithely dismiss issues … they are know-nothing idiots.

[Corrections]

  1. Do do not listen to other people ̶w̶h̶o̶ ̶b̶l̶i̶t̶h̶e̶l̶y̶ ̶d̶i̶s̶m̶i̶s̶s̶ ̶i̶s̶s̶u̶e̶s̶ … they are know-nothing idiots.
  2. The moral of the story is: I’m fantastic ¹.


¹ Sorry E. Scott … I (nearly) forgot.

There he goes. One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live and too rare to die.