Did you know? Thousands of websites use HTML5 Canvas—a method supported by all major browsers that allows websites to dynamically draw graphics on web pages—to track and potentially identify users across websites by secretly fingerprinting their web browsers.
Over three years ago, the concern surrounding browser fingerprinting was highlighted by computer security experts from Princeton University and KU Leuven University in Belgium.
In 2014, the researchers demonstrated how a browser’s native Canvas element can be used to draw unique images to assign each user’s device a number (a fingerprint) that uniquely identifies them.
These fingerprints are then used to detect when that specific user visits affiliated websites and create a profile of the user’s web browsing habits, which is then shared among advertising partners for targeted advertisements.
Since then, many third-party plugins and add-ons (e.g., Canvas Defender) have emerged online to help users identify and block Canvas fingerprinting, but no web browser except Tor Browser blocks Canvas fingerprinting by default.
Good news—the wait is over.
Mozilla is testing a new feature in the upcoming version of its Firefox web browser that will grant users the ability to block canvas fingerprinting.
The browser will now explicitly ask for the user’s permission if any website or service attempts to use HTML5 Canvas Image Data in Firefox, according to a discussion on the Firefox bug tracking forum.
The permission prompt that Firefox displays reads:
“Will you allow [site] to use your HTML5 canvas image data? This may be used to uniquely identify your computer.”
Once you get this message, it’s up to you whether you want to allow access to canvas fingerprinting or just block it. You can also check the “always remember my decision” box to remember your choice on future visits as well.
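The prompt-and-remember behaviour described above can be approximated in page script by wrapping the canvas read-back methods; the following is an added example, not Firefox's implementation and not code from the original article. The names `guardCanvasReadback`, `ask` and `fakeScope`, the choice of `toDataURL` and `getImageData` as the guarded methods, and the blank placeholder returned when access is denied are assumptions of this example.

```javascript
// Added example (not Firefox code): gate canvas read-back behind a decision.
// Methods that hand canvas pixels back to page script.
const READBACK = {
  HTMLCanvasElement: ['toDataURL'],
  CanvasRenderingContext2D: ['getImageData'],
};

// Placeholder data returned when read-back is blocked (a choice made for this example).
function blanked(method, args) {
  if (method === 'toDataURL') return 'data:,';
  const [, , w, h] = args; // getImageData(sx, sy, sw, sh)
  return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
}

// ask(site, method) is a hypothetical hook returning { allow, remember },
// standing in for the prompt and its "always remember my decision" box.
function guardCanvasReadback(scope, site, ask) {
  const log = [];
  let saved; // remembered decision for this site, if any
  for (const [ctor, methods] of Object.entries(READBACK)) {
    const proto = scope[ctor] && scope[ctor].prototype;
    if (!proto) continue;
    for (const method of methods) {
      const original = proto[method];
      proto[method] = function (...args) {
        let allow = saved;
        if (allow === undefined) {
          const answer = ask(site, method);
          allow = Boolean(answer.allow);
          if (answer.remember) saved = allow;
        }
        log.push({ site, method: `${ctor}.${method}`, allow });
        return allow ? original.apply(this, args) : blanked(method, args);
      };
    }
  }
  return log; // one entry per read-back attempt, for auditing
}

// Constructed stand-ins so the example also runs under Node, outside a browser.
function fakeScope() {
  class CanvasRenderingContext2D {
    getImageData(x, y, w, h) {
      return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(7) };
    }
  }
  class HTMLCanvasElement {
    toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
    getContext() { return new CanvasRenderingContext2D(); }
  }
  return { HTMLCanvasElement, CanvasRenderingContext2D };
}
```

In a browser, pass `window` as `scope`; the returned log shows which read-back calls a page attempted and whether each was allowed.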
Starting with Firefox 58, this feature would be made available for every Firefox user from January 2018, but those who want to try it early can install the latest pre-release version of the browser, i.e. Firefox Nightly.
Besides providing users control over canvas fingerprinting, Firefox 58 will also remove the controversial WoSign and its subsidiary StartCom root certificates from Mozilla’s root store.
With the release of Firefox 52, Mozilla already stopped allowing websites to access the Battery Status API and the information about the website visitor’s device, and also implemented protection against system font fingerprinting.