FP-Block is a proof-of-concept Firefox plugin that generates a unique fingerprint for each web site visited. This ensures that embedded third-party content such as social media buttons (Facebook's Like, Pinterest's PinIt, Google's + button) cannot track the user over different websites.
FP-Block is an extension of the work of Christof Ferreira Torres for his Bachelor thesis.
Fingerprint-based tracking is the process of tracking a user across different web sites by determining various characteristics, such as screen resolution, browser version, IP address, HTTP header order, etc. Together, these characteristics form a "fingerprint" that is unique and therefore allows the fingerprinter to track the user without using HTTP cookies or other client-side storage.
Most pages on the web embed some content from a third party. Examples of such embedded content include:
When a page embedding such a service is visited, the page rendering triggers the browser to contact the third party. This allows the third party to begin fingerprinting. Moreover, the service often consists of adding some elements to the source of the web page. This makes it trivial for the third party to additionally add some client-side fingerprinting scripts.
When a user visits a website A, FP-Block generates a unique fingerprint for website A: ID_A. This identity is then used for all contact with website A, as well as any contacts to retrieve content embedded on website A. This identity is never used otherwise. Since any new identity is generated such that it is distinct from all previously generated identities, no two identities are the same.
Example:
Suppose a user visits two websites, A and B, which both
contain a Facebook like button. When visiting site A, Facebook will
receive a request for their like button from a browser with fingerprint
ID_A. When visiting site B, Facebook will get the request from
a browser with fingerprint ID_B. Since ID_A and
ID_B are different, Facebook cannot link these two visits.
FP-Block thwarts both active (JavaScript) and passive (HTTP)
fingerprinting. It does so by a combination of spoofing and blocking
access to typically fingerprinted attribute values.
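The per-site identity rule and the like-button example above, as an added JavaScript example (not FP-Block's own code): the identity is selected by the visited site, never by the host being contacted. The attribute pools, the `WebIdentityStore` class, the `.example` URLs and the use of the hostname as the site key are assumptions made for illustration.

```javascript
// Constructed attribute pools; the values are placeholders, not real browser profiles.
const POOLS = {
  userAgent: ["ExampleBrowser/1.0", "ExampleBrowser/2.0", "SampleAgent/5.1", "SampleAgent/6.0"],
  language: ["en-US", "en-GB", "de-DE", "fr-FR"],
  screen: ["1366x768", "1920x1080", "1440x900", "1280x800"],
  timezoneOffset: [0, -60, 300, 480],
};

class WebIdentityStore {
  constructor() {
    this.bySite = new Map(); // visited (first-party) site -> its identity
    this.issued = new Set(); // every identity handed out so far, serialized
  }

  // Assumption: the hostname of the visited page stands in for "website".
  identityFor(topLevelUrl) {
    const site = new URL(topLevelUrl).hostname;
    if (this.bySite.has(site)) return this.bySite.get(site);
    const capacity = Object.values(POOLS).reduce((n, pool) => n * pool.length, 1);
    if (this.issued.size >= capacity) throw new Error("attribute pools exhausted");
    let id, key;
    do { // regenerate until the identity differs from all previously generated ones
      id = {};
      for (const [attr, pool] of Object.entries(POOLS)) {
        id[attr] = pool[Math.floor(Math.random() * pool.length)];
      }
      key = JSON.stringify(id);
    } while (this.issued.has(key));
    this.issued.add(key);
    this.bySite.set(site, Object.freeze(id));
    return id;
  }

  // What a server observes for a request made while rendering topLevelUrl.
  // requestUrl never selects the identity: embedded third-party content
  // is fetched with the identity of the embedding site.
  presentedTo(topLevelUrl, requestUrl) {
    const id = this.identityFor(topLevelUrl);
    return {
      host: new URL(requestUrl).hostname,
      http: { "User-Agent": id.userAgent, "Accept-Language": id.language }, // passive
      script: { screen: id.screen, timezoneOffset: id.timezoneOffset },     // active
    };
  }
}

const store = new WebIdentityStore();
const widget = "https://social.example/like-button.js"; // constructed third-party URL
console.log(store.presentedTo("https://site-a.example/", widget)); // carries ID_A
console.log(store.presentedTo("https://site-b.example/", widget)); // carries ID_B
```

The same third-party host receives two unrelated attribute sets, one per embedding site, so neither the HTTP-level nor the script-level values give it a join key between the visits.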
FP-Block is an implementation of the concept "separation of web
identities". For more details, see the paper (currently under
submission).