I tested Firefox's new fingerprint privacy feature and the results are interesting

November 12, 2025 - 6 min read - Raymond


Firefox 145 dropped yesterday with Mozilla's boldest privacy claim yet—their new fingerprint blocking system supposedly makes half of all users invisible to trackers. After spending the weekend running tests and poking holes in their defenses, I discovered something fascinating: the technology works, but not exactly how you'd expect.

The tracking technique that won't die

Browser fingerprinting has become the cockroach of online surveillance. Block cookies? Fingerprinting still works. Enable private browsing? Fingerprinting persists across sessions. Clear your cache? Your digital signature remains unchanged.

The technique is deceptively simple. Websites collect dozens of seemingly innocuous data points—your graphics card model, installed fonts, screen dimensions, processor specifications, timezone settings, even subtle variations in how your device renders mathematical calculations. Individually, these details mean nothing. Combined, they create a signature as unique as your thumbprint.

According to Mozilla's research, roughly 65% of browsers could be uniquely identified using these methods before any protections existed. That percentage drops to 35% with basic blocking, and now Firefox claims to push it down to just 20% with their latest update.

What actually changed in Firefox 145

Mozilla's engineers took a surgical approach rather than carpet-bombing the entire fingerprinting ecosystem. The browser now actively lies about specific hardware details that trackers abuse most frequently.

Processor masking: Firefox reports exactly two CPU cores to every website, regardless of your actual hardware. Running a 32-core workstation? Websites see two cores. Using a dual-core laptop? Still two cores. This eliminates one of the most identifying hardware characteristics.

Font sanitization: The browser blocks access to locally installed fonts entirely, serving only standard system fonts to websites. Exceptions exist for critical language rendering—Japanese, Korean, Arabic, Hebrew, Thai, and Chinese fonts remain accessible to prevent breaking international sites.

Screen dimension fuzzing: Available screen height gets reported as your actual height minus 48 pixels, obscuring the precise dimensions of taskbars and docks that vary significantly between users.

Touch standardization: Multi-touch capabilities get rounded to three possible values: zero, one, or five simultaneous touchpoints. This prevents the granular touch screen data that creates unique signatures on mobile devices.

Canvas noise injection: Random data gets introduced into canvas-rendered images, but only when websites attempt to read the pixel data back—a telltale sign of fingerprinting. Normal canvas rendering for legitimate graphics remains unaffected.

Testing the defenses in practice

Running comprehensive fingerprint scans revealed both impressive protections and unexpected weaknesses. The tracker blocking performed flawlessly—advertising scripts and known fingerprinting domains got shut down before executing a single line of code.

Canvas fingerprinting showed clear evidence of randomization. Tests indicated the signature changed based on the requesting domain, exactly as Mozilla designed. Instead of a consistent identifier, trackers receive different values on each site, making cross-site tracking significantly harder.

The WebGL protections appeared partially effective. Firefox successfully masked the most granular graphics card details, though some vendor information still leaked through. Tests showed generic NVIDIA identification rather than the specific model, which reduces uniqueness considerably.

Here's the uncomfortable truth: the fingerprint still registered as completely unique among hundreds of thousands of tested browsers. Some high-entropy characteristics—screen resolution, browser version, installed plugins, and specific combinations of settings—created enough identifying information to stand out.

The hardware concurrency value particularly concerned me. Despite Mozilla's documentation stating cores should report as two, the actual test results showed inconsistent masking. This suggests the protections might not activate universally or certain detection methods bypass the defenses.

Screen resolution remained fully exposed at an uncommon 2560x1440, shared by less than 5% of users. Combined with the Eastern timezone and specific Firefox version, these seemingly mundane details created a highly identifiable combination.

The hidden catch nobody mentions

Firefox's most powerful protections only activate under specific conditions that most users never enable. The Phase 2 defenses exist exclusively in Private Browsing Mode and Enhanced Tracking Protection's Strict setting.

Standard browsing with default settings provides minimal fingerprinting protection beyond blocking known tracker scripts from Mozilla's lists. This explains the mixed test results—running scans in normal mode reveals far more information than Mozilla's marketing suggests.

Switching to Strict mode transforms the browser's defensive posture entirely. Suddenly the font masking activates, processor specs get spoofed, and canvas randomization kicks in. Mozilla deliberately keeps these features opt-in while validating their compatibility with popular websites.

Private Browsing Mode also enables the full protection suite, though this creates an interesting paradox. Users concerned about privacy probably already use private browsing for sensitive activities, meaning they likely already had these protections. The real privacy win comes from enabling Strict mode for everyday browsing.

Why Mozilla can't just block everything

The engineers at Mozilla face an impossible balancing act. Aggressive fingerprinting protection breaks legitimate website functionality in ways users find unacceptable.

Calendar applications need accurate timezone data to display appointments correctly. Video conferencing platforms require precise hardware information to optimize video quality and bandwidth usage. Banking websites use device fingerprinting as one authentication factor to detect suspicious logins from unfamiliar machines.

Blocking all identifying information would technically reduce fingerprinting to near-zero, but the resulting browsing experience would frustrate users into abandoning Firefox entirely. Websites would fail to render properly, international content would display with garbled characters, and performance-dependent applications would crawl.

Mozilla chose instead to target the highest-entropy fingerprinting vectors—the data points that provide maximum uniqueness with minimal legitimate use cases. This explains why timezone information remains accurate while processor core counts get spoofed. Conference calls don't need your CPU specifications, but they do need your local time.

The inconvenient truth about fingerprint uniqueness

Even with perfect implementation of every protection, some users will remain uniquely identifiable simply due to uncommon hardware or configuration choices. Someone running Firefox on a 4K monitor with a 24-core processor while using Hebrew as their primary language creates an inherently rare combination.

The goal isn't achieving perfect anonymity for every user—that's mathematically impossible without turning everyone's browser into identical clones. Instead, Mozilla aims to make mass surveillance economically impractical by pushing enough users into shared fingerprint clusters.

If 80% of users blend into indistinguishable groups of thousands, tracking companies lose the ability to follow most individuals across websites. The economics of large-scale fingerprinting collapse when the technique only works on 20% of the population.
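The clustering argument above, combined with the per-attribute masking listed under "What actually changed in Firefox 145", as an added example that is not Mozilla's code: it applies the described normalizations to a constructed population and counts how many users remain alone in their fingerprint cluster. The population, the field names and the bucketing of touch values above 1 are assumptions made for illustration.

```javascript
// Added example on constructed data; not Mozilla's code or measurements.
// normalize() applies the Firefox 145 behaviour as the article describes it.
function normalize(fp) {
  return {
    ...fp,
    cores: 2,                      // every site is told two cores
    availHeight: fp.height - 48,   // fixed offset hides taskbar/dock size
    // Assumption: the article names only the outputs 0, 1 and 5; sending
    // every value above 1 to 5 is this example's choice of bucketing.
    maxTouchPoints: fp.maxTouchPoints <= 1 ? fp.maxTouchPoints : 5,
  };
}

// Sizes of the groups of users that share an identical fingerprint.
function clusterSizes(population) {
  const counts = new Map();
  for (const fp of population) {
    const key = JSON.stringify(Object.keys(fp).sort().map((k) => [k, fp[k]]));
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.values()].sort((a, b) => a - b);
}

// Share of users whose fingerprint nobody else has.
function uniqueFraction(population) {
  const alone = clusterSizes(population).filter((n) => n === 1).length;
  return alone / population.length;
}

// Constructed population: 72 common setups plus one rare workstation.
function buildPopulation() {
  const pop = [];
  for (const [width, height] of [[1920, 1080], [2560, 1440]])
    for (const cores of [4, 8, 16, 32])
      for (const taskbar of [30, 40, 48])
        for (const maxTouchPoints of [0, 2, 10])
          pop.push({ width, height, cores, availHeight: height - taskbar, maxTouchPoints });
  pop.push({ width: 5120, height: 2880, cores: 24, availHeight: 2840, maxTouchPoints: 0 });
  return pop;
}

const raw = buildPopulation();
const masked = raw.map(normalize);
console.log("unique before:", uniqueFraction(raw));      // every user stands alone
console.log("unique after: ", uniqueFraction(masked));   // only the rare workstation
console.log("cluster sizes after:", clusterSizes(masked));
```

The rare workstation stays alone after masking because its resolution is not normalized, which is the residual uniqueness the previous section describes.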

What you can do right now

Firefox 145 ships these protections disabled by default, buried in privacy settings most users never touch. Activating them requires deliberate action.

Open Firefox's settings, navigate to Privacy & Security, and locate Enhanced Tracking Protection. Switch from Standard to Strict mode. This single change activates the full suite of Phase 2 fingerprinting defenses for all browsing, not just private windows.
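One way to check from the browser console whether the switch took effect, as an added example rather than Mozilla's tooling: it compares the values a page can read with the ones this article lists for Firefox 145. The function name and the two snapshot objects are constructed for illustration; in a browser, call `checkMasking(window)`.

```javascript
// Added example, not Mozilla's code. Expected values are the ones the
// article gives for Firefox 145's masking.
function checkMasking(env) {
  const { navigator: nav, screen: scr } = env;
  const checks = {
    cores: nav.hardwareConcurrency === 2,
    touch: [0, 1, 5].includes(nav.maxTouchPoints),
    availHeight: scr.availHeight === scr.height - 48,
  };
  const exposed = Object.keys(checks).filter((k) => !checks[k]);
  // A match can be coincidental (a real dual-core laptop also reports 2),
  // so a pass means "consistent with masking", not proof of it.
  const verdict = exposed.length === 0 ? "consistent with masking" : "not fully masked";
  return { checks, exposed, verdict };
}

// Constructed snapshots of the same machine in the two modes.
const standardMode = {
  navigator: { hardwareConcurrency: 16, maxTouchPoints: 0 },
  screen: { height: 1440, availHeight: 1400 },
};
const strictMode = {
  navigator: { hardwareConcurrency: 2, maxTouchPoints: 0 },
  screen: { height: 1440, availHeight: 1392 },
};
console.log(checkMasking(standardMode).exposed);
console.log(checkMasking(strictMode).verdict);
```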

Expect some websites to complain or behave oddly with Strict mode enabled. Mozilla built in granular controls to disable protections on specific sites causing problems while maintaining them everywhere else. A toolbar icon appears when protections get triggered, allowing one-click disabling for troublesome domains.

For maximum protection, combine Strict mode with container tabs to isolate different categories of browsing. Social media can't see your banking activity, shopping sites can't track your news reading, and fingerprinting scripts face additional barriers from the compartmentalization.

The bigger privacy picture

Firefox 145's fingerprinting protections represent meaningful progress in the endless cat-and-mouse game between privacy advocates and surveillance capitalism. The technology demonstrably reduces tracking for users who actually enable it.

Mozilla's approach reflects hard-earned lessons from previous privacy features that prioritized purity over practicality. Total Cookie Protection succeeded because it blocked cross-site tracking without breaking websites. These new fingerprinting defenses follow the same philosophy—disrupt mass surveillance while preserving usability.

The test results revealed both strengths and limitations inherent in any browser-level fingerprinting defense. Some identifying characteristics simply can't be masked without destroying functionality, and uncommon hardware configurations will always stand out regardless of software protections.

For anyone concerned about online tracking, Firefox 145 offers the strongest mainstream browser protection currently available. Just remember, the advanced features remain hidden behind optional settings that most users never change. The privacy is there—you just have to turn it on.