Firefox turns out the lights on two privacy-sucking features

Turn out the lights

Did you know that the websites you browse can ask your phone how far away your face is from the screen, and that they can determine the ambient light levels of the room you’re in?

No, me neither, and I do this stuff for a living.

The fact it is that the web browser you’re using now is stuffed full of exotic, esoteric, somebody-somewhere-will-use-them features of questionable utility.

These features, often APIs (Application Programming Interfaces) that allow websites to act more like native apps, give sites access to some of your device’s most sophisticated capabilities, exposing everything from your GPS, gyroscopes and accelerometers, to proximity and ambient light sensors.

Until recently that list also included access to your battery charge level. It doesn’t now, on Firefox at least, thanks to the work of Lukasz Olejnik and the boldness of the Firefox development team.

The Battery Status API was killed off in late 2016 because, while it had almost no legitimate uptake at all, it became quite popular as a browser fingerprinting technique for cookie-less tracking.

Mozilla’s decision to flense the Battery Status API from Firefox, a move described by Olejnik as “unprecedented”, was a welcome check on the trend to fold ever more complexity (and attack surface) into web browsers.

And now that trend is about to hit another bump.

We’ll soon be losing proximity and ambient data from the list too, on Firefox at least, thanks to… the work of Lukasz Olejnik and the boldness of the Firefox development team!

From Firefox 62 onwards, the legacy APIs for proximity and ambient light, exposed via the devicelight, deviceproximity and userproximity events, will be disabled by default. Websites won’t be able to access them unless you turn them on, and if you want to do that you’ll have to dig them out of Firefox’s UX-challenged configuration graveyard, the about:config screen.

So what’s wrong with these features?

The proximity API, which tells websites how far away the thing nearest a device’s proximity sensor is (typically a hand or face), is being switched off because it could be abused as an identifier for fingerprinting, used to discriminate between users or even used in behavioural profiling.

The ambient light sensor gets the chop because of some eye-catching work by Olejnik demonstrating how it can be abused by a malicious websites to leak your browsing history, or to copy images from other sites you’re looking at (a violation of the same-origin policy).

Like many browser history attacks, the ambient light sensor leak leverages the fact that the colour of visited and unvisited links can be controlled.

By displaying visited links as white on black and unvisited links as black on white, a malicious website could cycle through a series of likely URLs, displaying each one in turn and using the changes in ambient light to determine the colour of the screen.

To their credit, developers at Mozilla seem keen to get ahead of these potential privacy issues and have nipped these leaky sensor APIs in the bud, before they’ve become widely used or abused.

The march of progress is relentless though, and both proximity and ambient light data could soon be accessible again via a new Generic Sensor API. The new API is currently being put through its paces and it remains to be seen if Firefox’s latest prohibition will extend to the ambient light and proximity parts of that API, or indeed if it will need to.

No doubt Olejnik will be there to tell us if it should.