This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

FingerPrinting Protection in Brave browser not working according to Panopticlick by EFF. #6128

Closed
SilverFoxu2 opened this issue Dec 10, 2016 · 8 comments


@SilverFoxu2

My search for this topic in GitHub's database came up empty.

I went to the following website to test my newly installed Brave browser:
[ https://panopticlick.eff.org/ ]

I made sure all my settings were correct, including making sure the "Fingerprinting Protection" option was turned on. However, after visiting the Panopticlick website (managed by the Electronic Frontier Foundation), I was shocked to see the test results reveal that my newly installed Brave browser was displaying a unique fingerprint. (In other words, it failed that part of the test.) These test results indicated that my Brave browser has a fingerprint which is conveying at least 17.51 bits of identifying information.

  • Platform (Win7, 8, 10? macOS? Linux distro?): My system is a Desktop PC with Win7 Ultimate 64-bit OS, AMD FX4100 Quad-Core CPU, ASUS MOBO and Graphics Card. I also run ESET NOD32/AV in conjunction with Comodo Firewall and F-Secure Freedome VPN. Mozilla Firefox is currently my default web-browser.

  • Brave Version: 0.12.11

  • Steps to reproduce:

    1. Visit the Panopticlick website.
    2. Click on the "Test Me" webpage button while in an open Brave browser window.
    3. Examine the results to determine why Fingerprint protection might not be working.
  • Screenshot if needed:

Panopticlick Test Results for Brave Browser_12-9-16.pdf

  • Any related issues:
@lewellyn

I'd like to submit for consideration that you're working off a sample size of one to determine if fingerprint detection works. ;)

As far as I can tell (from comparing your results against mine), there are 3 variable pieces of information from Panopticlick's viewpoint when you turn on fingerprint protection in Brave:

  1. Resolution
  2. Time zone
  3. User agent (Notably OS version)

Unfortunately, you can't stop telling sites those 3 things (first two via JavaScript) without breaking user experience across much of the web.

As it stands, I'm bored of sites that think I'm on a Mac because they see "Safari" in the user agent of most of my browsers, and the particular user agent isn't white-listed as something else. Imagine how great it would be if the OS information was omitted from that header... Much convenience for users comes from figuring out their OS quickly and easily. And since most browsers don't lie about that, the User Agent is a great way to handle which page to serve rather than making it handled in JavaScript.

As for resolution and time zone, I can't imagine the fun bug reports that would result if those were lied about. "This page looks funny, but only in Brave!" and "Every web site that shows me the time is showing the wrong time, but only in Brave..." for starters.

I believe even Tor Browser keeps those bits of data intact. But please correct me if I'm wrong.

So basically, use a common resolution and get your (local) friends to use Brave too. Your fingerprint's uniqueness will decrease rapidly. 👍 And Panopticlick is a power user tool to demonstrate things to people, not something really representative of how trackable you are. Note how relatively few results they have... And I've always wondered how many of those are people on not-Windows and not-Mac browsers, which would greatly increase the long tail's length.

@luixxiul
Contributor

CC @diracdeltas for your comment.

@diracdeltas
Member

@lewellyn is pretty much right. if you reload panopticlick in a bunch of private tabs repeatedly, it'll stop thinking you are unique. it's very much skewed by EFF's sample set, so it's not worthwhile or feasible for us to always get a perfect panopticlick result.

we do our best to reduce the number of identifying bits, but there's some likelihood that someone with your browser configuration has never visited panopticlick.eff.org before.

@diracdeltas
Member

dupe of #5975

@lewellyn

Thanks for the confirmation, @diracdeltas. 😄 I tried to explain the best I could at that hour.

Specifically, I'd like to clarify my statement that "Panopticlick is a power user tool to demonstrate things to people, not something really representative of how trackable you are": There is no way that something with Panopticlick's self-selected small sample size primarily consisting of those who are techno-savvy (and who are presumably also testing browsers besides their own, more mainstream daily browsers) can possibly compete with the huge data mines that actual tracking services use. The more data you have, the more you can slice and dice it. And if you have enough, you can make some pretty good assumptions about people you have only partially tracked... to the extent that it doesn't matter if you misidentify some people as the same.

I can think of a few ways that the EFF could feasibly make Panopticlick more useful in regards to how some people think it should work (showing actual ability to correlate their browser with others versus the reality of it being more of a demonstration of how such technologies work), however I can't think of a single way that it could be done without people crying foul over hypocrisy. You simply can't be all things to all people. What Panopticlick does well is raise awareness, but it is unlikely to ever be truly representative of the trackers you encounter in the wild simply because it's purposely not-evil.

So while there's some potential concern here for improvement ("should there be a strict fingerprinting mode which fakes 1080p and UTC, as well as minimal User Agent header?"), I simply don't see value in it since most users won't use it due to experience breakage around the web. This negates any actual benefit from such an option, if you're still a special snowflake when you turn it on. ☹️

The best result I can think of here is to document its limitations better, perhaps in a dialog box with a "never show again" option when it's turned on. Managing expectations is better than trying to convince yourself you're more anonymous by standing out from the herd.
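To make the sample-size point concrete (diracdeltas' note that reloading Panopticlick in private tabs lowers its uniqueness verdict, and the point above that a small self-selected sample cannot stand in for real trackers), here is an added Python example that is not from this thread or from the Brave project: it computes Panopticlick-style "bits of identifying information" against a small constructed sample. The sample values, the hypothetical Brave visitor and the exact counting rule are assumptions.

```python
import math

# Constructed sample (not Panopticlick data): one tuple per visit holding the
# three values the thread says stay variable under Brave's protection.
SAMPLE = [
    ("1920x1080", "UTC-08:00", "Chrome 54 / Windows 10"),
    ("1920x1080", "UTC-08:00", "Chrome 54 / Windows 10"),
    ("1366x768", "UTC-05:00", "Chrome 54 / Windows 7"),
    ("1440x900", "UTC+01:00", "Safari 10 / macOS"),
    ("2560x1440", "UTC-08:00", "Chrome 54 / Windows 10"),
    ("1366x768", "UTC+00:00", "Firefox 50 / Linux"),
    ("1920x1080", "UTC+01:00", "Chrome 54 / Windows 10"),
]
ATTRS = ("resolution", "time_zone", "user_agent")

# Hypothetical visitor: a Brave install on Windows 7, never seen in SAMPLE.
NEW_VISITOR = ("1366x768", "UTC-08:00", "Brave 0.12 / Windows 7")


def self_information(sample, value):
    """Bits of identifying information `value` carries against `sample`.

    Surprisal -log2(P(value)), with this visit counted into the sample first
    (an assumption about Panopticlick's method). A never-seen value scores
    log2(len(sample) + 1), the ceiling any single visit can reach, which is
    why a small sample makes almost every visitor look 'unique'.
    """
    matches = sum(1 for v in sample if v == value) + 1
    total = len(sample) + 1
    return math.log2(total / matches)


def fingerprint_bits(sample, fp):
    """Bits for the combined fingerprint (all attributes taken together)."""
    return self_information(sample, fp)


def attribute_bits(sample, fp):
    """Bits per attribute, the way Panopticlick reports each row."""
    return {name: self_information([s[i] for s in sample], fp[i])
            for i, name in enumerate(ATTRS)}


def bits_after_reloads(sample, fp, reloads):
    """Bits once the same browser has revisited `reloads` more times (the
    'reload in a bunch of private tabs' effect): every visit adds a match."""
    return self_information(list(sample) + [fp] * reloads, fp)


if __name__ == "__main__":
    print("combined bits:", round(fingerprint_bits(SAMPLE, NEW_VISITOR), 2))
    print("per attribute:", attribute_bits(SAMPLE, NEW_VISITOR))
    for n in (0, 1, 3, 7):
        print(n, "reloads:", round(bits_after_reloads(SAMPLE, NEW_VISITOR, n), 2))
```

With only eight observations the never-seen visitor tops out at 3 bits, and seven reloads bring the same fingerprint below 1 bit; against a real sample of hundreds of thousands the ceiling is far higher, which is the scale behind a 17.51-bit verdict.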

@SilverFoxu2
Author

Much thanks to both 'lewellyn' and 'diracdeltas' for clarifying the situation. I can understand the limitations mentioned with Panopticlick's test. Also, what was said about the 3 main factors above, in regard to how website performance would be affected, is of obvious importance too.

I suppose, if one already has other variables covered (such as VPN, FDE of the hard drive, layered security applications w/ strict policies as well as a hardware firewall, etc...), then any stealth tracking and/or infiltrations could be kept at a minimum.

[ https://tinyurl.com/gpszbpc ]

Of course, I'm well aware that no security configuration is foolproof, but to the extent possible, I firmly intend to do what I can to keep these insidious trackers and spammers off my back.

I've had the unfortunate experience of interacting with one of these low-life scumbags some time ago. And to this day, I feel like I'm being unusually harangued by these sleazeballs, who love to hide behind the already obscure nature of the internet while at the same time perpetrating violations of our personally identifiable information (PII).

There is no justification for their cloak-and-dagger-style exploitation of ordinary, law-abiding citizens such as us. They've been overstepping their bounds for far too long, and it's about time that we have a fighting chance to take back what rightfully belongs to us in the first place.

Privacy is an innate human right and is needed to maintain our society with decency. The day we give up on that is the day we give up on ourselves...

[ https://tinyurl.com/q5bjzz5 ]

@bsclifton
Member

Closing this issue as it's working as designed (herd anonymity), per comment #5975 (comment)

@jamespic

Just wanted to clarify one thing: Tor Browser does spoof values for User Agent (including OS), timezone, language, fonts installed, and pretty much any measurable aspect of the system. It doesn't spoof resolution, but it does start at a standard size and warn against resizing.

You can certainly argue against spoofing these things from a user experience perspective, but it's strictly weaker anonymity than Tor browser, and for some use cases that matters.
