Replies: 1 comment 4 replies
-
|
Surely these factors need to be generalised not randomised. We need every Dot user look identical making it harder to fingerprint. I am fine with you working on these changes, and we can definitely reenable timezones, make sure the plugins are just really generic (maybe look at Chromium's list) and for the device sensors and gamepad API that should probably be locked behind a permission popup. |
Beta Was this translation helpful? Give feedback.
-
|
Generalizing these factors is one way of doing it, however I believe it will be harder to implement and lead to edge cases, like the timezones. Where as we can take inspiration from the canvas anti-fingerprinting method and add a bit of random noise to everything, making it impossible for a finger printer to get a lock. From my knowledge this is the method that brave uses, it is the easiest to benchmark and probably the easiest to implement. |
Beta Was this translation helpful? Give feedback.
-
|
We could do it that way but I think it would need to be random on every host change. e.g. when the host changes from google.com -> duckduckgo.com the fingerprint would need to be completely different. |
Beta Was this translation helpful? Give feedback.
-
|
Do you think that is better than just changing it on every page reload? The current canvas protection changes on every reload from my knowledge. |
Beta Was this translation helpful? Give feedback.
-
|
I think it would be good to have the other factors change on host change so we can retain some functionality with sites. For example a site might need to know your OS to send the correct installer, and by retaining that on a per host basis sites that have a global state can save fetching the OS every page load. However we could add an option to change the fingerprint on every page load in settings possibly. |
Beta Was this translation helpful? Give feedback.
-
As a firefox-derived browser, we already get a lot of anti-fingerprinting protections builtin. These are currently enabled by default, however I believe they do not go far enough in some regions whilst going to far in others. Notably, a number of spoofing implementations are generally bad for the user experience, like timezone being spoofed to UTC-0, breaking everything relying on the date api.
Fingerprint.js, the fingerprinting library I have derived a test from, collects more than simply a canvas fingerprint. There are more opportunities to implement randomness. I propose that an element of randomness are added to the following apis:
CPU Class(Can't find in web docs)Device Memory(Unsupported by firefox)en-GBanden-AU)sin,cos, etc)Plugins(Depreciated, firefox doesn't list installed plugins)All of these values should be close to their original values, but varying enough to be hard to track.
Additionally, I believe the following data points and APIs should be unspoofed or reenabled for UX reasons:
All enabled plugins should be included (Maybe with some fake, random plugins?)Further research research should be conducted at some point around how server-side fingerprinters, like fingerprint.js pro work and how to counteract them effectively. @EnderDev are you fine for me to begin working on these changes?
Beta Was this translation helpful? Give feedback.
All reactions