Add options to customize/anonymize HTTP Header data to Avoid Fingerprinting


#1

TL;DR;

This request is about providing options for users to determine how they want their browsers to identify themselves when sending HTTP requests to servers, including the option to send no information at all. This is already possible under KDE/Plasma settings if you use KDE’s Web Browser.


I’ve visited some sites, such as https://amiunique.org/, to test out how good a job the browser is doing. Something that stands out is the fact that, as part of the information the browser sends to the server, it clearly reveals that I’m using a GNU/Linux distribution, among other details. The page’s summary reports the following:

Yes! (You can be tracked!)
38.51 % of observed browsers are Chrome, as yours.
1.07 % of observed browsers are Chrome 61.0, as yours.
14.89 % of observed browsers run Linux, as yours.
63.71 % of observed browsers have set "en" as their primary language, as yours.
3.73 % of observed browsers have UTC-7 as their timezone, as yours.

I think one possible solution could be to offer some options so that the user is in control of what, if anything, Brave sends.

As an example, under KDE/Plasma Settings, you can specify what identifying information the KDE web browser should send, such as OS/version, architecture, language, and so on; you can also tell it to not send identifying information at all.

As another example, the Tor Browser explicitly identifies itself as being a Windows OS, even if it’s running under GNU/Linux, which makes sense b/c Windows machines represent the vast majority, and would make it harder to individually track specific users.

When it comes to Brave, some of the information it sends looks as follows:

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Platform: Linux x86_64
Timezone: UTC-7

While saying that I’m using “Chrome” is probably less of a problem (~38.51% vs Firefox’s ~43%; would still be nice to give users control to change this), I’m not sure why Brave needs to state that I’m using a specific version, which in this case immediately places me in the ~1.07% of the population, making my system easier to fingerprint :frowning:

I think the same reasoning applies to the Platform information. If Brave could identify itself as Windows, users would fall in the ~55.8% of the general population. Currently, however, as a Linux user, I fall under “Linux (Other Distro)” at ~9.6%. (I can see it doesn’t put me under Ubuntu’s ~5%, which is slightly better than I expected, but I think we can do better, yes? :slight_smile:)

I hope this made sense and thank you all in advance.
-zsh

Brave Version Info:

Brave: 0.19.48 
rev: de939f6dcd1647f43de544b22dfdd103585b4ec2 
Muon: 4.4.28 
libchromiumcontent: 61.0.3163.100 
V8: 6.1.534.41 
Node.js: 7.9.0 
Update Channel: Release 
OS Platform: Linux 
OS Release: 4.10.0-35-generic 
OS Architecture: x64
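
To put numbers on the argument in the post above, the following added example (not part of the original post and not Brave's code) parses the posted User-Agent and converts the quoted amiunique shares into bits of identifying information. The function names are hypothetical, and summing the bits assumes the attributes are statistically independent, which real browser populations only approximate.

```javascript
// Added example. Shares are the figures quoted in the post; treating the
// attributes as statistically independent is an assumption made here.
const OBSERVED_SHARE = {
  browser: { "Chrome": 0.3851, "Chrome 61.0": 0.0107 },
  os: { "Linux": 0.1489, "Windows": 0.558 },
  language: { "en": 0.6371 },
  timezone: { "UTC-7": 0.0373 },
};

// User-Agent string exactly as listed in the post.
const POSTED_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36";

// Pull the OS family and Chrome version out of a Chrome-style User-Agent.
function parseUserAgent(ua) {
  const comment = /^Mozilla\/5\.0 \(([^)]*)\)/.exec(ua);
  const chrome = /Chrome\/(\d+)\.(\d+)\.\d+\.\d+/.exec(ua);
  const platform = comment ? comment[1] : "";
  let os = "unknown";
  if (/Windows/.test(platform)) os = "Windows";
  else if (/Linux/.test(platform)) os = "Linux";
  return {
    os,
    browser: chrome ? "Chrome" : "unknown",
    browserVersion: chrome ? `Chrome ${chrome[1]}.${chrome[2]}` : "unknown",
  };
}

// Surprisal in bits of each attribute value, plus the sum over the profile.
function profileBits(profile) {
  const perAttribute = {};
  let total = 0;
  for (const [attr, value] of Object.entries(profile)) {
    const share = (OBSERVED_SHARE[attr] || {})[value];
    if (share === undefined) throw new Error(`no share for ${attr}=${value}`);
    perAttribute[attr] = -Math.log2(share);
    total += perAttribute[attr];
  }
  return { perAttribute, total };
}

const parsed = parseUserAgent(POSTED_UA);
const common = { language: "en", timezone: "UTC-7" };
// What the post's browser sends versus a coarser identity (no version, Windows).
const asSent = profileBits({ browser: parsed.browserVersion, os: parsed.os, ...common });
const coarse = profileBits({ browser: parsed.browser, os: "Windows", ...common });
console.log(asSent.total.toFixed(2), coarse.total.toFixed(2));
```

The two totals differ by about 7 bits, so under the independence assumption the coarser identity would sit in a group roughly 135 times larger. The timezone alone still contributes close to 5 bits in both profiles, which header changes do not address.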