The original article by @yan and Mr. Peter Snyder is available here: https://github.com/brave/browser-laptop/wiki/Fingerprinting-Protection-Mode
Warning: enabling browser fingerprinting defense might break some sites.
Brave includes best-effort defense against browser fingerprinting. Broadly speaking, browser fingerprinting is the detection of browser and operating system features that differ between users for the purpose of invisibly (and non-consensually) identifying users and tracking them across the web. Although fingerprinting attacks will always be possible, it is worthwhile for us to make these attacks as slow / costly / difficult as possible.
Because most browser fingerprinting defense requires disabling web features that many sites need in order to work properly, it is off by default for now (it can be turned on globally in about:preferences, or on a per-site basis in the Bravery panel). We will consider turning it on by default once we have fingerprinting detection heuristics with a sufficiently low false-positive rate.
UPDATE (8/18/17): As of Brave 0.21.x, Fingerprinting Protection Mode will be enabled by default for all third-party content.
Fingerprinting methods blocked in Fingerprinting Protection Mode
- Canvas fingerprinting: it should report a fixed value on tests like Panopticlick
- WebGL fingerprinting: it should report as undefined on tests like Panopticlick
- AudioContext fingerprinting
- WebRTC IP leakage
- Battery Status fingerprinting (disabled in general, not just when FP mode is turned on)
- SVG fingerprinting (specifically, the
Privacy protection enabled regardless of whether Fingerprinting Protection Mode is on
- Third-party cookies and referrers blocked by default
- User-Agent is set to Chrome, except on a few sites that need the real value for major functionality to work
- navigator.mimeTypes is empty unless you’ve enabled Flash
- Connections to known tracking domains are blocked via the Tracking Protection library
How to check that it’s working
Why does panopticlick.eff.org or some other site say that I am fingerprintable?
Although useful for raising awareness of fingerprinting techniques, sites like Panopticlick are not a perfect indicator of how fingerprintable your browser is. Some known limitations are:
- Panopticlick only reports your uniqueness relative to the population of users visiting Panopticlick, which is almost certainly skewed relative to the entire population of users on the web. For instance, imagine that a very large number of Tor Browser users visit Panopticlick because they’re trying to test their Tor Browser privacy settings. If you then visit Panopticlick in Chrome with default settings, you will appear more identifiable than Tor Browser users, despite the fact that Chrome with default settings is more popular than Tor Browser overall. Similarly, because many Panopticlick users care about privacy and turn on Do Not Track, Panopticlick reports that users are less unique with DNT turned on than off, even though probably less than 12% of web users have DNT enabled.
- Panopticlick also compares you against old browsers. For instance, if the plurality of Panopticlick visits were from people using Firefox 3 many years ago, then a person using Firefox 3 could appear as not-very-identifiable even though there are extremely few Firefox 3 users on the web in 2017 (or at least one would hope).
- Panopticlick does not account for the fact that randomized fingerprint values are an effective way to prevent real-world fingerprinting. For instance, if Brave browser randomized canvas fingerprints on every page request, then it would be impossible for a site to track a specific Brave user across requests using canvas fingerprinting. However, because the randomized values would be unique, Panopticlick would report Brave as being highly canvas-fingerprintable.
One way to “trick” Panopticlick is to open the site in various Brave session tabs and re-run the fingerprinting test. Panopticlick will then report that your Brave configuration is less identifiable because there have been other “users” visiting the site with the same configuration.
- Double-key HSTS/HPKP (and cookies/localstorage)?
- Decrease JS timer resolution