Brave browser fingerprinting protection is useless

Description of the issue:
Brave has the same browser fingerprint on https://fingerprintjs.com/demo/ whereas Bromite and Firefox with resist.fingerprinting enabled show different fingerprint values.

Steps to Reproduce (add as many as necessary):

  1. Launch Brave with private tab to ensure fingerprint is not saved using a cookie.
  2. Go to https://fingerprintjs.com/demo/ and check the visitor ID.
  3. Note the visitor ID somewhere.
  4. Close the browser and repeat the previous 3 steps.

Actual Result :
The visitor ID remains same.

Expected Result:
The visitor ID should change with every new session.

Reproduces how often:
Always on all builds on windows and android

Brave Version:
Version 1.34.72 Chromium: 97.0.4692.56 (Official Build) dev (64-bit)

Reproducible on current live release :
Yes

Additional Information:
It occurs on all builds (release, beta and nightly) of Windows and Android. I do not know about Linux and macOS.

2 Likes

Rob has a good guide on how brave random fingerprinting works. The fingerprinting is randomized when the browser is completely closed (in the background too). I think only canvas and webgl are randomized for each browser session. Other data remains the same and is not randomized.

It also gave me the same ID every time I visited the site (which I believe it should not). I also have gecko browser on my device with max privacy setting. Every time I visited the site with a new session, it gave me a different ID (which it should, and it did).
I think the site (in brave’s case) is considering the fingerprint to be the same on the basis of non-randomized data.

https://www.coveryourtracks.eff.org/ , https://brax.me/

The website shows the same id in firefox and chrome. I have the same version of brave 2 times on the same pc and it shows different IDs. So the javascript must be using something that is unique in the browser data

Check this image

I think you (including me) should contact Peter Snyder (head of privacy team at brave) to know what exactly is happening. Or you can create an issue on github.

I could have created an issue on github but I do not want to signup for github now. I hope there is some official response and fix for this.

1 Like

This demonstration is bogus, FingerprintJS does a lot of things that are not related to browser fingerprinting at all.

1 Like

@Nurep Thanks for clarifying (though it is still a privacy issue nevertheless). These flags in ungoogled chromium help in randomizing the visitor IDs of that site (in case the Brave devs want to implement it).

It’s not necessary, Brave already has robust fingerprinting protections. In this case, it’s just FingerprintJS doing tricks to make their commercial trash look more impressive to people, while in a third-party context, their product wouldn’t even work (see Ephemeral Third-party Site Storage and Partitioning Network-State for Privacy).

1 Like

@newuser11 Brave already randomizes your fingerprint in a wide range of ways (far more than what Ungoogled Chromium does, in a more sophisticated way). https://brave.com/privacy-updates/4-fingerprinting-defenses-2.0/ has more details if you’re interested.

@Nurep is exactly right.

I’ve replied in more detail here: https://github.com/brave/brave-browser/issues/20268#issuecomment-1003189602

The short of it is that for an unpopular site (like https://fingerprintjs.com/) UA + time of visit + screen size probably is a pretty good predictor of whether you’re the same person. But there is so little fingerprintable information in these inputs that this approach straight up will not work on a real-world popular site.

I also describe more reasons why Brave users should be confident they’re protected against this form of fingerprinting in the issue, along with additional randomization based defenses we’ve just released or got lined up for Q1 2022.

1 Like

Also to clarify, Brave randomizes far more than Canvas and WebGL. Off the top of my head (possibly an incomplete list) here’s what Brave randomizes:

  • Canvas / WebGL drawing
  • WebGL Plugin / debugging information (when in strict mode)
  • Web Audio
  • hardwareConcurrency
  • deviceMemory
  • Plugins
  • Web Speech
  • User Agent (though very slightly, and only when in Strict Mode)

You can find demos of these in a test suite I maintain at https://dev-pages.brave.software/fingerprinting/farbling.html and https://dev-pages.bravesoftware.com/fingerprinting/farbling.html.

These inputs are randomized per browser session, and per site (eTLD+1); and so restarting the browser, or changing site will get you different versions of those inputs. The “sometimes same” values are because there are only a small range of values that are randomly selected here (between 3 and 8 different possible values for these inputs), and so you might by chance just get the same value for this input after restarting the browser or changing site.

Here are some additional randomization inputs that are currently under development, and that we hope will land in 2022 Q1.

These are taking a bit longer to land though than expected, because they have high webcompat risk we want to be careful with.

Finally, I just want to note that the above is in addition to browser features we modify to remove or reduce fingerprinting information (though w/o randomization). These include (off the top of my head) APIs related to WebXR, WebGL, WebAudio, Dark mode detection, Network Information API, among others.

1 Like
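A simplified model of the per-session, per-site (eTLD+1) randomization described in the post above, added here as an illustration; it is not Brave's code and not part of the original thread. The HMAC-based derivation, the candidate values, the site name and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed candidate sets (assumption): the post only says each randomized
# input has a small range of roughly 3 to 8 possible values.
CANDIDATES = {
    "hardwareConcurrency": [2, 3, 4, 5, 6, 7, 8],
    "deviceMemory": [0.5, 1, 2, 4],
}


def new_session_key() -> bytes:
    """Fresh secret drawn at browser start; a restart means a new key."""
    return secrets.token_bytes(32)


def farbled(session_key: bytes, etld1: str, api: str):
    """Value one site sees: fixed for a (session, eTLD+1) pair, unrelated otherwise."""
    mac = hmac.new(session_key, f"{etld1}\x00{api}".encode(), hashlib.sha256).digest()
    options = CANDIDATES[api]
    return options[int.from_bytes(mac[:8], "big") % len(options)]


def repeat_rate(etld1: str, apis: list, restarts: int = 20000) -> float:
    """Fraction of restarts after which the site sees identical values again."""
    def observe():
        key = new_session_key()  # simulate a full browser restart
        return tuple(farbled(key, etld1, api) for api in apis)

    same, previous = 0, observe()
    for _ in range(restarts):
        current = observe()
        same += current == previous
        previous = current
    return same / restarts


if __name__ == "__main__":
    site = "example.com"  # constructed site name
    one = repeat_rate(site, ["hardwareConcurrency"])
    both = repeat_rate(site, ["hardwareConcurrency", "deviceMemory"])
    print(f"one input repeats after restart:  {one:.3f} (expected about 1/7)")
    print(f"two inputs repeat after restart: {both:.3f} (expected about 1/28)")
```

In this model a single randomized input repeats often by chance, while the chance that every randomized input repeats together shrinks multiplicatively.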

I don’t think that site works like you wanted to. fingerprintingjs

Try using this site to check and learn about the information you leave on servers… https://panopticlick.eff.org/

Anyway if you want maximum privacy use Tor Browser (official not the Brave Tor). When posting a request to visit a site it goes through 3 relays (nodes), so you’re basically untraceable.

Chromium Browsers are meant to be fast and responsive which makes them vulnerable.

Howdy @nigthguarder, thanks! Just wanted to make a few small corrections:

I don’t think that site works like you wanted to. fingerprintingjs

Try using this site to check and learn about the information you leave on servers… https://panopticlick.eff.org/

I completely agree with the above. The EFF site (panopticlick, and the updated version at https://coveryourtracks.eff.org/) do a better job of assessing how (re)identifiable you are in practice than the fingerprintjs site.

Anyway if you want maximum privacy use Tor Browser (official not the Brave Tor). When posting a request to visit a site it goes through 3 relays (nodes), so you’re basically untraceable.

Chromium Browsers are meant to be fast and responsive which makes them vulnerable.

I think this is conflating two very different things. The Tor Browser (slightly simplifying) protects your browser in two different ways:

  1. by stripping out or modifying browser features to make it harder for sites to identify you through browser fingerprinting
  2. by routing your traffic through the TOR network, to make it (much) harder for sites to identify you by your IP address

In general (again, slightly simplifying), when you use Brave’s Tor mode, you hide your IP address more-or-less exactly the same way you hide your IP address when you use the Tor Browser. In both cases your requests are routed through Tor nodes, instead of traveling directly from your browser to the server / website you’re visiting.

When it comes to protections against browser fingerprinting, Brave and Tor Browser have very different approaches. Tor removes a lot of features that aid fingerprinters; Brave removes some features, and randomizes other features. In general, you can think of this as “Tor provides higher protection, but breaks more sites; Brave’s protections aim to protect you from how most web tracking is done on the web, but is less robust against highly motivated trackers”. Put differently, if your aim is to protect yourself against commercial trackers like Criteo and Google and that group, both Brave and the Tor Browser will protect you very well. If, though, your goal is to protect yourself against state actors or other highly motivated trackers, Tor Browser will do a better job (since they’re even more willing than Brave is to sacrifice compatibility to gain privacy).

Anyway, all that is to say that the primary way Tor Browser (and the Tor network) protect your privacy is not related to browser fingerprinting; it is by hiding your IP from the servers you communicate with. The fingerprinting protections Tor Browser (or Brave, or anyone else) offer are unrelated to the Tor-network protections.

IMPORTANTLY: If you are using a privacy focused browser to protect your safety or have similar heightened privacy needs, you should always use the Tor Browser. Brave does a great deal of things to protect your privacy, but Brave is not intended to, and doesn’t make any claims to, protect users against motivated, targeted attackers. The great work of the Tor, and Tor Browser, project work to protect folks from targeted, motivated attackers.

2 Likes