Linux user agent & fingerprint protection

According to wikipedia, Linux has a 2.9% share on desktop users (and i very much doubt that even half of them are single boot users.)
so basically Brave’s fingerprint protection is useless for Linux users (and i’m guessing mac users too, in fact mac users may have even more exposure, macs are expensive, they are even less popular than Linux in many countries), at the very least make it spoof the user agent to windows when you have selected the “strict” option under fingerprinting.

@loyda it randomizes just about everything else about you. Brave did used to spoof the user agent but then there was a lot of compatibility issues with websites. After a lot of trial & error, along with a lot of research, Brave arrived at what it does now.

The majority of our information does get randomized and we have solid fingerprint protection. I know I had questioned a lot and had to do some research to learn more on how it works.

i use privacy.resistFingerprinting (it does what i ask among other things) on Firefox and i never had compatibility issues on daily browsing (obviously i’m not doing work/using web apps/banking/etc from a hardened profile), the strict option is not default and comes with a warning “may brake sites” anyway, so how can compatibility be the reason?
i have done some research too and in the end random api hashes won’t help much if statistics are not on your side, how many local single boot users, how many of them use brave, how many of them have the same distribution/window manager, the same resolution and everything else untouched? how many on the same ASN? you easily end up being something like the 1% of the 2%

@loyda I’d like to challenge some of your assumptions. Have you not attempted to see what bits of your information is fingerprinted? For example, you mention things like resolution. Let me share two screenshots.

September 13, 2023:

September 14, 2023

You mention resolution…one was 1925 x 941 while the other is 1923 x 934.

Even look at other details and you’ll see where they differ.

I also thought perhaps things like languages were tracked, but…


Notice how on one it said 93 fonts and 85 unique metrics found while the other says 95 fonts and 85 unique metrics? This actually changed frequently. In fact, a third day had the below, 104 fonts and 89 unique metrics:

I spent a lot of time trying to talk to Brendan Eich, Sampson, and others. They had some from the privacy team discuss things with me and I then tracked for a solid month to see what the fingerprinting showed. I then felt more comfortable. They really do randomize a lot of things and we aren’t easy to fingerprint or track.

Also want to make sure you know the following:

Parts of the discussions that occurred also was the following:

Things like OS, UA are not expected to be hidden, that would really break websites (we’ve tried) and don’t provide much in the way of privacy

i’m not saying Brave has weak fingerprinting protections, besides the user agent thing i can’t find a flaw (and it’s much more convenient than maintaining a user.js), i’m saying Linux users are such a tiny minority that the protections won’t really matter.
and i believe it’s even worse for vpn users, usually when you use a VPN, the client will auto connect to the lowest latency/load servers, unless you know which server is on which asn and manually pick one for each session, you will most likely end up using the same ASN 99% of the time, now since these ASNs offer data center services only, you are reduced to a list of a few thousand web users, at best, depending on how many servers your vpn has in the neighboring countries, it could as little as a few hundreds of users.
Brave sure does randomize things, but you are still in the 2.8% of Linux users, in the x% of only-Linux users, in the x% of Chromium based Linux users, in the x% of the FHD resolution bracket…in a handful of IPs from a data center in Romania.
anyway since they have made up their minds i won’t push the subject anymore, cheers!

@fanboynz or @shivan would either of you have any corrections or anything to add?

User agent isn’t something we modify (just standard chromium UA), that said its becoming a less and less. User agent isn’t a major fingerprint or tracking vector, many other variables sites can check for.

If/When this occurs, we’ll folllow suit. Though some sites (banking/financial etc) will check for useragent, not sure if will break here.

1 Like