Privacy guidance please - browser fingerprinting defences

No, it is a very good thing when enabled. https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting
Hardened Firefox, arkenfox, LibreWolf and Tor Browser all have it.

If you try to reduce your fingerprint, that itself creates a unique fingerprint. As you said, 99% of users do not use Bitwarden; in the same way, 99% of users do not use Brave.
Reducing your fingerprint has many layers. Not using any extension itself creates a unique fingerprint, as 99% of users will install at least one extension, be it UBO, Honey, Adobe PDF reader etc. Meaning that as you do not have any extension, you are among the tiny minority of 1%.

It itself is a major fingerprint as said above.

It is perfectly safe from an anti-fingerprinting point of view to use Bitwarden as an extension via point 1.) below. The official Brave privacy team will also recommend the same.

A template for you to follow to increase your privacy:-
1.) Go to brave://extensions/ and in it go to ‘Bitwarden’. There, under site access, select specific sites and add the URL. Then open the Bitwarden extension and deselect ‘Autofill’ and ‘Ask to login’. It will then not insert iframes/JavaScript from Bitwarden into the websites, which the websites could use to identify whether you are using Bitwarden or not.

2.) Go to brave://settings/shields and enable all settings and increase their level to aggressive.

3.) Go to brave://settings/cookies and block all cookies and only allow them on few selected domains.

4.) brave://settings/clearBrowserData On exit, just your preferred settings.

5.) brave://settings/content Just block all stuff

6.) brave://settings/socialBlocking, cancel all

7.) brave://settings/privacy webrtc, select third or fourth option, ‘Default public interface only’

8.) brave://settings/languages, select En-US as language

9.) Just follow the steps up to the point at which it will not affect your work.

Just go through them, you will get most of your answers.

Some more advanced questions, like how many or what type of extensions a website can know about, cannot be answered by average users. E.g., which of UBO, Honey and Bitwarden are identifiable by websites, and to what extent, can only be answered by the Brave team.

No, you’re misunderstanding me. That statement does NOT mean I want to be as unique as possible, it means I want to be as NON-unique as possible. Small fingerprint = Large group of users, Big fingerprint = small group of users.

" 1.) Go to brave://extensions/ and in it go to ‘Bitwarden’. There on site access, select specific sites and add URL. Then open Bitwarden extension and deselect ‘Autofill’ and ‘Ask to login’. It will not insert iframes/javascript from bitwarden to the websites which the websites can use to idetify if you are using bitwarden or not."

This looked quite interesting at first, but not sure I follow you. I can’t “select specific sites and add URL”. I need Bitwarden open to all sites otherwise no point using it, it would take me hundreds of hours to insert all the URLs I may need BitWarden for, and then a load more (the rest of the web) which I MAY want it for if I sign up for an account.

I am not sure this is a solution to hiding bitwarden from my fingerprint, so I may just have to go without it. Shame.

I can’t speak for @chh_68 but I think what he meant was, simply by being a Brave user, that provides a good deal of uniqueness (a bad thing) because of its lower deployed base.

That being said, as I recall Brave does not modify its own User-Agent string so in most cases it will simply appear as a Chrome user. Also, with Google and Chromium moving towards a more reduced UA string I suspect the effectiveness of this will increase over time.

Regarding Bitwarden, it does appear that it can be detected on Chromium-based browsers including Brave. This is unfortunate. However you likely find enough security value in using it, and its own deployed base is ‘wide enough’ (subjective), that I doubt it presents much of a uniqueness risk as it is quite a popular extension.

You can go very far with this, but keep in mind we haven’t even discussed IP addresses in this thread and nothing discussed thus far hides that from remote sites and tracking. So in short, I would suggest only worrying about the “really big” things and let the browser technology do the bulk of the work for you.

On the other hand if you have “extreme” anonymity requirements we likely would not be having this discussion, on this forum, from either browser. It’s good to be thinking about these things but at some point you have to find a pragmatic place to land, and Brave is a pretty good place.

Thanks Jim…

I understood that (although that wasn’t the point I was responding to). However I read that brave just shows up as “Chrome” in UA string, not sure if that’s true or not now, but if it is, it would surely negate your very valid point?

Security benefits of BitWarden are no part of this. The alternative to the plugin/extension, is using the vault I have installed, just a lot more work to conduct logins and save new ones, but not impossible if it reduces my fingerprint uniqueness. And it would appear that it does!

I just ran my browser through here: https://z0ccc.github.io/extension-fingerprints/

With just one extension (BitWarden) installed, it says “0.385% of users share the same extensions”. Without BW (private window in Brave which don’t get extensions) it jumped to 55%!!! That’s pretty damn huge. However it still raises the obvious question: is 0.385% really ‘all that bad’?!

I have various computers, on one I would like as much anonymity as possible (despite having nothing to hide except my personal data from monolithic and utterly evil mega corporations like G and FB), on the other it’s mostly business use so convenience/efficiency rules, and I will probably keep BW extension installed there for its massive convenience. I still wonder though, by my numbers, based on 8 million daily Brave users, I think the calculation said I was in a group of around 26,000 users. That’s pretty damn good! Subjective of course, I just want to make it hard to PICK ME OUT individually, i.e. uniquely. Ok, one in two does that, but not really comfortably! One in 26,000 however seems pretty decent.

Yes that’s why I said I really wanted to keep this focussed on fingerprinting. I know the many other issues and I have those covered, I don’t want to let the conversation grow legs like that as they so often do ‘you should worry more about x’. It’s a fair point for most people asking such questions, hence why I understand and appreciate your raising of this point, but really, it’s a non-issue here. I am exclusively interested in fingerprinting issues only. My move from Firefox to Brave seems easy, the only issue is that now, with the sudden removal of all those extensions (many redundant and expose me in other ways I know), mainly UbO i should say, I just fear if I am more exposed to being tracked/surveilled/screwed by FB, G, Twatter and the many other dragnet surveillers!

That’s pretty much how I feel and why I came over here. Thanks again

Oh, and P.S. - I checked on https://amiunique.org/ and it shows my UserAgent attribute is <0.01% similar. That seems a massive fingerprint. It shows my UA string as:
“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36”
I don’t understand why Brave is considered the best for reducing fingerprint, when the UA puts me in <0.01% of the population, or am I reading this wrong?!

https://httpbin.org/user-agent

They most certainly could be – if the friction involved in doing things the hard way makes you stop using it altogether, then there’s a trade-off there. YMMV, it’s user dependent.

My understanding – could be wrong of course – is that Brave will randomize more-or-less meaningless values returned to the site. So in practice, if you download your JSON fingerprint from that amiunique site; delete cookies from the site (because they apparently cache your fingerprint for 4 months, keeping the cookies and checking the same site again doesn’t really count here); and then restart the browser and download a new fingerprint results JSON – there should be small differences between the two.

So in effect, you appear to be a ‘unique’ endpoint each time, but it will be a different unique endpoint across sessions; and, each site also gets different values so even within the same session, two different sites will get different fingerprint values.

Hopefully that makes sense (and is correct!).
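The comparison described in the post above (two fingerprint downloads with cookies cleared and the browser restarted in between), as an added example that is not part of the original thread. The two exports are constructed samples; the field names are assumptions, not the real amiunique JSON schema, and which values differ is assumed for illustration.

```python
import hashlib
import json

UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36")

# Constructed sample exports from two sessions (hypothetical field names).
SESSION_A = {
    "userAgent": UA,
    "timezone": "Europe/London",
    "languages": ["en-US", "en"],
    "canvas": {"hash": "a41f09c2"},
    "webgl": {"vendor": "Google Inc.", "hash": "77be10d4"},
}
SESSION_B = {
    "userAgent": UA,
    "timezone": "Europe/London",
    "languages": ["en-US", "en"],
    "canvas": {"hash": "0c93e7b5"},
    "webgl": {"vendor": "Google Inc.", "hash": "e2185fa0"},
}


def flatten(value, path=()):
    """Turn nested dicts/lists into {'dotted.path': leaf_value}."""
    if isinstance(value, dict):
        items = list(value.items())
    elif isinstance(value, list):
        items = list(enumerate(value))
    else:
        return {".".join(map(str, path)): value}
    flat = {}
    for key, child in items:
        flat.update(flatten(child, path + (key,)))
    # Keep empty containers visible instead of silently dropping them.
    return flat or {".".join(map(str, path)): value}


def compare(first, second):
    """Split attributes into stable, changed and present-in-only-one."""
    a, b = flatten(first), flatten(second)
    stable, changed, missing = {}, {}, []
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            missing.append(key)
        elif a[key] == b[key]:
            stable[key] = a[key]
        else:
            changed[key] = (a[key], b[key])
    return stable, changed, missing


def digest(attributes):
    """Short identifier derived from a set of attributes."""
    blob = json.dumps(attributes, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()[:16]


if __name__ == "__main__":
    stable, changed, missing = compare(SESSION_A, SESSION_B)
    # Hashing everything gives a different ID per session...
    print("whole-export IDs:", digest(SESSION_A), digest(SESSION_B))
    # ...but the attributes that did not move still form one ID.
    print("stable-only ID:  ", digest(stable))
    for key, (old, new) in changed.items():
        print(f"changed  {key}: {old} -> {new}")
    for key in stable:
        print(f"stable   {key}")
```

The attributes listed as stable are the ones worth reducing or normalising, since they are what remains identical across sessions.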

Brave is the best for anti-fingerprinting but it is not the best best. It does a great deal of anti-fingerprinting, up to the point that it does not cause compatibility issues or breakage for end users, which they do not like.
The official Tor Browser is the best best. Brave blocks/fools ‘naive’ scripts easily. Fingerprinting, as far as I know, is done by third-party scripts, meaning if you are visiting any website it will load third-party scripts for analytics. Brave blocks all these tracking and fingerprinting scripts by default. Meaning whatever we are doing here is pretty much meaningless to some extent in actual web browsing.

Amiunique.org is not the correct indicator. If you look at their website, Linux is rated 50% and Firefox is rated 50%, which is not possible.
Linux should be 2% and Firefox 5%.
The database is based on amiunique user data. Users of amiunique will obviously be privacy freaks instead of your average user you see watching YouTube next to you.

As you say and want, if we are talking about only fingerprinting and not including privacy and security with it, then:
10.) Do not install any extensions
11.) Follow above point 2.) and 8.)
12.) As you are on Mac, changing UA will not be good. If you were on Linux, the UA should be changed to that of Windows, like hardened Firefox, LibreWolf and Tor Browser do.
13.) Change your OS timezone to UTC. Brave picks its timezone from the OS, unlike Firefox which has its internal directory.

The guts of useful fingerprinting defenses are not to make everyone look the same, or to make everyone look different; both of those are fundamentally not possible without massive breakage. What makes Brave’s defenses uniquely strong is that for naive fingerprinters, we feed them enough randomization that they can’t reidentify people (everyone looks different). And for sophisticated fingerprinters, the randomization forces those fingerprinters to ignore the random-but-high-entropy inputs, and only consume a much smaller number of inputs, reducing identifiability and putting users into large anonymity sets for sites with non-trivial numbers of visitors. All that is to say, fingerprint.js is doing a crummy job on their unpopular site (again, see the false positive); if they tried to do the same from popular, real-world sites like the ones they advertise at the bottom, their success rate would be even worse.

2.) Fingerprintjs is not exactly the way real-world websites work to track and fingerprint users. But sites like fingerprintjs, coveryourtracks, amiunique and creepjs can be a good starting point to see browser fingerprinting, and I tested Brave with such sites too.

Fingerprintjs particularly uses:-
i.) User Agent
ii.) Probability
iii.) Device Timezone (Most Imp)
iv.) Browser/Device Language

3.) Normal default firefox got fingerprinted (ID’ed) easily. But, if firefox hardened to its extent, it could pass the test from fingerprintjs. For hardening it easily, I used arkenfox.js and created a new hardened firefox profile. Arkenfox.js and Tor browser got fingerprinted in similar way, as the base firefox/gecko is hardened similarly. Both of them beat fingerprintjs, but tor needed to be safer mode rather than standard mode to beat it. Opera and Edge have their own UA, and it seemed it made them both more unique.

a.) arkenfox and tor user agent is changed from Linux firefox to windows firefox.
b.) The anti-boting probability was affected as everyone looked the same.
c.) Device timezone is overridden and changed to 0+ GMT without affecting device timezone itself.
d.) Browser language by default was changed to English (US).
Other data is made same for all users (resisting) or afaik Canvas and Webgl are randomized like Brave does.

4.)
a.) Brave UA is the same as chrome (which is a good thing). On Linux, Brave UA by default is configured for Linux itself, making it more unique. Linux is smaller compared to windows, and on top of that, majority of users on Linux seem to prefer gecko browsers over chromium browsers.
If we consider UA data from amiunique (it may not be perfect real world data), brave/chrome similarity ratio on Linux were around 1%, while default firefox on linux similarity ratio to 8%. Arkenfox/tor on linux uses Windows UA making it around 15%. If UA of brave/chrome on linux is changed to brave/chrome Windows via web store extension, it is around 7%.
When I changed the UA from linux to brave, it had a hard time ID’ing me. Only half of the time it could correctly ID me. Even chrome with Ubo could evade it to some extent.

b.) With the extension, I was changing the UA per session. UA was changed to more recent versions of chromium rather than old ones. Due to it the anti-boting probability was also affected but to smaller extent.

c.) Device timezone was notorious of all of them (in relation to fingerprintjs, other fingerprinting data collectors like coveryourtracks, creepjs or real world may be different). If device timezone was changed repeatedly per session or changed to GMT (0+) even without changing UA, it had a hard time getting ID’ed.

d.) I checked my browser language, and it was English (Regional), English (UK) and English (US). I removed the other two and made English (US) as my main language on browser and on OS itself as it most used browser/device language. Naturally, you cannot randomize language as a normal English speaker user is not gonna understand Japanese and vice versa. It seemed to have affected fingerprinting and reduced my uniqueness during individual trials.

5.) After combining all of these things, fingerprintjs could not ID me in any way.

Yes that makes sense thanks.

The trouble is I don’t fully understand the user agent. Mine comes up as this:

“user-agent”: “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36”

I am on a mac, running 10.14.6. I am using Brave. Where did “Safari” slip in there?!

It would be nice if Brave could randomize the user agent, I assumed it would as that seems a pretty simple thing to do to prevent browser identification, and very simple to implement.

Not sure, what does ‘actual’ Chrome do on a Mac? Unfortunately I don’t have one to test with.

Not sure here either, but I think someone mentioned earlier, may just be to avoid site compatibility issues/warnings.

In either case, as Google drag the user base thru the UA Reduction process, I think these things will become less relevant.

It has one of the funniest tech backstories: https://webaim.org/blog/user-agent-string-history/
Do read it.


I see, so maybe Chrome/Brave use some element of Safari due to being run on Mac, hence why Safari gets a mention.

Another thing just occurred to me, in case you guys know anything on it…

In FF for many years I have used Temporary Account Containers. Basically this just opens EVERY tab in a new cookie container. I have had it so long I would feel quite naked without it. If I log into ebay on one tab, click to open a new tab and go to ebay there, it opens in a new container and is logged out like a new visitor (even though my fingerprint is probably recognised, the cookie isn’t). This always ‘felt’ like a very strong defence. Obviously I won’t have that on Brave, how concerned should I be about that, if at all? Appreciate your opinions

Brave does not have temporary account container feature.

But it has something called profiles. Go to the right hand corner hamburger menu and create a new profile.
It is a manual process and not exactly similar to firefox containers.

Yes, you could do it ‘by hand’ with Profiles as mentioned above. Or you could do some measure of it by doing a lot of browsing in a Private window.

Not sure how much I would enjoy every tab being a completely new container, when visiting the same site that sounds like it would get old very fast. For different sites that is a different story. Although I suspect 1st-party ephemeral storage handles some of this for you I’m not totally up to speed on how it works – definitely curious though.

Yes neither of those solutions would come close really. I am curious that you’re curious! Mainly because I thought plugins/extensions were ‘bad’ now due to fingerprint issues?

It’s fantastic and it would probably get old for some users but I don’t browse like most people, I don’t use any social media, although I do use the web VERY heavily (100+ browser tabs usually!)

It creates a new container with every new tab, UNLESS the tab is opened FROM another container. So for example, if I hit cmd-T (new tab) it’s a new container, but if I am in ebay and I want to open a few items in new tabs to look at (as I often do with many sites), I just cmd click (or right click open in new tab) and those are all in the same container. I love it. I have 20 ebay tabs open right now, all logged in and work normally, but if I open a new tab to log into paypal to check my balance, paypal doesn’t ‘know’ about my ebay login or activity as the cookies are stored separately. I also have it set to auto delete cookies from each container once all tabs from that container are closed, plus 15 mins (variable).

Stoic I think was the dev who built it, it’s called Temporary Account Containers. I tried “Multi Account Containers” which is widely regarded as ‘better’ but I disagree strongly, although that is certainly a cool app. The ultimate might be to use BOTH, which can be done and means the sites you use regularly retain their cookies permanently, and the browser recognises any links opened on that domain and immediately shifts to that container. So if you set up a container in Multi Account Container for Ebay, and another for Paypal, and another for YouTube, whenever you open a link to any of those, or browse to it, or even click a link to them from serps, that container is used so that tab has you logged in, yet other sites are treated like temporary account containers.

For me the temp ones do the trick, as I leave myself logged in for months on some sites just by keeping one tab open (pinned), so it really doesn’t cause many issues of constantly logging in. But the nice thing is if i visit amazon to browse some products, then close the tab, those cookies/data are fully isolated and auto deleted 15 mins after i close the tab.

After years of using FF like this, I have to say I am nervous of Brave, if only for the fact that I am not sure how much of my data/cookies can be seen by one site about another site. I am so used to being logged out when i browse to sites, it gives me a shock (and nasty feeling) when I open ebay (as i just did!) in brave to find myself logged in. Yikes! Thats horrible! UNLESS Brave fully isolates all such data anyway. If so, that’s VERY cool. If not, I MAY have to consider staying with Firefox (for some activity at least).

Question: Are you a FF or Brave user?

Try Brave for 1 month and see how it goes. If you do not like brave experience feel free to go back to firefox.
The data is all isolated from other domains in the same browsing session if you turn your settings to aggressive mode (as far as I know).

Both

“See how it goes”? Not helpful. This isn’t about UX, it’s about what’s going on behind the scenes and making the best privacy choice before I start using. Both Brave and FF will go just fine in terms of usability.

Is there any way to get support from Brave actual staff, even paid? I have some questions I would pay for answers to before making the big jump over.

Did you look at the privacytests.org link I shared earlier?

It would be difficult to argue, on balance, that Firefox’s privacy protections are better than Brave’s for most common browser privacy concerns. The eBay login/logout thing is just because the cookie for the site gets deleted when the ephemeral container goes away – if it’s more important to you that every time you visit ‘Site X’ that you appear to be a new endpoint, you will need a lot more protections than either (or likely any, aside from Tor) is going to provide. The linked site is more geared towards protecting your ‘identity’ (using that term loosely) on one site against another which I think is your other question – and this is probably the most common definition – and Brave does do very well here.

You might also want to look at the “Sites that clear cookies when you close them” setting in brave://settings/cookies – I haven’t tried this, but it might partially fulfill this for you, although granted it’s a per-site approach. Some discussion here: Brave clearing cookies when I close tabs - #8 by TheWayOfYahweh

Beyond that – if you have ‘niche’ requirements that you cannot live without, if you don’t find someone to pay for answering more questions, that are more valuable to you than the other factors, and that Firefox solves for you, just use Firefox.

Hi and thanks Jim…

JimB1: “Did you look at the privacytests.org link I shared earlier?”

Yes. It looks good, but without understanding the ins and outs of each of the lines, I am one of those it’s probably aimed at! (i.e. wow, green ticks, that’s ‘good’!)

That’s very useful to know thank you. I don’t want to use Tor so I am looking for the MOST effective at doing that, i.e. maximum possible reduction of my fingerprint BETWEEN Brave and Firefox (understanding Tor is obviously superior but not on the table for me)

That’s a great feature and could definitely be useful for me, for sites I regularly visit but who track users heavily (ebay as an example)

I definitely want to use Brave, I just really want to understand how it compares in terms of fingerprinting protection to Firefox WITH my active extensions (bearing in mind they are a fingerprintable vulnerability in themselves!)

Thanks again
