@Deng3h,
Presently, you should get a new fingerprint given the following conditions/actions:
1. Moving from one site to a different site (measured as eTLD+1). So example.org will get a different fingerprint than example.com or other.org, but the same fingerprint as sub1.example.org. Note that this is determined by the top level page (what's in the URL bar), not the immediate frame.
2. Moving to a different session (ex. Private browsing vs normal browsing, clearing all data).
3. Restarting the browser.
The reasoning behind this is that being able to link/identify a user via fingerprinting without crossing those boundaries isn’t useful to trackers (they can already easily re-identify you otherwise), so reloading the page without closing the browser, or clearing data won’t reset the fingerprint, because there’d be no benefit to doing so.
Thank you for taking the time to explain the workings of FP as it is currently. Quite insightful. I can confirm suggestion 2 to give a different fingerprint. Currently don’t know how to test suggestion 1. 3 I should just assume should work out of the box (opened too many tabs to test this on mobile data).
Though this must have been a recent change in the way Brave handles fingerprinting. A refresh would give a different FP in the previous versions. As would 1,2,3.
Am curious to know why this was removed? Wouldn’t it be safer to keep it? To my knowledge, the old method did not break any sites. AFAIK Librefox browser has an FP masking method identical similar to the old one.
Am I missing something as to why this was changed? Esp given condition 1 which is not to my little knowledge testable.
@Deng3h,
Sorry for the late response.
There was never a point to my knowledge where the browser would give you a new FP on refresh, unless it was a bug we had at some point. But other than that it was not ever the intentional behavior.
Further, after discussing/confirming with our senior privacy researcher, some reasons you wouldn’t want a new fingerprint on refresh:
If each reload/document gets a new fingerprint, then the site could knowingly get multiple fingerprintings, which opens up the possibility of some statistical attacks to “undo” the randomness.
It allows the site to know you’re deploying countermeasures, which sometimes causes the site to “retaliate” / remove content / or otherwise attempt to work around those measures.
There’s no privacy benefit of doing so, as a site that wants to re-identify you across page refreshes will just use a cookie or localStorage rather than your FP.
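
A minimal model of the keying rules described in this thread, as an added example that is not Brave's code or part of any post above. The per-session random key, the HMAC construction, the three-entry suffix set and every name in it are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the Public Suffix List (assumption for this sketch).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def etld_plus_one(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # the longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {host!r}")


class Session:
    """Hypothetical model of one browsing session."""

    def __init__(self) -> None:
        # In-memory random key: a restart, a private window or clearing all
        # data is modelled as constructing a new Session.
        self._key = secrets.token_bytes(32)

    def fingerprint(self, top_level_host: str, frame_host: str, attrs: str) -> str:
        # frame_host is deliberately unused: only the URL-bar site matters.
        site = etld_plus_one(top_level_host)
        seed = hmac.new(self._key, site.encode(), hashlib.sha256).digest()
        return hmac.new(seed, attrs.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    attrs = "canvas=ab12;audio=35.7;fonts=214"  # constructed device attributes
    normal, private = Session(), Session()
    for label, sess, top, frame in [
        ("example.org", normal, "example.org", "example.org"),
        ("reload of example.org", normal, "example.org", "example.org"),
        ("sub1.example.org, third-party frame", normal, "sub1.example.org", "cdn.other.org"),
        ("example.com", normal, "example.com", "example.com"),
        ("example.org, private window", private, "example.org", "example.org"),
    ]:
        print(f"{label:38} {sess.fingerprint(top, frame, attrs)[:16]}")
```

Rows that share a session and an eTLD+1 print the same value, including the reload; changing the site or the session changes it.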