Description of the issue: Browser easily identified even through TOR; very strong fingerprinting vector.
How can this issue be reproduced?
Go to fingerprint.com (or any other website with the same functionality) and take note
Go to the said website through TOR embedded in Brave browser
Check Results
Results will be same unless measures taken prior. (Blocking javascript directly etc.)
Expected result: Fingerprints should NOT match, ever.
Fingerprints also match when juggling private tab and non-private tab. My Firefox install somehow is able to make the said fingerprint not match, no idea how. Have multiple open-source plugins installed on Firefox.
@Dwelled2461 it seems you may have some wrong expectations on a lot of things. For example, Tor is a proxy to help hide your IP address. That’s all it does.
Fingerprint protection in Brave does its thing and a lot of stuff gets randomized. Some things will remain the same. Like it will always show you’re using Chromium, it will show your timezone, etc. But things like your fonts, screen size, and a lot of other little things will be different each time.
So perhaps let me ask:
How are you thinking fingerprint protection is supposed to work?
What are you claiming it’s picking up when you say fingerprints match?
Hello. Talking honest, hand to god here, I do not have any expectations on how Brave does any of its things; neither do I care whether Brave just has the option for connecting to the TOR network as “a proxy” to “help hide” anybody’s IP address, though I have expectations on the implementation that’s in the browser to at least make itself clearly known to any possible high-risk people that using the implementation that’s in the browser might just be you know… Not private? And possibly at least eliminate a few more fingerprinting vectors by default on routed pages so maybe and just maybe it’s a tiny-tiny bit harder to let’s say, distinguish. Also please don’t say “Oh there is a clear warning on the bottom left of the screen when you fire up TOR in Brave!” as that “warning” doesn’t mention that it’ll quite literally just use the network as a proxy and not at all do anything else.
Umm, it is private though. It comes with various levels of protection and capabilities. I’m asking you to provide more details on what you’re claiming isn’t private or how you believe you’re getting fingerprinted?
@Dwelled2461 What I’m explaining is that Brave does indeed have fingerprint protection and randomizes. The big issue is a lot of assumptions made. I’m one of those people that also had the assumptions and had to make inquiries. I thought fingerprint protection would hide things like which web browser I’m using, my operating system, etc.
But then after speaking with some of the security team, they advised that many sites broke when it was hidden. So some of those minor things like OS, timezone, browser, etc. aren’t hidden. Those aren’t enough to individually fingerprint anyone either.
Could you try these steps and give back your findings, please?
Checking here, I don’t know whether any of the listed vectors are the cause for the said issue I’ve addressed here, but I must add that I believe this might just be seen as severe, as it’d mean that Brave is doing nought of what’s necessary to keep fingerprinting to a minimum on a platform that’s supposed not to have much of any whenever possible.
What it’s showing is because I’m in the same session. I haven’t exited Brave completely and all. They are trying to say it’s unique based on the IP address and cookies, if you’re allowing the cookies.
IP address gets revealed through your internet provider no matter where you go. Only way to hide that is through proxy or VPN. And even then you have to be mindful about extensions and programs you’re running on your device, as they can “leak” details.
The above is more aggressive for testing. On normal sites I don’t do aggressive fingerprint because sites tend to break.
Main things I’ll make sure to point out in addition:
Tor is just to mask your IP address
Private windows only are to delete your History and cookies upon exit. So it’s only “local” privacy, like if you were worried a family member in your home might see what you did online.
Fingerprinting can cover a lot of various things. The more extensions we use, additional programs connected to the internet or with our browsers, etc will be more options to leak.
Part of what can make the “fingerprinting tests” kind of show different is how Brave will use ephemeral cookies and all. Places might be able to identify us as we visit their sites because we have that temporary storage, but it blocks them from being able to track and identify us across multiple websites.
Sorry, also wanted to ask. When you showed the images you did of your tests, were all of those from today?
Like I mentioned earlier, Brave will randomize info. So as you exit Brave, it should randomize a bit. But especially as you visit on a different day. That would be one of the interesting things to perhaps keep an eye out on as well.
Just created a new profile and left it all at default settings. So first, with no Tor or anything:
So suddenly it’s not allowing for the live demo and instead is trying to push for the free trial. Also it was trying to get me to accept cookies.
Actually typed the above and then started screwing with things. Was trying to test some various ideas. Hence the delay. Sorry, I lose myself in things sometimes.
Out of curiosity, check to see what it’s like for tomorrow. Well, assuming you actually exit Brave and perhaps even shut down your computer.
I know as had been stated before, they (Brave/Shields) randomize info per session. So if we keep pulling it up while using, it’s going to stay the same or similar.
And if you saw the three links I shared with you earlier, they provide a lot more details on things that can be looked at. If you keep track over multiple days (as I did), you’ll notice what is and is not randomized.
I’ll restart PC now, maybe latest Linux version broke something as the fingerprint stays the same even after restarting browser. I remember it quite literally randomising every session on amiunique.
Well, Brave also changed. They went from wanting it to look as unique as possible each time to having a shift of trying to get everyone to kind of look as similar as possible. Ever since that shift, a lot of people have freaked out. And even then they keep changing stuff to find the balance. I forget where we stand fully in 2023. The last big article they wrote was in 2020, which is https://brave.com/privacy-updates/4-fingerprinting-defenses-2.0/
I know I’m still learning, but had at least some from Brave trying to explain things to me a few weeks ago. That’s where I’m trying to answer some things, but not really able to go fully in-depth. Also trying to make sure I’m not going to say anything wrong.
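The behaviour described in the replies above (the same result within one session, some attributes never randomized, and tracking over several days to see which is which), as an added example that is not part of the original thread and is not Brave's code. It is a simplified model in which noise is derived from a per-session seed; the attribute values, seeds and function names are constructed for illustration.

```javascript
// Simplified model of per-session fingerprint randomization (not Brave's code).
// All attribute values and session seeds below are constructed.
const REAL = {
  browser: "Chromium", os: "Linux", timezone: "Europe/Berlin",
  fonts: 212, screenWidth: 1920, canvas: 23063,
};
const RANDOMIZED = ["fonts", "screenWidth", "canvas"]; // the rest is left visible

// FNV-1a, a small non-cryptographic hash, used so the example needs no imports.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// What a fingerprinting script reads during one browser session: noise is
// derived from the session seed, so it repeats until the seed changes.
function observe(sessionSeed) {
  const seen = { ...REAL };
  for (const key of RANDOMIZED) {
    seen[key] = REAL[key] + (fnv1a(`${sessionSeed}:${key}`) & 0xfff);
  }
  return seen;
}

// Visitor ID as a fingerprinting service might compute it: a hash over all attributes.
function visitorId(attrs) {
  const canonical = Object.keys(attrs).sort().map((k) => `${k}=${attrs[k]}`).join(";");
  return fnv1a(canonical).toString(16).padStart(8, "0");
}

// Attributes that never changed across the recorded snapshots.
function stableAttributes(snapshots) {
  return Object.keys(snapshots[0])
    .filter((k) => snapshots.every((s) => s[k] === snapshots[0][k]))
    .sort();
}

// Three sessions (for example, three different days) and what stayed constant.
const days = ["session-1", "session-2", "session-3"].map(observe);
console.log(days.map(visitorId), stableAttributes(days));
```

Two reads inside one session produce the same visitor ID, which is why re-testing without restarting the browser shows a match; only the snapshots taken across sessions reveal which attributes are randomized.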