We Need Anti-Fingerprinting for WebGL Specifically

WebGL is an important feature needed by almost any website that has to render a moderate to high amount of graphics on screen. So, turning it off isn’t an option for most people. If we did want to turn off WebGL outright, we’d probably run NoScript or Tor Browser. Also, anybody who turns off WebGL completely while they browse the internet is going to stick out like a sore thumb. This wouldn’t matter if they were using Tor Browser because Tor users all look almost identical to each other in device fingerprinting. All a bad actor would know is somebody is using Tor; that’s it.

However, since turning this off (WebGL) breaks any website that renders graphics even moderately, a better idea is to spoof it.

The problem is, with even basic Device Fingerprinting, any website running rudimentary code for WebGL can identify your specific graphics card (already alarming), but it’s worse than that. They can also identify the specific manufacturer, the literal company that made it.

This is very bad news for anybody who uses a GPU that is uncommon in the general population. Basically, if you’re somebody using a workstation computer that needs a strong GPU, you’re automatically identified by basic WebGL code. Also, if you’re a heavy gamer, again you’re automatically identified by basic WebGL code.

Device Fingerprinting can also identify your number of CPU cores, or at least the total number. So, if you have a Quad Core running 8 threads, it will see you’re running 8 threads on your CPU. However, they won’t know your CPU’s exact model, manufacturer, etc. For your GPU, on the other hand, they will and it requires extremely basic WebGL code to identify it with high precision.

I understand protection against Device Fingerprinting exists, but it comes with a bunch of default features and WebGL fingerprint protection is only a secondary feature, and none of the features can be customized in Settings. So, to my knowledge, users can’t simply spoof WebGL. They have to accept like 7 other anti-fingerprinting settings. We need to specifically be able to spoof WebGL so that every single website doesn’t know our exact graphics cards.

I can’t stress how important this is for users of workstation computers and gaming computers.

3 Likes

Hi Kyo,

Thanks for the question. I have two answers for your question.

  1. New Fingerprinting Defenses Overall

First is that we are in the process of rolling out a new category of fingerprinting protections that we think will give Brave users the best protections of any browser, bar none. You can look for an announcement about these in the very near future (very likely this week or next), but the general gist of the approach is that we add subtle randomization to a couple of endpoints used for fingerprinting. This has two benefits. First, it makes that particular endpoint not identifying, and so removes fingerprint surface in a way extremely unlikely to cause web compat issues.

And second (and more importantly), since most fingerprinting works by hashing together a bunch of semi-identifying values, randomizing one value will in most cases “poison” the entire fingerprint. In these “fingerprint-by-hash” situations, getting one value randomized ends up providing protection over all possible fingerprinting values, including the graphics hardware identification you mentioned. So, in effect, we won’t need to keep playing “fingerprinting whack-a-mole” as much for a while.

Again, technical details TBD but incoming very shortly.

  2. All that Being Said…

While I expect the above “protection through randomization” approach will greatly reduce the risk involved in the graphics hardware disclosure issue you mentioned, we should still address and remove it. We’ve got an issue to address it. And while the randomization defenses mean this will be a lower priority, it’s still something we will get done as soon as we can.

5 Likes

First off, I wanna say I appreciate you taking the time to construct a detailed response.

I probably shouldn’t have waited 8 days to reply to you. Honestly, I didn’t think I’d get any replies as there’s a variety of important topics I’ve seen other users post about that had no replies. So, I need to check this more often instead of missing everything only to find out 8 days later, somebody responded.

Anyway, other than doing a lot of different things at once, Brave’s device fingerprinting resistance feature in ‘Settings’ does… I don’t know. I’m not sure what it does. Even the documentation is unclear, but I do know it’s currently not customizable (i.e., you cannot select what exactly you wish to spoof, in the case of my topic it would be WebGL specifically).

In the Device Fingerprinting in Settings, it makes sense to block any kind of 3rd Party Device Fingerprinting (same with cookies that are 3rd Party) for pretty basic privacy/security reasons. However, I personally have opted to just block 3rd Party Device Fingerprinting because of the simple fact that I cannot customize what I want Brave to spoof and what I want Brave to keep normal in Fingerprinting Protection.

The general concept I have is that I’m pretty aware that, as a Brave user, most Device Fingerprinting will tell domains I visit that I’m using Chrome with Ad/Tracker Blocking extensions that they cannot detect (they can only detect ‘Chrome PDF’ extension). It will also tell them in ‘User Agent’ that I’m using ‘KHTML, like Gecko’. That’s fine with me if they know that information. Other users may want higher security than me when it comes to that. In fact, I’d like to make sure the PDF extensions are the ONLY extensions they can see (if I add more extensions in the future).

But, they can also see that I have 12 CPU cores and can identify my GPU down to the literal specific manufacturer. This is a big problem because only two types of computers will have this kind of setup and the general population isn’t generally using machines like this. Workstation Computers and Gaming Computers are the only types of computers that have specifications like mine, which are visible via Device Fingerprinting.

They’re going to know I’m using one of those two types of machines, which very drastically narrows down the pool of possible people I could be. If I want to be anonymous, that will be difficult if they know exact GPU and its manufacturer. I mean it’s bad enough they can see how many CPU threads I’m running, but at least they don’t know the specific CPU model, only the number of physical/logical total threads.

Well, for one thing, my Computer is a workstation computer. Theoretically, I could run almost any game I wanted at 1080p max settings on my computer, too, but I don’t have this hardware for gaming purposes. It’s for work purposes. I work with a lot of graphic animation software, professional video editing software that benefits from having a strong GPU, and I also work with extremely CPU-intensive professional software in non-graphical applications.

I can most certainly be tracked if Device Fingerprinting is the method used. They won’t be able to track me through my IP Address because I use a VPN service and alternate between a lot of different North American servers. There also aren’t any IP leaks in WebRTC on my end, not only because of the VPN, but also because I have in Brave ‘Settings’ to use ‘Default Public Interface Only’, which reveals absolutely no private IP Addresses. Even if that Brave Setting for WebRTC failed me, the VPN is yet another layer of defense to stop WebRTC leaks.

This isn’t just a rambling diatribe, though. I’ve taken a lot of security measures that will make almost every form of tracking useless against me. But, the Device Fingerprinting is a HUGE SECURITY HOLE. It’s a huge PRIVACY hole. Are workstation and gaming computer users REALLY private on Brave if their exact GPUs are being leaked and they can’t customize Device Fingerprinting Protection at all? That depends on whether or not a potential bad actor is relying on Device Fingerprinting as their primary invasive method.

Who runs 12 CPU threaded hardware alongside a strong mid-range GPU? People on workstations or gamers. A gamer running my computer’s hardware would probably be doing so to maximize settings on every 1080p resolution game they play. Gamers wanting to run 1440p and 4k stuff would for sure be running something a lot stronger than my GPU, but the thing is when you work in the field I do, you need the same graphical processing power as a Gamer who is maxing out 1080p game settings. My only defense is a bad actor may think I’m a gamer. So, maybe they get the wrong idea, but that’s simply not good enough of a defense!

But again, this fatal WebGL leak would tell every website who runs a couple dozen lines of WebGL code the freaking manufacturer AND exact GPU. That’s dangerous for the privacy of users.

Let’s face it, I mean… over half of the general population doesn’t even use Desktop PCs or Laptop PCs, regardless of Operating System. Most of the general population is using “Smartphones” for their stuff. So, the very fact somebody is using a PC at all means there’s a good chance they have at least a low-range GPU. Their security is less compromised than mine because more people have low-range GPUs than mid-range GPUs like mine. But I REALLY feel bad for the gamer running high-end or flagship GPUs. Their security is even more compromised than mine. Less than 1 percent of Desktop Computer users are running my graphics card, but for the gamer running some insane flagship GPU doing 4k stuff and VR stuff? Holy crap. You can almost just make a spreadsheet of who they could be if you figured out who bought the GPU. All it would take is another data breach, or worse, simply a bad privacy policy from the GPU vendor selling data to 3rd parties and boom… COMPROMISED.

I feel like the Brave developers ought to be making this WebGL leaking thing a very big priority. Anybody running mid-range GPUs can be tracked and anybody running high-end GPUs can potentially be SPECIFICALLY identified. A bad actor can literally know who the person is if they’re running stronger GPUs than me because those are your 1440p max settings on everything gamers. That is not good at all for user privacy! They’re even more compromised than I am, potentially!

I wish I could contribute to the project; I really do. But, I only know basic C++ coding and intermediate LUA Scripting. I can also do intermediate Python work because it’s so similar to LUA, but I strongly prefer LUA as it’s more intuitive to me. This is the coding I do regularly, which is only to extend the capabilities of the professional software I use, not to develop new software.

I’m not a developer, but I know enough C++ to get by if I run into a basic problem at work and I know how to do almost anything in LUA. But if there’s a C++ coding issue at work that’s more advanced, I have to turn that over to the IT Department. If it’s a LUA problem, I can solve it without having to waste IT’s time. They have a bigger workload than I do, so it makes me an asset if I can reduce that workload, even though I’m not a programmer and it’s not one of my job requirements. My role is important, but it’s not the same as IT’s role.

I’ve never done browser work before, so I wouldn’t even know where to begin in helping the Brave Project. I’ll soon be learning some Javascript and HTML5, again to extend the capabilities of the professional software I use for work. More and more customers are wanting web development projects instead of app development projects. HTML5 has wiped Flash off the map, but that’s a good thing for security reasons. Customers are specifically wanting Javascript and rejecting LUA for web development projects. I don’t know why that is, but I’ve asked IT about it. They say something like “Javascript is better for web development and our standard LUA Scripting is more suitable for client-side work”. Whatever the heck that means! So when there’s web development work to do, now I can’t solve basic scripting problems until I learn JS, which means I’m sending boatloads of easy work over to IT, wasting their time yet again.

This influx of Javascript demands from customers is déjà vu all over again; this is just like before I learned LUA and every single new Computer Science hire was doing all my scripting for me. Time to learn JS so that IT doesn’t delegate every web development scripting issue I have to the most junior IT employee!

NONE of my work has ever been browser projects, though!

Hi Kyo,

Thank you for the reply. I appreciate your concern. For what it’s worth, in practice, web-scale fingerprinting attacks rarely (never?) consider individual values; they try to build unique identifiers from a large number of semi identifiers.

So it’s very unlikely sites are trying to identify you based on your graphics card; they’re instead trying to find people who have the same graphics card AND audio hardware AND how your device does drawing operations in some particular way AND etc.

Brave’s solution to this problem is twofold:

  1. Add some very small randomness, in very narrow ways, to how the browser does audio and drawing operations, and to vary these slightly for each site, and each time you reopen the browser. In this way, the combination of “graphics card + audio hardware + how your machine performs specific drawing operations + etc” is never the same across sites or sessions, preventing identification.

  2. Wherever possible, remove identifying information from the browser, including graphics hardware info. This is difficult because we need to make sure we don’t break sites for users. In this particular case, some sites use this hardware info, and if it’s not available, downgrade the user experience significantly. So, we’re working on this problem, but it’s very difficult.

So, we expect our solution in #1 will protect against nearly all (if not all) fingerprinting identification attempts, but, we’re also working on removing other identifying information too, where we can do so w/o breaking sites. So, we’re on the job, moving as quick as we can, but, it’s tricky.

Hope that’s at least helpful to 1) explain why things work the way they do in Brave, and 2) relieve some concern about how trackable / identifiable you are on the web.

4 Likes
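
A simplified illustration of the “fingerprint-by-hash” poisoning described in the two Brave replies above, added here as an example; it is not Brave's code and not from any participant in this thread. The device values are constructed, the FNV-1a hash stands in for whatever hash a tracker uses, and `farble` is a hypothetical helper.

```javascript
// Constructed sample attributes (placeholders, not read from a real browser).
const device = {
  webglVendor: "ExampleVendor Inc.",
  webglRenderer: "Example GPU 1234",
  hardwareConcurrency: 12,
  audioSample: 0.123456789,                      // stand-in for an audio readout
  canvasPixels: [12, 200, 34, 255, 90, 91, 92, 255],
};

// 32-bit FNV-1a: a small stand-in for the hash a fingerprinting script applies.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Fingerprint-by-hash: many semi-identifying values folded into one ID.
function fingerprint(attrs) {
  return fnv1a(JSON.stringify(attrs)).toString(16).padStart(8, "0");
}

// Assumed defence model: a seed derived from (session, site) nudges the audio
// and drawing readouts very slightly. Stable within one site and session,
// different across sites and across browser restarts.
function farble(attrs, sessionKey, site) {
  const seed = fnv1a(sessionKey + "|" + site);
  return {
    ...attrs,
    audioSample: attrs.audioSample * (1 - (seed / 2 ** 32) * 1e-4),
    canvasPixels: attrs.canvasPixels.map((v, i) => v ^ ((seed >>> (i % 32)) & 1)),
  };
}

// What each (session, site) pair would observe for the same physical machine.
function observe(sessionKey, site) {
  const seen = farble(device, sessionKey, site);
  return { id: fingerprint(seen), renderer: seen.webglRenderer, seen };
}

const news = observe("session-A", "https://news.example");
const shop = observe("session-A", "https://shop.example");
console.log("no defence :", fingerprint(device), "on every site");
console.log("news.example:", news.id, news.renderer);
console.log("shop.example:", shop.id, shop.renderer);
```

The GPU string is identical in both observations, which is the remaining disclosure the thread is about, yet the hashed identifiers no longer match across sites.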

@Kyo Just to follow up on this, starting in 1.12, the “fingerprinting blocked (strict)” setting will prevent sites from learning about your graphics card information too.

3 Likes