brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0
17.75k stars 2.32k forks

[Brave Shield] - Brave's unbreak list directly identifies you as a Brave user #10165

Closed MinisterFister closed 4 years ago

MinisterFister commented 4 years ago

Step 1: Have Brave shields enabled
Step 2: Go to https://browserleaks.com/proxy
Step 3: Notice Brave's unbreak list being detected, which identifies you as a Brave user

bsclifton commented 4 years ago

We are already exposing JavaScript which identifies you as a Brave user with navigator.brave.isBrave. You can open a console and try it yourself by pasting in the following:

navigator.brave.isBrave().then(response => console.log(response))

cc: @pes10k

MinisterFister commented 4 years ago

Ohhh I thought all that anti-fingerprinting with user-agents was done so Brave always gets detected as Chrome and you guys were avoiding being detected as the "Brave browser"

pes10k commented 4 years ago

@MinisterFister the goal of our fingerprinting protections is to prevent Brave users from being distinguished from each other. Trying to make Brave look and act like Chrome would, ironically, require removing many/most of our fingerprinting protections, since we have to make significant modifications to Chromium to enforce Brave's privacy goals.

pilsnerbeer commented 4 years ago

@pes10k What about canvas fingerprint? (browserleaks.com/canvas). I remember Brave blocking the readout completely, now it reports my browser as 100% unique.

pes10k commented 4 years ago

Yep, that's our new randomization techniques. The below post describes in more detail, but the short of it is that generating a different fingerprint, per site, per session, gives you stronger anti-tracking / anti-fingerprinting protections than trying to make everyone look identical (since, in the latter case, your anonymity set depends on the other users of the site, while having constantly changing fingerprints puts you in a constantly changing anonymity set that's not linkable across eTLD+1 or session).

https://brave.com/whats-brave-done-for-my-privacy-lately-episode-4-fingerprinting-defenses-2-0/

pilsnerbeer commented 4 years ago

I see. I tried to re-open the page multiple times in a standard/incognito window to see if the readout gets changed every time the page reloads, but it seems to be only changing on browser restart (just tried it). Bromite does the same on mobile, but changes each time I reload the page. Thanks for the link. ;)

pes10k commented 4 years ago

Yep, only per session, per eTLD. The reason this is a better strategy than Bromite is that the page will be able to detect and perform statistical attacks against the random values, since they can get new randomized values by reloading the page, injecting iframes, etc.

Having fixed values per eTLD+1, per session gives the same randomization protections, without allowing the site to carry out those kinds of attacks (it also makes detection more difficult).
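The trade-off described in the comment above, as an added example that is not part of the thread and is not Brave's code: it compares noise redrawn on every read with noise fixed per session and per eTLD+1, and shows what averaging many samples yields in each case. The readout values, the noise amplitude, the function names and the use of HMAC-SHA256 as the keyed function are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample: the device-specific readout a fingerprinter wants (e.g. 8 pixel values).
const TRUE_READOUT = [12, 200, 37, 90, 145, 61, 230, 178];
const NOISE = 3; // constructed amplitude: each value is shifted by an integer in [-3, 3]

// Strategy A: fresh noise on every read, so each reload or iframe yields a new sample.
function perReadReadout() {
  return TRUE_READOUT.map(v => v + crypto.randomInt(-NOISE, NOISE + 1));
}

// Strategy B: noise is a keyed function of (session key, eTLD+1), so it stays fixed
// for one site within one session. Assumption: HMAC-SHA256 as the keyed function.
function perSessionReadout(sessionKey, etldPlus1) {
  const mac = crypto.createHmac('sha256', sessionKey).update(etldPlus1).digest();
  return TRUE_READOUT.map((v, i) => v + (mac[i] % (2 * NOISE + 1)) - NOISE);
}

// What a page recovers by sampling the readout n times and averaging each position.
function averagedReadout(readFn, n) {
  const sums = new Array(TRUE_READOUT.length).fill(0);
  for (let s = 0; s < n; s++) readFn().forEach((v, i) => { sums[i] += v; });
  return sums.map(t => Math.round(t / n));
}

function demo() {
  const session1 = crypto.randomBytes(32); // hypothetical per-session secret
  const session2 = crypto.randomBytes(32); // the next browser session
  const siteA = () => perSessionReadout(session1, 'a.example');
  return {
    trueReadout: TRUE_READOUT,
    perReadAveraged: averagedReadout(perReadReadout, 5000), // noise averages out
    perSessionAveraged: averagedReadout(siteA, 5000),       // noise survives averaging
    otherSiteSameSession: perSessionReadout(session1, 'b.example'),
    sameSiteNextSession: perSessionReadout(session2, 'a.example'),
  };
}

console.log(demo());
```

With per-read noise the averaged readout converges on the stable underlying values, while the per-session readout gives the same noisy values no matter how often the site samples it, and a different set for another eTLD+1 or another session.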

rifler commented 4 years ago

> We are already exposing JavaScript which identifies you as a Brave user with navigator.brave.isBrave. You can open a console and try it yourself by pasting in the following:
>
> navigator.brave.isBrave().then(response => console.log(response))
>
> cc: @pes10k

I am sorry for bumping, when can this promise return false?

Update: I mean, is a type check for the function enough: typeof navigator?.brave?.isBrave === 'function'?

pes10k commented 4 years ago

Hi @rifler, this will always resolve to true. So yes, you could just as well just check for navigator.brave or if nav.bra.isBrave is a function.

The reason there is an isBrave is mostly to start reserving navigator.brave.* for ourselves. The promise is there so that we can, if needed down the road, have an SDK / async friendly way for the browser to know when JS is detecting brave-ness.

Hope that helps!