Open pes10k opened 3 years ago
Hi, in light of this research DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting, it is very important that brave implements the protection against WebGL fingerprinting.
Thank you for the link @pachainti . This issue wouldn't affect the technique used in the paper you link to though. Its an interesting paper, and the described technique uses differences of basically-the-clock-speed of seemingly identical (i.e., same model) graphics hardware as a fingerprinting vector. However, even given the authors findings, the technique is not very practical; if im reading it correctly, its does only an okay job of distinguishing between 10 different instances of the same hardware; having more instances as you would on a real world site would push the accuracy down further.
That said, we will block instances of any scripts using this technique we find, and if we observe real-world attackers start improving the technique to the point that it becomes practical and a threat to Brave users, we'll deploy additional randomization-based defenses.
We can add more fingerprinting protection through farbling protections to Brave through the following:
(these changes would be in normal and aggressive settings)
getSupportedExtensions
(something likeEXT_<noun>_<verb>
, happy to come up with what those word lists might look like)WebGLRenderingContext.getExtension
so that it returns a similarly named datastructure (ExtNounVerb
) when queried