Open pes10k opened 3 years ago
pachainti
commented
2 years ago Hi, in light of this research DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting, it is very important that brave implements the protection against WebGL fingerprinting.
pes10k
commented
2 years ago Thank you for the link @pachainti . This issue wouldn't affect the technique used in the paper you link to though. Its an interesting paper, and the described technique uses differences of basically-the-clock-speed of seemingly identical (i.e., same model) graphics hardware as a fingerprinting vector. However, even given the authors findings, the technique is not very practical; if im reading it correctly, its does only an okay job of distinguishing between 10 different instances of the same hardware; having more instances as you would on a real world site would push the accuracy down further.
That said, we will block instances of any scripts using this technique we find, and if we observe real-world attackers start improving the technique to the point that it becomes practical and a threat to Brave users, we'll deploy additional randomization-based defenses.
We can add more fingerprinting protection through farbling protections to Brave through the following:
(these changes would be in normal and aggressive settings)
getSupportedExtensions(something likeEXT_<noun>_<verb>, happy to come up with what those word lists might look like)WebGLRenderingContext.getExtensionso that it returns a similarly named datastructure (ExtNounVerb) when queried