Open BenjaminAster opened 5 months ago
Wow! Great post. I hope this gets more traction with the removal of aggressive anti-fingerprinting.
cc: @ShivanKaul
Thank you for putting these together. Like you pointed out, a lot of these have webcompat risk: we have dropped plans for some of them because it would break too many sites. FWIW we try to avoid permission-prompting the user unless the use-case is essential and privacy harm imminent, since it increases notification fatigue.
https://www.ctrl.blog/entry/brave-user-agent-detection.html
Update (2020-03-31): Brave still doesn’t have its own User-Agent. The User-Agent may be deprecated going forward, however. On a positive note, you can now reliably detect Brave using the following test:
(navigator.brave && await navigator.brave.isBrave() || false)
I did some research on fingerprinting and browser's defenses, and I think there are several pieces of somewhat fingerprintable information that Brave still exposes and that could rather trivially be spoofed/farbled/disabled:
(await navigator.userAgentData.getHighEntropyValues(["platformVersion"])).platformVersion
returns the exact operating system version. On Android, this provides the major Android version (e.g. 12/13/14 etc.) and on Windows, it provides the number corresponding to the yearly Windows release (14.0.0
= Windows 11 21H2,15.0.0
= Windows 11 22H2 etc.). This value could easily be spoofed by always returning the most up-to-date version of the known OS (14.0.0
on Android,15.0.0
on Windows, etc. (I don't know about Linux/MacOS/ChromeOS))await (await navigator.gpu.requestAdapter()).requestAdapterInfo()
.sampleRate
,baseLatency
andoutputLatency
properties ofAudioContext
give information about the system's audio processing capabilities.and sending it a message. This provides a reliable and repeatedly-the-same value, even in incognito (6350 in my case). However, I don't know how different these numbers are on different devices, so the information entropy might be rather low for this one.
await PublicKeyCredential.isConditionalMediationAvailable()
andawait PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
APIs returnfalse
for the (probably rather few) users where these authentication methods are not available, making them somewhat unique. Should these methods be overridden to always returntrue
, possibly causing compat issues?performance.memory.jsHeapSizeLimit
returns the JS heap size limit. It is stable across different websites & visits, although I don't know how much entropy this property really has (might be the same for most users; 2,172,649,472 bytes on my machine).new Intl.DateTimeFormat().resolvedOptions().timeZone
returns the true time zone, including city information (e.g. Europe/Vienna for me). This has been discussed several times here and the consensus was apparently that spoofing the value to a normed city per time zone wouldn't work since every country has their own rules regarding daylight savings time, and therefore calendar applications wouldn't work reliably anymore. But wouldn't it be possible here to expose the true time zone with city information after an opt-in from the user? For 99% of websites, having the general time zone (i.e. the offset from UTC) is perfectly enough.