Brave still exposes too much fingerprintable information

[BenjaminAster]

I did some research on fingerprinting and browser's defenses, and I think there are several pieces of somewhat fingerprintable information that Brave still exposes and that could rather trivially be spoofed/farbled/disabled:

• (await navigator.userAgentData.getHighEntropyValues(["platformVersion"])).platformVersion returns the exact operating system version. On Android, this provides the major Android version (e.g. 12/13/14 etc.) and on Windows, it provides the number corresponding to the yearly Windows release (14.0.0 = Windows 11 21H2, 15.0.0 = Windows 11 22H2 etc.). This value could easily be spoofed by always returning the most up-to-date version of the known OS (14.0.0 on Android, 15.0.0 on Windows, etc. (I don't know about Linux/MacOS/ChromeOS))
• WebGL renderer & vendor info (see https://github.com/brave/brave-browser/issues/31229#issuecomment-1913661444)
• WebGPU is currently still enabled in Brave by default. As far as I know, Brave provides no canvas farbling whatsoever for it (only for WebGL and Canvas2D). Also, it is possible to read the GPU vendor and rough architecture via await (await navigator.gpu.requestAdapter()).requestAdapterInfo().
• External Protocol Flooding is still not fixed.
• Audio latency & sampling rate: the sampleRate, baseLatency and outputLatency properties of AudioContext give information about the system's audio processing capabilities.
• Recursion call stack size: One can measure the browser's JS maximum recursion call stack size by creating a web worker looking something like this:

  onmessage = () => {
    let stackSize = 0;
    try {
        const recursion = () => {
            stackSize++;
            recursion();
        };
        recursion();
    } catch {
        postMessage(stackSize);
    }
  };

  and sending it a message. This provides a reliable and repeatedly-the-same value, even in incognito (6350 in my case). However, I don't know how different these numbers are on different devices, so the information entropy might be rather low for this one.

• the WebAuthn await PublicKeyCredential.isConditionalMediationAvailable() and await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() APIs return false for the (probably rather few) users where these authentication methods are not available, making them somewhat unique. Should these methods be overridden to always return true, possibly causing compat issues?
• performance.memory.jsHeapSizeLimit returns the JS heap size limit. It is stable across different websites & visits, although I don't know how much entropy this property really has (might be the same for most users; 2,172,649,472 bytes on my machine).
• new Intl.DateTimeFormat().resolvedOptions().timeZone returns the true time zone, including city information (e.g. Europe/Vienna for me). This has been discussed several times here and the consensus was apparently that spoofing the value to a normed city per time zone wouldn't work since every country has their own rules regarding daylight savings time, and therefore calendar applications wouldn't work reliably anymore. But wouldn't it be possible here to expose the true time zone with city information after an opt-in from the user? For 99% of websites, having the general time zone (i.e. the offset from UTC) is perfectly enough.

[LiamPerson]

Wow! Great post. I hope this gets more traction with the removal of aggressive anti-fingerprinting.

[bsclifton]

cc: @ShivanKaul

[ShivanKaul]

Thank you for putting these together. Like you pointed out, a lot of these have webcompat risk: we have dropped plans for some of them because it would break too many sites. FWIW we try to avoid permission-prompting the user unless the use-case is essential and privacy harm imminent, since it increases notification fatigue.

[jermanuts]

https://www.ctrl.blog/entry/brave-user-agent-detection.html

Update (2020-03-31): Brave still doesn’t have its own User-Agent. The User-Agent may be deprecated going forward, however. On a positive note, you can now reliably detect Brave using the following test: (navigator.brave && await navigator.brave.isBrave() || false)