duckduckgo / duckduckgo-privacy-extension

DuckDuckGo Privacy Essentials browser extension for Firefox, Chrome.
https://duckduckgo.com/app
Apache License 2.0

The extension forcefully overrides navigator.hardwareConcurrency #2375

Open kaplun opened 9 months ago

kaplun commented 9 months ago

Description

When using DuckDuckGo Privacy Extension, the extension forcefully overrides the navigator.hardwareConcurrency information provided by the browser. This in turn causes many websites, services and extensions that probe this number to actually under-perform, as they are going to assume there are only 2 CPU logical cores available instead of the actual number.

Steps to Reproduce

  1. Have DuckDuckGo Privacy Extension enabled
  2. Download e.g. some large files previously uploaded on https://drive.proton.me (Proton Drive employs parallelization in order to optimize download speed and decryption of e2ee files. With the extension enabled, network utilization is suboptimal because only one block at a time is downloaded, instead of multiple parallel blocks.)

Expected behavior: Given how critical this number is for performance, I'd expect as a user to have control over whether this value is overridden by the extension or the real number of logical cores is exposed.

Actual behavior:

Versions

Additional Information

The actual line enforcing this is here: https://github.com/search?q=repo%3Aduckduckgo%2Fduckduckgo-privacy-extension%20hardwareConcurrency&type=code

sammacbeth commented 8 months ago

Thanks for filing this. This is one of our fingerprinting protections - we fix this, and several other hardware values to the same value for all users to make it so this cannot be used for fingerprinting by trackers. Your example on proton.me seems to be a rare example of a site using navigator.hardwareConcurrency for its actual purpose, rather than fingerprinting, and our chosen value for it may be a bit low for most extension users.

I've opened https://github.com/duckduckgo/privacy-configuration/pull/1679 to mitigate the issue on proton.me, and opened a task internally to discuss how to deal with valid usages of this API. If you know of other sites with issues, please let us know so we can mitigate any issues there too.

knumat commented 4 months ago

I just ran into this issue with the Zoom Video SDK for Web (link). This JS library allows websites to embed video chat into a webpage. However, it has limited functionality on machines with limited computing power. Specifically, many features including video resolution (720p/1080p) and virtual background (image/blur) are restricted based on navigator.hardwareConcurrency. There are many references to navigator.hardwareConcurrency in this file for various features.

While I know that I can exclude my site in the DuckDuckGo Privacy Essentials options, this SDK could be used on many different sites, and it is not intuitive or user-friendly to have to exclude every site. Also, this means that the rest of the DDG PE features are turned off for these sites.

I would suggest raising the number of reported cores from 2 to 8, similar to what Safari/WebKit does (link).