mullvad / mullvad-browser

Privacy-focused browser for Linux, macOS and Windows. Made in collaboration between @torproject and @mullvad
https://mullvad.net/browser

Fingerprint.com bypass #112

Closed r2fo closed 1 year ago

r2fo commented 1 year ago

I noticed that fingerprint.com successfully fingerprints Mullvad Browser on macOS Ventura, even if I change Mullvad VPN servers and keep the default window size without anything modified (no extra extensions). I found a fix: you have to change the window size randomly and change the VPN server too.

Any plans for an optional randomized window size? The default window size doesn't counter fingerprinting.

Thorin-Oakenpants commented 1 year ago

what makes you think the fingerprint is unique or that randomizing is any better? rhetorical q, don't answer

> and change the VPN server too

This is not purely FPing in the sense of e.g. JS/client-side. Yes, an IP address is a fuzzy FP point of data. TB overcomes this with exit nodes per eTLD+1 + scheme etc, and New Identity (and a VPN has new VPN server or whatever).

And TB/MB sanitize any local data on close or new identity (not sure if new VPN endpoint does the same), so that covers that - and we use FPI to isolate each eTLD+1 etc. So that covers that.

FP.js pro is using client side storage and IP and what I call actual FPing. It's actually very easy to make the hash change, and it's not that sophisticated, but because it's a combination of things, and because people don't understand how FPing works, everyone seems to think it's super duper and gives you a unique FP. People have logged tickets at tor project, at Brave, etc. It's not true.

Now, regardless of what the website hash says (e.g. easily changing the hash by resizing the window, as one example), that does not mean you can't be linked to previous traffic - FPs are meant to be fuzzy, and there is a whole other science behind linkifying/matching with degrees of certainty on the back-end or after the fact (e.g. think chrome user agents incrementally increasing over time).

you can read Peter's answers from https://github.com/brave/brave-browser/issues/14031#issuecomment-818815209 on down to get an idea: e.g.

  1. looking at storage to "fingerprint" you (i.e. not fingerprinting at all)
  2. using IP + useragent (again, not fingerprinting)

And I agree with Peter (we've had a few chats here and there over the years, he knows, this is his field, and mine - and I've even dived into the actual metrics it collects). The site is "mostly smoke and mirrors trying to sell a commercial service" and "they're better at looking good at fingerprinting than actually being good at fingerprinting". If you do nothing, you are unique - and it's not hard to compute that. FPJSpro is nothing magical, and they are simply proving that there is a lot of low hanging fruit.

But up against advanced protections, metric by metric, TB/MB holds up (as far as we can tell - math and science tells us a lot, and lots of testing, but at the end of the day we need to collect some FPs to see how many buckets exist that aren't equivalency, and a survey (1 result per profile) to gauge the actual entropy (i.e. not all buckets have the same number of users)).
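The bucket-versus-entropy point in the comment above, as an added example (not code from this thread, Mullvad or the Tor Project): it groups a survey of one fingerprint per profile into buckets and compares the bucket count with the Shannon entropy of the actual bucket sizes. The survey records, metric values and function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed survey, one record per profile (not real measurements).
# Each record is the tuple of metric values a script collected.
SURVEY = (
    [("1400x900", "UTC", "en-US")] * 6
    + [("1200x800", "UTC", "en-US")] * 2
    + [("1000x700", "UTC", "en-US")] * 1
    + [("1433x877", "UTC", "en-US")] * 1
)

def bucket_sizes(records):
    """Group identical fingerprints; returns {fingerprint: number of profiles}."""
    return Counter(records)

def shannon_entropy_bits(buckets):
    """Entropy of the observed distribution, weighting buckets by their size."""
    total = sum(buckets.values())
    return -sum((n / total) * math.log2(n / total) for n in buckets.values())

def uniform_bound_bits(buckets):
    """Entropy if every bucket held the same number of profiles (upper bound)."""
    return math.log2(len(buckets))

def surprisal_bits(buckets, fingerprint):
    """Bits of identifying information carried by one specific fingerprint."""
    total = sum(buckets.values())
    return math.log2(total / buckets[fingerprint])

def summarize(records):
    buckets = bucket_sizes(records)
    return {
        "profiles": len(records),
        "buckets": len(buckets),
        "unique_profiles": sum(1 for n in buckets.values() if n == 1),
        "entropy_bits": shannon_entropy_bits(buckets),
        "uniform_bound_bits": uniform_bound_bits(buckets),
    }

if __name__ == "__main__":
    for key, value in summarize(SURVEY).items():
        print(f"{key}: {value}")
```

Counting buckets alone gives the uniform bound; the survey is what shows how far the real distribution sits below it and which profiles land in a bucket of one.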

Thorin-Oakenpants commented 1 year ago

Just to clarify, same as Peter: this does not mean that we should disregard FPJSpro (or other scripts) - FPing protection is always ongoing and evolving.