
I've been digging into this and it appears content blockers are no longer a final solution to fingerprinting. Using Cloudflare Workers or custom subdomains, websites can sidestep all the protections of ITP and content blockers.

The only thing I have come up with so far is to create a feature that scans JavaScript for markers used in fingerprinting libraries, and disallow that code to execute.
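The scanning idea in the post above, sketched as an added example (not part of the original thread and not Orion's code): a static scan of script source for API names tied to GPU, audio and canvas fingerprinting. The marker list, the thresholds and the sample scripts are constructed assumptions.

```javascript
// Added example: static scan of script source for fingerprinting API markers.
// Marker groups and thresholds are illustrative assumptions, not a vetted ruleset.
const MARKER_GROUPS = {
  gpu: [/WEBGL_debug_renderer_info/, /UNMASKED_(RENDERER|VENDOR)_WEBGL/],
  audio: [/\b(Offline)?AudioContext\b/, /\bcreateOscillator\s*\(/, /\bcreateDynamicsCompressor\s*\(/],
  canvas: [/\btoDataURL\s*\(/, /\bgetImageData\s*\(/, /\bmeasureText\s*\(/],
};

// Return, per technique, the marker patterns found in the source text.
function scanScript(source) {
  const hits = {};
  for (const [group, patterns] of Object.entries(MARKER_GROUPS)) {
    const matched = patterns.filter((re) => re.test(source)).map((re) => re.source);
    if (matched.length > 0) hits[group] = matched;
  }
  return hits;
}

// One marker is ordinary API use; several markers spread across techniques is
// the pattern a fingerprinting library shows.
function verdict(source) {
  const hits = scanScript(source);
  const groups = Object.keys(hits).length;
  const total = Object.values(hits).reduce((n, m) => n + m.length, 0);
  if (groups >= 2 && total >= 3) return "block";
  if (total >= 2) return "review";
  return "allow";
}

// Constructed samples (not taken from any real library or site).
const CHART_EXPORT = `const png = canvas.toDataURL("image/png"); save(png);`;
const SYNTH_APP = `const ctx = new AudioContext(); const osc = ctx.createOscillator(); osc.start();`;
const PROBE_SCRIPT = `
  const ext = gl.getExtension("WEBGL_debug_renderer_info");
  const gpu = gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
  const ac = new OfflineAudioContext(1, 44100, 44100);
  const osc = ac.createOscillator(); const comp = ac.createDynamicsCompressor();
`;

for (const [name, src] of Object.entries({ CHART_EXPORT, SYNTH_APP, PROBE_SCRIPT })) {
  console.log(name, verdict(src), JSON.stringify(scanScript(src)));
}
```

A scan like this sees only literal source text, so it misses names assembled at run time and works alongside a blocklist rather than replacing it.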

    It is easy to build anti-fingerprinting solutions that work with popular fingerprinting demos.

    It is impossible to build an anti-fingerprinting solution against a sophisticated fingerprinter like

    GPU fingerprinting
    https://arxiv.org/pdf/2201.09956.pdf
    https://www.techpowerup.com/291518/researchers-exploit-gpu-fingerprinting-to-track-users-online

    Audio fingerprinting:
    https://www.cs.princeton.edu/~arvindn/publications/OpenWPM_1_million_site_tracking_measurement.pdf
    https://techcrunch.com/2016/05/19/audio-fingerprinting-being-used-to-track-web-users-study-finds/

    If a sophisticated fingerprinter is allowed to run, it will fingerprint the browser.

    Therefore the best solution is to prevent the fingerprinter from running. Any other approach is doomed to fail, and can only give a false sense of protection when tested with fingerprinting demos that use basic fingerprinting methods that are easily avoided.

    There is no perfect solution and we simply avoid playing the cat and mouse game played by other browsers, giving users a false sense of protection. Our approach, blocking fingerprinters from running, is protecting against probably 99% of what is used out there.

      Vlad thank you Vlad - yes I understand the above. I agree, also.

      I also understand you don’t have time to play cat and mouse.

      The point is, it’s not a popular fingerprinting demo. It’s a real (and popular) fingerprinting product, in use in the wild, who are able to get around the traditional “not allowing it to run” technique.

      Hopefully you were able to read what I wrote above.

      I was just trying to help Orion be the best privacy focussed browser there can be. That’s what I’m interested in, and I’m sure it’s what draws many users.

      I felt you should be aware that your ”don’t run it” solution (as it is) isn’t watertight, and increasingly this will be the case as these methods get further adoption. Sadly I don’t think 99% protection is a realistic figure anymore, given the discoveries above.

      Maybe I’ll find the time one day to write an extension that mitigates these new methods (subdomain, cloudflare worker), as I think it’s important.

      • Vlad replied to this.
        6 days later

        robrecord

        The point is, it’s not a popular fingerprinting demo. It’s a real (and popular) fingerprinting product, in use in the wild, who are able to get around the traditional “not allowing it to run” technique.

        A difference to understand is that their script is allowed to run on their site because it may not have been flagged as malicious (because it is clearly a technology demo). That does not mean it will be allowed to run in the wild, when ad/tracking companies package it into their scripts, which are already well documented and publicly known and a part of many blocklists that Orion uses. This is what I meant by 99% protection.

        Yes, one can incorporate this into new scripts, custom subdomains etc, but these either:

        a) get detected by the broad privacy community fast (if they are impactful/used by a large ad/tracking network it will be in a matter of hours)
        b) if a random small site did this - well there is also no harm because you are likely to not visit it ever (and fingerprinting only makes sense when deployed at large scale anyway, which is what a) considers)

        Because this statement holds true:

        "If a sophisticated fingerprinter is allowed to run, it will fingerprint the browser."

        It is clear that the best and only defense against fingerprinting is to block it (we will be adding a feature for custom block lists so you can stay up to date in a matter of minutes in the future), and not try to avoid it once it is running with stuff like masking your screen resolution and whatnot, which are basically just gimmicks as proven by those two whitepapers I linked to earlier.

        6 months later

        Currently if you run the fingerprinting test from the EFF website Orion has a nearly-unique fingerprint. All the tracking protections in the world won't help much when the browser is so unique and easily identifiable.

        Here's the Mullvad browser for comparison:

        Love the work you're doing. Great to see another browser that's not made on Chromium.

          Merged 2 posts from Make orion less fingerprintable and identifiable.
            2 months later


            Results with most common user agent from useragents.me "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" set in the browser.

            I wish there was a fine-grained way to allow what .js to run on what sites. I don't mind having to prune a whitelist. Most services can get on alright without JS, and the few that don't I would like the option of not letting 'scripts/tracking.js' run but allowing 'scripts/post-display.js'


            Even without JavaScript enabled though, the browser is still very identifiable. Surely there's more that can be done so the browser 'blends in'. Mullvad/Tor's letterboxing? Brave's fingerprint randomization?

            What does the project need to make it happen?

            • Vlad replied to this.

              tmp339 Please read the entire thread here for our stance on fingerprinting and why all the methods in other browsers are basically a marketing gimmick.

                Vlad Are there more resources on GPU fingerprinting complexities?
                It seems to me that there doesn't exist much research or consensus.
                I think it would involve a lot of advanced mathematics to spoof a GPU fingerprint, and if it could be done for the Orion browser, but that would probably be too complex.

                  20 days later

                  spicysalmon I've called anti-fingerprinting marketing in browsers a gimmick, not the tests. The tests are also largely irrelevant; I do not know of tests that employ tactics uncovered in cutting edge tracking research like indicated here https://orionfeedback.org/d/2450-anti-fingerprinting/5 which the most powerful ad-tech that we should be afraid of certainly does. The only protection against fingerprinting is not to allow the fingerprinter to run in the first place, which is the strategy Orion employs.

                    9 days later

                    techfreak85 Maybe too much to ask, but reading this thread may give you the answers.

                      a month later

                      @Vlad I've read the entire thread. I understand your point. But what I don't understand is why do one thing but leave other things? Orion has GPU fingerprinting protection, which is great, but why would you not make it anti-fingerprint for other methods of fingerprinting? Even if they don't matter in your opinion, why not just do it for the sake of making Orion a 100% anti-fingerprint browser without any doubts?

                      • Vlad replied to this.

                        Soum Because you can't. If a sophisticated fingerprinter (not talking about vanity/promotional tests found on many websites) is allowed to run, it WILL fingerprint you. These are massive corporations with billions to spend doing only that. We are a small team doing a million other things. At the cutting edge level, we cannot outrun them (and I'd argue no browser vendor can).

                        The absolutely best strategy is not to allow the fingerprinter to run in the first place.

                        • Soum replied to this.

                          Vlad So are you saying currently Orion is 100% anti-fingerprint because the fingerprinter can't run in the first place?

                          • Vlad replied to this.

                            Soum No, I am saying that our approach is the best possible. The quantity of fingerprinters stopped with this method will depend on the quality of blocklists (which are now customisable since last release). But this approach does not care about the sophistication of the fingerprinter as long as it is on the blocklist.

                            • Soum replied to this.
                              10 days later

                              Vlad

                              Since you talk about GPU fingerprinting protection, I was doing tests with https://www.deviceinfo.me on my current browsers: Brave, hardened Firefox dev edition, Mullvad browser, and TOR browser. In short, my data is almost completely exposed by Firefox, even the hardened one. Brave spoofs and randomizes a lot of the data but does not fully stop the exposure. Mullvad is like 99% there and TOR 99.99% fully anonymized. Check yourself if you want.

                              Then I thought let's test this on Orion. So I reinstalled Orion (so cool intro video, always good to see it). The conclusion for the Orion test is that it's on the same level as Brave (except that it has zero telemetry when compared to Brave).

                              I might not understand what GPU fingerprinting is, but the GPU fingerprinting you talk about isn't helping in stopping the exposure of all information regarding my Mac. My local time. Etc. A lot of my info is exposed. What do you think?