Anti Fingerprinting
- Edited
Soum No, I am saying that our approach is the best possible. The quantity of fingerprinters stopped with this method will depend on the quality of blocklists (which are now customisable since last release). But this approach does not care about the sophistication of the fingerprinter as long as it is on the blocklist.
Since you talk about GPU fingerprinting protection, I was doing tests with https://www.deviceinfo.me on my current browsers: Brave, hardened Firefox dev edition, Mullvad browser, and TOR browser. In short my data is almost completely exposed by Firefox even the hardened one. Brave spoofs and randomizes a lot of the data but not fully stops the expose. Mullvad is like 99% there and TOR 99.99% full anonymize. Check yourself if you want.
Then I thought let's test this on Orion. So I reinstalled Orion (so cool intro video, always good to see it). The conclusion for Orion test is that it's on the same level as Brave (except that it has zero telemetry when compared to Brave)
I might not understand what GPU fingerprinting is but the GPU fingerprinting you talk about isn't helping in stopping the expose of all information regarding my Mac. My local time. Etc. A lot of my info is exposed. What do you think?
I do understand Orion's philosophy. However, I don't accept that it's pointless to make these changes. My standpoint is not from a perspective of trying to be unidentifiable; if that was what I wanted, I would be using Tor Browser. I will make that explicitly clear: I am speaking as someone who doesn't care about being fingerprinted.
My standpoint is from privacy: preventing scripts that aren't known about yet from getting anything - and to be more specific, said scripts getting accurate information about me. I care less if a fingerprinter tries to track me, or if it can follow me around the internet, or if it does indeed have a unique fingerprint on me, if the information it ends up having is wrong. I do, however, understand that this can lead to a false sense of security as fingerprinters get better and better.
I think an acceptable compromise would be to have these features, but have them off by default, put somewhere away from the main settings, and made explicitly clear as settings that Orion does not think is truly beneficial to stop fingerprinting (basically an "enable at your own risk" thing.)
JBMagination Can you give an example?
- Edited
This is an important topic, I've read the thread. I went to the GPU article and commenters said that Firefox allows you to turn off WebGL. Is this possible in Orion, is it recommended?
Vlad, how can I be sure I am maximizing Orion's ability to protect our privacy? Simply default settings or more to do?
EDIT: I gather Orion is allowing the test sites to run but won't allow the scripts on real sites to run -- how do I validate this? Is there somewhere in Orion that I can see what got blocked by Orion?
- Edited
For improving privacy. Other anti-fingerprinting methods haven’t been working for me on my iPhone. The fingerprint detector on Coveryourtracks.eff.org keeps returning me the EXACT SAME hashes of canvas, WebGL, etc. fingerprints, whether I use any anti-fingerprinting extensions, or use the Brave browser (which claims to randomise my fingerprint). Why not have the option to simply disable those features altogether (and also have the option to whitelist sites that do really need them)? Epic is the only browser available on iOS that actually does this (coveryourtracks also returned to me a very different hash of canvas and WebGL when I used Epic as a result), but it would be really great to see this feature on Orion 
This is what I got from amiunique.org when using Epic:
I would imagine those options to be in the Settings or in a pop-up opened by selecting an icon on the header or near the tabs. We would toggle on/off various features, and manually enable them locally for or whitelist sites that won’t work without them enabled. Like in Brave, where we can choose to block or enable trackers, phishing, fingerprinting and scripts on individual sites.
It appears to me that Orion doesn’t want to create anti fingerprinting techniques because it would be a maintenance burden, which is a shame. Many of us have shown the techniques employed at the moment (blocklists) go a long way but don’t cover the depth and breadth of the situation. I guess plug-ins might be able to eventually fill in the gaps.
And, I appreciate Orion has to make decisions that are right for them.
I recently reinstalled Orion on my iPhone, and I'm impressed with the browser in many ways. However, upon running Cover Your Tracks, I noticed that the browser has no canvas blocking or WebGL blocking, which makes the browser more fingerprintable.
It's relatively simple to block this. The WebGL fingerprint can be spoofed, and HTML canvas can be disabled altogether.
As of right now, I don't think any other browsers on iOS can do this, but I'm sure it would be quite beneficial if included as a toggle in the settings, as canvas does have some legitimate uses.
Could this be done?
A user could turn on the feature to avoid being tracked across various websites.
- Edited
Hellfire103 Fingerprinters you should be afraid of do not use techniques that are easy to block.
The only thing that works is blocking the fingerprinter itself from running. Everything else is cheap marketing aimed at creating false sense of protection. Orion is the only browser on the market that ships with built in blocker for both 1st and 3rd party ads and trackers.
Vlad Well, but it will break those websites completely now, wouldn't it? I don't know if anyone has employed that technique in the wild yet, but it's a neat circumvention idea. I'm just not sure I described it clearly.
The idea is to hold a common third-party javascript library ransom, so you either have to break the site's functionality completely or agree with whatever that was added in that script.
Vlad Why is it not Orion's job to fix that? I don't see how that follows. I don't mean you need to "take on a job" right now literally, but rather that you do hold this anti-fingerprinting stance (and javascript blocking is being advertised as one of the defining features of Orion), and you do agree that fingerprinting should be avoided, and you also stated that the only reasonable way to do that is by blocking fingerprinter's javascript code from running, so no other ways that you want to consider. If we follow that logic, then when some entity decides to break (easily, at that) your only way of defence then you need to think of a better way, otherwise it makes the type of protection you offer pointless.
I don't see how just shrugging it off can make it work for Orion, or how advertising tracking safety in Orion can hold then. Certainly those entities can care less about their websites being broken in it.
Certainly those entities can care less about their websites being broken in it.
I agree. But I am counting on those entities not showing an infected JS to their users would be something they would care about. It breaking in Orion and Orion users reporting it to them would even help them realize that they are carrying infected, malicious scripts. But it is absolutetly website's job to fix that, not Orion's.
Vlad
You're making two points here:
- It's absolutely the website's job to fix a script hijacking issue, and
- You're counting on website entities to care about Orion users's opinion
Not arguing with any of those two points but simply extending that logic leads us to a conclusion that it's absolutely those entities's job to remove regular fingerprinting and tracking scripts from their products in the first place, given that users are complaining about them left and right, and not only Orion users at that. Which brings us to question why blockers even exist in Orion at all.