36

It appears to me that Orion doesn’t want to create anti fingerprinting techniques because it would be a maintenance burden, which is a shame. Many of us have shown the techniques employed at the moment (blocklists) go a long way but don’t cover the depth and breadth of the situation. I guess plug-ins might be able to eventually fill in the gaps.

And, I appreciate Orion has to make decisions that are right for them.

    I recently reinstalled Orion on my iPhone, and I'm impressed with the browser in many ways. However, upon running Cover Your Tracks, I noticed that the browser has no canvas blocking or WebGL blocking, which makes the browser more fingerprintable.

    It's relatively simple to block this. The WebGL fingerprint can be spoofed, and HTML canvas can be disabled altogether.

    As of right now, I don't think any other browsers on iOS can do this, but I'm sure it would be quite beneficial if included as a toggle in the settings, as canvas does have some legitimate uses.

    Could this be done?

    A user could turn on the feature to avoid being tracked across various websites.

      Hellfire103 Fingerprinters you should be afraid of do not use techniques that are easy to block.

      The only thing that works is blocking the fingerprinter itself from running. Everything else is cheap marketing aimed at creating false sense of protection. Orion is the only browser on the market that ships with built in blocker for both 1st and 3rd party ads and trackers.

          Merged 2 posts from Canvas blocker on iOS?.
            23 days later

            @Vlad So let us imagine a scenario where a multi-trillion-dollar company hijacked one of legitimate scipts, say, jquery, that it self-hosts, to insert a fingerprinting block. Then, suppose, everyone started doing that. What would Orion's response be?

            • Vlad replied to this.

              pibeh Orion has to do nothing that is the beauty of this approach. Such change would immediately be noticed and added to crowd-sourced blocklists that Orion uses and as soon as users update, they would have it blocked completely.

                  Vlad Well, but it will break those websites completely now, wouldn't it? I don't know if anyone has employed that technique in the wild yet, but it's a neat circumvention idea. I'm just not sure I described it clearly.

                  The idea is to hold a common third-party javascript library ransom, so you either have to break the site's functionality completely or agree with whatever that was added in that script.

                  • Vlad replied to this.

                      pibeh Correct, as it should. Those sites would then need to rethink using an infected JS, it is not Orion's job to fix that.

                          Vlad Why is it not Orion's job to fix that? I don't see how that follows. I don't mean you need to "take on a job" right now literally, but rather that you do hold this anti-fingerprinting stance (and javascript blocking is being advertised as one of the defining features of Orion), and you do agree that fingerprinting should be avoided, and you also stated that the only reasonable way to do that is by blocking fingerprinter's javascript code from running, so no other ways that you want to consider. If we follow that logic, then when some entity decides to break (easily, at that) your only way of defence then you need to think of a better way, otherwise it makes the type of protection you offer pointless.

                          I don't see how just shrugging it off can make it work for Orion, or how advertising tracking safety in Orion can hold then. Certainly those entities can care less about their websites being broken in it.

                          • Vlad replied to this.

                              pibeh

                              Certainly those entities can care less about their websites being broken in it.

                              I agree. But I am counting on those entities not showing an infected JS to their users would be something they would care about. It breaking in Orion and Orion users reporting it to them would even help them realize that they are carrying infected, malicious scripts. But it is absolutetly website's job to fix that, not Orion's.

                                  Vlad
                                  You're making two points here:

                                  1. It's absolutely the website's job to fix a script hijacking issue, and
                                  2. You're counting on website entities to care about Orion users's opinion

                                  Not arguing with any of those two points but simply extending that logic leads us to a conclusion that it's absolutely those entities's job to remove regular fingerprinting and tracking scripts from their products in the first place, given that users are complaining about them left and right, and not only Orion users at that. Which brings us to question why blockers even exist in Orion at all.

                                  • Vlad replied to this.

                                      pibeh I am making just the first point. The other point I am making is that it is not Orion's job to fix maliciously infected websites, but to protect its users, which it does.

                                      Blockers exist because most websites on the web are monetized by ads which people do not like. In addition blockers block tracking scripts, which contain fingerprinters, which is what this thread is about.

                                          3 months later

                                          Similar in the way we're able to set a custom User Agent, please also allow the ability to spoof the locale, timezone, and geolocation. This will add greater granularity to privacy with the browser.

                                          Within the same area where a user can change their User Agent, also allow them to also change the locale, timezone, and geolocation to a specified setting.

                                            0xChain Theoretically its tough and advanced js can bypass/detect spoofing (eg. corelate ip, browser languages, system languages with locale, timezone and geolocation).

                                            So if not done correctly, it can make the browser easily fingerprintable, thus reducing privacy.

                                                Merged 3 posts from Allow spoofing locale, timezone, and geolocation.
                                                  5 months later

                                                  tested dozen of browsers on fingerprint.com

                                                  @Vlad you mention advanced fingerprint is impossible to prevent. how come Brave browser wasn't "tracked" on the fingerprint.com website? (unlike Orion)

                                                  thanks! keep up the good work

                                                    2 months later

                                                    0xChain
                                                    In N. America, without VPN or something like tor, I don't see a way to hide geolocation for home user. It is from our IP addresses. TZ go hand in hand with geolocation.

                                                    lkjhfgds
                                                    I tried brave browser, 100% new install (never use it before), did not change any settings, no extension, went to fingerprint.com in both normal mode and private mode, and got the same "visitor id". I did get a different id if I use private + tor. Is there any settings I need to change for the test?

                                                          No one is typing