Anti Fingerprinting

Vlad · Oct 14, 2023

spicysalmon I've called anti-fingerprinting marketing in browsers a gimmick, not the tests. The tests are also largely irrelevant, I do not know of tests that employ tactics uncovered in cutting edge tracking research like inicated here https://orionfeedback.org/d/2450-anti-fingerprinting/5 which most powerful ad-tech that we should be afraid of certainly does. The only protection against fingerprinting is not to allow the fingerpritner to run in the first place which is the strategy Orion employs.

Ttechfreak85 · Oct 24, 2023

I'm confused, since lately even Orion hasn't been blocking the https://fingerprint.com/demo/ demo for me. On the latest version of Orion and everything. Anyone else?

Vlad · Oct 24, 2023

techfreak85 Maybe too much to ask, but reading this thread may give you the answers.

Soum · Nov 26, 2023

@Vlad I've read the entire thread. I understand your point. But what I don't understand is why do one thing but leave other things? Orion has GPU fingerprinting protection which is great, but why would you not make it anti-fingerprint for other methods of fingerprinting? Even if they don't matter in your opinion, why not just do it for the sake of making Orion 100% anti-fingerprint browser without any doubts?

Vlad · Nov 26, 2023

Soum Because you can't. If a sophisticated fingerprinter (not talking about vanity/promotional tests found on many websites) is allowed to run, it WILL fingerprint you. These are massive corporations with billions to spend doing only that. We are a small team doing million other things. At the cutting edge level, we can not outrun them (and I'd argue no browser vendor can).

The absolutelty best strategy is not to allow the fingerprinter to run in the first place.

Soum · Nov 28, 2023

Vlad So are you saying currently Orion is 100% anti-fingerprint because fingerprinter can't run in the first place?

Vlad · Nov 29, 2023

Soum No, I am saying that our approach is the best possible. The quantity of fingerprinters stopped with this method will depend on the quality of blocklists (which are now customisable since last release). But this approach does not care about the sophistication of the fingerprinter as long as it is on the blocklist.

Soum · Dec 8, 2023

Vlad

Since you talk about GPU fingerprinting protection, I was doing tests with https://www.deviceinfo.me on my current browsers: Brave, hardened Firefox dev edition, Mullvad browser, and TOR browser. In short my data is almost completely exposed by Firefox even the hardened one. Brave spoofs and randomizes a lot of the data but not fully stops the expose. Mullvad is like 99% there and TOR 99.99% full anonymize. Check yourself if you want.

Then I thought let's test this on Orion. So I reinstalled Orion (so cool intro video, always good to see it). The conclusion for Orion test is that it's on the same level as Brave (except that it has zero telemetry when compared to Brave)

I might not understand what GPU fingerprinting is but the GPU fingerprinting you talk about isn't helping in stopping the expose of all information regarding my Mac. My local time. Etc. A lot of my info is exposed. What do you think?

JBMagination · Dec 17, 2023

I do understand Orion's philosophy. However, I don't accept that it's pointless to make these changes. My standpoint is not from a perspective of trying to be unidentifiable; if that was what I wanted, I would be using Tor Browser. I will make that explicitly clear: I am speaking as someone who doesn't care about being fingerprinted.

My standpoint is from privacy: preventing scripts that aren't known about yet from getting anything - and to be more specific, said scripts getting accurate information about me. I care less if a fingerprinter tries to track me, or if it can follow me around the internet, or if it does indeed have a unique fingerprint on me, if the information it ends up having is wrong. I do, however, understand that this can lead to a false sense of security as fingerprinters get better and better.

I think an acceptable compromise would be to have these features, but have them off by default, put somewhere away from the main settings, and made explicitly clear as settings that Orion does not think is truly beneficial to stop fingerprinting (basically an "enable at your own risk" thing.)

Vlad · Dec 18, 2023

JBMagination Can you give an example?

RobOK · Jan 31, 2024

This is an important topic, I've read the thread. I went to the GPU article and commenters said that Firefox allows you to turn off WebGL. Is this possible in Orion, is it recommended?
Vlad, how can I be sure I am maximizing Orion's ability to protect our privacy? Simply default settings or more to do?

EDIT: I gather Orion is allowing the test sites to run but won't allow the scripts on real sites to run -- how do I validate this? Is there somewhere in Orion that I can see what got blocked by Orion?

Vlad · Feb 5, 2024

RobOK Yes, clicking the shield icon.

CCynical-Consumer · Mar 28, 2024

For improving privacy. Other anti-fingerprinting methods haven’t been working for me on my iPhone. The fingerprint detector on Coveryourtracks.eff.org keeps returning me the EXACT SAME hashes of canvas, WebGL, etc. fingerprints, whether I use any anti-fingerprinting extensions, or use the Brave browser (which claims to randomise my fingerprint). Why not have the option to simply disable those features altogether (and also have the option to whitelist sites that do really need them)? Epic is the only browser available on iOS that actually does this (coveryourtracks also returned to me a very different hash of canvas and WebGL when I used Epic as a result), but it would be really great to see this feature on Orion
This is what I got from amiunique.org when using Epic:

I would imagine those options to be in the Settings or in a pop-up opened by selecting an icon on the header or near the tabs. We would toggle on/off various features, and manually enable them locally for or whitelist sites that won’t work without them enabled. Like in Brave, where we can choose to block or enable trackers, phishing, fingerprinting and scripts on individual sites.

Rrobrecord · Apr 29, 2024

It appears to me that Orion doesn’t want to create anti fingerprinting techniques because it would be a maintenance burden, which is a shame. Many of us have shown the techniques employed at the moment (blocklists) go a long way but don’t cover the depth and breadth of the situation. I guess plug-ins might be able to eventually fill in the gaps.

And, I appreciate Orion has to make decisions that are right for them.

Hellfire103 · May 3, 2024

I recently reinstalled Orion on my iPhone, and I'm impressed with the browser in many ways. However, upon running Cover Your Tracks, I noticed that the browser has no canvas blocking or WebGL blocking, which makes the browser more fingerprintable.

It's relatively simple to block this. The WebGL fingerprint can be spoofed, and HTML canvas can be disabled altogether.

As of right now, I don't think any other browsers on iOS can do this, but I'm sure it would be quite beneficial if included as a toggle in the settings, as canvas does have some legitimate uses.

Could this be done?

A user could turn on the feature to avoid being tracked across various websites.

Vlad · May 3, 2024

Hellfire103 Fingerprinters you should be afraid of do not use techniques that are easy to block.

The only thing that works is blocking the fingerprinter itself from running. Everything else is cheap marketing aimed at creating false sense of protection. Orion is the only browser on the market that ships with built in blocker for both 1st and 3rd party ads and trackers.

pibeh · May 26, 2024

@Vlad So let us imagine a scenario where a multi-trillion-dollar company hijacked one of legitimate scipts, say, jquery, that it self-hosts, to insert a fingerprinting block. Then, suppose, everyone started doing that. What would Orion's response be?

Vlad · May 28, 2024

pibeh Orion has to do nothing that is the beauty of this approach. Such change would immediately be noticed and added to crowd-sourced blocklists that Orion uses and as soon as users update, they would have it blocked completely.