Comments (9)

dan-kir commented on August 20, 2024

The current guidance on browser/device fingerprinting is that users should attempt to randomize their fingerprint? There are some steps provided to configure the browser to 'resist' fingerprinting (No guarantees here). I'm also not so sure that attempting to randomize a device fingerprint is practical either.

Really the best way to defeat such fingerprinting methods is to use Tails with all its default configurations. This way your browser and device fingerprints are as close as possible to other Tails users.

Do we need to offer differing levels of fingerprinting resistance depending on threat model?

Is compartmentalization of browsing activities enough?

The provided source for Brave being great at fingerprinting resistance is a Brave article? Surely a third-party source would be more appropriate? This article was also last updated Nov 2019, so things have likely changed.

from thgtoa.

 avatar commented on August 20, 2024

Yup so it does need updating. But we can't just say "use Tails".

from thgtoa.

dan-kir commented on August 20, 2024

Agreed. This is why I am suggesting a tiered approach.

Example:
Tier 0 - Firefox/Brave with recommended configurations/add-ons
Tier 1 - Tor Browser in a Qubes OS VM
Tier 2 - Tails Live USB with default configurations

from thgtoa.

 avatar commented on August 20, 2024

Yes but ... no ... This part of the guide is listing threats. And listing generally how to mitigate them. But not in detail.

Right? There are other sections below for that with details.

What this section needs is up-to-date information about fingerprinting threats. Some little advice like don't change the Tor config. Especially on Tails don't mess with uBlock.

So we need to make sure the threats are up to date, with references and archive.org link. We need to make sure fingerprinting is explained correctly so that ANYONE low or high skilled will get it. But again, this is not a place for a detailed tutorial on anti-fingerprinting. You can list some things but not go too deep in there. You're before the routes start.

And possibly links to appendixes and other sections below that do explain how to harden your browser. These exist for Tor explaining the safety levels. For Brave. For Firefox.

from thgtoa.

 avatar commented on August 20, 2024

You can actually make a PR request btw ... but only a DRAFT PR :)

from thgtoa.

nopeitsnothing commented on August 20, 2024

> The current guidance on browser/device fingerprinting is that users should attempt to randomize their fingerprint? There are some steps provided to configure the browser to 'resist' fingerprinting (No guarantees here). I'm also not so sure that attempting to randomize a device fingerprint is practical either.

The problem of anti-fingerprinting is that most of it is "add this extension" and results in menial ways of reducing your footprint but raising the likelihood of your being fingerprinted. It's not recommended to add a ton of extensions that make you appear more unique.

> Really the best way to defeat such fingerprinting methods is to use Tails with all its default configurations. This way your browser and device fingerprints are as close as possible to other Tails users.

The best way is to use Tor, at all. Using Tor makes you look like all the other Tor browsers, assuming you don't change the default settings, disable JavaScript by switching to Safest mode and don't install non-essential add-ons.

> Do we need to offer differing levels of fingerprinting resistance depending on threat model?

I agree it's a big problem but not that it should be tiered in the guide as you say. Firefox does a fantastic job of hardening with Arkenfox/User.js in place, and Tor does what it's designed to do without the need for any scripts and extensions (this is harmful to you and your anonymity/OPSEC). The guides out there, which recommend hardening tips, down to the levels you describe, are actually not necessary when you consider using Tor inside Tails and Whonix. That alone will make you less susceptible to fingerprint techniques.

A hardened Firefox is nice but you can switch to Brave which, by default, is good to use out of the box and can still be hardened using our guide or others out there. The options are many. I understand wanting to have a guide section for hardening but it's been done by many others and it's a negligible security increase. Not a bad thing, but not something you have to manually do - just use browsers meant to provide security and privacy like Brave, Bromite, Tor, etc.

> Is compartmentalization of browsing activities enough?

This isn't something a hardening guide shows you how to do, because that's up to your threat model; it's highly dependent on your own needs.

> The provided source for Brave being great at fingerprinting resistance is a Brave article? Surely a third-party source would be more appropriate? This article was also last updated Nov 2019, so things have likely changed.

https://libreddit.privacydev.net/r/PrivacyGuides/comments/s37xcc/firefox_vs_brave_i_tested_them_so_you_dont_need_to/
https://madaidans-insecurities.github.io/firefox-chromium.html
https://madaidans-insecurities.github.io/browser-tracking.html#configuring-the-browser
https://ffprofile.com/
https://itsfoss.com/brave-vs-firefox/

That information was updated in March so it's fairly recent enough to assume it's the same.

Additionally, some browsers are simply better at things than other browsers at those things. Bromite is better than Firefox on mobile, so I've found. Firefox doesn't provide isolation security and sandboxing like Brave does, and Firefox has better fine-tune controls of your settings than Brave does, while remaining less usable for browsing specific content like Netflix (requires DRM enabled which may be bad for a user threat model).

You should consider that there's no browser that significantly reduces your fingerprint and raises security across your devices. It's simply not feasible to use something like Arkenfox on mobile anyway.

from thgtoa.
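
The point made in the comment above, that a stock Tor Browser blends into a large crowd while each extra add-on shrinks that crowd, can be put in numbers. This is an added example, not part of the thread or of the guide; the population, profile names, extension names and counts are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed population of 1024 visitors as seen by one tracking script.
# A fingerprint here is (browser profile, set of detectable extensions).
# Profile names, extension names and counts are invented for illustration.
POPULATION = (
    [("tor-default", frozenset())] * 512
    + [("tor-default", frozenset({"ext-a"}))] * 8
    + [("tor-default", frozenset({"ext-a", "ext-b"}))] * 1
    + [("other-browser", frozenset())] * 503
)


def anonymity_set(population, fingerprint):
    """Number of visitors that present exactly this fingerprint."""
    return Counter(population)[fingerprint]


def surprisal_bits(population, fingerprint):
    """Identifying information carried by the fingerprint, in bits."""
    size = anonymity_set(population, fingerprint)
    if size == 0:
        raise ValueError("fingerprint not present in population")
    return math.log2(len(population) / size)


def rank_by_uniqueness(population):
    """Return (fingerprint, set size, bits) rows, most identifiable first."""
    counts = Counter(population)
    total = len(population)
    rows = [(fp, n, math.log2(total / n)) for fp, n in counts.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for (profile, extensions), size, bits in rank_by_uniqueness(POPULATION):
        label = "+".join([profile, *sorted(extensions)])
        print(f"{label:28} set={size:4d} bits={bits:5.2f}")
```

In this constructed population the default profile shares its fingerprint with 512 visitors (1 bit), while the same browser with two detectable add-ons is the only one of its kind (10 bits, enough to single it out among all 1024).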

 avatar commented on August 20, 2024

Any update @dan-kir ?

from thgtoa.

dan-kir commented on August 20, 2024

> Any update @dan-kir ?

This is not a small task. I have just wrapped up a review of the Qubes route. Will provide an update on this issue when I have one.

from thgtoa.

nopeitsnothing commented on August 20, 2024

I've unassigned @dan-kir and assigned myself to this instead. Wrapping up a PR now. Thanks for understanding.

from thgtoa.
