Minimize differences of FP2.js browser fingerprints

[pes10k]

https://valve.github.io/fingerprintjs2/ reports different browser fingerprints on brave-core. This issue is to identify the differences its picking up on.

[ghost]

2fc01ae532f967b3bda3b42520cfb824

userAgent = Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/5
language = en-US
colorDepth = 24
deviceMemory = 8
hardwareConcurrency = 8
screenResolution = 1920,1080
availableScreenResolution = 1853,1053
timezoneOffset = -60
timezone = Europe/Prague
sessionStorage = true
localStorage = true
indexedDb = true
addBehavior = false
openDatabase = true
cpuClass = not available
platform = Linux x86_64
plugins = Chromium PDF Plugin,Portable Document Format,application/x-google-chrome-pdf,pdf,Chromium PDF Viewer
canvas = canvas winding:yes,canvas fp:
webgl = TypeError: Cannot read property '0' of null
webglVendorAndRenderer = null
adBlock = false
hasLiedLanguages = false
hasLiedResolution = false
hasLiedOs = false
hasLiedBrowser = false
touchSupport = 0,false,false
fonts = Arial,Courier,Courier New,Helvetica,MS Gothic,MS PGothic,Times,Times New Roman
audio = TypeError: Cannot read property 'slice' of null

The first thing I noticed is the time zone. And of course the platform in combination with the user agent.

[ghost]

Once this is done it could be part of CI/CD? If it's possible, the Panopticlick canvas fingerprint as part of CI/CD would be cool. Likely it's not necessary to use Panopticlick and it's possible to get the same value from fingerprintjs2.

[pes10k]

We have unit tests for the above already IIRC, so, done and done on canvas fingerprinting. We'd need to figure out what can be done about the full set of FP2.js values before we could CI though

[pes10k]

Summary of initial findings

1. Unsurprisingly, users differ by UA. Can we drop / lie about OS version number in the UA to collapse?
2. some difference on languages. We could collapse some of these (e.g. en-US and en-GB into en and similar options)
3. screenResolution and availableScreenResolution are the big differentiators. Not much we can do here. Possibly, when in 1p FP prevention mode, constrain the view port to well known sizes.
4. timezoneOffset and timezone: ¯\(ツ)/¯
5. fonts differ. Do we have a policy on this? Safari, for example, always returns the default system fonts, no matter what the user has installed. FWIW the panoptoclick paper finds this to be one of the most important items to address (Fingerprinting v3: Font Fingerprinting #816)

[ghost]

Isn't en-US more common than en? Also, isn't it more common for GB visitors to have en-GB than just en?

[ghost]

timezoneOffset and timezone: ¯(ツ)/¯

The obvious idea here is to make the browser think it's in the US/UK timezone. However, the combination of Czech IP with a UK timezone is way more rare than being a Brave user in Czechia.

It seems like the goal of all Brave browsers being indistinguishable can only be achieved if they are:

1. under the same IP (this is a binary flag);
2. changing their IP on each request (this is also a binary flag)

Since there are obvious problems with option 1, the only way instances of Brave can be indistinguishable from each other is if they ran Tor as well. At least in my opinion which I'd love to be proven wrong.

[tildelowengrimm]

Using Tor is a big gun privacy-wise, but it's not a benign solution — it comes with a lot of practical tradeoffs. Someone's IP is always going to be distinct from the next person's, at least for a while. Our general goal is to keep browsers similar to each other, apart from the IP.

[ghost]

keep browsers similar to each other

Do you leak the users country and timezone then, or do you fake it and let the site see that an e.g. Czech visitor is using an English lang & timezone?

[pes10k]

We do not fake that currently, since its likely to break sites

[ghost]

I don't mean currently, I mean what's the right approach if you want to keep browsers similar to each other. Imo it's better to have browsers similar in having a legit IP/browser lang & timezone combination than to have them similar in one specific value such as the browser lang & timezone.

[tildelowengrimm]

Current approach is:

1. Make some small randomization tweaks to break concat-&-hash fingerprinting approaches.
2. Also file separate issues for all the fingerprinting vectors we need to fix.

[pes10k]

Relevant sub issues (where it seems like we might be able to make the end points {more} consistent w/o breaking stuff)

• Fonts: Fingerprinting v3: Font Fingerprinting #816
• UA: Hide operating system in user-agent with fingerprinting protection enabled #701

This approach might also allow us to relax protections on WebGL and canvas and other things that we know are causing web break

[pes10k]

I'm closing this for now, since the default brave settings now return unique fingerprints each time for the default fingerprint2.js settings. Still keeping the child issues (#816, #701, etc) since they're good to address, but I think we're good re FP2.js