navigator.hardwareConcurrency serves as a fingerprinting vector #4129

Closed
riastradh-brave opened this issue Apr 16, 2019 · 7 comments
Labels
closed/duplicate Issue has already been reported feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields privacy privacy-pod Feature work for the Privacy & Web Compatibility pod

Comments

@riastradh-brave
Contributor

We should fix it to a certain number to plug this vector.

However, there's an issue: if a script can (a) run CPU-intensive computations in parallel, and (b) measure time, then the script can estimate the number of CPUs using those two tools. So this goes a little deeper. But we can at least plug the easy fingerprinting vector.

@riastradh-brave riastradh-brave added the feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields label Apr 16, 2019
@riastradh-brave
Contributor Author

Related: #2471

@pes10k
Contributor

pes10k commented Aug 9, 2019

related: #2655

@bershanskiy

FYI, Mozilla spoofs navigator.hardwareConcurrency = 2 when privacy.resistFingerprinting = true.
Source: https://bugzilla.mozilla.org/show_bug.cgi?id=1360039
Also, I just tested it and it is still the case.

Should this API be removed entirely, removed when shields are on or spoofed when shields are on?

I personally favor complete removal (even with shields down) because I can't think of a legitimate use for it and Safari does not have it (so web compatibility should not be an issue).

@pes10k
Contributor

pes10k commented Oct 12, 2020

Fixed by #10808

@pes10k pes10k closed this as completed Oct 12, 2020
@pes10k pes10k added closed/duplicate Issue has already been reported privacy privacy-pod Feature work for the Privacy & Web Compatibility pod labels Oct 12, 2020
@angryziber

@bershanskiy just noticed that Brave returns weird numbers here :-(
The use case is simple: for parallel computations using Workers, you determine the number of workers to run...

@pes10k
Contributor

pes10k commented Oct 13, 2020

Howdy @angryziber, you might find the specific details here useful #10808

Mainly the thinking is:

  1. this is a clear fingerprinting vector; there is just no way we're going to leave it unmodified
  2. it doesn't actually affect the number of workers that run
  3. Sites should already be conservative with the number of workers they're spinning up; it's rare that any site is the only tab open :)
  4. If users are on a site they trust, and need to enable uncommon uses on the web (i.e. they really want to light up all their cores bc of a site they're on), the right thing for them to do in Brave is to drop shields

Hope that helps explain the thinking behind Brave's approach!

@angryziber

@pes10k thanks for the response.

There is actually a difference between apps and web sites. Very specific web-based apps sometimes need to spin max number of workers. I am developing one, and it involves quite a lot of computations to analyze year-round shadows for solar roofs. But I guess users need not to forget to remove shields for the apps they rely on?
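
An added illustration (not code from Brave or from any commenter) of why the thread treats the raw value as a fingerprinting vector, and how the fixed-value and removal options raised above compare: it measures the Shannon entropy of what a page observes across a population. The core counts and the policy names are assumptions constructed for the example.

```javascript
// Constructed sample: logical core counts of 16 hypothetical visitors.
const SAMPLE_CORE_COUNTS = [2, 2, 4, 4, 4, 4, 8, 8, 8, 8, 8, 8, 8, 8, 16, 16];

// What a page reads from navigator.hardwareConcurrency under each option
// raised in the thread. Policy names are hypothetical labels for this example.
const POLICIES = {
  unmodified: (cores) => cores,
  fixedValue: () => 2,        // same constant for everyone (the thread cites 2 in Firefox)
  removed: () => undefined,   // property absent (the thread says Safari lacks it)
};

// Group visitors by the value the page would observe.
function observedGroups(policyName, population = SAMPLE_CORE_COUNTS) {
  const policy = POLICIES[policyName];
  if (!policy) throw new RangeError(`unknown policy: ${policyName}`);
  const groups = new Map();
  for (const cores of population) {
    const seen = String(policy(cores));
    groups.set(seen, (groups.get(seen) || 0) + 1);
  }
  return groups;
}

// Shannon entropy in bits: how much the observed value narrows down a visitor.
function leakedBits(policyName, population = SAMPLE_CORE_COUNTS) {
  let bits = 0;
  for (const n of observedGroups(policyName, population).values()) {
    const p = n / population.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Size of the smallest crowd any visitor can hide in.
function smallestAnonymitySet(policyName, population = SAMPLE_CORE_COUNTS) {
  return Math.min(...observedGroups(policyName, population).values());
}

for (const name of Object.keys(POLICIES)) {
  console.log(name, leakedBits(name).toFixed(2), "bits, smallest set:",
    smallestAnonymitySet(name));
}
```

The model covers only the directly readable property; the parallel-timing estimate mentioned in the opening comment is outside it.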
