Vanadium unique fingerprinting

AlexTerrible

Hi, tested on my new 9 the fingerprinting on many websites and it's quite unique so extremely easy to de-anonymise.

How unique is your fingerprinting? Why despite the many pushes from the entire community this continues to be a problem in Vanadium?

The results are quite different using more privacy friendly browsers but on these the security decrease because not built on GrapheneOs.

angela

AlexTerrible

i expect to be banned for this, and am okay with that. Okay with being banned and still mean no disrespect, am grateful for gos development team making gos.

GOS developers often say something like because fingerprinting can always be defeated by highly advanced adversaries that hiding fingerprints or blending fingerprints is not something they prioritize over security. (They will likely contradict this if they see this, as I'm sure I am misstating what they have previously said, possibly by a large amount.)

Even firefox, which does not have great sandboxing, has some simple built in ways to stop fingerprinting for low skill adversaries or dragnet survealence. I have absolutely no idea why, when so many gos users care about privacy, that they don't add in web fingerprint protection by default.

It also seems somewhat incongruent to me, to the point it's concerning. Also, if things are highly randomized, user may be unique but not identifiable, so they may have improved thisand just havent noticed since hsvent tried vandium in a while. Ever time I tested vandium at first I was surprized how it seemd like there was no protection at all.

Considering many apps use webview to display things, webview with vandium may also be providing unique identifiers.

Many Apps have identification techniques inside the App, so it is often pointless to try to be anonymous while using Apps. GOS developers have often indicated since fingerprinting uniqueness is so hard to block in mobile environments they don't want to offee false sense of security for fingerprints. (Probably misstatingwhat they said)

I don't understand it. There are some chromium extensions that can rnadomize values and some are open source. Why would it be hard to fork them an add them in?

But it's a small development team and they have said before it's open source so if you disagree with something learn to code and contribute. There are also other identifiers in GOS that Apps can get and are consistent.

Onlyfun

AlexTerrible is fingerprint consistent through your tests?
I use amiunique.org and everytime it indicates a new unmatched fingerprint/visiter. The informations that the fingerprint consists of seem similar or identical to previous ones. There should be more details involved, but I have no clue how to find those out. Or makes me think amiunique.org is bs.

Suggest some reputable sites for this purpose if possible please. I mean those that not only reveal the fingerprint, but evaluate its trackability.

wuseman

The only solution for all things fingerprinting is to use Tor or something similar.

Even if Vanadium was perfect when it came to all things fingerprinting there are like.. 500k potential other users in the entire world that you’re blending in with. That likely means you’re the only user on your websites that’s using Vanadium.

gvprtskvni

wuseman Brave seems to be better against fingerprinting since it has a much bigger user base. Not sure if there are other drawbacks though.

On the topic of fingerprinting, does anyone know if there is any downsides with setting your system region to a more populated country in the same time zone? Changing the region from, say, Denmark to Germany seems to reduce the fingerprint uniqueness a bit according to https://coveryourtracks.eff.org/

argante

wuseman The only solution for all things fingerprinting is to use Tor or something similar.

Tor, VPNs, and even Nym's Mixnet don't protect against fingerprinting. These solutions only protect your IP.

I think there are three approaches to fingerprinting:
1) Fingerprint randomization – this is what Brave is trying to do
2) Fingerprint repeatability – this is what Tor Browser is trying to do
3) Fingerprint containerization – you use Google Chrome for Google services (gmail, youtube) and nothing else, you use Brave for social media and nothing else, you use LibreWolf for specific forums and nothing else, etc.

Bonus: If you really value privacy, use RSS/Atom through a client like Briar instead of a browser.

AlexTerrible

gvprtskvni
OK but why is GraphemeOs not working on it? Do all the users have such bad fingerprinting rates or am I the only one?

gvprtskvni

AlexTerrible The problem is that not enough people use Vanadium since it's only available on Graphene, which inevitably makes it's fingerprint more unique.

Therefore I tend to use Brave for more privacy invasive websites. If fingerprint.com is anything to go by, it looks like they can't easily fingerprint Brave over longer periods of time and across different profiles with different browser settings.

AlexTerrible

Security over privacy.

userofgos

angela GOS developers often say something like because fingerprinting can always be defeated by highly advanced adversaries that hiding fingerprints

From my observations, people have a hard time comprehending how difficult it is to defeat fingerprinting. Yes there are ways to reduce your fingerprint, but there are also many ways to make your fingerprint more unique (a lot of times this is done in the pursuit of reducing your fingerprint by adding extensions, customising browser settings by changing the default values, etc). Hiding amongst the crowd is the trick, but that also comes with it's challenges. I think argante brought up some key differences in the approaches/goals in dealing with browser fingerprinting.

angela There are some chromium extensions that can randomize values and some are open source. Why would it be hard to fork them an add them in?

In regards to browser extensions, sure they may have cool/desirable "privacy" features, but they more often than not contribute as another way to uniquely identify you. The more extensions you add the more unique you become. You also increase the potential attack surface with each extension.

angela There are also other identifiers in GOS that Apps can get and are consistent.

This is not a GrapheneOS specific issue, but an issue with Android.

FlipSid

A old thread, but I believe still valid.
https://www.reddit.com/r/GrapheneOS/comments/ciizae/vanadium_and_bromium_privacy/
Best bet, on GrapheneOS, is to use Vanadium.

de0u

angela Even firefox, which does not have great sandboxing, has some simple built in ways to stop fingerprinting for low skill adversaries or dragnet survealence.

I'm not sure I know exactly what is meant by this. Is it possible to provide an example of a low-skill tracking adversary? What is meant by "dragnet surveillance" -- is it possible to provide an example of an organization that does it? How do we know how well Firefox's "simple techniques" work? 80% of "dragnet surveillance" actors are thwarted?

angela There are some chromium extensions that can rnadomize values and some are open source. Why would it be hard to fork them an add them in?

Here again I'm not sure I understand the question. Perhaps it would take just an afternoon to pop a Chrome extension into Vanadium, but which one? How about carefully reading the code to make sure it's secure? How about testing it? How about checking periodically to see how the original extension has changed?

angela It also seems somewhat incongruent to me, to the point it's concerning.

I guess if it seems that one developer spending one afternoon could cause Vanadium to evade 50% of "dragnets", that might seem incongruous. But I suspect the situation is more like permanently consuming 10% of a developer would evade 5% of "dragnets" (though, again, I'm not sure what those are).

Meanwhile, if only because people keep asking for anti-fingerprinting measures to be added to Vanadium, I honestly suspect the GrapheneOS developers have weighed their estimate of the costs against their estimate of the benefits. How confident are you that they're wrong?

FlipSid

angela
Don't have much to write, but since I've been on GrapheneOS I did much searching, inkl. Browser Informations. Here are 2 old threads that maby will shed some light into your concern:
https://www.reddit.com/r/GrapheneOS/comments/bg03np/browsers/
https://www.reddit.com/r/GrapheneOS/comments/ciizae/vanadium_and_bromium_privacy/
For me, as a "noob", this makes more sense than just using some extension and magically having 50% better fingerprinting resistance, or privacy.
But of course the Internet full of content promoting this stuff. If you search for it. Yon find it.
Personally I'm sure the Devs did a good job and know what there doing regarding the OS and Vanadium

DeletedUser433

Vanadium does have some fingerprinting resistance. Also it's largely impossible to completely hide your fingerprint. If it's that important you should use Tor or Brave

It's worth noting that the Vanadium canvas / WebGL / audio fingerprints match 100% with Chrome on the stock OS for the same device family (based on SoC). This is a good thing. In general, Vanadium avoids site visible changes at the moment. This means not shipping some of the anti-fingerprinting features because it makes the browser more easily fingerprinted due to having those features.

(EFF's fingerprint test) is a poorly designed, inaccurate service and is misleading you. You should ignore it. The service also tries to push bad ideas from the EFF from the same school of thought as the useless Do Not Track feature, such as disabling content blocking if sites promise not to track you. Some of what they want like disabling filtering when a site promises not to track is just insane. It's full of misleading political nonsense, the service encourages privacy theatre and it lacks a scientific approach with technical rigour. Rather than improving privacy, browsers are gaming these services just like other benchmarks.

FlipSid

Onlyfun Suggest some reputable sites for this purpose if possible please. I mean those that not only reveal the fingerprint, but evaluate its trackability.

Check out the links I shared above your post. You'll find valuable information in them

LGgos

Correct me if I'm wrong but doesn't everyone show up as "unique" on those fingerprinting sites these days due to randomisation in the canvas data that browsers spit out?

Or are we all just wasting our time trying to be private/anonymous?

TrustExecutor

LGgos This.

job_shredder69

Like many have already suggested. Tor Browser for privacy, and Chromium based browser for security or mixed of privacy and security. Simply put, compartmentalize your browsing ie Firefox or forks for general stuff and Chromium or forks for logins.

An oldie, but goodie, https://madaidans-insecurities.github.io/browser-tracking.html

Hope that helps.