@User2288 The 2 posts you've made here are incredibly wrong and you're also giving harmful, extremely dangerous advice. Using a browser without security patches for vulnerabilities being actively exploited in the wild is a horrible plan for anyone. User-generated content exists as do all kinds of XSS and other vulnerabilities in websites so even if you fully trust sites with control over your devices, that approach does not make sense at all. It's also highly unlikely you're only browsing those 'trusted' sites and not opening links from them.

People using a niche browser or non-default settings can be fingerprinted based on that alone, and especially in combination with what's remaining. You have an incorrect understanding of how fingerprinting works and how protections against it work. Also not clear why you're claiming Vanadium has no anti-fingerprinting. You're describing doing things which give you an incredibly unique fingerprint where you completely stand out from every other user simply based on your extensions and how you use them.

You're describing doing the opposite of what you would be doing if you were minimizing fingerprinting.

You've derailed this thread with a whole bunch of misinformation and off-topic tangents.

    Adblocking is not a privacy or security feature. It is merely for convenience. Badness enumeration generally does not work.

    Depending on the implementation, having an adblocker may increase attack surface. See this for an example:

    https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css

    As for fingerprinting resistance, if your threat model calls for it, the Tor Browser is your only option. Brave's resistance is only enough to fool naive scripts - more sophisticated ones like https://fingerprint.com/ can fingerprint it as usual. Its resistance is only nice-to-have, not something you can seriously rely on if this is the threat model.

    Like @GrapheneOS said, what you are doing is the exact opposite of what you should be doing if fingerprinting is a concern. A crucial part of this is not using such a niche setup that you are the only one using it. Take, for example, the Tor Browser, which has 3 different privacy modes which change NoScript configurations. You cannot use the safest mode, but you don't wanna go all the way down to the safer or standard mode. You go ahead and make your own NoScript configuration. Does that make you stick out from the rest of Tor Browser users? Yes it does.

    As for what threat model a browser without fingerprinting resistance or adblocking would be acceptable for - a lot of them, especially ones where you already log in to an account that identifies you - banking, work, LinkedIn, GitHub and so on. I personally use Edge for most of these tasks for example, because with them security is what matters.

      GrapheneOS The 2 posts you've made here are incredibly wrong and you're also giving harmful, extremely dangerous advice

      I'm not giving any "advice" at all. I was merely answering @TommyTran732's question and only sharing my thoughts out loud with the intention of open and friendly discussion so what's incorrect can be pointed out and falsehoods explored, and concepts challenged, with the aim of reaching a better collective understanding. After all, any "bad" argument can be pulled apart and its falsehoods exposed for the betterment of everyone. One thinks out loud amongst "friends" to have them point out his faults. Assuming we are friends, and not here to just tear each other apart.

      GrapheneOS You've derailed this thread with a whole bunch of misinformation and off topic tangents.

      I haven't, I only answered a question. I didn't make any of my comments from the second post in the first one. I am responding to his inquiry, not voluntarily going off on a tangent. Him asking me why, is perhaps the tangent. Please be a little more fair in your assessment.

      I don't know what you think this was, I thought I was having a friendly discussion with some people. Not a campaign of "misinformation".

      GrapheneOS You're also telling people to use a far less secure device for their web browsing.

      I'm not telling people anything.

      Thanks for your response @TommyTran732 .

      I find this a very meaningful discussion to further pursue and at the very core of why we're all here. I do have a few questions and counter arguments to make. But, for the sake of respecting @GrapheneOS's wish and of not venturing outside the scope of the subject of this thread any further, I'll stop my responses here and perhaps discuss in a separate thread.

      Thanks for the link @TommyTran732, it was an eye-opening read.

      I'll just say, wouldn't using Vanadium as you described then give a unique fingerprint of you to all those sites, and every other site you go to?

        User2288 Vanadium will appear the same as any other Vanadium on the same device model, and we don't support a lot of device models. The screen resolution and performance of the device (both CPU and GPU) are essentially enough to identify the device on their own. Main language, time zone and your IP / DNS resolver are the main differentiation between users. If you change site-facing settings, that makes you stand out more. There is not really anything that Vanadium can do beyond completing state partitioning (in progress) and providing a way to set a standard language (US English) and time zone (perhaps UTC) as an override. Trying to hide other ways of differentiating between device models via GPU will amount to almost nothing. With a lot of changes, perhaps certain device models we support could appear the same to websites in most ways, but we don't support a lot of device models anyway. It can be easily detected which browser is used based on how it behaves. The more we change, the easier that is to detect. This is why a very niche, barely used browser trying to do anti-fingerprinting features ultimately doesn't work. Nothing can compare to the userbase of a browser like Chrome or Safari. Anti-fingerprinting works best in an enormously widely used browser. Getting rid of ways to detect device model only helps if it's used across many device models. Unless we normalize screen resolution somehow, there is no point.
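The point made in the posts above (a niche configuration or a changed site-facing setting shrinks the group you blend into), worked through as an added example that is not part of the thread. The population counts are constructed, and the attribute names and the `with_override` helper are assumptions for illustration only.

```python
from math import log2

ATTRS = ("browser", "device", "lang", "tz", "settings")

# Constructed population (not measured data): (profile, number of users).
POPULATION = [
    (("Chrome", "Pixel 7", "en-US", "America/New_York", "default"), 5000),
    (("Chrome", "Pixel 7", "de-DE", "Europe/Berlin", "default"), 1200),
    (("Vanadium", "Pixel 7", "en-US", "America/New_York", "default"), 40),
    (("Vanadium", "Pixel 7", "en-US", "UTC", "default"), 10),
    (("Vanadium", "Pixel 7", "de-DE", "Europe/Berlin", "default"), 7),
    # One user who changed a site-facing setting (hypothetical "custom" value).
    (("Vanadium", "Pixel 7", "en-US", "America/New_York", "custom"), 1),
]

def anonymity_set(population, profile, attrs=ATTRS):
    """Number of users indistinguishable from `profile` on the given attributes."""
    idx = [ATTRS.index(a) for a in attrs]
    key = tuple(profile[i] for i in idx)
    return sum(n for p, n in population if tuple(p[i] for i in idx) == key)

def surprisal_bits(population, profile, attrs=ATTRS):
    """Identifying information in bits: -log2(share of users with this profile)."""
    total = sum(n for _, n in population)
    return -log2(anonymity_set(population, profile, attrs) / total)

def with_override(population, browser="Vanadium", lang="en-US", tz="UTC"):
    """Hypothetical override: every user of `browser` reports one language and time zone."""
    return [((b, d, lang, tz, s) if b == browser else (b, d, l, t, s), n)
            for (b, d, l, t, s), n in population]

DEFAULT = ("Vanadium", "Pixel 7", "en-US", "America/New_York", "default")
CUSTOM = ("Vanadium", "Pixel 7", "en-US", "America/New_York", "custom")

if __name__ == "__main__":
    for name, prof in (("default", DEFAULT), ("custom", CUSTOM)):
        print(name, anonymity_set(POPULATION, prof),
              round(surprisal_bits(POPULATION, prof), 2))
    merged = with_override(POPULATION)
    print("default after override",
          anonymity_set(merged, ("Vanadium", "Pixel 7", "en-US", "UTC", "default")))
    print("custom after override",
          anonymity_set(merged, ("Vanadium", "Pixel 7", "en-US", "UTC", "custom")))
```

In this constructed data the language and time zone override merges the default-settings users into one group, while the user with a changed site-facing setting stays in a group of one.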

          TommyTran732 Brave's resistance is only enough to fool naive scripts - more sophisticated ones like https://fingerprint.com/ can fingerprint it as usual.

          Just posting to address this point in particular. I'm not sure this is a good example of the limitations of Brave's fingerprinting resistance. See the discussion here: https://github.com/brave/brave-browser/issues/20268. If I understood correctly, it seems that fingerprint.com's demo isn't actually very sophisticated and while it may look impressive, it is probably not very precise in practice. Or at least that was the case some time ago.

          I'm not saying Brave's anti-fingerprinting is flawless either.

          The major problem facing an unsophisticated user, such as I, is our inability to distinguish BS from “real” information.

          We therefore have to rely on the folks who have deep and firsthand knowledge of the project, and regard all others with suspicion.

            Good discussion here ...

            to use a PWA I can't use incognito mode, or it forgets log in/2fa, etc...

            But PWA is still a webpage, utilizing all the web tracking tools (i.e. tracking pixels, etc.) that don't get cleared on exit

            So any other site visited in the same browser can follow those pixels, tracking my usage/tastes outside the PWA

            So it seems I'd need a dedicated browser only for PWA apps .. OK, that's fine. But if Brave is able to lock down further than Vanadium it sounds better for quick non-followed searches, and Vanadium is the default browser for opening links, its extra security is needed there, but in incognito mode...

            So I need to install a third browser just for PWA (and the increase in attack surface that comes with that) ... I'm looking for a better option.

            Is there a way to have multiple installs of Brave (with different settings, not sharing cookies, tracking pixels, etc.) on a single profile?

            Currently I have to use a second profile to accomplish this

              matchboxbananasynergy

              Interesting, I'll have to keep an eye out for this .. .

              When I think of cloning, they would still share states though? . . . ie: shared cache/storage/install parameters .. so a tracking pixel set on one, would be inherited to the other

              Guess we won't know until it's released and we can test the implementation.

                Graph_Curious No. To my understanding, they'll be distinct. For example, you'll be able to log into one account on one instance of the app, and to another account on the other instance of the app. It doesn't just apply to browser apps, but all apps.

                  • [deleted]

                  GrapheneOS Hi, we had this discussion last night on Twitter and indeed it is a complicated subject. But on GrapheneOS, the best solution to navigate while being blended in the biggest mass would be to use Google Chrome? Would using it on GrapheneOS make it unique or is it better to stay on Vanadium? What is the best solution to be invisible? (A bit to close the topic once and for all)

                  I think anyone who thinks that they can truly “be invisible” is chasing fairies in the moonlight, but that’s just my opinion.

                    • [deleted]

                    OpenSource-Ghost Yes, but we can't count on the digital fingerprinting of a completely modified Chromium browser... That's either Chromium or Vanadium in my question. Plus Brave includes a VPN and crypto stuff so not good

                      • [deleted]

                      And Brave is not in version 112 at the moment

                      Does anyone know whether it is possible to install Vanadium on a non-GrapheneOS system? Or is there a decent fork of it?