Blastoidea A few people not from the GOS project have said here that you should use Chrome to blend in, but given the feedback I understand that they have deleted their accounts. It's too bad. There are not many ways to make something understood. If you want to gain privacy, it's simple: it depends on what you do with it. You can have a very private life on Chrome.

  • [deleted]

yourmother Maybe because it's only available on GrapheneOS?

Hi guys,
interesting topic and discussion here, which got me curious, so I've made some tests. Please see my blog post for the results in case you're interested, it's all a bit long to post it here as a newbie I think...
And to the GrapheneOS team: thanks for your wonderful work!
Cheers,
Wolfgang

    wjl thanks for taking the time to do some testing. Are you sure you want to share your IP and location that publicly? I don't know your threat model, but redacting IP and location wouldn't change the points you want to get across, so I assume it's unnecessary and potentially harmful data to share.

    Edit: Unrelated, but you should check if your German website needs a site notice (German "Impressum"). I wanted to see if the location data you shared are consistent with your notice address, but didn't find any. Would be annoying if a greedy lawyer wanted to cash in on your hobby.

      N1b Thanks for your concern. I use GMX as an email provider sometimes, so my/our IP is in those mail headers as well. That IP doesn't resolve very well via geoiplookup.net or even maxmind (mostly), so no worries. And even if that was all public, it's the same with about every company or privateer in the world... I guess the triangulation of LTE or 5G is more of a problem, so I'm grateful for such wonderful things like GOS...

      N1b About the imprint: I have an "About" section which doesn't list our address but a way to reach me via email, so those greedy lawyers may come ;) I've been running that domain for some 20 years or so, long before those "must haves" were invented...

      wjl Do you run a Pi-Hole or do you have a DNS-based ad blocker set on your mobile? Otherwise I cannot understand the large number of trackers Vanadium blocks in your setting.

        Themble I'm also interested in this...

        Also, it would be a good thing to test Brave on mobile as well.

          Themble - sorry, my fault, and you are absolutely right. I have updated my blog post over at https://wolfgang.lonien.de/2023/07/curious-and-interesting-results/ - please see the updated part at the bottom.

          ivicaivica - I have made a test with Brave on mobile as well while I was away, and after my new and additional tests with Vanadium I did another one with Brave and the same setting which I had in Vanadium. Please also see my updated blog post, link above.

          Sorry for (my own) initial confusion - hope I could clear this up a bit by now.

          Cheers,
          Wolfgang

            wjl You should not be using a Pixel 3a anymore. It's a highly insecure end-of-life device not supported by GrapheneOS anymore. You shouldn't present it as if you're using official GrapheneOS anymore.

              cgro0550 Canvas fingerprinting has absolutely nothing to do with the display. It's based on the browser and GPU hardware/firmware/driver. It does not vary across the same device model running the same OS version. It's the same between GrapheneOS and the stock OS within the same browser and is the same across most Chromium-based browsers since they implement the canvas in the same way.

              Graph_Curious Hi, Brave does nothing more than Vanadium for privacy, it's the opposite: all GrapheneOS users have Vanadium. If you were on Android you would have to use Chrome to be confidential and on iPhone you would have to use Safari. However, Brave gives you a sense of privacy because it blocks ads. Keep Vanadium and don't change anything in the settings if you want to be confidential.

                Paflechien Brave does nothing more than Vanadium for privacy, it's the opposite: all GrapheneOS users have Vanadium. If you were on Android you would have to use Chrome to be confidential and on iPhone you would have to use Safari

                I disagree and think what you are talking about is anonymity, not privacy, and it is only true in case you don't give identifying data away in the first place. Using the Tor Browser and good OPSEC (like not changing browser settings beyond setup or not logging in to any online accounts) could effectively make you disappear in a mass of identical-looking users, but it's nothing that Vanadium, Brave, Chrome or Safari sets out to do. Vanadium is arguably the most secure browser out there by default, but not the most private or anonymous. Brave does block some ads by default, which in some cases increases privacy compared to Vanadium. Whether Brave's anti-fingerprinting measures are really effective against modern tracking methods is also arguable. Personally I prefer Vanadium and DNS ad blocking via VPN, but different setups come with different advantages...

                Here's a month-old post of mine that tries to explain the difference between security, privacy and anonymity:
                Security to me means protecting your data/assets against unauthorized access. Privacy means controlling the (meta)data you give away (and ideally giving away as little as possible). Anonymity would be the ability to hide in a mass and not be identifiable, even if some of your data can be seen. While all three can empower/enable each other, they are mostly independent.

                Edit: Added information

                Thank you for your reply GrapheneOS

                I know that the kernel and firmware updates from that Pixel 3a were from August last year or so, and that it's not officially supported by GrapheneOS anymore - sorry in case it sounded wrong, never meant that.

                And although it's a bit off-topic in this thread (maybe we can start another one for this?), I'm a bit reluctant to send perfectly working hardware to the landfill, and the same will apply to my daughter's Pixel 4a 5G coming November or so. We both love the headphone jacks, so for her a 7a wouldn't be a good replacement. So what would be your advice for older hardware, without kernel and firmware support from companies like Qualcomm and Google? "Giving away" such hardware only puts the problems on others' shoulders...

                  wjl [...] I'm a bit reluctant to send perfectly working hardware to the landfill [...]

                  It's a very real issue. But these days so much of the device is software, including firmware, that the device can't be "perfectly working" if the software is vulnerable to remote exploit.

                  To their credit, Google is trying to move the needle with longer support for their newer hardware. Interestingly, moving more parts of the device in-house is part of that - similar to Apple. Part of the problem with buying parts from a bevy of suppliers is that software for the device as a whole ends up at the mercy of all of those parties. Over time the landscape may improve. One thing that could help would be for a phone manufacturer targeting longevity (such as Fairphone) to sit down with the GrapheneOS team to get some solid security advice, and make changes accordingly.

                  As a practical matter, once a device falls out of GrapheneOS support if you have low-security uses for it you might look at some other platforms such as DivestOS.

                    de0u As a practical matter, once a device falls out of GrapheneOS support if you have low-security uses for it you might look at some other platforms such as DivestOS.

                    That is very good advice I think - especially because the dev of DivestOS also recommends GrapheneOS for those who can easily afford new Pixel devices... thanks!