So when using a VPN and Vanadium, a tool such as CreepJS is able to accurately fingerprint the device, and knows the real IP of my device.

Note that when checking typical DNS/IP check tools such as the Mullvad or iVPN DNS leak tests, there are no leaks. The device shows as connected to the correct VPN DNS and has the VPN IP. But CreepJS is able to establish a fingerprint that contained my real, undisguised IP.

Why is this the case? On iOS using Firefox Focus etc., this fingerprinting doesn’t work, and even so, the actual IP is not known. I tried this on my iPhone and the IP leak doesn’t happen, so how does this happen with Vanadium?

Does anybody understand the tool CreepJS and how it is able to do this? My IP fingerprint persists even if I change the IP. Note that on iOS this doesn’t happen; the “analysis” section changes on iOS but remains my real IP on GrapheneOS.

    Backwards876

    I tried to replicate this. GrapheneOS, Vanadium browser, using VPN,... creep.js does NOT leak my real IP.

    Maybe the VPN app you are using on GrapheneOS is split tunneling and not applied to Vanadium and/or WebView properly.

    Backwards876

    Creepjs is able to establish a fingerprint that contained my real, undisguised IP.

    If this is the test: https://abrahamjuliot.github.io/creepjs/
    Then I do not see my undisguised IP.
    I do get this:

    FP ID: be991d0fa716a28e398bdcffa1e52146b3904890917368f64212a9a85dff79b0

    Fuzzy: cdb22bc2c3441f28270947ceb784b42cffd188968e266efdc4c6000000000000
    Diffs: cdb22bc2c3441f28270947ceb784b42cffd188968e266efdc4c6000000000000

    Analysis
    network: 37.120
    tokens: 350
    hidden fingerprint: secret
    org:
    M247 Ltd.
    M247 Ltd
    Sweden
    Europe/Stockholm

    Which seems appropriate for protonvpn
    The fingerprint does seem to persist

    Please see the above image. This is my actual ISP, despite using both Mullvad and iVPN separately.

    Can't reproduce. I'm connected to a Mullvad VPN server using the official WireGuard app, with WireGuard configs provided by Mullvad. Creep.js is correctly detecting Blix, not my home ISP.

    Can anybody think of a root cause for this? All test tools do not show an IP leak.

    Could this be that I have visited the website without a VPN and as a result it remembers me?

      Backwards876

      Can you show your VPN connection info? Also results of ipinfo.io at the same time, in the same browser on a different tab.
      It still looks like Vanadium isn't using your VPN at all.

      Graphite I've tried this: reinstalled (clear all cache, install etc.) with a new server, and this seems to have worked. Obviously the fingerprint persists but the ISP does not leak.

      Thank you!

      I still think the fingerprinting issue is a bit difficult, because Firefox Focus on iOS can defeat CreepJS, so why can a privacy browser on a privacy OS not defeat it?

      (Loving the OS by the way!)

        Backwards876 IIUC Vanadium first and foremost strives to be a security browser; increasing the "privacy" is a longer-term goal. Focus is an unknown in terms of security - a malevolent site, or malevolent link on a good site may be able to compromise Focus - where Vanadium would maintain integrity.
        (Yes, it would be nice if the fingerprint did not persist; if it could be randomized.) :-)

        Backwards876 the fingerprint persists but the ISP does not leak.

        Should be marked solved.

        Anti-fingerprinting is a losing battle. Against basic fingerprinting... Vanadium does OK, so does Brave. CreepJS uses everything in the arsenal and manages to persist the same Fingerprint ID for all the browsers I've tried.

        Tor Browser was even fingerprinted with CreepJS... if I manually enable JavaScript of course. And that is really the best defense. Don't run JavaScript. For those websites that we need JS to run, we have to accept the possibility of fingerprinting.

        For me, the risk of tracking across multiple websites is mitigated through a crazy approach that can be a hassle sometimes... multiple browser apps. I've got Vanadium, Brave, and 3 separate releases of Firefox. A fingerprint on one, even if persistent, does not match the others. So it's effective against the cross-site tracking we are worried about here.

          Graphite

          I disagree!

          Mullvad Browser (Tor based) in a 1920x1080 window defeats CreepJS.
          LibreWolf in 1920x1080 defeats CreepJS.
          Firefox Focus on iOS defeats CreepJS if a long enough time gap is left.

          This wasn't my primary focus of the thread so I agree this can be marked solved. Fingerprint resistance is certainly achievable but is a much more complicated issue for people far more intelligent than me!

            • [deleted]

            Backwards876 what was your point and what is your threat model, who are you trying to hide from? I was following this thread and now I lost my own....

            Backwards876

            It should be telling that you have to use 1920x1080 resolution on a desktop browser to reliably defeat fingerprinting.
            Mobile phones, especially Android, are easier to fingerprint because of the variety of screen sizes and native resolutions.
            That variety makes them unique with high confidence.

            I still call it a losing battle. Just because CreepJS can't do it today (last update 10 months ago), doesn't mean another tool can't. CreepJS's purpose is only to shed light on weaknesses and privacy leaks among modern anti-fingerprinting extensions and browsers. See their limited set of test browsers.
            It's not really an "all inclusive" test that suggests that 'if this tool can't do it, you're safe'.

            Also keep in mind that if a website/attacker cannot get a unique Fingerprint ID, but you are using a very unique browser, you may become a target of interest anyway. In the pursuit of defeating fingerprinting, many people make themselves stand out in other ways.
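
The argument in the thread about screen-size variety can be put in numbers. The following is an added example, not part of any post above: it computes the anonymity set and the identifying information (in bits) of a reported screen size. The visitor counts and the less common screen sizes are constructed for illustration, not measured data.

```javascript
// Constructed visitor population; the counts are invented for illustration,
// not measured data. Total is 1024 visitors.
const GROUPS = [
  { count: 512, platform: "desktop", screen: "1920x1080" },
  { count: 256, platform: "desktop", screen: "1366x768" },
  { count: 128, platform: "desktop", screen: "2560x1440" },
  { count: 64, platform: "android", screen: "412x915" },
  { count: 32, platform: "android", screen: "393x873" },
  { count: 16, platform: "android", screen: "360x800" },
  { count: 8, platform: "android", screen: "384x854" },
  { count: 4, platform: "android", screen: "448x998" },
  { count: 2, platform: "android", screen: "411x914" },
  { count: 1, platform: "android", screen: "432x960" },
  { count: 1, platform: "android", screen: "375x833" },
];

// Number of visitors whose attributes match every key in `observed`.
function anonymitySet(groups, observed) {
  return groups
    .filter((g) => Object.entries(observed).every(([k, v]) => g[k] === v))
    .reduce((sum, g) => sum + g.count, 0);
}

// Surprisal in bits: how much identifying information the observation carries.
function surprisalBits(groups, observed) {
  const total = anonymitySet(groups, {});
  const matching = anonymitySet(groups, observed);
  if (matching === 0) throw new RangeError("value not present in population");
  return Math.log2(total / matching);
}

// Shannon entropy (bits) of one attribute within a subset, e.g. screen on Android.
function attributeEntropy(groups, attr, within = {}) {
  const total = anonymitySet(groups, within);
  let bits = 0;
  for (const value of new Set(groups.map((g) => g[attr]))) {
    const n = anonymitySet(groups, { ...within, [attr]: value });
    if (n > 0) bits -= (n / total) * Math.log2(n / total);
  }
  return bits;
}

console.log("1920x1080 bits:", surprisalBits(GROUPS, { screen: "1920x1080" }));
console.log("432x960 bits:", surprisalBits(GROUPS, { screen: "432x960" }));
console.log("android screen entropy:", attributeEntropy(GROUPS, "screen", { platform: "android" }));
```

In this constructed population the common desktop size hides the visitor among half of all users, while a rare phone size alone narrows the set to one visitor before any other attribute is considered.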