Vanidium IP leak- Creep.js

Backwards876

Please see the above image. This is my actual ISP, despite using both mullvad and iVPN separate.

Relaks

Can't reproduce. I'm connected to a Mullvad VPN server using the official Wireguard app, with wireguard configs provided by Mullvad. Creep.js is correctly detecting Blix, not my home ISP.

Backwards876

Can anybody think of a root cause for this? All test tools do not show an IP leak.

Could this be that I have visited the website without a VPN and as a result it remembers me?

Graphite

Backwards876

Have you cleared data on the Vanadium app info? Reinstalled Vanadium?

Graphite

Backwards876

Can you show your VPN connection info. Also results of ipinfo.io at the same time, in the same browser on a different tab.
It still looks like Vanadium isn't using your VPN at all.

Backwards876

Please see the two below images.
https://ibb.co/bLH0VM6
https://ibb.co/dgJMYWF

I have changed the VPN sever several times, exact same results. All through vanadium browser

Backwards876

Graphite I'll try this now, and a new VPN server

Backwards876

Graphite I've tried this- reinstalled (clear all cache, install etc) with a new server and this seems to have worked. Obviously the fingerprint persists but the ISP does not leak.

Thank you!

I still think the fingerprinting issue is a bit difficult, because firefox focus on iOS can defeat creepJS, so why can a privacy browser on a privacy OS not defeat it?

(Loving the OS by the way!)

newbie24689

Backwards876 IIUC Vanadium first and foremost strives to be a security browser; increasing the "privacy" is a longer-term goal. Focus is an unknown in terms of security - a malevolent site, or malevolent link on a good site may be able to compromise Focus - where Vanadium would maintain integrity.
(Yes, it would be nice if the fingerprint did not persist; if it could be randomized.) :-)

Graphite

Backwards876 the fingerprint persists but the ISP does not leak.

Should be marked solved.

Anti-Fingerprinting is a losing battle. Against basic fingerprinting... Vanadium does ok, So does Brave. CreepJS uses everything in the arsenal and manages to persist the same Fingerprint ID for all the browsers I've tried.

Tor Browser was even fingerprinted with CreepJS... if I manually enable Javascript of course. And that is really the best defense. Don't run Javascript. For those websites that we need JS to run, we have to accept the possibility of fingerprinting.

For me, the risk of tracking across multiple websites is mitigated through a crazy approach that can be a hassle sometimes... multiple browser apps. I've got Vanadium, Brave, and 3 separate releases of Firefox. A fingerprint on one, even if persistent, does not match the others. So it's effective against the cross-site tracking we are worried about here.

Backwards876

Graphite

I disagree!

Mullvad browser (tor based) in a 1920x1080 window defeats creepjs.
Librewolf in 1920x1080 defeats creepjs.
Firefox focus on iOS defeats creepjs if a long enough time gap is left.

This wasn't my primary focus of the thread so I agree this can be marked solved. Fingerprint resistance is certainly achievable but is a much more complicated issue for people far more intelligent than me!

mmobder

Graphite CreepJS uses everything in the arsenal and manages to persist the same Fingerprint ID for all the browsers I've tried

Cromite works OK - CreepJS couldn't fingerprint it with webgl/webrtc/etc turned off and browsing working fine.

[deleted]

Backwards876 what was your point and what is your threat model, who are you trying to hide from? I was following this thread and now I lost my own....

Graphite

Backwards876

It should be telling that you have to use 1920x1080 resolution on a desktop browser to reliably defeat fingerprinting.
Mobile phones, especially Android, are easier to fingerprint because of the variety of screen sizes and native resolutions.
That variety makes them unique with high confidence.

I still call it a losing battle. Just because CreepJS can't do it today (last update 10 months ago), doesn't another tool can't. CreepJS purpose is only is to shed light on weaknesses and privacy leaks among modern anti-fingerprinting extensions and browsers. See their limited set of test browsers.
It's not really an "all inclusive" test that suggests that 'if this tool can't do it, you're safe'.

Also keep in mind that if a website/attacker cannot get a unique Fingerprint ID, but you are using a very unique browser, you may become a target of interest anyway. In the pursuit of defeating fingerprinting, many people make themselves stand out in other ways.

Backwards876

Graphite Thank you for this reply. I actually agree with you, very good explanation, I really appreciate it!

DeletedUser115

Backwards876 In addition to what already discussed here, CreepJS gives the same fingerprint ID on two phones of the same model with same settings. Regardless the IP address. It's a naive fingerprinting approach only useful for research and raising awareness of fingerprinting techniques but not usable for commercial use.

Backwards876

DeletedUser115 this wouldn’t be an issue if the “visit number” reflected this. For example on Librewolf browser, you would see 300+ visits, indicating the browser fingerprint is identical across multiple users.

Vanadium doesn’t do this. The visit number reflects the true number of times I’ve visited the website uniquely. This is therefore a unique fingerprint?

You can’t possibly tell me nobody using vanadium has done this before? So I’d expect it to indicate that many users had visited before hand, if many users had in fact shared the same non unique fingerprint as me.

DeletedUser115

Backwards876 I did some testing with Vanadium and other browsers before, see https://github.com/evalda-dev/articles/wiki/Fingerprinting-tests