Expand more on fingerprinting limitations in general, not just for Brave

[4jor]

Currently, the Brave section writes that it has

rather ineffective fingerprinting resistance (has gaps making the mitigations bypassable)

However, anti-fingerprinting attempting to thwart naive fingerprinting scripts just need to obfuscate fonts, screen size, and other obvious metrics.
arkenfox/user.js#1274

If someone wants to block fingerprinters beyond naive ones, Tor Browser would be a better fit. Therefore, I believe Brave's fingerprinting resistance is effective for most users.

[RKNF404]

However, anti-fingerprinting attempting to thwart naive fingerprinting scripts just need to obfuscate fonts, screen size, and other obvious metrics.

This was already discussed in #6.
I will repeat what I stated there:

This is hope-and-prayer approach to resisting fingerprinting. It doesn't work in practice. It's an assume-good-faith mentality, when trying to resist fingerprinting, which is an assume-bad-faith approach.
If you think trackers aren't putting in the effort to try and fingerprint you, then why sacrifice security for it. If you think they are putting in the effort, then avoiding "naive scripts" is not a valid approach.

If someone wants to block fingerprinters beyond naive ones, Tor Browser would be a better fit. Therefore, I believe Brave's fingerprinting resistance is effective for most users.

Sure, but Tor isn't good for security. Fingerprinting resistance is not the primary focus of this guide, security is.

My point to dismiss the fingerprinting resistance is so that people do not use Brave for that reason. There are other way more important considerations to take before fingerprinting is a concern. If it is a concern, a VM with Tor is sufficient, otherwise there are bigger considerations that Brave does not meet.

[RKNF404]

Anyway, I will not be removing reference to Brave's FPR limitations.

[4jor]

I made this issue because I thought you had conceded your argument after I pointed out Thorin's affilation with the Tor Project. Here's my clarification on your previously stated points:

assume-bad-faith approach.
If you think trackers aren't putting in the effort to try and fingerprint you, then why sacrifice security for it. If you think they are putting in the effort, then avoiding "naive scripts" is not a valid approach.

They don't need to put in the effort:

If you do nothing on desktop, you are already uniquely identifiable - screen, window and font metrics alone are probably enough - add timezone name, preferred languages, and several dozen other metrics and it is game over. Here is a link to the results of a study done in 2016 showing a 99.24% unique hit rate (and that is excluding IP addresses).

why sacrifice security for it

Ideally, there would be no need to sacrifice security for it, considering that it isn't hard or security-conflicting to implement simple anti-fingerprinting that protects almost every user.

[RKNF404]

I made this issue because I thought you had conceded your argument after I pointed out Thorin's affilation with the Tor Project.

No, their position on this does not affect my own. I don't think they are an expert, well researched and knowledgable though.

Ideally, there would be no need to sacrifice security for it, considering that it isn't hard or security-conflicting to implement simple anti-fingerprinting that protects almost every user.

That's the thing, using Brave is a security regression compared to Chrome or Edge, and the company behind the browser does not put in the effort to remedy that. I explicitly say it isn't the worst option but isn't worth using over other decent options, like Chrome.

The purpose of this guide is to account for privsec, and Brave objectively does not hold up well on that scale. The fingerprinting resistence isn't important to that, as I said, and doesn't achieve enough to warrant a recommendation for it or a removal of that critique.

[4jor]

I agree with the general conculsion made on Brave and its privsec, but saying that Brave's fingerprinting resistance is ineffective, while every other browser aside from the Tor Browser doesn't meet that desired effectiveness (which most people don't need and Brave doesn't advertise as fulfilling), still makes it inconsistent in my opinion.

[RKNF404]

I see the point. I can add a section on fingerprinting, or be more explicit about how most browsers have very poor if any mitigation(s) for fingerprinting.

[4jor]

Some relevant resources (aside from the arkenfox guide which I already linked):

• The Tor Browser manual's anti-fingerprinting section
• Mullvad Browser's fingerprinting section
• Archive of Divested Computing's browser comparison tables (hasn't been updated in some months)

[4jor]

A couple more notes that may be useful:

• Any working browser has access to Startpage Anonymous View, which may be useful against naive fingerprinting scripts, especially on browsers without built-in fingerprinting protection. Although, it causes lots of site breakage, and it only works on sites searchable on Startpage as well as the links from those sites.
• Here are Vanadium's, Cromite's, Safari's, and Firefox's sections on fingerprinting resistance
• GrapheneOS has stated that Brave currently has stronger protection for fingerprinting than Vanadium