Brave is NOT fingerprint resistant enough

We need to talk about this.

One of the most recommended browsers for privacy is Brave Browser, being featured as a good alternative for Chromium.

But… does it really protect you enough?

Sure, there needs to be a balance between a convenient browser and a privacy-protecting browser.

Hang with me for a minute and let’s see what’s going on.

What is fingerprinting?

In a simple way:

Fingerprinting is how websites detect who you are without actually having to find out who’s behind your IP address.

It allows any site to know who you are, even with a VPN and a “private” browser.

Automatically, when you access a website, it could also detect:

  • Your operating system – up to its specific kernel version.
  • Your browser – and its specific version.
  • Your device type – if you’re on mobile or desktop.
  • Your timezone – to estimate what part of the world you’re in.
  • Your GPU unique ID – to detect exactly what GPU card you’re using via WebGL.
  • Your content filters – if you have any custom adblocking filters, it can fingerprint you.
  • Client Hints – the new version of User Agents, that render fake UAs useless.
  • Other unique IDs – such as Canvas, cookies and more.

That’s why, even if you use a VPN, a website is able to know EXACTLY who you are.

Facebook, Google and Amazon don’t need to know your real IP address, or turn on your webcam to know who you are…

…they only need to know the same person that logged into your Facebook account one day, went on to read a news article in another website on the other day. And so on.

Is this a real threat?

Short answer: YES.

25% of the 10,000 of the most popular websites are using it to track you:

And more will, because doing it is easy – it’s all done through APIs like whatismybrowser, made to detect Client Hints.

This is important to understand:

Just because you’re not seeing ads, it doesn’t mean you’re not being tracked.

If a website has the reason and the willpower to correlate your activities, it’ll do so.

Brave’s claims on fingerprinting

Brave says on their own website that they do protect your fingerprint by default.

You can reduce the effectiveness of fingerprinting by using a browser, such as Brave, that has anti-fingerprinting features. Source: brave(dot)com/glossary/fingerprinting/

Unparalleled privacy - Shields against tracking and fingerprinting. Source: brave(dot)com

According to Brave’s GitHub:

“Brave includes two types of fingerprinting protections, (i) blocking, removing or modifying APIs, to make Brave instances look as similar as possible, and (ii) randomizing values from APIs, to prevent cross session and site linking (e.g. making Brave instances look different to websites each time).”

Seems pretty nice. Let’s test it.

Testing Brave’s fingerprint resistance

For this test, I used:

My Brave Browser configs:

  • Aggressively block ads and trackers
  • Block fingerprinting on
  • Block third party cookies
  • Forget site when I close it by default

For the results, I’ll use these icons:

:lock: → means protected
:drop_of_blood: → means uniquely identifies me
:droplet: → means can’t do much about it

The results were as follows:

Browserleaks (Brave)

:lock: IP, DNS leak, etc.: safe
:lock: Canvas: randomized and changes in different tabs
:drop_of_blood: WebGL: my exact GPU model (but randomized ID)
:drop_of_blood: Client Hints: Brave version, Linux + Kernel version, CPU architecture
:drop_of_blood: Fonts: all fonts detected, unique ID (even between sessions)
:drop_of_blood: Resolution: specific to my device (no letterboxing - though it’s advanced)
:droplet: Blocklists: all adblocking lists detected

Those aren’t some good results if you REALLY want to resist fingerprint.

Maybe it will stop standard tracking through ads, but definitely not the new generation of fingerprint tracking.

Let’s test Mullvad Browser for comparison.

My Mullvad Browser configs:

  • Security Level: standard
  • Everything is default

Browserleaks (Mullvad Browser)

:lock: IP, DNS leak, etc.: safe
:lock: Canvas: randomized with every refresh
:lock: WebGL: randomized, not showing GPU model
:lock: Client Hints: disabled
:droplet: Fonts: some detected, same as all Mullvad Browser users
:droplet: Resolution: letterboxed
:droplet: Blocklists: all adblocking lists detected, same as all Mullvad Browser users

This is pretty much the best you can do “out of the box” to protect your fingerprint.

The next step would be to use uBlock in hard mode, “blocking all and allowing some”.
That’s something Brave doesn’t allow you to do, and would improve your protection even further.

Example of fingerprinting tracking (even with VPN)

Let’s put this in perspective. Imagine this scenario:

:white_check_mark: You’re connected to Mullvad VPN, purchased anonymously with Monero.
:white_check_mark: You connect to a VPN server, giving you the (example) IP “123.123.123.123”.
:white_check_mark: You’re using Brave Browser with shields on and in strict mode to browse the web and access your accounts.

So far so good, right?
After all, dozens of people share that VPN IP, and they can’t link it to you directly.

The problem is: fingerprinting narrows it down a lot.

For example, let’s imagine you start by making a purchase on Amazon.
This is what Amazon’s tracking system knows about you:

| IP | System | Timezone | User Agent / Client Hint | GPU | Blocking Lists |
|---|---|---|---|---|---|
| 123.123.123.123 | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |

Oh… well, that doesn’t look so good. That’s, like, 100% unique.

But maybe if we change our VPN servers and reopen our browser session… that helps with privacy, right?

:white_check_mark: New IP: 131.131.131.131
:white_check_mark: Cookies and cache on Brave cleared

Then, you access Wired to read some news. This is what their tracking system knows about you:

| IP | System | Timezone | User Agent / Client Hint | GPU | Blocking Lists |
|---|---|---|---|---|---|
| 131.131.131.131 (new) | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |

F##K! Changing the IP didn’t help. Why?

Because fingerprinting doesn’t depend on how well hidden your IP is through your VPN, or how much you clear your cookies and cache.

:door: It depends on how many “doors” your browser leaves open to the website to track you.

Sometimes, it does so for the sake of functionality or compatibility. After all, Brave doesn’t want their users to get mad that a website isn’t working properly and go back to Chrome.

But that comes at a cost.

Now imagine all those websites sharing the same tracking system, building your profile.

They’ll have a table similar to this:

| Domain | IP | System | Timezone | User Agent / Client Hint | GPU | Blocking Lists |
|---|---|---|---|---|---|---|
| Amazon | 123.123.123.123 | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |
| Wired | 131.131.131.131 | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |
| YouTube | 131.131.131.131 | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |
| PrivacyGuides | 131.131.131.131 | Linux, kernel version 6.0.1, desktop | Los Angeles | Brave Browser version 131, Linux, x64, desktop | NVIDIA GTX 1080, unique ID XXXXXX | Easylist, SponsorBlock |

If your IP is the only thing changing, it’s easy to guess you’re the same person behind a VPN.

Now, if you were using something like Mullvad Browser, they would have less data about you.

What do I think about it

I don’t think Brave is a terrible browser, and the purpose of this isn’t to hate on it.

Everyone should be allowed to choose what browser suits them better.

I agree that Brave comes with many great things: it’s fast, pretty, reminds you of the good part of Chromium, the extensions, etc.

But we need to be clear on what Brave accomplishes, and what it doesn’t.

Currently, Brave does not protect your fingerprint in a satisfying way against the new generation of trackers, unless you disable JavaScript globally.

Mullvad Browser, on the other hand, does that. It gives you the security and privacy of the Tor Browser, without Tor itself.

Anyway… this is all open to discussion! :slight_smile:

Thank you for reading!

11 Likes
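The cross-site linking scenario from the post above, as an added example that is not part of the original post: it checks which observed values stay the same across two visits and how many users share them. All records are constructed from the post's tables; the `crowd` profile, the `canvas` values and users B, C and D are assumptions made for illustration.

```javascript
// Added example with constructed data modelled on the post's tables.
// `user` is ground truth for scoring only; a site never sees it.
const FIELDS = ["ip", "os", "tz", "ua", "gpu", "canvas", "lists"];

// Profile from the post: values exposed by the poster's browser on every site.
const brave = { os: "Linux 6.0.1, desktop", tz: "Los Angeles",
  ua: "Brave 131, Linux, x64", gpu: "NVIDIA GTX 1080",
  lists: "Easylist, SponsorBlock" };
// Assumed crowd profile: every user of the browser reports the same values.
const crowd = { os: "generic", tz: "UTC", ua: "generic", gpu: "hidden",
  lists: "default" };

const visits = [
  { user: "A", site: "Amazon", ip: "123.123.123.123", canvas: "rand-1", ...brave },
  { user: "A", site: "Wired", ip: "131.131.131.131", canvas: "rand-2", ...brave },
  { user: "B", site: "Wired", ip: "131.131.131.131", canvas: "rand-3", ...brave,
    os: "Windows 10, desktop", tz: "Berlin", ua: "Brave 131, Windows, x64",
    gpu: "Intel UHD 620" },
  { user: "C", site: "Amazon", ip: "123.123.123.123", canvas: "rand-4", ...crowd },
  { user: "C", site: "Wired", ip: "131.131.131.131", canvas: "rand-5", ...crowd },
  { user: "D", site: "Wired", ip: "131.131.131.131", canvas: "rand-6", ...crowd },
];

// Fields whose value did not change between two visits by the same browser.
function stableFields(a, b) {
  return FIELDS.filter((f) => a[f] === b[f]);
}

// Number of distinct users whose observed values match `target` on `fields`.
function anonymitySet(all, target, fields) {
  const key = (v) => fields.map((f) => v[f]).join("|");
  const match = all.filter((v) => key(v) === key(target));
  return new Set(match.map((v) => v.user)).size;
}

// Compare a user's first two visits: what survived the IP change and the
// per-session canvas randomization, and how many users share those values.
function audit(user) {
  const [first, second] = visits.filter((v) => v.user === user);
  const stable = stableFields(first, second);
  return { stable, setSize: anonymitySet(visits, first, stable) };
}

console.log("A:", audit("A"));
console.log("C:", audit("C"));
```

For both users the IP and the randomized canvas value drop out, but user A's remaining values match nobody else, while user C's match every other user of the crowd profile.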

Honestly boring thread. This has been discussed countless times before.

See our recommendations:

For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction with a VPN

4 Likes

Hello @ph00lt0 ,

Certainly. But I did attempt to bring new things in this thread, such as:

  • an actual test w/ browserleaks
  • a contextualized/real-life based scenario
  • a logic to why Mullvad Browser has superior anti-fingerprint features

Because, even though anti-fingerprint is an important privacy feature, it’s NOT a criterion on current PrivacyGuides web browser recommendation.

As a result, Brave Browser is recommended as a private browser.

That’s why I think threads like this are important. To bring awareness and context. To avoid letting people have a false sense of security/privacy.

Okay! Feel free to contribute

5 Likes

Well, the very short answer is:
If you want FP resistance use Tor.

At least the big corporations will always be several steps ahead in FP and the browser companies will play catch-up until something changes fundamentally in the way browser engines are designed.

FP resistance in the browser is “nice to have” but don’t rely on it in any way.

3 Likes

Actually in a testing. I think Tor Browser is more effective than just Mullvad or at least if you unless uniquify your location on a VPN but still Tor. https://fingeprint.com will still know your ID regardless if you use Mullvad or maybe even Brave (and could’ve been a better test than whatever that was). I encourage the website to be the test for fingerprint as it has strict techniques over whatever test was conducted.
I have found also that and a different VPN location (or Just Tor) + Brave’s ad and tracking blocking, fingerprint and “Forget me when I close the site” by default all on it is also a good way to combat the fingerprinting. It did in fact trick fingerprint.com

1 Like

Actually Brave is not “the” recommended desktop browser.
Mullvad Browser is what we recommend for normal browsing, with a properly configured Firefox for stuff you log in to.

Brave is there for users who need a Chromium-based browser for compatibility or security reasons. It’s the only one with somewhat okay fingerprinting protection.

Tor browser is what is recommended if you need your browsing to be anonymous.

5 Likes

Hey @Valynor ,

Or Mullvad Browser.

I think the test here proved that you can reach an acceptable level of FP resistance with Mullvad Browser without going through the Tor Network.

A regular user could use MB for “regular browsing” and have a better degree of fingerprint protection, instead of Brave.

Judging by threads here in the community, like people asking if Brave has better fingerprint resistance than Firefox, I think explaining this is relevant.

Wouldn’t you agree?

EDIT: Yes, I do think Tor Browser achieves an even greater level of privacy/anonymity. But it goes above the purpose of regular browsing with VPN many people are used to.

This applies to privacy in general.

Big corporations like Google are always pushing down new standards (like Client Hints in all Chromium-based browsers, changing to Manifestv3 in Chrome and causing uBlock to stop working, etc.).

Tracking us is financially interesting for them, so they’re investing hard in it.

2 Likes

If you enable uBlock hard mode in Mullvad Browser, you can defeat fingerprint.com unique ID. Try this. Set uBlock Origin to advanced mode, disable 3rd party frames, scripts. You don’t need to disable the first party JS. Try it and tell me if it works. Every time you close and open Mullvad Browser, the ID will be a new one.

I see. That’s what I would recommend, too. Mullvad as a general-use browser, and Firefox for logins and account usage.

But I do think many people will default with Brave because it “feels like home” if they’re coming from Chrome.

Brave has become very popular. So I think making people aware of this fingerprinting aspect of it is important.

Because again, there are threads here in this own community where people thought Brave could have a more hidden fingerprint because it’s based on Chrome. :stuck_out_tongue:

3 Likes

While uBlock Hard Mode or even medium mode dramatically reduces the number of websites you connect to, it does nothing against fingerprinting. As long as everything comes from the website, it wouldn’t be blocked.

1 Like

Have tested it, initially it swapped out a fingerprint but this was before using the method, after realizing it nets the same ID. I tested your theory and it did not beat the fingerprint.com unique ID. I would say using Tor Browser would be better in this case and I’ll test that theory.

Edit: bare stock Tor Browser with safer preset is more effective than Mullvad Browser (mostly without the VPN and even with the uBlock workaround) itself.

Is it a good idea to change the blocking mode? See uBlock Blocking Mode · Issue #37 · mullvad/mullvad-browser · GitHub

Brave takes a randomisation approach to fingerprinting resistance rather than a crowd approach like TOR / Mullvad Browser so it isn’t really directly comparable.

2 Likes

If you’re using Mullvad Browser, no.

1 Like

@becritical Thanks for sharing.

I think you should have a better attitude.

6 Likes

Yes, which is why I was asking whether changing ublock origin’s mode is a good idea, as it might make you stand out.

Given this, would it be better to use Brave or Arkenfox for websites where I log in?

You probably can, but this just means they use third-parties for the tracking (99.9% nowadays use CDNs).

So it doesn’t inherently prevent fingerprinting, but it can help. At great sanity costs though…

From testing I did a while ago, when you do this test and don’t rotate your IP, then you will be obviously uniquely identified.

You shouldn’t need to even change uBO mode to see it.

Quick test I did (video will expire in 2 days): Watch Screencast_20241128_131237 | Streamable

4 Likes

uBO is for defence in depth and convenience, but is not central to thwart actors trying to uniquely identify a user.

First party or third party tracking doesn’t matter if you have browser fingerprinting resistance and a non personal IP address.

4 Likes

In regards to that website, it cannot adequately test your fingerprint, in addition to many others. (Source)

Moreover, it is not recommended to change anything in Mullvad Browser, or at least nothing aside from the browser interface, for instance the bookmarks toolbar, is fine.

2 Likes