Is it Possible that Brave has Stronger Fingerprinting Protection than Firefox?

Introduction

This is something I’ve been thinking about for a couple years now, and I wanted to get y’alls thoughts on it.

After following the privacy space for several years, I cannot even count the number of times I have heard something, generally speaking, along these lines:

Brave provides better privacy and fingerprinting protection than Firefox by default, but it has weaker protections than hardened Firefox or Librewolf
I've been a Firefox user myself for a long time. But I can't help but wonder, is the wisdom that hardened Firefox is more resistant to fingerprinting actually true?

Firefox, Brave, and Pool Size

Part of what gets me—and this question was somewhat reinvigorated for me when Brave recently removed its Strict fingerprinting protection in favor of a single toggle, citing that hardly anyone used the strict mode—is that I can't help but shake the feeling that just using a hardened version of Firefox (or Librewolf) might shrink the crowd you're blending in with too much.

Mobile

I especially worry about this with mobile. I am aware Privacy Guides doesn't currently recommend Firefox for Android because:
On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, GeckoView, has yet to support site isolation or enable isolatedProcess.

Though, this is not my question. Strictly from a fingerprinting sense, and I am the first to admit I have nothing to back this up whatsoever, so do tell me if this sounds like nonsense, I can’t shake the feeling that like, by the time you’ve gone through the trouble of downloading Firefox for Android, enabling Resist Fingerprinting, turning on UBO, maybe even using it on hard mode… you might be one of a very small number of users visiting a website who matches that profile.
By comparison, I have a much easier time imagining that the pool of users who clicked the “on button” for Brave’s now one-size-fits-all fingerprinting protection is probably going to be a bit bigger.

Perhaps my gut feeling here is colored by the fact that I have run into several folks in day to day life who are using Brave, but I haven’t run into many others besides myself who use Firefox, and I have never run into another Firefox for Android user.

Desktop

I have an easier time imagining a larger pool when it comes to desktop Firefox than mobile. But I ultimately end up with the same kind of question. I would imagine a large portion of Firefox's install base isn't using RFP. I see Firefox all the time installed on university workstations, I've seen it on public computers, I've seen it in many places where RFP wouldn't be used. Not to mention anyone that has Firefox for *any* other reason besides privacy. I think it is fair to say that Firefox's total marketshare is not representative of the number of users who are using RFP.

It's no secret Firefox in itself would stand out compared to Chromium, though perhaps that is not the case strictly compared to the Brave flavor of Chromium. Nevertheless, I have the same type of question here; by the time you use Firefox with RFP, UBO, and maybe some other privacy related settings, isn't it possible that you've singled yourself out just by the nature of being part of a presumably very small pool? It seems like the pool of people who use Brave with its, again, pretty much one-button fingerprint protection might be larger. Or is the pool for Firefox not as small as I am imagining?

Different Methods of Fingerprinting Protections

One potential wrinkle I see is that Brave's fingerprint protections are randomization based. As opposed to TOR-Style fingerprinting protections which try to make everyone look the same, Brave intentionally makes everyone look unique.
One might naturally ask "what crowd are you thinking that you're blending with, if everyone looks unique?"

And indeed, point well taken, but they can still see you are a chromium user, as opposed to a Firefox user, for example. I know it is also possible to tell that you’re a Brave user. To the extent that Firefox might single you out as one of a very very small group of hardened Firefox users on a given site, it doesn’t necessarily follow in my mind that Brave’s randomization based approach would not still benefit from looking like “one of many Brave users,” even if you look like a different Brave user each time. Intuitively, that would seem to be the best of both worlds, at least to me. You blend in amongst a crowd of Brave users, but aren’t identified as any single repeating one. As opposed to potentially being narrowed down to maybe even a handful of hardened Firefox + UBO users if you go on a less mainstream site.

A similar question—not quite the same, but addressing the same point—was answered last year, where a PG team member pointed out:

There is no crowd of “Chrome users” to blend in with, because you can’t blend in to a crowd filled with completely unique browsers. (A study published in 2017 demonstrated an approach that could uniquely identify 99.24% of users, without even taking into account their IP address.)

Using a privacy browser like Firefox with Arkenfox tweaks cannot make you stand out more, because when you are already completely unique, becoming “more unique” is impossible.
That certainly sounds true since that question was asking about blending in with chromium generally. As I understand it, that study was talking about identifying "normal" users uniquely, e.g. the average chrome or Firefox user with no protection. And indeed, you cannot blend in with "chrome users generally," because there is no crowd, because they are all unique, and statically so.
That logic does not seem to fit exactly when it comes to looking like other Brave users though, or at least, it does not intuitively make sense to me, given that you can blend into a crowd of randomized brave users and look like "just another brave user with fingerprint protection."

But the idea that "Using a privacy browser like Firefox with Arkenfox tweaks cannot make you stand out more, because when you are already completely unique, becoming “more unique” is impossible" does not address the fact that if you're only one of a handful of people using a privacy browser on a given site, then you're unique enough, no? That is to say, I'm not sure what good it would do if only a handful of people with FF + UBO + RFP visited that site in the first place, which seems like a particularly acute worry to me with FF for Android.

Pool Size Isn't Everything

I should also note, to conclude, that I am also aware that pool size is not everything when it comes to fingerprint protections. Even IF it were the case that Brave had a larger pool, perhaps Brave's privacy protections would be so lackluster, that it wouldn't even matter whether you have a pool. It does not appear that that is the case though, at least to me—unless there is something I don't know about.

Conclusion

Anyway, if anyone has actually read this far, thank you. I'd appreciate your thoughts on the matter. The one sentence summary is basically: Does Firefox + RFP + uBO, especially on Mobile, have a small enough pool, that just by using it you are invalidating all of those protections, and does Brave, with one-button fingerprint resistance avoid this issue?
5 Likes

I have some useful links for you on the topic, but I’m running out the door right now. Later today, I’ll circle back and share them.

1 Like

Fingerprint resistance on mobile definitely goes to Brave by virtue of its superior choices and popularity alone. The problem with Firefox is it also easily places tools to further shoot yourself in the foot, like uBlock Origin filtering customization vs Brave’s monolithic AdBlock engine. But most importantly, the ability to install add-ons diminishes any fingerprinting you may have done with Firefox’s RFP.

2 Likes

Yes, but it all depends on how you use the features Firefox provides. If you follow PG and arkenfox’s recommendations to not install any add-ons besides uBlock Origin, then you won’t have that issue. Also, if you are really aiming for fingerprint protection, you should probably use Mullvad Browser or Tor Browser.

1 Like

The customization of uBlock Origin’s features alone presents a problem. E.g. it may not be as accurate, but you can try to infer enabled filter lists (Content Filters and Proxy Detection - BrowserLeaks), and OP’s bias was on mobile devices, where Mullvad may not apply and Tor Browser simply has different goals to Brave and Firefox.

1 Like

Sure, I was simply trying to point out that more options does not necessarily correlate to worse privacy. I personally find a lot of value in being able to configure a piece of software the way I want.

This kind of gets to the core of my question though. Lets say you do it right; you use Firefox with RFP and a pristine, untouched UBO config. Furthermore, let’s say you never fullscreen your window so that you aren’t singling yourself out as the RFP user not using the default RFP window size.

Alternatively, let’s say you use a pristine Arkenfox config, or maybe Librewolf with no unnecessary configurations.

One might say these are different types of goldilocks zone Firefox configs; but it just feels to me that the pool of other users in the goldilocks zone is probably pretty small. If you venture off of the central traffic hubs of the internet like Amazon, Google, etc. and onto even large sized but not mega-giant sites, might it not be the case that you might be one of only a handful–or even fewer–such users using an “optimal” privacy setup? And were that to be the case, if only a handful of other such users visited some particular site, then it isn’t clear to me that you are better off than a Brave user who combines strong fingerprint protections in its own right with what might be a larger crowd to blend in with.

This isn’t to say that Brave users cannot similarly shoot themselves in the foot. They can, such as customizing filter lists to make themselves unique, for example. But I cannot help but suspect the pool of users who simply turned on the one button “fingerprint protection” toggle is probably going to be larger than any one of the different types of goldilocks zone Firefox configs. I would imagine this to be true even if we divide it by “standard” and “aggressive” adblocking configs.

This seems to me like it would go doubly true with mobile. Though I do not have any data (though at least as far as I know, I am not certain anyone else has more reliable data either, though I would absolutely love to be proven wrong here), surely the subset of users who use Android FF + RFP + UBO, even untouched and in the mobile goldilocks zone, has to be very, very small. Same for Mull users. The privacy community in and of itself is pretty small.

If you combine this issue of “even if you do it perfectly, you might still put yourself in a small pool” with the very real issue of not only you shooting yourself in the foot, but other users shooting themselves in the foot reducing the overall pool of people to blend in with, this seems to produce a problem that Brave might have an easier time avoiding.

Of course, I don’t have numbers. I wish, I truly wish there were reliable metrics for people using privacy settings, although almost by definition there will not be. But since, as far as I know (and I welcome anything to the contrary) such reliable metrics don’t exist, all I can do, and all I think anyone can do, is go based off experience and what conclusions one can draw from them. And at least for me, in my experience, I have a much easier time believing the Brave pool of fingerprint resisting users is going to the be the larger pool. I certainly welcome a solid argument to the contrary, as I am currently a Firefox user both on desktop and, despite PG recommendations, on mobile. But I am not certain that this is the best approach privacy wise, hence this thread.

Ignoring mobile for a moment, certainly for anonymity there is no alternative to TOR, and Mullvad browser may be the best available option for non-TOR privacy browsing. But I don’t think this has to be an all or nothing game, and I think it is worthwhile considering whether or not Firefox or Brave, arguably the two champions of privacy browsers for normal browsing, might offer stronger protections for everyday.

1 Like

Fingerprinting was once called supercookies. If your cookies are not deleted, it is even easier to identify that you came back to the site again, as your unique ID is already written in the cookies; no need to check IP or fingerprinting at all?

My understanding is that preventing advanced fingerprinting would be very difficult with either Brave or Firefox + RFP. And is somewhat out of scope for what these browsers seek to accomplish.

Firefox has great, strong built-in anti-fingerprinting protections, but they are disabled by default and included mostly for use in the Tor Browser (and Mullvad Browser); defeating advanced fingerprinting is somewhat out of scope for Firefox (and out of scope for projects like Arkenfox as well).

My understanding is that Brave’s approach has the goal of preventing basic fingerprinting (“naive scripts”) to the extent that is possible, but not at the expense of usability (and because strong fingerprinting protection necessitates usability tradeoffs that Brave is unwilling to subject users to, their current approach probably can’t ever achieve more than a modest level of fingerprinting protection, which falls short of defeating advanced fingerprinting).

My takeaway from the reading I’ve done (in the context of fingerprinting and desktop browsers) is that if resisting advanced fingerprinting is a priority, nothing can compare to using a purpose built browser (e.g. Tor Browser and Mullvad Browser on desktop, not sure what would be the best option for mobile).

As to the links I promised earlier:

  1. I’ve found this particular Arkenfox Wiki page to be one of the better short and somewhat simple explanations of some of the factors to consider, and what you can/should realistically expect.
  2. But the link I most wanted to share is this discussion; there is lots of good info scattered throughout. If you are not interested in reading through that whole discussion, at least read this comment and the one directly above it (from the creator of Arkenfox, who is also a Tor Core Contributor).
  3. Additionally (and optionally), this discussion has some discussion of Firefox’s two anti-fingerprinting features (RFP and FPP) and what the near future will look like.
6 Likes

Supercookies and fingerprinting are two different things. Supercookies are data (usually identifiers) stored on visit and read out on revisit from flash storage, HSTS flags, ETags and other state. It’s a form of stateful tracking.

Stateless fingerprinting, on the other hand, does not store anything on your device. It basically uses data the browser voluntarily provides, like the user agent string, and especially does calculations or other tests whose result depends on your OS, hardware, browser configuration, extensions and other differences between browser instances to distinguish them from each other as well as possible. It’s a statistical form of tracking.

While fingerprinting can be used for tracking, trackers often prefer stateful tracking or other non-fingerprinting forms (e.g. URL-tracking) because it’s not a statistical form and has been reliable for the majority of users for many years.

5 Likes

But there is no need to spoof all fingerprinting-related data if you are logged in or your cookies are not deleted? You already said that it is you here again?

There is still a need for it. Imagine your browser has good state partitioning, so cross-site tracking by state is mitigated. Fingerprinting could still be used to make the connection for cross-site tracking.

1 Like
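The point made in the reply above, that partitioned state stops cookie-based cross-site linking but a stable fingerprint still connects the visits, can be modelled in a few dozen lines. The following is an added example and is not code from the thread or from any browser vendor; the `tracker.example` hostname, the two site names and the metric values are all constructed for the model, and the partitioned jar only imitates the shape of Firefox's Total Cookie Protection (one cookie jar per top-level site) rather than its implementation.

```javascript
// Added example, not code from the thread or from any browser vendor: a toy
// model of one tracker embedded on two sites, showing that state partitioning
// stops cookie-based cross-site linking while a stable fingerprint still links
// the visits, and that a per-site randomized fingerprint does not (for a
// naive script that hashes whatever it reads).

// A browser cookie jar. Unpartitioned: one jar per cookie origin, shared by
// every top-level site. Partitioned (in the style of Firefox Total Cookie
// Protection): one jar per (top-level site, cookie origin) pair.
class CookieJar {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map();
  }
  key(topLevel, origin) {
    return this.partitioned ? `${topLevel}|${origin}` : origin;
  }
  get(topLevel, origin) {
    return this.store.get(this.key(topLevel, origin));
  }
  set(topLevel, origin, value) {
    this.store.set(this.key(topLevel, origin), value);
  }
}

// Canonical string of the metrics a script can read; stands in for a hash.
function fingerprint(metrics) {
  return JSON.stringify(metrics, Object.keys(metrics).sort());
}

// The tracker: assigns an ID cookie on first sight and also records a
// stateless fingerprint of every visit.
class Tracker {
  constructor() {
    this.origin = "tracker.example"; // assumed hostname
    this.nextId = 1;
    this.visits = [];
  }
  // Called when the tracker's script runs on a page of `topLevel`.
  seen(jar, topLevel, metrics) {
    let id = jar.get(topLevel, this.origin);
    if (!id) {
      id = `uid-${this.nextId++}`;
      jar.set(topLevel, this.origin, id);
    }
    this.visits.push({ topLevel, id, fp: fingerprint(metrics) });
  }
  // Which sites does the tracker link together when it groups visits by `field`?
  linkedBy(field) {
    const groups = new Map();
    for (const v of this.visits) {
      if (!groups.has(v[field])) groups.set(v[field], new Set());
      groups.get(v[field]).add(v.topLevel);
    }
    return [...groups.values()].map((sites) => [...sites].sort());
  }
}

// One user visits two sites that both embed the tracker. `metricsFor(site)`
// is what the fingerprinting script reads on that site.
function simulate(partitioned, metricsFor) {
  const jar = new CookieJar(partitioned);
  const tracker = new Tracker();
  for (const site of ["news.example", "shop.example"]) {
    tracker.seen(jar, site, metricsFor(site));
  }
  return { byCookie: tracker.linkedBy("id"), byFingerprint: tracker.linkedBy("fp") };
}

// Constructed metrics: a stable browser vs one that randomizes canvas per site.
const BASE = { ua: "Firefox/Windows", screen: "1920x1080", timezone: "UTC", canvas: "canvas-abc" };
const stableMetrics = () => ({ ...BASE });
const randomizedMetrics = (site) => ({ ...BASE, canvas: `rnd-${site}` });

console.log("unpartitioned, stable   :", simulate(false, stableMetrics));
console.log("partitioned, stable     :", simulate(true, stableMetrics));
console.log("partitioned, randomized :", simulate(true, randomizedMetrics));
```

With an unpartitioned jar the tracker reads the same `uid-1` on both sites and never needs a fingerprint. With a partitioned jar it hands out `uid-1` and `uid-2`, so the cookies no longer link the visits, but `byFingerprint` still groups both sites under one entry as long as the readable metrics are stable. Only when the canvas value changes per site does the fingerprint grouping split as well, which is the case the thread describes as fooling a naive script.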

Fingerprinting was once called supercookies. If your cookies are not deleted, it is even easier to identify that you came back to the site again, as your unique ID is already written in the cookies; no need to check IP or fingerprinting at all?

Cookie Protection on Firefox and Brave

Certainly, fingerprinting is far from the only form of tracking on the internet. All the fingerprinting protection in the world will make no difference, for example, if you quite literally log in to a site to identify yourself.

In my case, I sanitize all browser and site data every time the browser is closed and use Temporary Containers for Firefox anyways. That handles being re-identified by the site itself; as for third party cookies, Firefox’s Enhanced Tracking Protection mode blocks those.

On Brave’s side, while there isn’t a container system (I’ve heard using separate profiles is a thing some users on Brave do, but that seems somewhat different), Brave does have the ability to sanitize on closing the browser, as well as the “Forget me when I close this site” option which wipes cookies and site data when you close the site. So that’s Brave’s answer to being re-identified by the site. It can also block third party cookies as well, like Firefox.

Benefits of Fingerprinting Protection even with Cookies

With all of that said, fingerprinting protection is beneficial regardless of the status of cookies on your browser. Broadly speaking, fingerprinting can be used to construct a static identity for you on the internet that can follow you around between sites, even to sites you've never visited before.

Fingerprinting is also particularly insidious, because unless you use a browser with fingerprinting protection, it is difficult to change your fingerprint such that it is not recognizable. It's always possible for you to simply wipe your cookies when you want to. But without fingerprinting protection, you cannot do the same thing with your online fingerprint as easily.

All of that is to say, fingerprinting protection is a beneficial and important thing to have, regardless of your login state on a specific site or whether or not you are clearing cookies.

6 Likes

Thank you for your response.
I have actually seen this excellent thread before, but it’s been quite some time, and I was certainly overdue to re-read it. Once again, I appreciate it.

I’ve taken the opportunity to read it closer than I have before, and will use this post to attempt to digest what he is saying and think out loud a bit; I do believe, like you said, that these links are very relevant to my question.

The Arkenfox Wiki

The way I understand the Arkenfox wiki's fingerprinting basics section is essentially as follows:
  1. There are two methods of fingerprint protection.
    1. Randomization
    2. Blending in with the crowd
  2. Naive scripts are those which can be fooled by randomization
    1. The more randomization, the better the chance that you'll fool a naive script; in other words, cover as many metrics as possible and hope the naive script buys it
  3. All randomization is detectable, however
  4. The scripts that can detect and see through randomization are advanced scripts
    1. There are different levels of sophistication among advanced scripts
    2. But regardless, fooling an advanced script requires a crowd.

Advanced fingerprinting scripts require a crowd, and naive ones require covering enough metrics that they buy in to your randomized values.

As the Arkenfox wiki points out—and I think is well known—since the TOR browser is the only browser that both: (1) covers enough metrics and (2) has a sufficient crowd:

Only Tor Browser can confidently address advanced scripts

On the contrary:

The best any other browser can confidently do is fool naive scripts

The Thorin Thread

When Thorin addresses the pertinent question of:
Is firefox's RFP really that much better than Brave's approach?
He notes, consistent with the Arkenfox wiki, that:
There are two answers: either script is naive or it isn't

Thorin's Answer To The First Question

Beginning with the first answer (naive scripts), Thorin seems to suggest that Brave has the edge over RFP:
Answer 1: Both RFP and Brave have randomizing. If a script is naive then no crowd is required to hide in.
Brave randomizes more items. That's it. Probably likely that brave sucks in more scripts that may get through

This reinforces his statement earlier in the thread:

RFP is randomized. Brave is randomized. Brave randomizes more items. The more randomized items, the greater the chance a script swallows the poison pill and becomes a naive script and thus doesn't track you. End of story.
It's interesting that Thorin seems to think that Brave might have the edge in terms of naive scripts. Both RFP and Shields are evolving products, though. Brave has had several blog posts in the interim between Thorin's post from late 2022 until now, within which Brave enumerates the various improvements they've made to their Shields. One particularly big one I remember was font fingerprinting protection.
I don't know as much about the changes that Firefox has made in RFP since then--despite using Firefox as my daily driver--but all that is to say that I am curious whether or not Brave still randomizes more items, especially now that Brave has retired its Strict mode fingerprint protection.
To the extent that the best either Firefox or Brave can confidently do in the first place is fool naive scripts, this seems to be a rather crucial point.

Thorin's Answer To The Second Question

I think this is probably the more interesting of the two questions Thorin addresses, though perhaps the less relevant of the two, since Brave and Firefox are more targeted at naive scripts in the first place.

I don't think anyone well versed in the privacy browser ecosystem would disagree with the statement that TOR is required to confidently deal with advanced scripts, as the Arkenfox wiki notes and as Thorin himself implies when he notes that if your threat model is high, TOR is the only way to go. Certainly, this is common knowledge.

With that said, neither Arkenfox nor Thorin seem to suggest that TOR is the only browser which can defeat advanced fingerprinting scripts, just that it is the only browser which can confidently do so.

I think it it is precisely this distinction that serves as the backdrop for why Thorin goes on to discuss how Brave and Firefox fare in terms of advanced scripts, noting the difference in crowd between RFP and Brave Shields.

Thorin writes that:

If a script is not naive, then a crowd is required.

Brave's shields is on by default, and I believe Brave has 50mn users - so that's all excellent.

RFP on the other hand is not enabled by default

This is along the same lines of what I was thinking about too in this thread. I believe that what Thorin is pointing out here is that by nature of default settings, the RFP pool is probably much smaller than the Shields protection pool. However, I think something that Thorin isn’t mentioning here, and this is probably because Thorin’s post is about desktop, is that on mobile, this disparity is probably exacerbated by the difference in popularity between Brave mobile and Firefox mobile.

The mobile vs desktop distinction aside though, Thorin further indicates that:

Brave is slowly adding more and more metric protections, and the more they add, the harder and more costly it gets for fingerprinters.

But only RFP has gone anywhere near enough.

Once again, I find myself wondering how the two browsers stand in terms of metrics covered now over a year after Thorin’s post. Is RFP still the only thing that has gone anywhere near enough? Or have the several improvements to Shields that the Brave team have added since then pushed it over the line?

Ultimately though, it seems like what Thorin is getting at is that RFP has the metrics, Brave has the crowd, and if your threat model isn’t high enough to warrant TOR, then either of them will suit your needs, as is summarized in his own words when he writes:

So ultimately, if your threat model is that high .. USE TOR BROWSER .. otherwise, get on with your life. If you use FF use RFP (if it suits) or at the very least CanvasBlocker (just canvas and audio will do). If you use Brave, you have Shields

Conclusion

In the end, while Thorin's post and the Arkenfox wiki are both incredibly informative and, in my opinion, amongst the best literature we have on this topic, I do think they leave me with a few key questions.
  1. Thorin seems to suggest that Brave is superior in terms of naive scripts by virtue of randomizing more metrics relevant to naive scripts. Is this still true today? When one considers that Brave and Firefox are ultimately only able to confidently fool naive scripts anyway, then any advantage in fooling naive scripts is probably dispositive of my entire question. That is to say, whether or not Thorin is right about this, and whether it still holds true if he is, is probably the most critical question for my thread here today.

  2. Is it still the case that only RFP has gone "anywhere near enough" in terms of metrics covered for advanced scripts? Or have the advancements in Shields that Brave has made in the ~year and a quarter-ish since Thorin's post brought Shields closer to the "enough metrics" line?

    1. If, as Thorin indicated, Brave has the crowd advantage over RFP—which seems intuitive and was indeed my own leaning, and the impetus for me making this entire thread—then whether Brave (1) is still not covering anywhere near enough metrics; or (2) now covers enough metrics to have crossed the "enough metrics" line would be highly pertinent to deducing a conclusive answer to my question here.

  3. Specifically for mobile, to the extent that there is likely a much wider gap between Brave Shields users and Mobile FF + UBO + RFP users, does the scale tip in favor of Brave? Thorin's comparison itself seemed, again, to say "FF has the robust protection, Brave has the pool," therefore "pick which one you like." I wonder if a substantially larger disparity in pool size between Brave and Firefox for mobile would tip the scales in Brave's direction.

  4. I am not an Arkenfox user myself. I have, however, tried it in the past and read through the comments on the Arkenfox config, as the Arkenfox wiki says you should. It appears to be the case that RFP does not utilize all of its protections on Firefox in the same way it does for TOR. Arkenfox re-enables some protections, like RFP letterboxing, for example. To what extent is Thorin's post assuming Arkenfox/Tor style RFP compared to default RFP for Firefox?

Anyway, this once again ended up a long post—conciseness has never been my forte. I do think it is a complex topic and worthy of consideration in depth, though.

I do still believe there remain questions unanswered as to how Brave and Firefox fare when compared to each other, particularly in the context of their potentially disparate pool sizes, as well as whether Brave still has the advantage that Thorin suggests in terms of naive scripts after removing its strict mode. Thorin’s posts and the Arkenfox wiki are both excellent in narrowing down the distinction between naive and advanced scripts and when the crowd issue matters as opposed to when it does not.

4 Likes
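The naive-versus-advanced distinction summarised in the post above is concrete enough to put into code. The following is an added example, not code from the thread, from Brave or from Mozilla: a toy model in which a "naive" script hashes every metric it can read, while an "advanced" script first discards any value it has never seen come out of a genuine browser (the simplest way randomization is detectable) and hashes only what remains. The population counts, the metric names and values, and the `KNOWN_GENUINE` table are all constructed for the model and are not measurements of any real browser.

```javascript
// Added example, not code from the thread, Brave or Mozilla: a toy model of
// naive vs advanced fingerprinting scripts against a constructed population.

// Tiny FNV-1a hash used only to turn a metric set into a short ID.
// Assumption: a real script would use SHA-256 or a server-side hash.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Values the fingerprinter has previously seen from genuine, unmodified
// browsers (constructed; a real script keeps a large database of these).
const KNOWN_GENUINE = {
  canvas: new Set(["canvas-win-intel", "canvas-win-nvidia", "canvas-mac-m1"]),
  audio: new Set(["audio-win", "audio-mac"]),
};

// A browser profile: metrics that never change between visits, plus the
// metrics it re-randomizes with a fresh seed each session.
function profile(id, stable, randomized) {
  return { id, stable, randomized: new Set(randomized) };
}

// What a script observes in one session. A randomized metric is derived from
// (browser, session), so repeat reads in the same session agree but the value
// changes on the next visit.
function observe(browser, session) {
  const seen = { ...browser.stable };
  for (const key of browser.randomized) {
    seen[key] = "rnd-" + fnv1a(`${browser.id}:${session}:${key}`);
  }
  return seen;
}

const canonical = (obj) => JSON.stringify(obj, Object.keys(obj).sort());

// Naive script: hash everything it can read and treat the result as an ID.
function naiveId(observed) {
  return fnv1a(canonical(observed));
}

// Advanced script: drop any metric whose value it has never seen from a
// genuine browser (a randomized value never matches), then hash the rest.
function advancedId(observed) {
  const trusted = {};
  for (const [key, value] of Object.entries(observed)) {
    if (KNOWN_GENUINE[key] && !KNOWN_GENUINE[key].has(value)) continue;
    trusted[key] = value;
  }
  return fnv1a(canonical(trusted));
}

// Can this script re-identify the browser on a second visit?
function linkable(browser, idFn) {
  return idFn(observe(browser, "visit-1")) === idFn(observe(browser, "visit-2"));
}

// How many browsers in the population are indistinguishable from `target`?
function anonymitySet(population, target, idFn) {
  const want = idFn(observe(target, "visit-1"));
  return population.filter((b) => idFn(observe(b, "visit-1")) === want).length;
}

// Constructed population; the counts are illustrative, not measurements.
function buildPopulation() {
  const pop = [];
  const win = { ua: "Chromium/Windows", screen: "1920x1080", canvas: "canvas-win-intel", audio: "audio-win" };
  // 20 unprotected Chromium users, each on a distinct GPU: stable and unique.
  for (let i = 0; i < 20; i++) pop.push(profile(`chrome-${i}`, { ...win, gpu: `gpu-${i}` }, []));
  // 300 Brave-style users on a common GPU who randomize canvas and audio every session.
  for (let i = 0; i < 300; i++) pop.push(profile(`brave-${i}`, { ...win, gpu: "gpu-common" }, ["canvas", "audio"]));
  // 5 Firefox+RFP-style users: normalized UA/screen/GPU, randomized canvas and audio.
  const rfp = { ua: "Firefox/Windows", screen: "1400x900", gpu: "masked", canvas: "canvas-win-intel", audio: "audio-win" };
  for (let i = 0; i < 5; i++) pop.push(profile(`rfp-${i}`, rfp, ["canvas", "audio"]));
  return pop;
}

function report(population, browser) {
  return {
    naiveLinkable: linkable(browser, naiveId),
    naiveCrowd: anonymitySet(population, browser, naiveId),
    advancedLinkable: linkable(browser, advancedId),
    advancedCrowd: anonymitySet(population, browser, advancedId),
  };
}

function demo() {
  const pop = buildPopulation();
  return { chrome: report(pop, pop[0]), brave: report(pop, pop[20]), rfp: report(pop, pop[320]) };
}

console.log(demo());
```

Running `demo()` shows the two regimes the post distinguishes. Against the naive script, both randomizing profiles come out unlinkable across visits and each looks unique (`naiveCrowd` of 1), and the size of the crowd never enters into it. Against the advanced script the randomized values are thrown away, the remaining stable metrics hash identically on every visit, and the only thing protecting a user is how many others share those stable metrics: 300 for the Brave-style profile, 5 for the RFP-style profile, and 1 for the unprotected Chromium user. Which regime a real site falls into is exactly the open question the thread leaves.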

@Privacy Wow! Your posts are very informative! Thanks!

I have my concern with Tor. It might not be directly related to the fingerprint protection, but wouldn’t Tor make the users stand out because everyone would know they use Tor, i.e. ISP would know you connect to Tor, and the destined server would know you come from Tor’s exit node?

I see this Quora to be very interesting:

Moreover, Tor users are a rare breed, as there are only around 4M running Tor currently. But the real problem could be the number of Tor nodes that is only around 8K, of which only 2-2.5K are running exit nodes, while guards/entry nodes are around 4K, see: Servers – Tor Metrics.

What if half of those nodes are run by government agencies or malicious actors, or both? See: Malicious Actor Controlled 23% of Tor Exit Nodes.

This does not even account for the fact that Tor is based on Firefox ESR, which is not a secure browser, i.e. it does not even have to be compared to Chromium, as not all of Firefox stable release’s security patches are ported to Firefox ESR; even the ones that are listed as high impact are missing in ESR.

I find this article very interesting regarding the risk of using Tor:

It’s said that:

[Tor Browser Bundle] collapses state-level targeting of browsers to a small set of Firefox versions; TBB is the most risky browser you can possibly run

— Thomas Ptacek (paraphrasing Bruce Leidl)

What’s your opinion on this?

1 Like

On my part, after coming across this site:
https://madaidans-insecurities.github.io/index.html
Where you will find this Article:
https://madaidans-insecurities.github.io/browser-tracking.html
Daniel Micay (or whoever wrote this article here):

Says that:
“We recommend against trying to achieve browser privacy and security through piling on browser extensions and modifications. Most privacy features for browsers are privacy theater without a clear threat model and these features often reduce privacy by aiding fingerprinting and adding more state shared between sites. Every change you make results in you standing out from the crowd and generally provides more ways to track you. Enumerating badness via content filtering is not a viable approach to achieving decent privacy, just as AntiVirus isn’t a viable way to achieving decent security. These are losing battles, and are at best a stopgap reducing exposure while waiting for real privacy and security features.”

I haven’t been worried about it much, since on mobile I’m on GrapheneOS for 2 months now and use Vanadium for almost everything. Brave for a few things.
Since there is no way for me to know that it is working and I’m reducing “brainf.ck” in my life :slight_smile:
On enumerating badness:
https://www.ranum.com/security/computer_security/editorials/dumb/
Goes for trackers as well.
Sometimes I will start to worry about it again…Then I come back to the link and let it be again :slight_smile:
But @Privacy thank you for the information. It is still very interesting topic for me.

1 Like

edit: my interest and focus are primarily desktop browsers; my comment was mostly written in that context. Most concepts probably apply to mobile browsers also, but some won’t.


You wrote a nice distillation/overview of a complicated subject. You and I interpreted a few things differently, which I’ll touch on, but overall I think we largely have a similar takeaway with a few key differences.

Summarizing my takeaway (which I believe are mostly in agreement with yours):

  1. If preventing fingerprinting is important to you, there are only two strong options (both based on Firefox + RFP): Mullvad Browser w/ VPN, or Tor Browser. And the choice between these two will come down to whether you need anonymity (Tor) or just privacy (Mullvad w/ VPN).
  2. Anything else falls short and will at best be able to defeat naive scripts. In that context, Brave may have a slight edge in the context of randomization and naive scripts. While Firefox’s RFP is technically more capable and covers more metrics (which is crucial for advanced fingerprinting) Brave’s approach which protects less but relies a bit more heavily on randomization may trick more naive scripts (which is good, because at this level naive scripts are all you should expect to defeat with Brave or FF at this point).
  3. So, if anti-fingerprinting is a priority for you, use a browser purpose built for that, and put up with the usability tradeoffs inherent in that. If not, protection will be at best limited. And because the effectiveness of either Brave or Firefox is at best mediocre and probably pretty similar, it probably shouldn’t be the deciding factor, other privacy concerns should be given more weight as well as overall personal preference.

Or reduced to a single sentence: If fingerprinting protection is a priority, Tor or Mullvad; if it is less of a priority, Brave or Firefox + RFP can offer some limited protection (the limitations are that Firefox + RFP doesn’t have enough users for large crowds, and Brave doesn’t cover enough metrics for there to be crowds).


Now addressing some of the places we didn’t come away with the same understanding:

Thorin seems to suggest that TOR is the only browser which can defeat advanced fingerprinting scripts, just that it is the only browser which can confidently do so.

Mullvad Browser would also be included in this category. It had not been released at the time of the comment you quoted. I think Firefox + RFP is also theoretically as capable in technical terms, but not in practice, the issue with FF+RFP is not enough users opt-in to form crowds, and too much variation in configuration/extensions/etc among Firefox users.

Sidenote: I did get Arkenfox + uBO to defeat a fingerprinting script that both MB and TBB also passed. (Brave could pass in strict mode but failed in standard mode, and unfortunately strict mode is about to be discontinued.)

I know you just read it but I want to reiterate this snippet from the Arkenfox wiki:

The best any browser can confidently do, excluding Tor Browser and Mullvad Browser, is fool naive scripts. In Firefox the best tool for that is RFP - it is performant, does not leak real values, and has timing mitigations against side channel attacks

Moving on to:

[Firefox + RFP] has the metrics, Brave has the crowd, and if your threat model isn’t high enough to warrant TOR, then either of them will suit your needs

*Or Mullvad Browser. But if your threat model is not high enough to warrant Tor Browser or Mullvad, I don’t believe you should be spending a lot of time and effort thinking about fingerprinting because you are choosing between different degrees of mediocre. Or as Thorin put it (in the context of naive scripts):

If your threat model is that high … [use Tor Browser or Mullvad] … otherwise, get on with your life
There is nothing wrong or better about either of them [Brave or Firefox]

When you say:

Brave has the crowd

I think this may be a partial misunderstanding, or at least it differs from my understanding, going back to some of the “rules”:

  • If you do nothing on desktop, you are already uniquely identifiable (there is no “crowd” to blend in with)
  • The best any browser can confidently do, excluding Tor Browser and Mullvad Browser, is fool naive scripts
  • Fooling naive scripts does not require a crowd
  • Defeating advanced scripts requires a crowd, the larger the better

Brave’s userbase does not constitute a crowd (nor does Firefox’s), and Brave doesn’t cover enough metrics to create effective crowds (Firefox’s RFP can, but its user base is tiny so the crowds are probably too small). But crowd size is less relevant for the naive scripts Brave is capable of protecting against, and only matters within a context for which Brave is not recommended.

I believe, the comment about crowds was brought up specifically in the context of:

And Brave has a default shield, and one day will maybe add enough metrics

Basically Brave’s policy of enabling shields by default becomes an advantage IF they get serious about addressing advanced fingerprinting in the future, and cover some of the metrics they have been unwilling or unable to cover so far. But then covering those metrics would put them in the same position as Firefox is in with RFP, they can’t really enable it by default because the usability penalty for this level of protection would likely alienate many users.

So it is sort of a catch-22 (Brave’s shields being on by default could be beneficial IF they covered more metrics, but the only reason they are able to have it on by default without upsetting or confusing users is because it is moderate and doesn’t cover all the metrics needed to be effective against advanced fingerprinting)

As to whether enough metrics are covered now, I think the answer is still no. If they were, you would likely notice, because there would be more obvious points of friction and irritation (as with Mullvad Browser and Tor Browser), the most obvious of which would be letterboxing (or, if you use dark mode, losing dark mode would be quite obvious). You could also try a few tests yourself (take success with a grain of salt, but I believe failure does = failure).


Not to complicate things further but there are two (and a half) other factors to consider:

  1. Both Brave and Firefox block known fingerprinting scripts using traditional methods, so the fooling of naive scripts would be a second layer of defense if the script is not blocked outright.
  2. Firefox has actually been working on a second anti-fingerprinting feature called FPP. It’s milder than RFP, and it will likely be enabled by default initially in private browsing mode, and possibly for everyone in time. My guess is that FPP will eventually become Firefox’s answer to Brave’s approach of a middle-of-the-road solution that offers mediocre protection but breaks less of the user experience. It will not replace RFP; it will complement it, and users will have the choice. Because it’ll be on by default, at least in PB mode, and possibly for users that enable ETP strict mode, it might enable effective creation of crowds in Firefox (but like Brave that would depend on whether enough metrics are covered); at least it should combat naive scripts. I believe the idea is that protections present in RFP will gradually make their way into FPP when they are deemed acceptable for a more general userbase, and RFP will continue to exist for Tor, Mullvad, and Firefox users who choose to enable it. Here is a link where FPP is discussed (also a note for Arkenfox users: FPP will be replacing RFP as the default in the near future).
  3. Brave is losing its strict fingerprinting protection mode :frowning:
4 Likes

You’ll stand out like a sore thumb in many contexts, but the goal is to stand out like a sore thumb in exactly the same ways as a large number of other users. (As to the ISP, you can protect against that.)

I don’t think there is really any practical alternative to this approach where anonymity matters, since mainstream browsers, including mainstream privacy-centric browsers, don’t really have real crowds to blend in with.

Once again, I appreciate the time you’ve taken to write an informative and helpful response. I find that all too often comparisons of these two browsers in particular tend to devolve into arguments, making it difficult to find proper discussions like this.

About Mullvad Browser

I agree with everything you said about it; I was only leaving it out because Thorin did (which, as you said, is because it wasn't around while he was posting). In retrospect, perhaps I should have included it in my post because someone reading this in the future without the context might find its exclusion perplexing. But your response took care of that, so all is well.

While I don't use Mullvad Browser myself (in part because I don't use Mullvad VPN, and in part because my threat model just doesn't really call for it), it's truly some great work that the Tor Project and Mullvad have done with it.

About the Thorin Article

Honestly, I think we are more in agreement in our interpretations than my own post might have let on. But to the extent that our interpretations do differ, it isn't particularly material. However interesting the question of "how well do Brave and Firefox hold up to advanced scripts" may be, I believe we are all in agreement—Thorin, yourself, and myself—that both Firefox and Brave are the wrong tool for the job. In any practical sense, the focus for these browsers must and can only be on naive scripts, at least unless some major change takes place in the future.

As to the Question At Hand

I do think this discussion has cleared up one key way in which I had been thinking about the issue in the wrong way, though.

As I understand it, until fairly recently, Firefox for Android only allowed installation of a limited list of extensions aside from the nightly variant. Moreover, only the nightly variant allowed access to about:config (I believe this is still true). Therefore, I do not believe there was a way to enable RFP on any Android variant aside from Nightly until recently (using Mull being another option).

Unlike the main variant for which Google Play indicates 100M+ downloads, the Nightly version only has 1M+; and since I believe the next step up is 5M+, that gives us a general range of how many people might have had RFP enabled for Android (excluding Mull users, but there cannot be too many of them). Even generously putting the number at 5 million, 5 million users is rather small in internet-land.

While I was not attempting to argue that naive scripts require a crowd, I was imagining a scenario where I might be one of only two or three—or maybe even the only—Firefox for Android with RFP users who might visit a site. And I was imagining that in that case, I could be fingerprinted as "that one RFP user."

This, however, is not the proper way to look at it. Since a naive script will swallow randomized or otherwise spoofed values anyway, some fingerprinting script wouldn't see me as "that one RFP user," since I would be seen as a "different RFP user" every time.

Some Other Thoughts

Ultimately, I think I am satisfied with the conclusion that I don't need to jump ship from Firefox to Brave. This is good, because while I like Brave and often recommend it to my friends who want a browser that "just works and feels like Chrome," I personally much prefer Firefox as a user. This is part of why I use it on both desktop *and* mobile, in spite of Privacy Guides' (and other credible sources') warnings about its reduced security. But that is a question for another day.

I do certainly like to see Firefox's work with FPP. I've been following that for a little while and am excited about the implications it will have for better fingerprinting protection for all.

As for online tests, while they should be taken with a grain of salt like you said, I have tried many of them over the years. As it stands, my Firefox setup defeats most of the online tests I've tried, including fingerprint.com's which you linked, both on desktop and mobile.
In the past, I have also found that Brave with Strict mode would pass many (but not all) of the ones that Firefox could pass, but unfortunately, they fail with the new mandatory standard mode. Such a shame that Brave decided to get rid of its stronger protections!

The only online test I have consistently failed on Firefox (and Brave, of course) is creepJS. Naturally, I have tried throwing Mullvad browser at it (despite being a Proton VPN user) and Mullvad had no issue defeating creepJS. I do wonder how Arkenfox would fare; in the brief time I used Arkenfox, I didn’t think to try it.

This is perhaps a topic for another day as well, but at least topically related to how you mentioned Brave and Firefox block known fingerprinting scripts outright when they can, I happen to use uBlock Origin in hard mode on both desktop and mobile. Though that in and of itself could probably make me stand out in the same way that messing with filtering lists might, it blocks a tremendous amount of scripts and other internet nasties. And indeed, even creepJS, which I am unable to defeat on Firefox when it runs, fails to even complete its analysis in the first place with uBlock Origin on hard mode unless I let it through (it does still run on medium mode).

Though even uBO hard mode won’t block first-party fingerprinting scripts (hence the need for the browser itself to do some work), I do have to wonder if this ends up catching a lot of fingerprinting scripts on its own, as I imagine many sites would use 3rd-party scripts to fingerprint users, and all of those should be caught by uBO in hard mode.

In any case, thank you again for your informed and thorough responses, and to everyone else who responded. I am glad to see that my days with Firefox won’t need to end any time soon!

2 Likes
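The first-party versus third-party distinction raised in the reply above, as an added JavaScript model that is not code from this thread or from uBlock Origin itself. It encodes a simplified policy (an assumption made for this example, not uBO's actual rule engine): medium mode denies third-party scripts and frames, hard mode denies every third-party request, and first-party requests always pass. The page URL, request list and the "registrable domain = last two labels" shortcut are constructed for illustration; real blockers consult the Public Suffix List.

```javascript
// Added example, not from the thread: a toy model of uBlock Origin's medium
// and hard blocking modes, showing which fingerprinting requests a
// third-party-blocking policy catches and which (first-party) ones it cannot.
// The policy is a simplification written for this example, not uBO's code.

// Registrable domain, approximated as the last two labels of the hostname.
// Assumption: this shortcut holds for the sample hosts used below; real
// blockers use the Public Suffix List.
function siteOf(url) {
  const host = new URL(url).hostname;
  return host.split(".").slice(-2).join(".");
}

function isThirdParty(pageUrl, requestUrl) {
  return siteOf(pageUrl) !== siteOf(requestUrl);
}

// Decide "allow" or "block" for one request under the modelled mode.
// mode: "medium" | "hard"; type: "script" | "frame" | "image" | "xhr"
function decide(mode, pageUrl, requestUrl, type) {
  if (!isThirdParty(pageUrl, requestUrl)) return "allow"; // first party always passes
  if (mode === "hard") return "block"; // hard mode: every third-party request
  if (mode === "medium" && (type === "script" || type === "frame")) return "block";
  return "allow"; // medium mode lets third-party images/XHR through
}

// Run a page's request list through the policy and report what got through.
function evaluate(mode, pageUrl, requests) {
  const allowed = [];
  const blocked = [];
  for (const r of requests) {
    (decide(mode, pageUrl, r.url, r.type) === "allow" ? allowed : blocked).push(r.name);
  }
  return { allowed, blocked };
}

// Constructed request list for a page on example.com (all URLs are samples).
const PAGE = "https://www.example.com/article";
const REQUESTS = [
  { name: "site-js",  url: "https://static.example.com/app.js",           type: "script" },
  { name: "fp-1p",    url: "https://www.example.com/fp.js",               type: "script" }, // first-party fingerprinter
  { name: "fp-3p",    url: "https://cdn.fp-vendor.example/agent.js",      type: "script" }, // third-party fingerprinter
  { name: "ad-frame", url: "https://ads.example.net/frame.html",          type: "frame" },
  { name: "beacon",   url: "https://cdn.fp-vendor.example/collect?id=1", type: "xhr" },    // third-party beacon
];

// Stand-alone run: medium mode lets the beacon through, hard mode does not,
// and neither mode touches the first-party fingerprinting script.
console.log("medium:", evaluate("medium", PAGE, REQUESTS));
console.log("hard:  ", evaluate("hard", PAGE, REQUESTS));
```

Under this model the first-party `fp.js` is allowed in both modes, which is the gap the reply points at: a blocker that keys on third-partiness cannot help when the site hosts the fingerprinter itself, so the browser's own protections have to cover that case.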

I’m curious what makes you feel this way, considering it seems you have a strong interest in preventing fingerprinting and Mullvad Browser is one of only two browsers that excel in this area?

I do certainly like to see Firefox’s work with FPP. I’ve been following that for a little while and am excited about the implications it will have for better fingerprinting protection for all.

I hope for a future where FPP is enabled for all users by default (that’d mean a userbase of ~200 million to form crowds from), and a goal of protecting as much as possible without breaking the user experience (more or less like Brave’s standard mode).

Personally, at this point in time, I feel Brave in standard mode is the best “light touch” / “middle of the road” solution in terms of not affecting usability. Firefox’s approach with RFP goes further and covers more but causes me more frustrations (as does Brave’s soon-to-disappear strict mode, which I’ve found more troublesome lately than in the past).

So I really like the idea of the dual-track approach Firefox is taking with RFP and FPP, especially considering it’ll be possible to choose what you use for normal mode and private browsing mode independently. And maintaining both simultaneously allows the developers to tailor each feature to a distinct group of threat models rather than forcing compromises.

As for online tests, while they should be taken with a grain of salt like you said, I have tried many of them over the years. As it stands, my Firefox setup defeats most of the online tests I’ve tried, including fingerprint.com which you linked, both on desktop and mobile.
In the past

That is great news! (and pretty surprising to me) I didn’t expect desktop Firefox (Arkenfox + uBO) to be able to pass that test, I especially didn’t expect that Firefox on Android would pass.

Maybe I’m misunderstanding something, but I like the fingerprint[.]com test compared to some others, as it seems to be a fundamentally different (and more practically relevant/useful test) compared to some of the other more popular tests.

If I understand it correctly whereas some of the other popular tests (amiunique, panopticlick) are assessing your “uniqueness” in a crowd of self-selecting users who take the test, Fingerprint[.]com’s test is not as affected by self-selection bias since it is not reporting uniqueness, it is attempting to identify you across sessions/site visits in the way that an actual fingerprinter would (which makes sense considering that they are an actual fingerprinting company). It seems like a better indicator of whether a browser can be tracked across sessions in the wild.

With that said, I only first learned of this test a few days ago so I could be missing some big caveats.

I do wonder how Arkenfox would fare; in the brief time I used Arkenfox, I didn’t think to try it.

I keep a Firefox profile devoted to stock Arkenfox + stock uBO (which is an Arkenfox recommendation) so I’m happy to test this out for you.

I happen to use uBlock Origin in hard mode on both desktop and mobile

I use uBO in medium mode. I think the benefits to security and traditional forms of tracking justify its use already, regardless of its impact on fingerprinting if you can handle the usability tradeoffs. But as you mention, in terms of fingerprinting, it may have substantial benefits (and some risks) to fingerprinting as well (edit: medium mode doesn’t seem to be enough for creep.js but hard mode is, this surprised me). If a fingerprinting script isn’t even allowed to run, it seems pretty impossible for that script to fingerprint you, and because (by default) we both have 3rd party scripts blocked, I’d imagine that substantially cuts down on the ways our browsers can be fingerprinted (with the exception of first party fingerprinting).

I’ve gained a good amount from this exchange, learned some new things, and really appreciate your approach to this discussion (on a subject that, as you noted, is both complex and nuanced). Thanks for that!

1 Like
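Two points from the exchange above, the earlier reply's observation that a per-session randomized value makes a naive script see a "different RFP user every time", and the later distinction between uniqueness tests (amiunique-style) and cross-session identification tests (fingerprint.com-style), in one added JavaScript simulation. This is not code from the thread, from any of the browsers, or from any of the test sites named; the browser profiles, metric values, noise model and hash are constructed for illustration.

```javascript
// Added example, not from the thread: a simulation of how a naive
// fingerprinting script links browser sessions, comparing two defences the
// discussion contrasts: a crowd of identical profiles (the Tor/Mullvad
// approach) and per-session randomized values (the farbling/RFP-canvas
// approach). Browser profiles, metric values and the hash are constructed.

// FNV-1a 32-bit over a string: the "hash every metric into one ID" step a
// naive script performs, with no attempt to detect or average out noise.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function naiveFingerprint(metrics) {
  const parts = Object.keys(metrics).sort().map((k) => `${k}=${metrics[k]}`);
  return fnv1a(parts.join("|"));
}

// Deterministic PRNG (mulberry32) so runs are reproducible offline.
function mulberry32(seed) {
  return function () {
    let t = (seed += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// A modelled browser. `randomized` names the metrics the browser re-seeds
// on every session; the noise suffix stands in for canvas/audio noise.
function makeBrowser(stableMetrics, randomized, rng) {
  return {
    newSession() {
      const m = { ...stableMetrics };
      for (const key of randomized) {
        m[key] = `${stableMetrics[key]}+noise${Math.floor(rng() * 1e9)}`;
      }
      return m;
    },
  };
}

// Cross-session test (what an identification service measures): fraction of
// later sessions whose naive fingerprint matches the first session.
function linkageRate(browser, sessions) {
  const first = naiveFingerprint(browser.newSession());
  let linked = 0;
  for (let i = 1; i < sessions; i++) {
    if (naiveFingerprint(browser.newSession()) === first) linked++;
  }
  return linked / (sessions - 1);
}

// Uniqueness test (what an amiunique-style page reports): fraction of
// fingerprints in a cohort that appear exactly once.
function uniquenessRate(fingerprints) {
  const counts = new Map();
  for (const fp of fingerprints) counts.set(fp, (counts.get(fp) || 0) + 1);
  const unique = fingerprints.filter((fp) => counts.get(fp) === 1).length;
  return unique / fingerprints.length;
}

// One session from each of `users` people running the same browser build.
function cohort(browser, users) {
  return Array.from({ length: users }, () => naiveFingerprint(browser.newSession()));
}

// Constructed sample profile shared by both modelled browsers.
const BASE = { ua: "ExampleBrowser/1.0", screen: "1920x1080", canvas: "c0ffee", audio: "a1b2c3" };
// Crowd strategy: every user reports the same values, nothing randomized.
const crowdBrowser = makeBrowser(BASE, [], mulberry32(1));
// Randomization strategy: canvas and audio get fresh noise each session.
const randomizingBrowser = makeBrowser(BASE, ["canvas", "audio"], mulberry32(2));

console.log("crowd      linkage:", linkageRate(crowdBrowser, 20), "uniqueness:", uniquenessRate(cohort(crowdBrowser, 50)));
console.log("randomized linkage:", linkageRate(randomizingBrowser, 20), "uniqueness:", uniquenessRate(cohort(randomizingBrowser, 50)));
```

The two strategies fail the naive script in opposite ways: the crowd browser is fully linkable across sessions (every visit hashes the same) but scores zero uniqueness because every other user hashes the same too, while the randomizing browser scores 100% "unique" on a uniqueness test yet is never linked back to its own earlier session, which is the "different RFP user every time" outcome. That is why a uniqueness score on its own says little about a browser that randomizes, and why a cross-session test is the more practically relevant measure for it.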