Hi! So I’ve been thinking about switching to Android, but I’ve been wondering about the effectiveness of anti-fingerprinting on both OSes (a very important thing for me) after reading this here and here. My previous impression was always that Safari is the next best thing after Firefox + RFP/FPP and Brave. Is this true, or is Safari actually better at protecting against naive fingerprinters than Brave?
Here are some excerpts:
“Fingerprints can be used to track the user across websites. If successful, it defeats tracking preventions such as storage partitioning and link decoration filtering.
There are two types of solutions to this problem:
- Make the fingerprint be shared among many users, so called herd immunity.
- Make the fingerprint unique per website, typically achieved via randomized noise injection.”
This is something that I never understood. “Herd immunity” is only relevant when talking about advanced fingerprinters because you will need to blend in a crowd to avoid them, but neither Safari nor Brave, nor Firefox for that matter, can deal with them, so why are they always talked about regarding these browsers? For example, the Brave recommendations warn against customizing its filterlists, “Using extra lists will make you stand out from other Brave users”, but why should this matter for any browser except for Mullvad and Tor?
“Our tools:
- Use multi-hop proxies to hide IP addresses and defend against network and geographic position fingerprinting.
- Limit the number of fingerprintable web APIs whenever possible. This could mean altering the APIs, gating them behind user permissions, or not implementing them.
- Inject small amounts of noise in return values of fingerprintable web APIs.”
“1. To make it more difficult to reliably extract details about the user’s configuration, Safari injects noise into various APIs: namely, during 2D canvas and WebGL readback, and when reading AudioBuffer samples using WebAudio.
2. To reduce the overall entropy exposed through other APIs, Safari also overrides the results of certain web APIs related to window or screen metrics to fixed values, such that fingerprinting scripts that call into these APIs for users with different screen or window configurations will get the same results, even if the users’ underlying configurations are different.”
“Here are some examples of features we have decided to not yet implement due to fingerprinting, security, and other concerns, and where we do not yet see a path to resolving those concerns:
- Web Bluetooth
- Web MIDI API
- Magnetometer API
- Web NFC API
- Device Memory API
- Network Information API
- Battery Status API
- Web Bluetooth Scanning
- Ambient Light Sensor
- HDCP Policy Check extension for EME
- Proximity Sensor
- WebHID
- Serial API
- Web USB
- Geolocation Sensor (background geolocation)
- User Idle Detection”
Sorry for the long post
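Added example, not part of the original post and not WebKit's or Brave's code: a sketch of the "unique per website" noise injection from the first excerpt, with a naive fingerprinter hashing a simulated canvas readback. The session secret, site names, flip rate and the FNV-1a/mulberry32 stand-ins are assumptions made for illustration; real browsers use their own schemes.

```javascript
// Added illustration; every name here is hypothetical, not a browser API.
// FNV-1a 32-bit: stand-in for the keyed cryptographic hash a browser would use.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// mulberry32: small deterministic PRNG, seeded per (session, site).
function prng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// The seed depends on a per-session secret and the top-level site (assumption).
function siteSeed(sessionSecret, site) {
  return fnv1a(new TextEncoder().encode(sessionSecret + "|" + site));
}

// Simulated canvas readback: flip the low bit of roughly 1 in 8 colour bytes.
function noisyReadback(pixels, sessionSecret, site) {
  const rand = prng(siteSeed(sessionSecret, site));
  const out = Uint8Array.from(pixels);
  for (let i = 0; i < out.length; i++) {
    if (i % 4 !== 3 && rand() < 0.125) out[i] ^= 1; // leave alpha untouched
  }
  return out;
}

// What a naive fingerprinting script does: hash the readback bytes.
const canvasFingerprint = (pixels) => fnv1a(pixels).toString(16).padStart(8, "0");

// Constructed sample: a 16x16 RGBA gradient standing in for a rendered canvas.
const raw = Uint8Array.from({ length: 16 * 16 * 4 }, (_, i) => (i * 7) % 256);
const secret = "constructed-session-secret";
const onA = canvasFingerprint(noisyReadback(raw, secret, "site-a.example"));
const onB = canvasFingerprint(noisyReadback(raw, secret, "site-b.example"));
console.log({ raw: canvasFingerprint(raw), onA, onB });
```

The same device yields a different hash on each site, so the hash cannot link visits across sites, while each pixel changes by at most one step. A script that averages many readbacks or ignores the low bits is not stopped by this.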