Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fingerprinting 2.0: User Agent - follow up to 9190 #12097

Closed
LaurenWags opened this issue Oct 12, 2020 · 2 comments
Closed

Fingerprinting 2.0: User Agent - follow up to 9190 #12097

LaurenWags opened this issue Oct 12, 2020 · 2 comments
Labels
feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Desktop privacy privacy-pod Feature work for the Privacy & Web Compatibility pod QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release-notes/include
Milestone
1.17.x - Release #1

Comments

@LaurenWags
Copy link
Member

Per #9190 (comment), #9190 should be tested with 1.17.x when all of the code has landed.

Test plan for both Desktop and Android (per #9190 (comment)):

per @pes10k comment:
i've added a user-agent row to https://dev-pages.brave.software/farbling.html

Things to check:

  1. using an android device, hit the "generate fingerprints" button, then click on one of the hash values in that row and make sure that in the popup it says "android device" and not any particular device model
  2. in "strict" blocking, you should get different fingerprints across top-level origins and sessions (there aren't a huge number of possible random values here, so if you see an identical fingerprint (for the user-agent row only), its worth checking on the sibling page or on another session to see if you get another fingerprint then)

Original issue description

This is a sub-issue of the larger fingerprint defense reorganization issue: #8787

User Agent String

NavigatorID.userAgent

default protections:

  • for devices with OS version numbers, always report MAX(current minor version number, latest version number as of build)
  • (only for android) don't report device name in UA, only return "android device" (same as what DDG browser does)

max protections:

  • return chrome default UA for each platform
  • At end of UA, add [0, 5] additional whitespace characters, as determined by eTLD+1 seed (only for JS reflected value)

(other notes for future consideration)
In default mode, we could probably get by safely with adding [0, 5] additional whitespace characters, as determined by eTLD+1 seed (only for JS reflected value), but for the first time out, lets be very very conservative with the UA and not make any "clever" changes like that.

Also, we could probably get by with adding [0, 3] additional whitespace characters between UA segments, but again, for the first change, lets be conservative.
@LaurenWags LaurenWags added privacy feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields QA/Yes release-notes/include OS/Android Fixes related to Android browser functionality privacy-pod Feature work for the Privacy & Web Compatibility pod OS/Desktop labels Oct 12, 2020
@LaurenWags LaurenWags added this to the 1.17.x - Nightly milestone Oct 12, 2020
@LaurenWags LaurenWags mentioned this issue Oct 12, 2020
Closed
@LaurenWags
Copy link
Member Author

LaurenWags commented Oct 29, 2020
edited by btlechowski
Loading

Verified passed with

Brave | 1.17.55 Chromium: 86.0.4240.111 (Official Build) dev (x86_64)
-- | --
Revision | b8c36128a06ebad76af51591bfec980224db5522-refs/branch-heads/4240@{#1290}
OS | macOS Version 10.14.6 (Build 18G6032)

Verified test plan from description

Using https://dev-pages.brave.software/farbling.html and https://dev-pages.bravesoftware.com/farbling.html, confirmed:

When FP = strict, the "User Agent" row has the same values in each column and the values differ between the two pages strict 1
If I relaunch and generate fingerprints again, when FP = strict, the "User Agent" row values differ from previous session (values are not retained on each page per session). Note, issue description notes limited values so duplicate values are possible strict relaunch

Logged #12392 as a follow up for the Worker column value not matching the other values in the User Agent row. Note, this value is the same as when FP = standard or shields are off.

FP=standard standard
Shields off shields down

Verification passed on

Brave 1.17.62 Chromium: 86.0.4240.185 (Official Build) dev (64-bit)
Revision 37e6f852ed18086458552039ad26421aa9fc7acc-refs/branch-heads/4240@{#1377}
OS Windows 7 Service Pack 1 (Build 7601.24544)

Verified test plan from description

Using https://dev-pages.brave.software/farbling.html and https://dev-pages.bravesoftware.com/farbling.html, confirmed:

When FP = strict, the "User Agent" row has the same values in each column and the values differ between the two pages

image

If I relaunch and generate fingerprints again, when FP = strict, the "User Agent" row values differ from previous session (values are not retained on each page per session). Note, issue description notes limited values so duplicate values are possible

image

Encountered #12392

FP=standard ![image](https://user-images.githubusercontent.com/34715963/98424221-5b5b7800-2091-11eb-9dc7-0376bd79e6ea.png)
Shields off

image

Verification passed on

Brave 1.17.59 Chromium: 86.0.4240.183 (Official Build) dev (64-bit)
Revision 0b568b034b8f7994697cb341eeca5979b84151cc-refs/branch-heads/4240@{#1374}
OS Ubuntu 18.04 LTS

Verified test plan from description

Using https://dev-pages.brave.software/farbling.html and https://dev-pages.bravesoftware.com/farbling.html, confirmed:

When FP = strict, the "User Agent" row has the same values in each column and the values differ between the two pages
image image
If I relaunch and generate fingerprints again, when FP = strict, the "User Agent" row values differ from previous session (values are not retained on each page per session). Note, issue description notes limited values so duplicate values are possible
image image

Encountered #12392

FP=standard
image image
Shields off
image image

@srirambv srirambv mentioned this issue Nov 11, 2020
Closed
@srirambv
Copy link
Contributor

Removing Android label as a followup issue #12638 is logged

@srirambv srirambv removed the OS/Android Fixes related to Android browser functionality label Nov 11, 2020
@LaurenWags LaurenWags mentioned this issue Nov 18, 2020
Closed
@kjozwiak kjozwiak mentioned this issue Feb 10, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Desktop privacy privacy-pod Feature work for the Privacy & Web Compatibility pod QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release-notes/include
Projects
None yet
Milestone
1.17.x - Release #1
Development

No branches or pull requests
3 participants
@srirambv @LaurenWags @btlechowski