
User-Agent reveals too much information #130

Closed
vabole opened this Issue Feb 4, 2017 · 20 comments

@vabole

vabole commented Feb 4, 2017

Brave's User-Agent reveals:

  • Android version,
  • phone model
  • phone build

For a privacy respecting browser that is way too much. Most of the time, those three pieces of information, combined with the IP address are enough to accurately fingerprint a user.

For comparison, Firefox for Android only reveals Android version, Orfox reveals none of the above.

I believe that a privacy respecting browser should only reveal the information necessary to render pages correctly and nothing more.

@freebrowser1

freebrowser1 commented Mar 23, 2017

User agent should be configurable so the user (him|her)self can determine it.

@nexx512

nexx512 commented Apr 3, 2017

Making it fully configurable might lead to an issue that you need to update the browser version in the UA string manually on every browser update. But removing the android version and especially the system build would dramatically reduce the uniqueness for fingerprinting.

@srirambv

Collaborator

srirambv commented Jun 26, 2017

@e3b

e3b commented Oct 13, 2017

I'm curious: Why isn't this a higher priority? Not only does this make fingerprinting easy; it also reveals which known security holes I'm vulnerable to (like those that have been disclosed and patched in the latest Android release, but not on my outdated version, or that are unique to my phone model).

Is there any way someone without coding skills can contribute to this getting fixed?

@niij

niij commented Dec 9, 2017

I agree with the previous posters. Setting the UA on Android to the phone's Model+Build is just too unique. There are thousands of Android devices, so if you're not using a common one then you're leaving a pretty unique fingerprint. I vote to have the "fingerprint protection" enable a UA that respects privacy, at least while still being usable. Sending Android+Browser Version vendor seems like a good compromise on security to me.

There's no practical reason for a privacy respecting browser to be sending my phone's model number+build in the UA string, especially when fingerprinting protection is turned on.

Thank you!

@Exagone313

Exagone313 commented Dec 31, 2017

I looked a bit in the code how to do it.

The android.webkit.WebSettings object has a method setUserAgentString(String userAgent) to set the full User-Agent as it seems.

Unfortunately I can't submit a PR because WebSettings is used at multiple places in Java, and I don't know if the C++ code would have something to do too.

Also, I don't know if the navigator.userAgent JavaScript object property would have to be modified as well (probably not, but do test this please).

@AnotherLife

AnotherLife commented Mar 4, 2018

"Making it fully configurable might lead to an issue that you need to update the browser version in the UA string manually on every browser update."

That's a non-issue. Especially on a browser that can't play most YT embedded videos, reddit's embedded gifs, Twitter's embedded videos ...

@misaka00251

misaka00251 commented Mar 7, 2018

I'm wondering too... Why isn't this a higher priority?
And why don't these developers care about that?

@Lululalu

Lululalu commented Mar 20, 2018

+1. This should be a high priority.

@tomlowenthal

Member

tomlowenthal commented Apr 3, 2018

At the privacy meeting today, we agreed the following.

Short term: change the version/model/build to a fixed string on all devices. That continues to let us look like Chrome without revealing anything about the user device.

Medium term, if we get user reports of this breaking sites, we'll re-evaluate. @too4words & @snyderp will run some simulated tests to see if they notice anything which could indicate broken sites. If we don't see evidence of things breaking, we'll just keep incrementally updating the version strings to keep pace with a current template.

The version string we picked was an up-to-date Pixel 2, so the string should be Mozilla/5.0 (Linux; Android 8.1.0; Pixel 2 Build/OPM1.171019.013) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36 — though the Chrome version should track our equivalent Chrome version.
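An added example (not Brave's code, and not a change to any WebSettings call) illustrating the two points above: Exagone313's note that the UA is one string set as a whole, and the fixed-template plan in this comment. It parses the Android/Chrome-style UA format quoted here, extracts the three fields the issue objects to (Android version, model, build), and shows that a population of different constructed devices collapses to a single device key once every install emits the fixed Pixel 2 template; the device names and builds in the sample are constructed.

```javascript
// Parser for the Chrome-on-Android UA layout quoted in the thread:
//   Mozilla/5.0 (Linux; Android <ver>; <model> Build/<build>) ... Chrome/<ver> ...
const UA_RE = /Android (\d+(?:\.\d+)*); (.+?)(?: Build\/([^)]+))?\).*Chrome\/(\d+(?:\.\d+)*)/;

function parseAndroidUA(ua) {
  const m = UA_RE.exec(ua);
  if (!m) return null; // not a Chrome-style Android UA (Firefox, Orfox, desktop, ...)
  return { androidVersion: m[1], model: m[2], build: m[3] || null, chromeVersion: m[4] };
}

// The device-identifying tuple the issue complains about.
function deviceKey(ua) {
  const p = parseAndroidUA(ua);
  return p ? [p.androidVersion, p.model, p.build].join('|') : null;
}

// How many distinct device keys a set of UAs yields; closer to the population
// size means the UA alone separates users, 1 means it says nothing per device.
function distinctDeviceKeys(uas) {
  return new Set(uas.map(deviceKey)).size;
}

// The fixed template agreed in the thread. Only the Chrome version is meant to
// change over time, tracking Brave's equivalent Chrome release.
const FIXED_DEVICE = { androidVersion: '8.1.0', model: 'Pixel 2', build: 'OPM1.171019.013' };

function buildUA(chromeVersion, device = FIXED_DEVICE) {
  return `Mozilla/5.0 (Linux; Android ${device.androidVersion}; ${device.model} ` +
    `Build/${device.build}) AppleWebKit/537.36 (KHTML, like Gecko) ` +
    `Chrome/${chromeVersion} Mobile Safari/537.36`;
}

// Constructed stand-ins for three different real phones on the same Brave build.
const CONSTRUCTED_DEVICES = [
  { androidVersion: '7.0', model: 'ExampleModel A', build: 'EXAMPLE.A.001' },
  { androidVersion: '8.0.0', model: 'ExampleModel B', build: 'EXAMPLE.B.002' },
  { androidVersion: '6.0.1', model: 'ExampleModel C', build: 'EXAMPLE.C.003' },
];
const CHROME_VERSION = '63.0.3239.111'; // the version quoted in the thread

// Before: each phone's own fields are sent. After: every phone sends the template.
const REAL_DEVICE_UAS = CONSTRUCTED_DEVICES.map(d => buildUA(CHROME_VERSION, d));
const FIXED_UAS = CONSTRUCTED_DEVICES.map(() => buildUA(CHROME_VERSION));

// Illustrative Firefox-for-Android UA: carries the Android version but no model or build.
const FIREFOX_ANDROID_UA = 'Mozilla/5.0 (Android 7.0; Mobile; rv:57.0) Gecko/57.0 Firefox/57.0';

console.log('distinct device keys before:', distinctDeviceKeys(REAL_DEVICE_UAS));
console.log('distinct device keys after: ', distinctDeviceKeys(FIXED_UAS));
```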

@niij

niij commented Apr 3, 2018

@flamsmark thank you!

@Lululalu

Lululalu commented Apr 4, 2018

@flamsmark Why do you need to mention a device at all? It could be like Firefox or Firefox Focus, or Orbit, no mention of the device at all.

@Exagone313

Exagone313 commented Apr 5, 2018

To have a User-Agent close to Chrome's one? This is just for those (bad) websites that use buggy filters based on User-Agent, don't overthink it. Using Brave will probably still be a way to fingerprint you.

@tomlowenthal

Member

tomlowenthal commented Apr 5, 2018

@Lululalu Right now, we're trying not to look too different from Chrome. The Brave userbase is still small enough that we think being distinctively Brave makes someone stand out too much. If we didn't include anything in those parts of the UA, we'd be obviously not Chrome. Fixing that string lets us blend in with Chrome users, but without revealing any additional info or making Brave users more distinguishable from each other.

@Lululalu

Lululalu commented Apr 5, 2018

@flamsmark thank you for the explanation.

@melizeche

melizeche commented Apr 6, 2018

@flamsmark Finally! Thank you guys for your hard work!

@MegaArthur

MegaArthur commented Apr 6, 2018

So I guess we've been finally heard. Thank you.

@my-github-login

my-github-login commented Apr 16, 2018

This is great news, I resisted commenting too much on this but it's a great addition to the Android version for the reasons mentioned above. I for one have a unique phone / Brave combo, so on all fingerprinting tests I'm always the only version, which isn't ideal.

Any ideas which version this will appear in? I thought I am up to date but panopticlick is still seeing my actual phone in the user agent rather than a pixel 2.

@Clouted

Clouted commented Jul 25, 2018

Not only is the user agent not updated for mobile, it also leaks AudioContext here https://audiofingerprint.openwpm.com/

Despite fingerprinting protection on both in settings and as a shield. Sucks, could have been a possible solution for me if those two things were rectified.

@samartnik

Contributor

samartnik commented Aug 23, 2018

This will be fixed in #712

@samartnik samartnik modified the milestones: 1.0.55, 1.0.56 Aug 23, 2018

@samartnik samartnik modified the milestones: 1.0.59, Backlog Sep 24, 2018

@srirambv srirambv added the QA/Yes label Nov 10, 2018
