Skip to content

Stop modifying WebRTC Web APIs when fingerprinting protection=strict #11310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
pes10k opened this issue Aug 18, 2020 · 9 comments · Fixed by brave/brave-core#6454
Closed

Stop modifying WebRTC Web APIs when fingerprinting protection=strict #11310

pes10k opened this issue Aug 18, 2020 · 9 comments · Fixed by brave/brave-core#6454
Assignees
@pes10k @pilgrim-brave
Labels
feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass - Android x86 QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release-notes/include webcompat/not-shields-related Sites are breaking because of something other than Shields.
Milestone
1.14.x - Release #1

Comments

@pes10k
Copy link
Contributor

pes10k commented Aug 18, 2020

Right now, if you set fingerprinting protections to strict, the following JS APIs are removed or rendered useless:

These APIs are not fingerprinting related; this implementation is largely because Brave used to use the fingerprinting setting to control a number of non-fp related things too (to avoid jamming up the shields UI).

We should stop modifying these methods based on fingerprinting setting, and rely on the global WebRTC setting to control the privacy properties of these methods
@pes10k pes10k added privacy priority/P3 The next thing for us to work on. It'll ride the trains. webcompat/not-shields-related Sites are breaking because of something other than Shields. OS/Android Fixes related to Android browser functionality OS/Desktop labels Aug 18, 2020
@pes10k pes10k added the feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields label Aug 18, 2020
@cjwijtmans
Copy link

Are you sure? https://browserleaks.com/webrtc

@pes10k
Copy link
Contributor Author

pes10k commented Aug 19, 2020

@cjwijtmans sorry, im not sure I follow your question. Can you try rephrasing?

@cjwijtmans
Copy link

cjwijtmans commented Aug 19, 2020
edited
Loading

Because its clear webrtc is used in multiple ways to fingerprint. I was actually surprised on android brave browser it was able to pull up wan and lan ip adress which will work even on vpn. At this point i dont even trust brave.

@pes10k
Copy link
Contributor Author

pes10k commented Aug 19, 2020
edited
Loading

Sure, understood. I'm not following the connection to this issue though. This issue is specifically not about getting IP information from the WebRTC system (which is already controlled through a global shields setting). This is about whether you can get fingerprinting information through these methods unrelated to ip addresses.

@cjwijtmans
Copy link

Predicted your response, anyway. All i said is that currently even the wan and lan information can be used for some basic fingerprinting making VPNs useless. Are you completely ignoring device id enumaration? There is a reason webrtc is rendered useless, its a huge privacy leak. Do you even know what are you talking about? No wonder random privacy filters and fingerprinting plugins are doing a better job than brave currently.

@pes10k
Copy link
Contributor Author

pes10k commented Aug 19, 2020

These comments are not related to the issue here, so I will not respond further.

For anyone else who comes across this, device enumeration fingerprinting is being handled in #8666. WAN and LAN IP information is already handled through other shields settings. This issue is not related to either of those topics.

pes10k added a commit to brave/brave-core that referenced this issue Aug 19, 2020
@pes10k
dont change webrtc behavior based on fingerprinting settings, fixes b…
b70dd8e 
…rave/brave-browser#11310
@pes10k pes10k mentioned this issue Aug 19, 2020
Merged
32 tasks
@pes10k
Copy link
Contributor Author

pes10k commented Aug 19, 2020

For a QA plan, all thats needed is to go to https://browserleaks.com/webrtc and make sure that you see the public (not local) IP when fingerprinting = strict

@pes10k pes10k added this to the 1.14.x - Nightly milestone Aug 20, 2020
@LaurenWags
Copy link
Member

LaurenWags commented Aug 28, 2020
edited by btlechowski
Loading

Verified passed with

Brave | 1.14.67 Chromium: 85.0.4183.83 (Official Build) dev (64-bit)
-- | --
Revision | 94abc2237ae0c9a4cb5f035431c8adfb94324633-refs/branch-heads/4183@{#1658}
OS | macOS Version 10.14.6 (Build 18G3020)

Verification passed on

Brave | 1.14.69 Chromium: 85.0.4183.83 (Official Build) dev (64-bit)
-- | --
Revision | 94abc2237ae0c9a4cb5f035431c8adfb94324633-refs/branch-heads/4183@{#1658}
OS | Windows 10 OS Version 1903 (Build 18362.1016)

Verification passed on

Brave 1.14.71 Chromium: 85.0.4183.83 (Official Build) dev (64-bit)
Revision 94abc2237ae0c9a4cb5f035431c8adfb94324633-refs/branch-heads/4183@{#1658}
OS Ubuntu 18.04 LTS

@kjozwiak kjozwiak mentioned this issue Sep 15, 2020
Closed
@srirambv srirambv mentioned this issue Sep 15, 2020
Closed
5 tasks
@srirambv
Copy link
Contributor

srirambv commented Sep 16, 2020
edited
Loading

Verification passed on OnePlus 6T with Android 10 running 1.14.82 x64 RC build

Verification passed on Samsung Tab A with Android 10 running 1.14.82 x64 RC build

Verification passed on Nexus 6P Emulator with Android 7 running 1.14.82 x86 RC build

@srirambv srirambv mentioned this issue Sep 17, 2020
Closed
36 tasks
@srirambv srirambv mentioned this issue Sep 21, 2020
Closed
@srirambv srirambv mentioned this issue Jul 16, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pes10k pes10k

@pilgrim-brave pilgrim-brave

Labels
feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass - Android x86 QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Yes release-notes/include webcompat/not-shields-related Sites are breaking because of something other than Shields.
Projects
None yet
Milestone
1.14.x - Release #1
Development

Successfully merging a pull request may close this issue.

dont change webrtc behavior based on fingerprinting settings brave/brave-core
7 participants
@pes10k @cjwijtmans @srirambv @LaurenWags @btlechowski @GeetaSarvadnya @pilgrim-brave