Fingerprint.com Resistance #397

Open
FabioWidmer opened this issue Feb 5, 2025 · 6 comments

@FabioWidmer

Until a few days ago Mullvad Browser was one of the only desktop browsers that out of the box was able to receive new fingerprints when visiting fingerprint.com (a service used to track people across websites) and deleting browser data in between. Unfortunately, now the service is again able to identify users across multiple installations of Mullvad Browser on the same device. Tor is still able to get unique fingerprints at every restart. I think it would be important that Mullvad Browser is able to protect users against such services as it reduces privacy drastically.

@Thorin-Oakenpants

What makes you think receiving new fingerprints each visit means you are protected? What makes you think getting the same fingerprint means you aren't? Unless you know what they are measuring and how they are measuring then you're making huge assumptions. It's also important to know why - because a lot of FP data is only there to help correlate, not to define.

@FabioWidmer
Author

If all users or at least a big amount of users would get the same fingerprint, receiving the same ID would be considered as being protected. The website fingerprint.com shows you how many visits you had and from where. It shows that not all Mullvad Browser users are getting the same ID and just a different IP isn't enough for getting another ID. When I get the same fingerprint across different installations and normal/private windows just because I'm using the same device I regard that as being a problem. There is nothing you can do to get a new ID on your device which means different websites can track you and connect for example all your requests to your name just because you logged in on one website. On their website they make statements about how accurate they are. How they are doing it is just partly visible as they have a free version which is available here. As Tor is the browser with the highest protection I checked what happens there and every change of identity gives you a new ID which means they are changing certain browser data which is not the case with Mullvad Browser.

@Thorin-Oakenpants

Thorin-Oakenpants commented Feb 5, 2025

> If all users or at least a big amount of users would get the same fingerprint, receiving the same ID would be considered as being protected

Getting a unique ID each time can also be considered protection - i.e. you're not stable enough to link traffic

> On their website they make statements about how accurate they are.

FPJS is commercial, they are up-selling themselves. First they use state and IP tracking which is not pure fingerprinting, but it is fair game. And IP is totally part of a fingerprint. But you know this because we sanitize on close (no state) and I assume you're changing your IP address.

It is not hard to get 95% of (worldwide) users with a unique ID - if you do nothing you are unique and all really doesn't take much - most users do nothing. To get some more, say to 99% isn't hard either.

> As Tor is the browser with the highest protection I checked what happens there and every change of identity gives you a new ID which means they are changing certain browser data which is not the case with Mullvad Browser

Tor Browser is not changing any browser data with new identity - it is only changing your IP address - it doesn't even sanitize any state data - you need to close the browser session for that.

> which is not the case with Mullvad Browser

MB doesn't have a new identity - if you mean changing your IP address, then again, that has nothing to do with sanitizing any state data. You need to close the browser for that.

^ edit - and FPJS is using state tracking to supplement their demo (AFAIK, haven't checked in a wee while)

@Thorin-Oakenpants

> There is nothing you can do to get a new ID on your device which means different websites can track you

But having a stable fingerprint can also mean you are protected

tl;dr: stop making assumptions and try to understand what is collected and how, and is the test flawed (some are on various test sites) - some sites always report unique because they don't detect randomized canvas, some sites may report not unique (because they detect canvas is randomized and cater for that by recording the canvas hash as "random" or whatever). So who is right - are you unique or not unique? And this isn't even mentioning that the sites in question have tainted, wildly skewed data sets.

once again - test sites and commercial salesmen cannot be trusted
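The difference between a test site that hashes a randomized canvas as-is and one that records it as "random", shown as an added example that is not part of the original thread. The visitor profile, the per-readout noise model and the double-read detection are simplifying assumptions, and all data is constructed.

```javascript
// Added illustration; every value here is constructed, not a real measurement.
// FNV-1a stands in for whatever hash a test site uses to derive a visitor ID.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (const ch of s) h = Math.imul(h ^ ch.charCodeAt(0), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Deterministic stand-in for canvas noise so the example is reproducible.
let noiseCounter = 0;

// One simulated visit: stable attributes plus two readouts of the same drawing.
// Assumption: a randomizing browser adds fresh noise per readout, so they differ.
function visit(profile, randomizesCanvas) {
  const read = () => (randomizesCanvas ? "noise-" + ++noiseCounter : profile.gpu);
  return { lang: profile.lang, size: profile.size, canvas: [read(), read()] };
}

// Naive test site: hashes the first canvas readout as if it were stable.
const naiveId = (v) => fnv1a([v.lang, v.size, v.canvas[0]].join("|"));

// Randomization-aware site: if the readouts disagree, store the literal "random".
function awareId(v) {
  const canvas = v.canvas[0] === v.canvas[1] ? v.canvas[0] : "random";
  return fnv1a([v.lang, v.size, canvas].join("|"));
}

// Number of distinct IDs a site hands out across a list of visits.
const distinctIds = (visits, idFn) => new Set(visits.map(idFn)).size;

function compareSites() {
  noiseCounter = 0;
  const profile = { lang: "en-US", size: "1400x900", gpu: "gpu-A" };
  // The same browser configuration visiting five times with state cleared.
  const randomized = Array.from({ length: 5 }, () => visit(profile, true));
  const plain = Array.from({ length: 5 }, () => visit(profile, false));
  return {
    naiveRandomized: distinctIds(randomized, naiveId), // "unique" every visit
    awareRandomized: distinctIds(randomized, awareId), // one shared bucket
    naivePlain: distinctIds(plain, naiveId),
    awarePlain: distinctIds(plain, awareId),
  };
}

console.log(compareSites());
```

The same five visits yield five IDs on the naive site and one on the aware site, so neither verdict says anything about protection without knowing how the site measures.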

@FabioWidmer
Author

> Getting a unique ID each time can also be considered protection - i.e you're not stable enough to link traffic

I agree - that's what I'm saying from the start. It should be unique every time or stable across all or at least a big number of users.

> Tor Browser is not changing any browser data with new identity - it is only changing your IP address - it doesn't even sanitize any state data - you need to close the browser session for that.

When using the "New Identity" button in Tor you will get a new circuit and it deletes your state (https://support.torproject.org/glossary/new-identity/). When it works in Tor it should probably work in Mullvad Browser as well.

@Thorin-Oakenpants

Thorin-Oakenpants commented Feb 5, 2025

> It should be unique every time or stable across all or at least a big number of users

Which one then? See, you don't know. The test is meaningless unless you know what and how shit is measured - capisce? And it's a very small data set - maybe no-one with Tor Browser exactly like yours (language, inner window size, platform architecture .. etc .. ) has visited, or maybe you luck out and someone did - the point is you don't know. TB users are not all alike, there are literally 1000s of different fingerprints

> When using the "New Identity" button in Tor

Well, f**k ... I was explicitly told by a TB dev a couple of years ago that it didn't - I just tested - must have changed - my bad. MB does the same (except the new IP part)

correction: mis-remembered, the TB dev and I were talking about new circuit
