panopticlick reports unique-ish fingerprint for brave even with FP turned on #2469

Closed
diracdeltas opened this issue Dec 11, 2018 · 7 comments
Labels
closed/invalid needs-investigation A bug not 100% confirmed/fixed priority/P2 A bad problem. We might uplift this to the next planned release. privacy/tracking Preventing sites from tracking users across the web privacy

Comments

@diracdeltas
Member

diracdeltas commented Dec 11, 2018

in browser-laptop, panopticlick used to always report the same value for canvas fingerprint across all instances of Brave.

in brave-core, it appears to be showing unique-ish values depending on the computer that is being used for testing.

either panopticlick/fingerprint2.js has improved or we have regressed

STR:

  1. go to https://panopticlick.eff.org/ with fingerprinting protection set to block all
  2. test your browser
  3. note the canvas fingerprinting result
  4. repeat 1-3 on a different computer
  5. it should have the same result
@diracdeltas diracdeltas added priority/P2 A bad problem. We might uplift this to the next planned release. privacy/tracking Preventing sites from tracking users across the web labels Dec 11, 2018
@diracdeltas
Member Author

needs investigation. seems that internally most (but not all?) of us get cf04c1dcb26ef79705764e5c22d0e711 as the canvas hash value

@diracdeltas diracdeltas added the needs-investigation A bug not 100% confirmed/fixed label Dec 11, 2018
@ghost

ghost commented Dec 11, 2018

Panopticlick uses https://valve.github.io/fingerprintjs2/ for JS fingerprinting. That page (consistently) shows 2fc01ae532f967b3bda3b42520cfb824 as my FP, with FP protection set to block all. Note that you might need to disable ad & tracker blocking for the JS file to load (due to its name).

(I use version 0.56.15)

@pes10k
Contributor

pes10k commented Dec 11, 2018

@Shifterovich what value do you get for https://panopticlick.eff.org/ with FP protection on?

@ghost

ghost commented Dec 11, 2018

Canvas FP? cf04c1dcb26ef79705764e5c22d0e711.

Is the idea that FP protection should only make sure the canvas FP is the same, or should the FP calculated like this https://valve.github.io/fingerprintjs2/ also be the same?

@pes10k
Contributor

pes10k commented Dec 11, 2018

For this issue / at the moment, just trying to make sure EFF reports the same value. FP2 considers a wider range of values. Once we're sure everyone looks the same on Panopticlick, will tackle FP2.js, as reported by https://valve.github.io/fingerprintjs2/

@ghost

ghost commented Dec 11, 2018

BTW is that FP Brave-specific or is it more generic? Identifying the browser as Brave using that FP is not wanted.

> Once we're sure everyone looks the same on Panopticlick, will tackle FP2.js

Again, note that Panopticlick uses FP2.js. Almost ideal case scenario is that the combination of all those values is consistent on all Brave instances. Ideal case scenario is that the combination wouldn't be Brave-specific to not allow identifying the browser as Brave.

Identifying the browser as Brave is not an issue when a large enough userbase is reached, like Tor has.

@pes10k
Contributor

pes10k commented Dec 11, 2018

@Shifterovich the diff is that the FP reported by EFF is just the Canvas FP, which is just one input to the browser fingerprint generated by FP2.js. Having identical FP2.js browser fingerprints is the ideal, but difficult (maybe impossible) because of hard-to-fake attributes (view port dimensions, color depth, etc). But, working to get as close as possible.

Closing this issue since EFF is reporting identical canvas FPs. Will open another issue trying to nail down FP2.js differences.

@pes10k pes10k closed this as completed Dec 11, 2018
@bbondy bbondy added this to the Dupe / Invalid / Not actionable milestone Dec 18, 2018
@bbondy bbondy removed this from the Dupe / Invalid / Not actionable milestone May 30, 2020