Librem 5 - Browser/App Fingerprinting


#1

Hey team. I’m not as technical as some of you. But my understanding is that many “apps” on the Librem 5 will actually not be native apps at all. Rather they will just be buttons that link to an HTML site. So for example the “facebook app” might just be a link to the Facebook website, and hopefully it will remember my username and password, and hopefully it will be completely separated from other similar HTML based “apps/links” (so they can’t share cookies etc).

But my question is this - what about browser fingerprinting??

If I have a link/app to facebook and a different link/app to twitter, will both those sites see exactly the same browser fingerprint? And then what if I visit a site using my actual browser, will that be the same fingerprint again? If they see the same fingerprint, this is a threat to my privacy even if the two sites can’t share cookies!

Browser fingerprinting is one privacy threat that I never have figured out how to avoid short of the tor browser, so I’m really excited to hear what people have to say about this.

I would never sign into facebook on my current phone and I especially would never put a native facebook app on any phone, but if the Librem 5 has put appropriate protections in place I might finally be able to see facebook on my phone, right?


#2

Android has actually a number of ‘isolated’ webbrowsers for facebooking. Eg. https://github.com/tobykurien/WebApps/blob/HEAD/README.md

(I don’t use it).
Accessing Facebook from the same browser and regular websites will probably always be prone to browser fingerprinting attacks. Using a different ‘profile’ could help but will still expose the same browser characteristics, e.g. language, screen resolution, accept headers and other things…


#3

Dancing with the devil. Wanting all the “good”, avoiding the bad.

Logging in, presenting them your name plus public IP in a convenient package.
Why would they need cookies or fingerprinting if you tell them directly who you are and what your current IP is?

Tor or VPN could help a bit if used carefully but it seems a bit futile. I’d rather block all Facebook and advertising domains than trying to outsmart them and never be sure how successful I am.


#4

Not only the browser, but YOU.

Much the same way they can fingerprint you by the way you move your mouse, your typing habits, and how you swerve your cursor to click on something. They can track you down simply by the way you swipe your finger. What browser you use is only another factor.

Snidely Whiplash says: “Nyah, ah aahhh.”


#5

Firefox has a “resist fingerprinting” option. It remains to be seen whether that or similar will be available.

As others have said, fingerprinting is used for anonymous web sites, sites that you use without explicitly identifying yourself.

If you are interested in browser fingerprinting you can get tested here: https://panopticlick.eff.org/ (assuming that you trust the EFF).

It looks to me though that if you have already enabled “resist fingerprinting” then in some aspects that confuses the above test and gives you more information bits than is strictly correct.


#6

Caliga, this misses the point.

I am going to identify myself on some websites. For example when I sign into facebook or when I do online shopping with my own credit card. Of course, these are cases where I am INTENTIONALLY revealing my identity. But the point is this: if those websites record my fingerprint, and then I use the same fingerprint for other browsing, my identity could potentially be UNINTENTIONALLY revealed.


#7

Basically freddy’s concern is about whether the “web apps” share the browsing sessions/cookies/etc as the other web apps as well as the Epiphany/Gnome Browser, if I understand it correctly.

I have a vague recollection of someone in this forum saying that the Epiphany web apps have a distinct and separate storage for this kind of data, either per app or at the very least separate from the main browser session.

So this should alleviate this concern.

One source:


(see comment: https://fedoramagazine.org/standalone-web-applications-gnome-web/#comment-481690 )


#8

I think this is correct. I tried “Web” on PC and logged in to twitter in the browser. Then when I made an “app” out of it and started said app, I had to log in again.
Meaning, each “installed” webapp has its own storage for cookies/localstorage++, separated from the browser.

Fingerprinting can happen though, it will still send the same capabilities and user-agent.
This bothers me with Purebrowser, there aren’t that many of us using it, and at the end of the user agent it proudly says “Purebrowser”. Not so anonymous then…


#9

That can be fixed though. Any browser worth its salt allows you to change the user-agent.

If you are going to run a dedicated environment for a given web site, you can even tune the fingerprint to what is relevant e.g. if web site doesn’t care about list of installed fonts then don’t allow that list to be available (so you would start with the most vanilla environment and add only what is needed to make the web site work - if someone else can’t already tell you what is needed and what is not needed).
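
Added example, not part of any post in this thread: a sketch of why separate cookie storage per web app does not stop linking when every context sends the same attributes, and how many bits a rare user-agent contributes. The attribute set, the user-agent strings, the visitor population and the FNV-1a hash are all constructed for illustration.

```javascript
// Attributes the thread lists as sent to every site, whatever the cookie storage.
const FIELDS = ['userAgent', 'language', 'screen', 'accept'];

// Fingerprint: FNV-1a (32-bit, non-cryptographic) over the values in fixed order.
function fingerprint(attrs) {
  const canonical = FIELDS.map((f) => `${f}=${attrs[f] ?? ''}`).join('\n');
  let h = 0x811c9dc5;
  for (const ch of canonical) {
    h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Bits of identifying information in one value: -log2(share of visitors sending it).
function surprisalBits(population, field, value) {
  const same = population.filter((v) => v[field] === value).length;
  return same === 0 ? Infinity : -Math.log2(same / population.length);
}

// Group contexts by fingerprint; a group of two or more is linkable without cookies.
function linkableGroups(contexts) {
  const groups = new Map();
  for (const c of contexts) {
    const id = fingerprint(c.attrs);
    groups.set(id, [...(groups.get(id) ?? []), c.name]);
  }
  return [...groups.values()].filter((names) => names.length > 1);
}

// Constructed sample data (not real user-agent strings).
const COMMON = { userAgent: 'Mozilla/5.0 (constructed) CommonBrowser/1.0',
  language: 'en-US', screen: '1920x1080', accept: 'text/html,*/*;q=0.8' };
const RARE = { ...COMMON, userAgent: 'Mozilla/5.0 (constructed) Purebrowser' };

// Two web apps and the main browser: separate cookie jars, same engine and device.
const contexts = ['facebook-app', 'twitter-app', 'main-browser'].map((name) => ({
  name, cookies: new Map(), attrs: { ...RARE } }));

// Constructed population: seven visitors with the common profile, one with the rare one.
const population = [...Array(7).fill(COMMON), RARE];

// One context reports the common user-agent instead (the change post #9 suggests).
const tuned = contexts.map((c, i) => (i === 0
  ? { ...c, attrs: { ...c.attrs, userAgent: COMMON.userAgent } } : c));

console.log(linkableGroups(contexts));
console.log(surprisalBits(population, 'userAgent', RARE.userAgent));
console.log(linkableGroups(tuned));
```

With the tuned context, the first web app no longer groups with the other two, but it now shares a fingerprint with every visitor sending the common profile.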