Lemongrab @ Lemongrab @lemmy.one

Posts

18

Comments

890

Joined

2 yr. ago

Your system webview is for in app usage. You aren't browsing the web using your system webview (generally). You can't blend into a crowd if you have no anti-fingerprinting. Firefox does this through RFP by normalizing settings between users, and on mobile there is partial support for screen size normalization through letterboxing. Vanadium isn't special, it is hardened chromium with some specific patches. You cannot form a crowd without special a lot of anti-fingerprint patching. See my other comment for details.

Firefox is missing per-site process isolation. This is theoretical an attack vector in the presence of multiple other major vulnerabilities. It has never been shown to be an attack vector in real world vulnerabilities. Don't call Firefox's sandboxing crap if you don't know why people have said that.

You can't blend in with a crowd of vanadium users with the amount of data points given away by the browser. Your fingerprint will be decernable from other users. Without actual anti-fingerprinting, which theoretical can allow for a crowd only when fingerprinting of user browsers results in the same fingerprint ID, the best you can hope to do is thwart naive fingerprinting. Vanadium doesn't have any anti-fingerprint built in, so the slightest differences between user can be used to easily fingerprint. Vanadium also has no strong method of in browser content blocking (eg an adblocker like uBlock) which is required on the modern web to remove JS tracking scripts (or straight allow and deny lists for specific web contents). Adblock is cyber security: https://www.ic3.gov/Media/Y2022/PSA221221

Examples of metrics include, but are not limited to, the following: Timezone, system and browser fonts (often automatically fetched by websites as a remote font that is cached by the browser), language, screen metrics (DPI, height x width, refresh rate, pixel ratio), canvas, CSS fingerprint, useragent, browsing mode (standard/private), video autoplay policy, audio device fingerprinting, installed plugins, cookie policy, device theme, and of course IP.

As a graphene OS vanadium user, assuming that the browser stays default, you would still have screen, audio, other hardware metrics, canvas (this one is a killer), IP, user agent (differences in installed versions of plugins and vanadium itself), timezone, remote Fonts, and others. Fingerprinting is an insane science which needs actual protection against to even begin hoping to create a crowd.

See some more details below.

Info on fingerprinting (about choosing a desktop browser but still relevant info): https://www.privacyguides.org/en/desktop-browsers

Browser comparison: https://divestos.org/pages/browsers

Fingerprinting test site: https://abrahamjuliot.github.io/creepjs/

Dont use system webview as your default browser. Webview is used by apps, your browser can and should be changed if privacy is your goal. Vanadium may be hardened, but it lacks any fingerprinting protection.

Standard for this old meme text format.

Vanadium doesn't have good/any fingerprinting protection. Cromite or Mull would be better, Tor would be best.

Lol

And then agree with whatever you said, even if it was wrong.

QEMU is so good though

Each are data points that together contribute to your total fingerprint. TZP tells you a lot of these data points, and fails ones that dont match Firefox Resistant Fingerprint masked data. Creepjs does much of the same but without gearing towards Firefox.

Generally fingerprintable things include:

Do not track signal.
Private browsing mode.
Timezone.
Useragent.
Canvas noise.
Installed fonts.
Font sizes.
Browser built-in plugins.
Some extensions.
WebRTC.
Theme.
Cookies.
IP address.
Local IPs (website can execute an ip scan and fingerprint).
Window viewport size.
Full screen mode viewport sizing.
Page/font color settings.
Operating System (impossible to mask because of differences in rendering on platforms).
Browser App name & icon. System TTS synthesis engine.
DOM modification fingerprinting (like that used by many extensions). Mouse speed.
Keyboard behavior.
Stylometric fingerprinting.
And many more.

For Firefox based browsers: https://arkenfox.github.io/TZP/tzp.html

For all browsers (more generalist): https://abrahamjuliot.github.io/creepjs/

No, I was just adding some stuff and was too lazy to edit my comment

To the bone!

If you ain't Rock and Stone, you ain't coming home!

alcoholic noises

Oh, it was so much fucking fun. More fun than it looks, which is saying something. Not to make you more jealous lol

Does it allow for a screenshare feature like what you describe with guiscrcpy?

Actually he is a grand wizard ...

$10/month, right? Not terrible but expensive nonetheless

But it directly says to disable enhanced tracking protection. Weird fuck up.

LLMs have shown time and time again that simple crafted attacks can unmask the training data verbatim.

I hope it isn't just a fine. A fine is just the cost of doing business. We can't let them get away with using capital to do crimes.

The EU is not a hero. It does better than the bare minimum and look great when compared to the US and other fascist countries. The EU keep talking about banning encrypted messaging and installing backdoors into encryption. They also aren't uniform in their application of privacy laws. Not that US companied aren't terrible (they are) but so are all companies. When money is the goal, all that results is the insatiable hunger to leech every possible source of capital and destroy our inalienable rights to reach their impossible goals.