SoylentNews is people

posted by janrinok on Friday June 17, @12:22PM
from the be-brave-and-strong dept.

Protecting Against Browser-Language Fingerprinting:

Brave has further strengthened its fingerprinting protections by preventing users from being identified based on preferred browser language. Starting with version 1.39, Brave randomizes how your browser informs sites of what language(s) you've set as default, and what fonts you have installed on your system. This expands Brave's existing fingerprinting protections, already the strongest of any popular browser.

When you visit a website, your browser needs to tell that site your default language(s). This helps the site present content in a language you can understand. Browsers do this both explicitly (for example, with the Accept-Language header, and the navigator.language and navigator.languages Web APIs) and implicitly (for example with the fonts you have installed on your system).

However, as with so much online, features meant to improve your experience often just expose you to more risk. In this case, trackers can use your language preferences (both implicit and explicit) to fingerprint you, identifying you across sites and browsing sessions.

Brave's unique "farbling" features already provide the best fingerprinting protections of any popular browser. These add small amounts of randomization into identifying browser features—enough to confuse and defeat trackers, but not so much that they break sites. With this latest release, Brave has expanded "farbling" protections to language preferences, too.

[...] With these new protections against browser-language fingerprinting, Brave now reduces and randomizes the information available in these APIs. And we've incorporated these as default protections, via Brave Shields.

By default, Brave will only report your most preferred language. So, if your language preferences are "English (United States)" first, and Korean second, the browser will only report "en-US,en." Brave will also randomize the reported weight (i.e., "q") within a certain range.

Currently Brave applies font fingerprinting protections on Android, macOS, and Windows versions. Brave does not apply these protections to iOS versions for two reasons: platform restrictions prevent us from doing so; and WKWebView already includes similar, although not quite as strong, protections. Brave does not apply these protections on Linux because of difficulties in determining which fonts are "OS fonts" for each distro.

Total Cookie Protection

Firefox rolls out Total Cookie Protection

Starting today, Firefox is rolling out Total Cookie Protection by default to all Firefox users worldwide [...]. Total Cookie Protection is Firefox's strongest privacy protection to date, confining cookies to the site where they were created, thus preventing tracking companies from using these cookies to track your browsing from site to site.

[...] Total Cookie Protection works by creating a separate "cookie jar" for each website you visit. Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites. Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to only that website. No other websites can reach into the cookie jars that don't belong to them and find out what the other websites' cookies know about you [...].

I wonder if "farbling" and "Total Cookie Protection" will also become identifying features...?


Original Submission
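
The Accept-Language reduction quoted from Brave above, sketched as an added example (not Brave's code and not part of the original story). The q range of 0.5 to 0.9 and the names `reduceLanguages`, `farbledAcceptLanguage` and `distinctLists` are assumptions made for illustration; the story only says the weight is randomized "within a certain range".

```javascript
// Added illustration, not Brave's code.
// Assumption: q is drawn from 0.5..0.9 in steps of 0.1; the story only says "a certain range".
const Q_MIN_TENTHS = 5;
const Q_MAX_TENTHS = 9;
// Reject anything that is not a plain language tag, so bad input never reaches the header.
const LANG_TAG = /^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*$/;

// Keep only the most preferred language tag, plus its base language ("en-US" -> "en").
function reduceLanguages(preferred) {
  const top = (preferred || [])
    .map((t) => String(t).trim())
    .find((t) => LANG_TAG.test(t));
  if (!top) return [];
  const base = top.split("-")[0];
  return base === top ? [top] : [top, base];
}

// Build the header value. `rand` returns a float in [0, 1) and is injectable for testing.
function farbledAcceptLanguage(preferred, rand = Math.random) {
  const langs = reduceLanguages(preferred);
  if (langs.length < 2) return langs.join("");
  const span = Q_MAX_TENTHS - Q_MIN_TENTHS + 1;
  const tenths = Q_MIN_TENTHS + Math.floor(rand() * span);
  return `${langs[0]},${langs[1]};q=0.${tenths}`;
}

// Constructed profiles: they differ only in their second and later choices.
const profiles = [["en-US", "ko"], ["en-US", "de", "fr"], ["en-US"]];

// Number of distinct language lists a site can observe, before or after a transform.
function distinctLists(lists, transform = (l) => l) {
  return new Set(lists.map((l) => transform(l).join(","))).size;
}

console.log(distinctLists(profiles), "->", distinctLists(profiles, reduceLanguages));
console.log(farbledAcceptLanguage(profiles[0]));
```

The three constructed profiles are distinguishable by their full lists but collapse to one value after reduction, and the weight on the base language varies between calls.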
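
The "cookie jar per website" behaviour quoted from Mozilla above, as an added toy model (not Firefox's code and not part of the original story). The hostnames, the `uid` cookie and the names `CookieStore`, `embeddedThirdParty` and `browse` are constructed for illustration, and sites are keyed by plain hostname strings for simplicity.

```javascript
// Added illustration: a toy cookie store, not Firefox's implementation.
// Assumption: a "site" is a plain hostname string.
class CookieStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.jars = new Map(); // jar key -> Map(cookie host -> Map(name -> value))
  }

  // With partitioning on, the jar is selected by the top-level site being visited;
  // with it off, every site shares one jar.
  jarFor(topLevelSite) {
    const key = this.partitioned ? topLevelSite : "*";
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }

  get(topLevelSite, cookieHost, name) {
    const cookies = this.jarFor(topLevelSite).get(cookieHost);
    return cookies ? cookies.get(name) : undefined;
  }

  set(topLevelSite, cookieHost, name, value) {
    const jar = this.jarFor(topLevelSite);
    if (!jar.has(cookieHost)) jar.set(cookieHost, new Map());
    jar.get(cookieHost).set(name, value);
  }
}

// Constructed third-party embed: reuses its ID cookie if present, otherwise mints one.
function embeddedThirdParty(store, topLevelSite, nextId) {
  const host = "tracker.example";
  let id = store.get(topLevelSite, host, "uid");
  if (id === undefined) {
    id = nextId();
    store.set(topLevelSite, host, "uid", id);
  }
  return id; // the identifier the third party sees on this page load
}

// Visit the given sites in order and return the ID the third party saw on each.
function browse(partitioned, sites) {
  const store = new CookieStore(partitioned);
  let counter = 0;
  const nextId = () => `id-${++counter}`;
  return sites.map((site) => embeddedThirdParty(store, site, nextId));
}

const visits = ["news.example", "shop.example", "news.example"];
console.log("shared jar:     ", browse(false, visits).join(" "));
console.log("partitioned jar:", browse(true, visits).join(" "));
```

With the shared jar the embed sees the same identifier on every site; with per-site jars it sees a different one on each site, while a return visit to the same site still finds its cookie.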

  • (Score: 1, Insightful) by Anonymous Coward on Friday June 17, @12:28PM

    by Anonymous Coward on Friday June 17, @12:28PM (#1253983)

    Cause just around the corner is Google's fix for all of us.
    One ring to bind em' eh?

  • (Score: 0) by Anonymous Coward on Friday June 17, @01:07PM (4 children)

    by Anonymous Coward on Friday June 17, @01:07PM (#1253991)

    How do we know that Brave, Vivaldi, Opera, etc... aren't collecting and selling our data instead of Google? Admittedly there's still a tiny bit of value selling your soul through a small time data broker instead of the most evil privacy invader in the US tech industry. But no thanks, Brave.

    • (Score: 1, Touché) by Anonymous Coward on Friday June 17, @03:34PM (2 children)

      by Anonymous Coward on Friday June 17, @03:34PM (#1254014)

      >Poo-pooes closed source web browser
      >Runs systemd on his Linux/Binary-blob kernel

      • (Score: 2) by maxwell demon on Friday June 17, @06:29PM (1 child)

        by maxwell demon (1608) on Friday June 17, @06:29PM (#1254051) Journal

        Do you have a crystal ball to see what this specific AC poster uses as Linux init system, and whether the corresponding kernel is self-compiled?

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: -1, Troll) by Anonymous Coward on Friday June 17, @10:47PM

          by Anonymous Coward on Friday June 17, @10:47PM (#1254094)

          Do you have a crystal ball to see what this specific AC poster uses as Linux init system

          Don't need a crystal ball, when you got an editor with crystal balls! I just use janrinok for all my AC identification needs.

          For example, this AC post is made by me, and I don't run systemd. See? Infallible!

    • (Score: 0) by Anonymous Coward on Saturday June 18, @06:08PM

      by Anonymous Coward on Saturday June 18, @06:08PM (#1254244)

      what are you talking about?

        "Brave is a free and open-source web browser developed by Brave Software, Inc. based on the Chromium web browser. " wikipedia

  • (Score: 1, Insightful) by Anonymous Coward on Friday June 17, @02:25PM (4 children)

    by Anonymous Coward on Friday June 17, @02:25PM (#1254000)

    When you visit a website, your browser needs to tell that site your default language(s). This helps the site present content in a language you can understand.

    How about no? What happened to showing a default language and in a corner of the page showing a flag, and if you click on it, then you may select a different language?
    Who thought the best idea would be to open Pandora’s privacy-raping box by defining browser headers for everything and their grandmother’s dirty secrets?
    By the way, almighty Google does not seem to rely on "English by default" headers in my single-use browser profiles spawned in one click, but on my (VPN's) IP address geolocation. So again, why the header?

    • (Score: 3, Insightful) by Anonymous Coward on Friday June 17, @09:46PM (3 children)

      by Anonymous Coward on Friday June 17, @09:46PM (#1254081)

      I share your rage at the industry for finding every trick they can to invade privacy. But if you live in Germany, France, Denmark, India, China, or any other place with a large mix of languages you don't want to click "set my preferred language to German/Dutch/Swahili/Tamil/Finnish/Cantonese" on each of fifty different websites. You want to have it set once in your browser and be done.

      • (Score: 2, Informative) by Anonymous Coward on Saturday June 18, @12:16AM

        by Anonymous Coward on Saturday June 18, @12:16AM (#1254108)

        So many websites already register a ccTLD for every language they support, the header is often useless. And for those that only want one TLD, a simple /fr or whatever my language code is does the trick quite easily.

        And I just did the test. If I go to Google.fr (something that everybody interested in the French version will do), it won't show me their French language version, or my browser header's version, but again my IP-geolocated version.
        If I go to digikey.fr, they do show me the French version. If I go to digikey.com, I get a one click pop-up to select between my geolocation and English.

        So again, I wonder who uses the language header for actual language selection rather than spying.

      • (Score: 2) by canopic jug on Saturday June 18, @09:22AM (1 child)

        by canopic jug (3949) Subscriber Badge on Saturday June 18, @09:22AM (#1254194) Journal

        But if you live in Germany, France, Denmark, India, China, or any other place with a large mix of languages you don't want to click "set my preferred language to German/Dutch/Swahili/Tamil/Finnish/Cantonese" on each of fifty different websites. You want to have it set once in your browser and be done.

        Except that's not how it actually works any more, at least with Google properties. Back when there were still people to contact there, I convinced them to restore that behavior to their services. However, a few weeks later the language capacity broke again and from that time on, it has stayed that way. It does not matter which official or unofficial language I put in the browser, Google's properties keep serving the only one I did not choose. It sure looks like they have decided based on national borders to override language preferences.

        On other sites in other countries, when multiple language editions exist, those too ignore the browser's language settings and one must click on some asinine icon, usually a hostile flag, to change the language settings for that one session.

        So the point of this rant is that the browser's language settings seem to now be ignored for the most part, unless they are quietly used for fingerprinting and tracking.

        --
        Money is not free speech. Elections should not be auctions.
        • (Score: 0) by Anonymous Coward on Saturday June 18, @02:32PM

          by Anonymous Coward on Saturday June 18, @02:32PM (#1254223)

          I stand corrected (no sarcasm). Thank you.

  • (Score: 1, Interesting) by Anonymous Coward on Friday June 17, @02:59PM (4 children)

    by Anonymous Coward on Friday June 17, @02:59PM (#1254005)

    After a separate cookie jar, to get rid of fingerprinting, how about:

    Publish a few standard sets of features that are implementable on a variety of platforms.

    A user can choose a specific set to tell the web page he has.

    Then everybody's fingerprint is one of the few standard sets.

    Perhaps that means the browser can't use every last feature available at the user's computer, but good enough beats what we have now.

    • (Score: 4, Interesting) by Anonymous Coward on Friday June 17, @05:12PM (3 children)

      by Anonymous Coward on Friday June 17, @05:12PM (#1254028)

      You forget one thing: the people that are gatekeepers on these browsers are the same people who want to be able to fingerprint you.

      And be careful about unintended consequences as well; I'll refer to the GDPR Cookie Consent banner. People are lazy and will click the "make this question go away, which button does that in the quickest way possible" in nanoseconds.
      For those who do take the time to click the wise button instead of the lazy button, there will be messages of "this website doesn't work if you don't let us rape you" which will carve off another 75% of people who will now just click the "OK, fine, even though you're not lubed up" button.

      My prediction is that you'll end up with something that's _not_ good enough and probably worse than what we have right now.

      The solution is to outlaw targeted advertising and impose actual hurting(*) fines on violators-of-the-spirit thereof. _That_ is the real solution!

      (*): Forfeiting of any and all direct and indirect revenue generated via the outlawed behavior plus a fine of XX% of revenue of the company. Toss in personal liability for those who signed off on the practice for good measure. I don't care that this might kill a company, companies do not have a presumed right to existence, nor to their business model. Maybe a couple of examples would be a good thing.

      • (Score: 1, Interesting) by Anonymous Coward on Saturday June 18, @12:18AM (2 children)

        by Anonymous Coward on Saturday June 18, @12:18AM (#1254112)

        GDPR implementation has been clarified recently. Now it's correctly implemented almost everywhere with the same number of clicks (often one) to accept all or reject all.

        • (Score: 0) by Anonymous Coward on Saturday June 18, @12:05PM (1 child)

          by Anonymous Coward on Saturday June 18, @12:05PM (#1254208)

          And how many years did that take?

          • (Score: 2) by janrinok on Sunday June 19, @07:33AM

            by janrinok (52) Subscriber Badge on Sunday June 19, @07:33AM (#1254356) Journal

            True, it would have been nice to have this years ago - but the point is that we DO now have it. Progress might be slow, but this story and the one here about net neutrality in Europe [soylentnews.org] show that change is taking place to protect internet users rather than the businesses that wish to control it.

            --
            We are always looking for new staff in different areas - please volunteer if you have some spare time and wish to help