Brave Browser gets language and font fingerprinting privacy protections
The team behind the Brave web browser has added two more fingerprinting protections to the browser to improve user privacy on the Internet. The first protects against fingerprinting based on the preferred languages feature, the second against fingerprinting based on the available fonts.
Brave includes an array of fingerprinting defenses that are expanded regularly. Fingerprinting refers to a tracking technique that identifies and tracks users across the Internet based on certain characteristics of their applications and systems. Browsers do reveal certain information to sites automatically, and scripts may pull even more information that sites may then use to fingerprint users. The uniqueness of the data set determines the tracking success.
Brave plans to launch the anti-fingerprinting techniques in Brave 1.39. The current stable version of Brave is 1.37 at the time of writing.
Language-based fingerprinting protection
The latest iteration of Brave's fingerprinting protections protects users against language-based fingerprinting techniques. Browsers reveal preferred languages to sites so that sites may serve content in the preferred language, if available. Scripts may also pull the information from the browser. The downside of the feature, which is designed to improve the accessibility of sites, is that it may be used in fingerprinting attacks.
The browser reveals all languages and their weight to sites automatically. While most browsers include just one language by default, most allow users to add more languages. Users who speak multiple languages, say English, French and German, may add all of these to the browser, as these may also power features such as spell checking.
Combinations that are not very popular make the user more unique as the entire pool of users with that combination is small.
Going forward, Brave reports only the most preferred language to sites. Users who have multiple languages installed will only have the preferred language reported to sites.
The strict fingerprinting setting changes the reporting to English in all cases, even if the user has set a different default language in the browser. The reported weight for the single language that Brave reveals is also randomized "within a certain range" according to Brave.
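The reduction described above can be modelled in a few lines. This is an added example, not code from Brave or from the article: it parses an Accept-Language value, keeps only the top preference (or English in strict mode) and randomizes the weight. The function names, the "en-US" tag used for English, the single "tag;q=x" output form and the 0.5 to 0.9 weight range are assumptions, since the article only says "within a certain range".

```javascript
// Added illustration of the behaviour described in the article; not Brave's code.

// Parse an Accept-Language header value into [{tag, q}], most preferred first.
function parseAcceptLanguage(header) {
  return header
    .split(',')
    .map((part, index) => {
      const [tag, ...params] = part.trim().split(';');
      let q = 1.0; // a missing q parameter means weight 1.0
      for (const p of params) {
        const m = /^\s*q\s*=\s*([01](?:\.\d{0,3})?)\s*$/.exec(p);
        if (m) q = parseFloat(m[1]);
      }
      return { tag: tag.trim(), q, index };
    })
    .filter((e) => e.tag !== '' && e.q > 0)
    // Highest weight first; ties keep the order the user configured.
    .sort((a, b) => b.q - a.q || a.index - b.index)
    .map(({ tag, q }) => ({ tag, q }));
}

// Reduce what a site gets to see.
//   mode "default": only the most preferred language is reported.
//   mode "strict":  English is reported regardless of the user's settings.
// qRange is an assumed range; rng is injectable so the result can be tested.
function reduceLanguages(header, mode, rng = Math.random, qRange = [0.5, 0.9]) {
  const prefs = parseAcceptLanguage(header);
  const top = mode === 'strict' || prefs.length === 0 ? 'en-US' : prefs[0].tag;
  const [lo, hi] = qRange;
  const q = Math.round((lo + rng() * (hi - lo)) * 10) / 10;
  return {
    acceptLanguage: `${top};q=${q.toFixed(1)}`, // value of the request header
    languages: [top],                           // what navigator.languages would list
  };
}

// Constructed sample: two users whose full language lists differ.
function demo() {
  const userA = 'en-US,en;q=0.9,fr;q=0.8,de;q=0.7';
  const userB = 'en-US,en;q=0.9';
  return {
    before: [parseAcceptLanguage(userA).length, parseAcceptLanguage(userB).length],
    after: [reduceLanguages(userA, 'default'), reduceLanguages(userB, 'default')],
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Before the reduction the two constructed users are distinguishable by the length and content of their lists; afterwards both report the same single language and differ only in the randomized weight.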
Font Fingerprinting protection
Fonts are also reported to websites and sites may use the data set for tracking purposes, especially if uncommon fonts are installed. Brave protects users of the browser on all supported systems except for iOS and Linux against fingerprinting techniques that target installed fonts.
Font fingerprinting protection is enabled in default and aggressive Shield configurations. Brave allows sites to use web fonts and all operating system fonts, and a random set of user installed fonts.
The random set is determined for each site and each session, which means that a site will have access to all listed fonts during the entire browsing session.
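A sketch of how a font set can be random yet stable for one site during one session, as described above. This is an added example, not Brave's implementation: deriving the choice from a hash of a session key, the site and the font name is an assumed technique, FNV-1a stands in for a proper keyed hash, and visibleFonts, sessionKey and keepRatio are hypothetical names.

```javascript
// Added illustration; not Brave's code.

// FNV-1a (32-bit): small non-cryptographic hash, used here only as a stand-in
// for whatever keyed function a browser would really use (assumption).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Decide which fonts a site may see.
// System fonts are always exposed; each user-installed font is exposed only
// if its hash for this (session, site) pair falls below keepRatio. The same
// inputs always give the same answer, so the set is stable for the whole
// session on that site, but differs between sites and between sessions.
function visibleFonts({ systemFonts, userFonts, sessionKey, site, keepRatio = 0.5 }) {
  const keep = (font) =>
    fnv1a(`${sessionKey}|${site}|${font.toLowerCase()}`) / 2 ** 32 < keepRatio;
  return { system: [...systemFonts], user: userFonts.filter(keep) };
}

// Constructed sample data.
const SYSTEM_FONTS = ['Arial', 'Times New Roman', 'Courier New'];
const USER_FONTS = [
  'Fira Code', 'Inter', 'Lato', 'Source Sans 3',
  'Iosevka', 'Cabin', 'Bitter', 'Karla',
];

function demo() {
  const rows = [];
  for (const sessionKey of ['constructed-session-1', 'constructed-session-2']) {
    for (const site of ['news.example', 'shop.example']) {
      const v = visibleFonts({
        systemFonts: SYSTEM_FONTS, userFonts: USER_FONTS, sessionKey, site,
      });
      rows.push(`${sessionKey} ${site}: ${v.user.join(', ') || '(none)'}`);
    }
  }
  return rows;
}
console.log(demo().join('\n'));
```

Because a site sees a different subset of user-installed fonts than other sites do, and a different one again in the next session, the list of uncommon fonts stops being a stable identifier.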
Brave notes that the protective feature may prove problematic in certain edge cases, for instance, when a particular user-installed font is required for a specific site. Brave 1.39 has a new option under brave://settings/shields that turns off the feature in the browser by toggling "Prevent sites from fingerprinting me based on my language preferences".
Brave plans to monitor the rollout of the feature to adjust it if compatibility issues are noticed on sites.
Closing Words
Brave continues to extend the privacy features of its web browser. The new preferred language and font fingerprinting protections add two more protections to the browser that make it more difficult for sites to use fingerprinting for tracking.
In Firefox they have something similar, just change the language of preference when opening the sites, it will always open in the defined language
Here is my own Brave setup for anyone interested, as of April 9th, 2022. Brave 1.37.111 (desktop version). This setup is meant to strike a good balance between privacy and usability, and tries to debloat the browser.
This is an update to my post from December 11th, 2020 ( https://www.ghacks.net/2020/11/17/brave-browser-gets-cname-based-adblocking-support/#comment-4480402 ) and reflects some changes I’ve made since then (designated with “NEW”). Brave usually does privacy improvements in the background that are already covered with the Shield settings set to “Aggressive”, so that no new configuring is required at all.
Why do I use Brave? Basically, because Brave removes unsolicited requests to Google from Chromium, the only times it contacts Google by itself is to update extensions (if you have any) or Google SafeBrowsing (unless you disable it) and Push notifications (unless you disable them), and even then the connections are proxied (anonymized towards Google). This is far superior to Chrome or vanilla Chromium. You can read about the things the Brave team removed here:
https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
It is the only Chromium-based browser with credible fingerprinting protections:
https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
It is the only Chromium-based browser that can do CNAME uncloaking (see: https://www.ghacks.net/2020/11/17/brave-browser-gets-cname-based-adblocking-support/ ). Brave’s internal adblocker will also continue to work as it does now, uninterrupted. It won’t be affected by Google’s decision to cripple adblockers with Manifest V3. Brave’s adblocker is not an extension, but rather implemented natively, and thus isn’t under extension restrictions, like e.g. uBlock Origin would be.
MY BRAVE SETTINGS:
Brave adblock lists:
– Go to brave://adblock/ (hamburger menu –> Brave adblocker) and enable the lists there, the more the merrier. I recommend the list that fits your native language and the following lists: Easylist-Cookie List – Filter Obtrusive Cookie Notices, Fanboy Annoyances List, Fanboy Social List, uBlock Annoyances List, Schacks Adblock Plus
NEW: I also recommend the following adblock lists as I find them most useful, you can add the URLs:
-> Fuck Fuckadblock (circumvents websites locking you out if you have an adblocker): https://raw.githubusercontent.com/bogachenko/fuckfuckadblock/master/fuckfuckadblock.txt
-> I don’t care about cookies (most effective list against annoying EU cookie notices): https://www.i-dont-care-about-cookies.eu/abp/
-> Frogeye’s block list of first-party trackers (against sneaky CNAME cloaking): https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt
Good resource for adblock lists, depending on your needs: https://filterlists.com/
Brave’s settings menu (hamburger menu –> Settings):
1) brave://settings/appearance
– Brave suggestions in the address bar –> Disabled
– Hide Brave Rewards Button –> Enabled
– Always show full URL –> Enabled (might help in spotting phishing attempts)
2) brave://settings/newTab (Customize menu on the New Tab Page, bottom right of the NTP)
– If you prefer, set this to show an empty page, if not:
– Sponsored Images, Brave Rewards, Binance, Crypto.com, FTX, Brave Talk –> Disabled
NEW: Brave News –> Disabled
3) brave://settings/shields
– Show number of blocked elements on Shield icon –> Enabled
– Default view –> Advanced view
– Trackers & ads blocking –> “Aggressive” (this will block 1st party ads as well as 3rd party ads, “Standard” would only block 3rd party ads – there is no reason we would want to see 1st party ads, so “Aggressive” is fine)
– Upgrade connections to HTTPS –> Enabled (equivalent of the HTTPS Everywhere extension, which is why you don’t need it in Brave)
– Block Scripts –> Disabled (blocking scripts in general breaks too many websites, if you want to do it, use an extension like uMatrix or NoScript that can provide more granular control than the Brave setting)
– Cookie blocking –> Only block cross-site cookies (blocking 1st party cookies break too many websites, we’ll take care of them later on with Cookie AutoDelete)
– Fingerprinting blocking –> Aggressive (if it breaks any website, play around with the “Standard” setting, “Aggressive” has worked for me so far)
4) brave://settings/rewards
NEW: Tips –> Disabled (no Brave Rewards buttons on Reddit, GitHub, Twitter)
5) brave://settings/socialBlocking
– Disable all the settings there, unless you have and use a Google / Facebook / Twitter / Linkedin account, in this case leave the setting that matches your account enabled
6) brave://settings/privacy
– Use prediction service to help complete searches and URLs (= URL speculative autocomplete) –> Disabled
– WebRTC IP handling policy –> Disabled Non-Proxied UDP (will prevent WebRTC IP address leak)
– Use Google services for Push notifications –> Disabled (unless you want notifications from the browser, e.g. for chats, in this case leave it at “Enabled”)
– Allow privacy-preserving product analytics (P3A) = telemetry crap –> Disabled
NEW: Automatically send daily usage ping to Brave = counting installations –> Disabled
– Help improve Brave’s features and performance = crash reporter –> Disabled
7) brave://settings/clearBrowserData
– Set it to delete cookies and cache upon closing the browser
8) brave://settings/cookies
– Block 3rd party cookies, set to delete cookies upon closing the browser
– “Do not track” –> Disabled (only raises entropy, ironically making you more easy to track, and this setting is not respected by most websites anyway)
9) brave://settings/security
– Google SafeBrowsing –> No protection = Disabled (double-edged sword somewhat, Google SafeBrowsing improves security while lowering privacy – but usually your operating system does defend against known malware as well – choose at your own discretion)
NEW: Always use secure connections –> Enabled (forces HTTPS where possible, you may set exceptions for HTTP websites at your own discretion)
NEW: Use secure DNS –> Disabled (DNS over HTTPS / DoH, I don’t want my DNS data leaked to providers I don’t trust – however, you may also choose a DNS provider you trust at your own discretion via the “Custom” setting, I have heard good things about Quad9 for example, more info here: https://www.privacyguides.org/dns/ )
10) brave://settings/content
NEW: Leave as is, you are being asked for your permission when websites want to access your camera, microphone, location etc. I see no reason to generally deny this as the browser asks before permission is granted anyway.
11) brave://settings/search
NEW: Brave now uses Brave Search as default, this is a privacy-friendly search engine already, the following are also privacy-friendly:
– DuckDuckGo, StartPage, Qwant are privacy-respecting, however, I know that Google tends to have better results. Use whatever works for you. I myself tend to prefer StartPage since it anonymously fetches its results from Google
NEW: Web Discovery Project –> Disabled (already set to “Disabled” by default, no need to change, here we get rid of unnecessary search telemetry)
NEW: Index other search engines –> Enabled (you can leave this at “Disabled” if you are satisfied with the included search engines, I let Brave pick up other search engines because I am using Searx instances that are not included by default, I believe those to be the most private search engines)
12) brave://settings/extensions
– Allow Google login for extensions –> Disabled
– Hangouts –> Disabled
– Media Router –> Disabled (unless you want to use Chromecast, in which case one should leave it at “Enabled”)
NEW: Method to resolve Unstoppable Domains –> None
NEW: Method to resolve Ethereum Name Service –> None
– Private Window with Tor –> Enabled (handy if you want to hide your IP address, do not consider it a real Tor Browser replacement though, as Brave doesn’t have Tor’s common fingerprint)
– Automatically redirect to .onion websites –> Disabled (you can still do it if necessary, Brave will offer the option to you, though I really recommend the Tor Browser Bundle for any such action)
– WebTorrent –> Disabled
– Widevine –> Disabled (unless you use any commercial streaming service like Amazon Prime / Netflix / Spotify or whatever in the browser, if you use any of those leave it at “Enabled”)
13) brave://settings/wallet
NEW: Default cryptocurrency wallet –> None
NEW: Show Brave Wallet icon on toolbar –> Disabled
14) brave://settings/ipfs
NEW: Method to resolve IPFS resources –> Disabled / None
You can also disable the other settings there, but the first one should already do the trick.
BRAVE’S ADVANCED SETTINGS
15) brave://settings/passwords
NEW: Disable all settings you see there.
16) brave://settings/payments
– Disable all settings you see there.
17) brave://settings/addresses
– Disable all settings you see there.
Extensions I use in Brave, all downloaded from the Chrome Web Store… All of these extensions are long-standing free and open source software and do not collect any kind of data themselves:
NEW: I dropped uBlock Origin, reason being that Brave now supports custom adblock lists, I also want to keep the number of my extensions and resource usage at a minimum.
1) ClearURLs = primarily filters tracking elements from URLs, meaning you will be using clean links. Also other minor stuff.
– Allow domain blocking –> Enabled
– Prevent tracking via the History API –> Enabled
– Allow Referral marketing –> Disabled
– Filter eTags –> Enabled
2) LocalCDN = websites load libraries from third party sources, the providers of those libraries know which websites you’ve visited and can potentially profile you. LocalCDN provides these libraries locally for websites, intercepting requests to third party sources. Has the side effect of slightly speeding up the loading process of websites. I use LocalCDN instead of the similar Decentraleyes because the development of the latter has slowed down, and because LocalCDN supports a wider spectrum of libraries at this stage.
– You can leave everything at the default settings here. However, I recommend to disable the update notification in the settings of the extension as it’s quite annoying – the extension gets updated quite regularly.
3) Cookie AutoDelete = Gets rid of cookies and other kinds of local data websites store upon your computer upon closing the tab or changing the domain.
– Automatic cleaning –> Enabled
– Enable Cleanup of Discarded / Unloaded Tabs –> Enabled
– Enable Cleanup on Domain Change –> Enabled (Depends on the convenience level you want to maintain, if you are logged into an account, then change the website entirely, and then return to the website you’ve been logged into, all within the same tab, you’ll get logged out as the cookies will be removed upon domain change – normally Cookie AutoDelete would only clean cookies upon actually closing a tab).
– Clean Cookies from Open tabs on Startup –> Enabled
– Clean all Expired Cookies –> Enabled
– Enable Cache Cleanup –> Enabled
– Enable IndexedDB Cleanup –> Enabled
– Enable LocalStorage Cleanup –> Enabled
– Enable Plugin Data Cleanup –> Enabled
– Enable Service Workers Cleanup –> Enabled (may break chat notifications if you need those, so be careful if you use chats)
—–
I hope this info was helpful for any interested party. I always appreciate corrections or criticism where applicable.
) brave://settings/security
– Google SafeBrowsing –> No protection = Disabled (double-edged sword somewhat, Google SafeBrowsing improves security while lowering privacy – but usually your operating system does defend against known malware as well – choose at your own discretion)
NEW: Always use secure connections –> Enabled (forces HTTPS where possible, you may set exceptions for HTTP websites at your own discretion)
NEW: Use secure DNS –> Disabled (DNS over HTTPS / DoH, I don’t want my DNS data leaked to providers I don’t trust – however, you may also choose a DNS provider you trust at your own discretion via the “Custom” setting, I have heard good things about Quad9 for example, more info here: https://www.privacyguides.org/dns/ )
No need to disable safe browsing. All safe browsing requests are proxied through brave’s own domain
@Anonymous
This is true, but I consider this network request to be unnecessary, proxied or not. A proxy also only shifts the trust to Brave Software instead of Google. While I am willing to trust Brave with connections I consider necessary to keep the browser operational (like extension updates, certificate renewal, extension updates etc.), I am also willing to get rid of unnecessary connections where applicable (telemetry, SafeBrowsing etc.).
Does your OS not have antovirus defenses (e.g. Windows Defender)?
*antivirus
Thanks @Iron Heart
Question:
7) brave://settings/clearBrowserData
– Set it to delete cookies and cache upon closing the browser
8) brave://settings/cookies
– Block 3rd party cookies, set to delete cookies upon closing the browser
If you have Cookie AutoDelete as an extension, shouldn’t these be set not to delete cookies?
@Anonymous
> If you have Cookie AutoDelete as an extension, shouldn’t these be set not to delete cookies?
No. Unless you do grant exceptions in Cookie AutoDelete and thus permanently want to store select cookies. In this case it wouldn’t be prudent to let the browser delete them anyway on shutdown.
Read this little snippet (or the entire documentation, if you want to, it’s worthwhile info):
https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/wiki/Documentation#clean-cookies-from-open-tabs-on-startup=
The extension may fail to delete cookies upon browser shutdown and restart due to an API timing limitation, the browser itself never fails as it doesn’t have to rely on extension APIs.
“protect against using preferred language”
Jordan Peterson would agree
When they make it portable, then I will use it. The developers stubbornly refuse to make a portable version, which is unacceptable to me!
Technically, a portable version does exist:
https://portapps.io/app/brave-portable/
Also gets updated, but the update schedule is too inconsistent for my taste.
Brave is also getting a Smart Assistant:
https://twitter.com/i/status/1509879510639947782
@Neutrino
At last :D
@Neutrino
It was an April Fools’ post.
Brings something that has been available for several months as an extension for Firefox. And this browser calls itself privacy-protecting.
@piomiq
You are talking nonsense. You should NEVER EVER use extensions as fingerprinting protections. The behavior of the extension is detectable and is specific to the extension. Thus, you are within a very small pool of users of said extension – which is terrible if the goal is becoming reasonably non-unique. The pool is too small.
Always use the built-in defenses of browsers.
And Firefox? As in, 3% market share Firefox? LOL, this will go extinct. Brave is the only browser project I know of besides Bromite (which is limited in what it can ultimately achieve because it doesn’t have a large team behind it) that brings privacy improvements to Chromium / Blink, you know, the only relevant engine other than WebKit.
@Iron Heart
Being that there have been many changes recently to Brave, could you update and post your recommended setup to Brave for privacy and security?
@Anonymous
I have posted my current setup below. Sorry for the delay.
Think before posting such thoughts. Don’t make a fool of yourself. Advice for life.
If it’s just an extension for Firefox then it’s not a fair comparison. How many users will know or install that extension?