@Pants
> I did no such thing
Yes, you did. Not that you need to, however, since we already know that your GitHub history is pure emptiness – despite the projects you are attached to being on GitHub. If you had contributed anything, we would know of it by now.
> I’m more than happy to provide Martin with proof
Don’t care, and why should anybody else care. Provided such “proof” even exists (I strongly doubt it).
> Peter
Yeah, whatever. Brave’s (and Firefox’s) anti-fingerprinting implementations receive patches all the time. You found that Brave leaked a real value via some testing suite? Great, cool, whatever. Am I supposed to celebrate that? You were not the one patching it in the end, were you? Such reports hit Brave Software and Mozilla on a regular basis.
> Do you still think I am lying
I never said that you were unable to operate a testing suite. It’s just not something I have any kind of respect for – anyone can do that, with little prior knowledge.
> for starters I cannot trust you given your hatred and animosity
That goes for me as well, lol.
> Thirdly, you’d use it against me: dox me, spam me or something.
Boy, you have lots of imagination. Firstly, you are totally irrelevant to me. I don’t care about you. If you weren’t spamming / doxing MY POSTS, I would likely forget about you. Secondly, I have never doxed your virtual self, either. Noticing that your GitHub history is empty took me one (1) click, hardly doxing in my book.
> NO. WAY. AM. I. REVEALING. THE. REAL. ME. TO. YOU.
OK, then reveal the “work” you’ve done under other pseudonyms, I’d likely recognize your nasty self. It’s not like I want your passport and home address, haha. Pointing me to some achievements of yours conducted under a pseudonym would be enough.
By the way, your virtual self already tells me the things I need to know about you (no GitHub contributions, privacy reduction script, heaps of time on your hands etc.). I do not need to know your real identity to see any of that.
> Do I constantly ask about your coding skills, or your body of work, or what you do all day? No. Grow up and behave like a normal human being please
Yeah, I am not posing as an expert here, you do. I just want to see some stuff that would back up your self-grandiosity, and I am sure I am not the only one.
> You’ve said three times now that Whonix are laughing at the script: where? who? show me? You’re making it up
Oh, you forgot about it already? No problem, posting it again:
https://madaidans-insecurities.github.io/browser-tracking.html#configuring-the-browser
“Madaidan” is a leading Whonix dev. Doesn’t seem to praise your work, eh? Why not take the fight to them, dear * [Editor: removed, stay polite]? Show them your so-called expertise and how they are wrong, personally I can’t wait for that. Your skill level certainly matches theirs, according to your last comments here.
> Of course an enforced set of users is much better
Thanks for admitting it. Only took you 10 comments this time.
> At no point have I said that a disabled API doesn’t provide a metric
I said this repeatedly in my comments when you were still talking about “reduced attack surface”, just because the number of reported values goes down when you disable an API. Bean counting is not efficient here, however. WebGL being enabled (and several values leaking as a result) is not as bad as disabling it on Firefox; you are automatically more unique even though the absolute result count was reduced.
> At no point have I said that changing prefs in Firefox can’t affect fingerprints
I said this repeatedly in my comments, and yet you still don’t understand that your user.js creates a unique fingerprint.
> At no point have I said that extensions can’t affect fingerprints
Cool, me neither.
> At no point have I said that an enforced set of users (e.g Brave at default, or Tor Browser, or Whonix) is not required for anti-fingerprinting to work best (e.g advanced scripts)
Ah, so you admit that Firefox not having FP defenses on by default (resulting in people having it on by default being a minuscule minority) is a problem? How come?
> and.. at no point has the user.js ever claimed to beat fingerprinting scripts
It aims to defeat FP scripts; that it does not always succeed in this is self-explanatory. Brave doesn’t succeed in all cases, either. It comes with the territory and is hardly an argument.
> The arkenfox user.js is a template
If users really take your “template” talk seriously, they’ll be even more unique than they would be already by applying your script. Users of your script are a tiny minority already, and users running that script in a modified fashion are even more unique than that.
Furthermore, your “template” talk is already proven wrong by the fact that you are considering usability (if in an insufficient manner) when creating your script, such considerations would be unnecessary in a real template from which users pick what they like / need (hopefully not, as I said, that would be even worse than outright applying your script).
> The user.js is not trying to hide its fingerprint, it’s almost impossible against an advanced script without a universal buy-in.
You see, even a primitive script only checking for WebGL and a small range of other things would already be enough to identify your users – that’s how heavily you alter the fingerprint any given Firefox would normally produce.
> Both when on fool naive scripts, which make up the bulk of the scripts out there (pretty sure from memory that Peter has said this, as well as OpenWPM crawls, etc: you can grab lists of known FPing scripts and inspect them you know).
I still remember you screeching for proof when I said some time ago that the grand majority of scripts are primitive (and for which Brave anti-FP is good enough most of the time) – I pointed to the fact that such databases exist, you ignored it, now you provide the very same proof yourself, you snake. That’s how dishonest you are. Not saying that what you say here is wrong (I am aware of this, too), I am just appalled at your methods.
> Your claims that it does nothing for privacy are ludicrous
Correction: I didn’t say it does nothing for privacy (which would be neither good nor bad), I said that it actively REDUCES privacy by creating a highly unique fingerprint for FF users. And I stand by that – the only result is a highly unique fingerprint. It’s not only me saying this, either. The Whonix project (you know, the OS often used by dissidents fearing for their lives) says it, too.
> The browser is ALREADY unique doing nothing
…but still less unique than if your script were applied, believe me.
> And the two identical hardware setups is a myth as well (I’d explain why but you wouldn’t understand)
It’s not a myth. There are only so many things that can differ on identical hardware. Hardware concurrency wouldn’t differ, anything related to the GPU wouldn’t differ, RAM wouldn’t differ, screen resolution (both browsers maximized – I realize that window dimensions are a threat) wouldn’t differ. Fonts wouldn’t differ, unless the user installed new fonts (except maybe those of MS Office, which is widespread enough not to matter). Battery would be a threat, but only on mobile devices.
I can identify different hardware on the network level (MAC address), your script stupidly suggests turning off IPv6 in response to that (instead of, you know, randomly spoofing the MAC address, but whatever). The fake MAC address would be the solution, however, I can detect that someone falls back to IPv4 when an IPv6 connection would be the default, and fewer and fewer people fall into that category. While the fake MAC address isn’t sticking out, your users increasingly do. What I am saying is that your script is also messing up at the network level, where identification of different hardware could be done in the easiest manner. That also includes timing attacks, but they are too resource-intensive to be carried out on a wider scale.
Network-level identification of different hardware would be easier than (oftentimes unreliable) results from fingerprinting identical hardware, but your script messes with that, as well. It’s so messed up, seriously.
> And you’re overplaying the FPing script: first it has to get through, and then it ALSO needs to be universally widespread to be of any use. Granted, it’s useful for first parties, but the threat is a lot less than you’re making it out to be
Yeah, remember when I said the exact same to you? You then went on and on about how your script is supposedly a “comprehensive solution” (while in fact just resulting in a highly unique fingerprint), in response to me pointing out that scripts are not that varied in the wild (likely most of them get blocked by an adblocker) and that it would have to target Brave’s weaknesses. You were in total denial of that, now you are pointing it out yourself. Cool. It’s obviously only correct when Pants says it – as always.
> Don’t talk about things you do not understand.
You don’t understand shit, either:
– Produces a script that among other things is meant to combat fingerprinting, but doesn’t understand that it makes users more unique in the end.
– Talks about being identical to Tor’s fingerprint but fails to realize that Firefox and Tor can be told apart on the network level.
– Doesn’t understand that WARs are not the only way to detect extensions when behavioral patterns are a thing.
– Doesn’t understand that the web compatibility implications of randomization are lesser when compared to the “everyone looks the same” approach, hence why the latter approach is hard to maintain.
– Fails to understand that the fact of using Firefox alone already is pretty special these days (not in a good way).
– Fails to understand that security is relevant as well (many deanonymizations are facilitated by weak anti-exploit measures).
– Generally has zero idea about the network fingerprint.
– Doesn’t know what an unsolicited request is, fails to stop it when it appears (because coding skills beyond about:config would be required).
And so on and so forth…
> Your knowledge on entropy and how linkability works is appalling. You should stop advising people here immediately and refrain from posturing as an expert:
My gal, I am not the one playing expert here. That would be you. And you lack the skill to pose as such.
> pointing at articles by others and misinterpreting them with wild misleading generalizations does not help anyone
I don’t get the impression that I come up with “wild generalizations” here, but OK, whatever.