
Can you help me understand JShelter’s browser fingerprint protection?

Çağlar Arlı

I've been testing my browsers against these sites:

With JShelter in recommended mode I get the same hash on the ThumbMarkJS site on every page load, but when I set it to strict mode the hash always changes. I'm also able to fool the fingerprint.com site the same way if I remove cookies and site data between page loads. This way I can get "first visit" every time.

On the ThumbMarkJS site this is because the audio test returns a different, more randomized result in strict mode, which causes a different hash on every reload, but not in recommended mode.

ThumbMarkJS audio result:

"audio": {
    "sampleHash": 1013.8656387917245,
    "oscillator": "sine",
    "maxChannels": 2,
    "channelCountMode": "max"
},

To me, this seems like a good thing. A changing hash means that the site can't reliably detect me between page loads (ignore cookies, sessionStorage and localStorage for now).

However, on the JShelter web page they say that:

First of all, the Strict JSS level does not mean stronger protection from fingerprinting. In fact, it makes your fingerprint stable. We do not recommend using Strict level as an anti-fingerprinting mechanism. — https://jshelter.org/faq/

Strict: Enable all non-experimental protection. The wrapped APIs return fake values. Some APIs are blocked completely, others provide meaningful but rare values. Some return values are meaningless. This level will make you fingerprintable because the results of API calls are generally modified in the same way on all websites and in each session. Use this level if you want to limit the information provided by your browser. If you are worried about fingerprinters, make sure the Fingerprint Detector is activated. — https://jshelter.org/levels/

So, as far as I understand, there are two strategies against fingerprinting: be as average as you can and disappear in the crowd, or randomize everything so that you can't be identified reliably. JShelter's increased randomization with strict levels should then mean better protection against fingerprinting, right? Or did I just get lucky with these services that happened to fingerprint audio, which gives randomized output and screws up their result, and in general I'm still more fingerprintable or can still be identified from session to session because it's randomized in a predictable way?

Anyway, to me this still seems like an improvement. Mullvad Browser can't beat those sites and can be detected even after restarting the browser. Brave can be identified inside the same session even though you clear cookies and site data, but restarting the browser seems to generate a new hash on ThumbMarkJS. JShelter in strict mode can beat these detections.
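
The following is an added example, not part of the original post and not JShelter or ThumbMarkJS code. It gives a way to check whether a changing overall hash really means the remaining components are unlinkable: hash every component, then hash only the components that stayed constant across loads. All attribute names and values are constructed, and the per-load audio randomization is an assumption modelled on the behaviour described above.

```javascript
// Constructed demo: one randomized component changes the full hash on every
// load, while the constant components still hash to the same value.

// FNV-1a 32-bit, used here as a stand-in for a real fingerprint hash.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Hash the selected components in sorted key order (deterministic output).
function fingerprint(components, keys = Object.keys(components)) {
  const picked = [...keys].sort().map((k) => [k, components[k]]);
  return fnv1a(JSON.stringify(picked));
}

// Simulated page load (hypothetical values): audio is re-randomized each
// load, the other values are modified or real but identical every time.
function pageLoad(rng = Math.random) {
  return {
    audioSampleHash: 1000 + rng() * 100, // assumed to vary per load
    hardwareConcurrency: 2,              // constant
    timezone: "UTC",                     // constant
    canvas: "a3f1c9",                    // constant, constructed value
  };
}

// Components whose value was identical in every observed load.
function stableKeys(loads) {
  return Object.keys(loads[0]).filter((k) =>
    loads.every((l) => JSON.stringify(l[k]) === JSON.stringify(loads[0][k])));
}

// Compare the full hash with the hash over stable components only.
function runDemo(n = 3) {
  const loads = Array.from({ length: n }, () => pageLoad());
  const keys = stableKeys(loads);
  return {
    fullHashes: loads.map((l) => fingerprint(l)),
    stableKeys: keys,
    stableHashes: loads.map((l) => fingerprint(l, keys)),
  };
}

console.log(runDemo());
```

If `stableHashes` is identical across loads while `fullHashes` differs, the changing hash comes from the randomized component alone, and the rarity of the remaining constant values decides how identifiable the browser is.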