How are supercookies prevented? #375

Open
mklcp opened this issue Dec 17, 2024 · 5 comments
Labels
question Further information is requested

Comments

mklcp commented Dec 17, 2024

While I appreciate MullVad's browser efforts to prevent many common privacy leaks like WebRTC, totally preventing fingerprinting seems pretty hard given that users can always be identified by storing locally their fingerprints, whether it's in localStorage or even favicons.

Like this demo shows: https://supercookie.me/

ruihildt (Member) commented

Totally preventing fingerprinting is an impossible goal and not one we're trying to achieve.

To better understand our approach I recommend the articles we have written about the approach from the browser page on our website.

Regarding this website, have you tried the demo in Mullvad Browser?
When I run it, I receive an ID, if I restart the browser and run it again, I get another ID.

ruihildt added the label "question" (Further information is requested) on Dec 17, 2024
Thorin-Oakenpants commented Dec 17, 2024

by storing locally

Everything is partitioned by first party and sanitized on close, and a lot of third parties are even prevented in the first place. A lot of disk-touching "state" is also memory-only. Some, such as indexedDB, which is written to disk, are encrypted with a memory-only session key (in case of an ungraceful exit, and cleaned up on startup). By definition a fingerprint is stateless; you're confusing the two (although storing the FP hash or data is also a way to re-ID, but that defeats the purpose of stateless and they could just use their own cheaper UUID).
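To make the two previous comments concrete, here is an added example (not code from supercookie.me, Mullvad Browser or Tor Browser): a small Node.js model of the favicon-cache "supercookie" that the linked demo relies on, and of the two defences described above, first-party partitioning and clearing state on close. The tracker maps each bit of a visitor ID to one page path; on a write it serves a favicon for the 1 bits and a 404 for the 0 bits, and on a later read it serves 404 everywhere and treats every favicon the browser does not request as a cached 1 bit. The class names, the 16-bit ID width, the counter-based ID allocation and the origins used are this example's own assumptions, and the real demo uses HTTP redirects rather than the direct calls modelled here.

```javascript
// Added example (not code from supercookie.me or Mullvad Browser): a toy model
// of the favicon-cache supercookie plus first-party partitioning and
// sanitize-on-close. All names, the 16-bit ID width and the origins below are
// assumptions made for the demo.

const ID_BITS = 16;

// Model of a browser's favicon cache. Without partitioning the cache is keyed
// by favicon URL only; a partitioned browser also keys it by the top-level site.
class Browser {
  constructor({ partitioned = false } = {}) {
    this.partitioned = partitioned;
    this.cache = new Set();
  }

  cacheKey(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite}|${url}` : url;
  }

  // Loading a page under topLevelSite: the favicon is fetched unless cached.
  // Returns true if a request reached the server (which the server observes).
  visit(server, topLevelSite, path) {
    const key = this.cacheKey(topLevelSite, server.origin + path);
    if (this.cache.has(key)) return false;
    if (server.serveFavicon(path) === 200) this.cache.add(key);
    return true;
  }

  // "Sanitized on close": a new session starts with an empty cache.
  restart() {
    this.cache.clear();
  }
}

// The tracking server. Bit i of the ID is encoded by whether path /p<i>
// returns a favicon (1) or a 404 (0) during the write pass.
class Server {
  constructor(origin) {
    this.origin = origin;
    this.mode = 'read';
    this.currentId = 0;
    this.nextId = 1; // a real tracker would use random IDs; a counter keeps the demo deterministic
  }

  newId() {
    return this.nextId++;
  }

  serveFavicon(path) {
    if (this.mode === 'read') return 404; // reading never writes, so reads are repeatable
    const bit = Number(path.slice('/p'.length));
    return (this.currentId >> bit) & 1 ? 200 : 404;
  }

  // Write: walk the visitor through one page per bit; the 1 bits get cached.
  write(browser, topLevelSite, id) {
    this.mode = 'write';
    this.currentId = id;
    for (let bit = 0; bit < ID_BITS; bit++) browser.visit(this, topLevelSite, `/p${bit}`);
  }

  // Read: a bit is 1 exactly when the browser does NOT request that favicon.
  read(browser, topLevelSite) {
    this.mode = 'read';
    let id = 0;
    for (let bit = 0; bit < ID_BITS; bit++) {
      if (!browser.visit(this, topLevelSite, `/p${bit}`)) id |= 1 << bit;
    }
    return id;
  }
}

// A read of 0 means every favicon was requested: the visitor carries no ID yet.
function identify(server, browser, topLevelSite) {
  const id = server.read(browser, topLevelSite);
  if (id !== 0) return { id, returning: true };
  const fresh = server.newId();
  server.write(browser, topLevelSite, fresh);
  return { id: fresh, returning: false };
}

function demo() {
  const tracker = new Server('https://tracker.example'); // hypothetical origin
  const siteA = 'https://site-a.example';
  const siteB = 'https://site-b.example';
  const results = {};

  // 1. Persistent, unpartitioned cache: the second visit is re-identified.
  const persistent = new Browser();
  const first = identify(tracker, persistent, siteA);
  const second = identify(tracker, persistent, siteA);
  results.persistent = { first: first.id, second: second.id, reidentified: second.returning };

  // 2. Sanitize on close: after a restart the same browser gets a new ID.
  persistent.restart();
  const third = identify(tracker, persistent, siteA);
  results.afterRestart = { id: third.id, reidentified: third.returning };

  // 3. Same tracker embedded on two sites: the ID written under siteA is read
  //    back under siteB only when the cache is not partitioned.
  const plain = new Browser();
  identify(tracker, plain, siteA);
  results.crossSiteUnpartitioned = identify(tracker, plain, siteB).returning;

  const partitioned = new Browser({ partitioned: true });
  identify(tracker, partitioned, siteA);
  results.crossSitePartitioned = identify(tracker, partitioned, siteB).returning;

  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints a persistent browser being handed the same ID twice, a different ID after `restart()`, and a cross-site read that succeeds only for the unpartitioned browser, which is the behaviour ruihildt and mklcp report for Mullvad Browser (a new ID after each restart) and the partitioning Thorin-Oakenpants describes.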


mklcp commented Dec 22, 2024

@ruihildt Yeah I tried it, and I do get a different ID after a restart.
Actually my question was more general. What's the point of even trying to prevent fingerprinting when, as 1) you said, it's impossible to do it totally; 2) unless the browser is stateless, techniques like supercookies that use stored state will be possible; and 3) all browser sessions from all users should be the same, or at least identical enough (basically a crowd of clones).

Thorin-Oakenpants commented

ruihildt: Totally preventing fingerprinting is an impossible goal and not one we're trying to achieve.
mklcp: What's the point of even trying to prevent fingerprinting

to recap ... no one is trying to prevent fingerprinting

TB/MB do not retain any state, nothing is retained on disk after each session and a lot never even touches the disk. Stateless is not the same thing. Stateless == fingerprinting. A session is not a fingerprint nor a state. What are you trying to actually ask?


mklcp commented Dec 24, 2024

Mullvad Browser attempts to at least prevent some forms of tracking. From https://mullvad.net/en/browser:

When you visit a website, you can be identified and tracked through your IP address, third-party cookies, all kinds of tracking scripts, and through so called browser fingerprints. That’s why masking your IP address is not enough to stop the data collection. However, by using a trustworthy VPN in combination with a privacy-focused browser, you can put up a better resistance against the mass surveillance of today. That's why we partnered with the Tor Project to develop Mullvad Browser – a browser designed to minimize tracking and fingerprints.

I used "fingerprinting" to include tracking in general, perhaps a bit loosely.
As has been said, totally preventing fingerprinting is impossible. I wondered why attempting to even prevent tracking was worth it. Because it usually imposes many restrictions on the browsing experience (APIs disabled, etc.), and because if any state is conserved through browsing sessions, it's always possible to store an identifier in one way or another. Thus not worth the hassle of a restricted browsing experience.

But if no state is kept, that answers my question.

I'm unsure what you mean by Stateless == fingerprinting though
