Re: [Public WebGL] about the VENDOR, RENDERER, and VERSION strings

----- Original Message -----
> On Wed, Dec 1, 2010 at 00:52, Benoit Jacob <bjacob@mozilla.com> wrote:
> >> Maybe a way to make RENDERER useful while not giving too much bits
> >> would be to return the hardware maker and model but strip out
> >> driver
> >> information?
> >
> > That would be a step in the right direction, but these days GPU
> > manufacturers make many different models.
> > For NVIDIA alone, there are at least 200 device IDs relevant to
> > WebGL (OpenGL 2 hardware)
> >
> > So I expect the RENDERER string to give roughly 9 bits of
> > information, with an uneven distribution --- some models are less
> > commons and so their owners would be more exposed.
> Yes, but then that's also the case for any kind of less common
> setups... eg. people using, say, Opera on Linux are already much more
> exposed to browser-tracking than people using Internet Explorer on
> Windows ;-)

Sure! But this is neither an argument against or for caring about leaking more info through RENDERER :-) It's orthogonal. People with rare setups were already more exposed than the average, and this will make it worse for them.

> The way privacy-conscious people workaround this is usually to change
> their user-agent string through configuration, this is something that
> should be possible as well for WebGL RENDERER string imho.

If the RENDERER string is really important to get a good gaming experience on a given video card, then spoofing it will be more painful than it was to spoof the user-agent.

> In general, RENDERER string without driver version would give very
> minimal bits considering that the distribution is indeed very uneven
> with a strong bias on more popular hardware...

The more uneven the distribution, the least info is leaked for users with common hardware, but the more info is leaked for users with rare hardware. So I don't know that the unevenness affects how serious this issue is at all, in either direction. Also, there seems to be a long tail of relatively rare hardware.

> and on mobile devices
> the number of bits is even lesser considering the lesser number of
> designs and the fact that GPU can be inferred by other ways (eg. IOS 4
> means PowerVR SGX).

OK for mobile devices.

