One more thing.
If you want to change the GFX card because the one chosen automatically is too old to be realistically used with Windows 10/11 these days, then you need to change not only WebGL Properties but also WebGL/WebGL2 Parameters.
Too bad it’s not recalculated or available to choose from a drop-down menu.
Same with userAgent/Platform/OS CPU combo…
Camoufox automatically generates both Intel/AMD graphics. It looks more realistic. The user‑agent can be manually changed to be as realistic as possible. It’s very easy. The main point is that the OS fingerprint is highly realistic.
FWIW,
I’ve been using Brave (with anti-fingerprinting) as my main browser for about a year. Around 80% of my browsing is sessionless/incognito. Since moving to Qubes, I use one appVM for sessionless browsing and another for logged-in sessions on “usual suspect” websites. I rotate VPN IPs within my country every 2–3 hours. On mobile, I haven’t used YouTube or logged-in sessions for years. I’ve exclusively used DuckDuckGo or Brave Search for 5+ years, and uBlock Origin for just as long (previously on Firefox/Chrome).
Here’s what I’ve noticed:
Most of my incognito browsing (~80%) is on YouTube as a TV replacement. I haven’t yet set up FreeTube/Invidious on Qubes, so I just use incognito YouTube with bookmarks folders for my “channels”, “watch later” and “history”.
Each time I restart the YouTube appVM (not a dispVM) and open YouTube in incognito, it shows the usual “Try searching to get started” screen. But from my very first search (“news” or “emacs”), it instantly begins recommending videos I’m likely to click.
If I leave the appVM running for ~24 hours, after 10+ related clicks, daily visits to my 5 bookmarked channels, and several keyword searches, YouTube essentially rebuilds my logged-in feed—about 80% accuracy. It knows to show me Vim as well as Emacs, Linux as well as security news—even sites I haven’t visited in that session or in a long time - including old content!
For this reason I don’t even log in to YouTube anymore since it already knows who I am.
The extent of this cross-device/cross-IP/cross-browser/cross-OS digital stalking really blows my mind.
It takes longer if I completely wipe the browser profile (even though I’m only using incognito), but it still identifies me surprisingly quickly. It’s as if every interaction with Google infrastructure hones in on my patterns—usage, sites visited, even VPN endpoints—and assigns a probability that it’s me. This goes well beyond non-cookie identifiers.
If I leave the appVM running for 3+ days, it even resurfaces content from old “Music” or “Watch Later” playlists I haven’t accessed in years.
TL;DR: For this use case, I probably need to use a dispVM: that is my next goal.
I think this could make a reproducible fingerprinting test: start with a common keyword (“news”) on a fresh browser/incognito install, delete cookies on exit, etc., and see how fast old ‘tripwire’ channels/content resurface. With browser automation (Playwright, Selenium) and thousands of tests, the community could actually accurately measure and score cross-device/OS/IP/browser/sessionless fingerprinting.
Does anything like this already exist? Is this a bad idea? Such a test could empirically evaluate and score fingerprinting/antidetect on donut-browser, dispVMs, Brave, Arkenfox, LibreWolf, etc. - and I would love such an awesome feature to be born on Qubes as it is designed to test many browsers, configurations and operating systems - the ‘Killer App’ and compelling reason that will bring many more users in to the safety of Qubes (as well as self-evaluation).
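The scoring half of the test proposed in the post above, as an added example that is not part of the thread or of any project mentioned in it. The configuration names, tripwire labels and observation data are constructed; collecting real observations with Playwright or Selenium is assumed to happen elsewhere.

```python
from statistics import median

# Constructed sample data (not real measurements). Each run is the ordered list
# of recommendation sets seen after each interaction in a fresh session.
TRIPWIRES = {"old-vim-channel", "old-music-playlist"}  # hypothetical labels
RUNS = {
    "control-clean": [  # a profile with no history behind it: the baseline
        [{"news-a"}, {"news-b"}, {"news-c"}],
        [{"news-a"}, {"news-b"}, {"news-d"}],
    ],
    "appvm-incognito": [
        [{"news-a"}, {"news-b", "old-vim-channel"},
         {"old-vim-channel", "old-music-playlist"}],
        [{"news-a", "old-vim-channel"}, {"old-vim-channel"}],
    ],
    "dispvm-fresh": [
        [{"news-a"}, {"news-b"}, {"news-c"}],
        [{"news-a"}, {"news-b"}, {"news-c", "old-music-playlist"}],
    ],
}

def first_hit(run, tripwires):
    """1-based interaction index at which any tripwire first appears, else None."""
    for step, recs in enumerate(run, start=1):
        if recs & tripwires:
            return step
    return None

def score(runs, tripwires, horizon, control="control-clean"):
    """Summarise each configuration over the first `horizon` interactions."""
    out = {}
    for cfg, cfg_runs in runs.items():
        hits = [first_hit(r[:horizon], tripwires) for r in cfg_runs]
        found = [h for h in hits if h is not None]
        seen = [set().union(*r[:horizon]) & tripwires for r in cfg_runs]
        out[cfg] = {
            "rate": len(found) / len(cfg_runs),          # runs re-identified
            "median_steps": median(found) if found else None,
            "coverage": sum(len(s) for s in seen) / (len(cfg_runs) * len(tripwires)),
        }
    base = out[control]["rate"]
    for cfg in out:  # lift over the baseline separates tracking from popularity
        out[cfg]["lift"] = out[cfg]["rate"] - base
    return out

if __name__ == "__main__":
    for cfg, s in score(RUNS, TRIPWIRES, horizon=3).items():
        print(cfg, s)
```

The control configuration matters: a tripwire that also shows up for a profile with no history is just popular content, so only the lift over the control says anything about re-identification.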
Does this protect against mouse fingerprinting? Audio fingerprinting, etc?
Have you considered the NewPipe app on an Android VM? There is also Invidious/Piped.
Camoufox has protection against mouse fingerprinting.
Sorry, I can’t even remember what the original OP was. I see they’re now promoting “unique fingerprint”, which to my understanding is to be avoided, unless one-time use per fingerprint…
Interesting, great suggestion
@zhom new package releases don’t mark the old one as obsolete, so it can’t be updated by RPM - can’t update from 0.12.3:
file /usr/bin/donutbrowser from install of donut-0:0.13.2-1.x86_64 conflicts with file from package donut-browser-0:0.12.3-1.x86_64
I will try with the donutbrowser app itself, but it needs an additional package that is not installed.
PS: it also complains about conflicts with old package and after that there is no zypper installed
PS2: no love
Trying to install with rpm
Installation failed with rpm: file /usr/bin/donutbrowser from install of donut-0:0.13.2-1.x86_64 conflicts with file from package donut-browser-0:0.12.3-1.x86_64
file /usr/bin/nodecar from install of donut-0:0.13.2-1.x86_64 conflicts with file from package donut-browser-0:0.12.3-1.x86_64
Trying to install with dnf
Installation failed with dnf: Updating and loading repositories:
Repositories loaded.
Total size of inbound packages is 94 MiB. Need to download 0 B.
After this operation, 301 MiB extra will be used (install 301 MiB, remove 0 B).
Running transaction
Transaction failed: Rpm transaction failed.
Warning: skipped OpenPGP checks for 1 package from repository: @commandline
- file /usr/bin/donutbrowser from install of donut-0:0.13.2-1.x86_64 conflicts with file from package donut-browser-0:0.12.3-1.x86_64
- file /usr/bin/nodecar from install of donut-0:0.13.2-1.x86_64 conflicts with file from package donut-browser-0:0.12.3-1.x86_64
Trying to install with yum
Installation failed with yum: Updating and loading repositories:
Repositories loaded.
Total size of inbound packages is 94 MiB. Need to download 0 B.
After this operation, 301 MiB extra will be used (install 301 MiB, remove 0 B).
Running transaction
Transaction failed: Rpm transaction failed.
Warning: skipped OpenPGP checks for 1 package from repository: @commandline
- file /usr/bin/donutbrowser from install of donut-0:0.13.2-1.x86_64 conflicts with file from package donut-browser-0:0.12.3-1.x86_64
- file /usr/bin/nodecar from install of donut-0:0.13.2-1.x86_64 conflicts with file from package donut-browser-0:0.12.3-1.x86_64
Trying to install with zypper
Installation failed with zypper: donut-0.13.2-1.x86_64 (Plain RPM files cache): Signature verification failed [6-File is unsigned]
Problem occurred during or after installation or removal of packages:
Installation has been aborted as directed.
Please see the above error message for a hint.
That seems interesting. I may need to look into it a bit more, although I’m already pretty happy with my own setup. It randomizes my fingerprint, making it unreliable for tracking. Cloudflare will block access to half the internet with this, though.
• Ungoogled Chromium (hardened)
• uBO in strict mode
• JShelter in max mode
• hardened_malloc (strong)
• Qubes DisposableVM
• seccomp sandbox
• No GPU → predictable software rasterization
• ptrace_scope=3
I’m still missing some kind of kloak-style protection at least.
Hi KitsuneNoBaka, please delete the old installation of Donut and install the new one. You can do so with your package manager. To resolve the issue you experienced with the .desktop file, I have renamed the application to simply “Donut”. As long as you do not manually delete data in your home directory, it will not be affected.
Also, please post all issues on GitHub as it is a lot easier for me to track them. I have also already closed 2 issues created by you. It doesn’t mean that I don’t want to fix them, it means that I assume that they are fixed. If I am wrong, please reopen them or create new ones. It is also important to keep this thread on topic.
Appreciate your active usage. Please continue sharing bugs and your feedback. Thanks!
Thank you for the update and for fixing the bugs with the update!
One GitHub issue was with the .desktop file - but both you changed it to work with Qubes OS and the Qubes devs fixed it so that it should work with spaces. So that one is double fixed.
Another one was about a feature that, after discussing it here, is not relevant anymore.
Keep up the good work.

