Anti-Fingerprint strategy that actually works.

[newedgex]

First, a thank you to the developers & contributors of this add-on.

I have been following the fingerprinting technologies for quite some time, and I think that so far, none of the browsers or add-ons really offer any protection, it's easy to verify from sites like https://www.amiunique.org/fingerprint or others. Some identifying techniques make us unique like :

• webgl
• canvas
• fonts listed through js
• navigator properties and so on....

Now where do we fail, well we fail on "faking" these values or spoofing them, regardless if they keep changing or are spoofed, we will keep being "unique" which can uniquely identify each of us.

So , what's the catch? Yes, we should protect our real data, however we should create a single fake profile shared among all browsers. The more common our "footprint" is, the less identifiable we are.

So yes, we should fake the common JS Attributes and HTTP headers, but only with a "profile" that's the same across all devices, and hopefully the more the add-on is used, the more browsers will be seen with the same footprint.

A similar approach is implemented by tor-browser

[e-t-l]

@sereneblue I have also found from https://www.amiunique.org/fingerprint that my most unique fingerprinters are JS Fonts and Navigator properties. I already have Chameleon set to spoof font fingerprints, but regardless of whether I enable/disable that setting, change the value of browser.display.use_document_fonts in about:config, or even try disabling all custom webfonts with the Toggle Web Custom Fonts addon, my font fingerprint remains the same. I don't know what it's based on or how to change it, though, since all these methods don't seem to work...

[slrslr]

Speaking about Tor browser, their explanation caught my attention. They are confirming at https://tb-manual.torproject.org/anti-fingerprinting/ what you are saying:

Users cannot choose a specific operating system or attempt to imitate every possible platform. Instead, Tor Browser standardizes User-Agent values to reduce uniqueness and avoid creating a false sense of privacy:

**All Windows appear as Windows 10.
All macOS appear as OS X 10.15.
All Android as Android 10.
All other systems like all Linux distributions (including Tails and Qubes), *BSD and other operating systems are grouped together and reported as "Linux running X11".
All the other details (such as the architecture) are also normalized per-platform.**

In this case, the fingerprint resistance strategy in Tor Browser is to protect real values of the User-Agent by spoofing, but also have a large enough user set.

User-Agent is sent to websites as an HTTP header, and it is available to JavaScript as navigator.userAgent. Inconsistencies in these values can trigger anti-bot and anti-fraud systems into categorizing Tor users as a bot, and deny their requests, which in turn affects usability for Tor Browser users.

Some privacy tools or users suggest that making all users appear as Windows would offer the best cover. However, perfectly spoofing across all browser contexts is not possible and active fingerprinting methods (using fonts, features, behavior, with or without JavaScript, etc.) can often be used to infer aspects of the hardware or operating system.

Tor Browser does not let users select which OS they appear to be. This is intentional: any option to choose would only make users more unique and thus easier to fingerprint. The small set of standardized options is key to keeping users blended together, maximizing privacy for everyone.

Some highlighted parts reminded me quite significant Cloudflare issues: #608 #518 and also Chameleon approach, which I understand to be wrong per what Tor written. @sereneblue what about making a Chameleon version which aims not to randomize User-Agent/footprints, but make them common with a footprints of other Chameleon users? Maybe then such new, simplified(?) Chameleon version can be compared with current one to see which one is better against fingerprinting and Cloudflare.

[kekkc]

https://www.amiunique.org/fingerprint is a nice test site, but I don't think the percentage values are as bad as they suggest.

Their DB seems to be too old to reflect current UAs. Using a standard English -current up to date - Windows 11 & Firefox 142, it shows 0.03% for the UserAgent, while using a spoofed old Linux FF v136 shows 0.13%.

If one just uses a local, non-english language, this would result in 1% or less, although my language is surely more spread.

Additionally, their dataset is 4 million users. Even 0.03% multiplied by 5 billion internet users worldwide equals 1 in 1.5 million users (which would not be really unique). Quite philosophical: even this estimation is useless. In reality someone would mix the identifiers. Local language, OS, avail screen height / width should be enough to check if it was the same person who clicked on first and second adlink to show him similar ads.

Tor approached is necessary for cases prioritising anonymity, but for standard cases I would prefer the convenience to use my complete available screen for example.

However, Canvas, nagivator properties & Screen available height seem to be a general problem.

[sereneblue]

U

You can opt out of Chameleon's profile spoofing and use the resist fingerprinting option that Firefox has (mimics Tor Browser's spoofing, will break some sites) if you want a uniform profile.