Ask HN: How to Prevent Website(s) from Fingerprinting?

8 points by jackallis ↗ HN
I use Mozilla (71.0), with add ons - ghostery, privacy badger, ABP, No script. In privacy setting, for Mozilla, i chose custom,i.e to block fingerprinting. I ran EFF's Panopticlick [1] and it should that i am still being fingerprinted.

how to stop this?

[1]https://panopticlick.eff.org/

9 comments

[ 3.1 ms ] story [ 28.2 ms ] thread
Use tor browser, its designed so that every one has the same fingerprint iirc.
there really isn't any simple way of being fingerprinted that I've come across other than generating noise, but I am not an expert in this area.

Anyone else want to chime in that has experience in this area?

I am not an expert in these but isn't' tracking IP address also part of fingerprinting ? If thats the case, other than using something like TOR, can you really hide that ?
There are so many ways its hard to be truly secure. Just about everything your browser does (or can be asked to do), plus what it gives as a side effect of normal usage can yield some fingerprintable data. The variance is in how detailed or what is fingerprinted (you vs device/browser, OS, etc.). Once you cross correlate, you can bring in a tighter fingerprint.

Since you weren't specific with the areas of concern, I'm just listing some factors and defenses off the top of my head (not all are practical or precise, but in combination can be useful):

* IP: Geo, location, person/device when correlated. --> VPN, TOR, etc. It would have to rotate to break correlation. Using wifi can pin you to a location or type of business (e.g. a specific coffee shop).

* Cookies: Easy to block, session limit, restrict to origin (despite cookies' scoping).

* User Agent: Can be easily forged or rotated, but can break some functionality. Lying may not be adequate since other browser features can expose your lie.

* Javascript: Can expose browser type (based on capabilities), enumerate plugins (plugins+versions, etc.), etc. Basically the general purpose leak source here.

* Plugins: Ball of fun, but thankfully less needed these days. Don't use them.

* CSS: You can use selective CSS content loading to identify browsers, or possibly users, leak some content (not much). Hard to turn off.

* Fonts: Font set enumeration, or what ones are fetched can expose OS, etc. Can be disabled.

* Images: Similar to other remote resources. Could be disabled but makes browsing pretty tough these days.

* Browser caching: Guessing this can be abused based on the presence (or absence) of a fetch. Could be turned off, but in the age of giant payload websites it will suck.

* Other hard to control things (but probably impractical anyway): Supported TLS algs, network packets, known vulnerabilities, etc.

I see two main strategies: Noise, and looking 'average'. Both have tradeoffs and are likely to be more effective in different scenarios. Noise can help avoid correlating independent events, but can push you to be a recognizeable outlier if the noise is repeatable. Looking average lets you hide among others (assuming you can define average). Browser defaults are moving us toward this; but system customization can move you back.

Have you tried setting privacy.resistFingerprinting in about:config?