Ask HN: How to Prevent Website(s) from Fingerprinting?
I use Mozilla (71.0), with add ons - ghostery, privacy badger, ABP, No script. In privacy setting, for Mozilla, i chose custom,i.e to block fingerprinting.
I ran EFF's Panopticlick [1] and it should that i am still being fingerprinted.
how to stop this?
[1]https://panopticlick.eff.org/
9 comments
[ 3.1 ms ] story [ 28.2 ms ] threadAnyone else want to chime in that has experience in this area?
An ongoing comprehensive user.js template for configuring and hardening Firefox privacy, security and anti-fingerprinting
https://github.com/ghacksuserjs/ghacks-user.js
https://blog.mozilla.org/security/2020/01/07/firefox-72-fing...
Since you weren't specific with the areas of concern, I'm just listing some factors and defenses off the top of my head (not all are practical or precise, but in combination can be useful):
* IP: Geo, location, person/device when correlated. --> VPN, TOR, etc. It would have to rotate to break correlation. Using wifi can pin you to a location or type of business (e.g. a specific coffee shop).
* Cookies: Easy to block, session limit, restrict to origin (despite cookies' scoping).
* User Agent: Can be easily forged or rotated, but can break some functionality. Lying may not be adequate since other browser features can expose your lie.
* Javascript: Can expose browser type (based on capabilities), enumerate plugins (plugins+versions, etc.), etc. Basically the general purpose leak source here.
* Plugins: Ball of fun, but thankfully less needed these days. Don't use them.
* CSS: You can use selective CSS content loading to identify browsers, or possibly users, leak some content (not much). Hard to turn off.
* Fonts: Font set enumeration, or what ones are fetched can expose OS, etc. Can be disabled.
* Images: Similar to other remote resources. Could be disabled but makes browsing pretty tough these days.
* Browser caching: Guessing this can be abused based on the presence (or absence) of a fetch. Could be turned off, but in the age of giant payload websites it will suck.
* Other hard to control things (but probably impractical anyway): Supported TLS algs, network packets, known vulnerabilities, etc.
I see two main strategies: Noise, and looking 'average'. Both have tradeoffs and are likely to be more effective in different scenarios. Noise can help avoid correlating independent events, but can push you to be a recognizeable outlier if the noise is repeatable. Looking average lets you hide among others (assuming you can define average). Browser defaults are moving us toward this; but system customization can move you back.
@dang, spam account posting misleading comments