Daily plug for Cromite, which is explicity built for anti-fingerprinting (through not just blocking, but spoofing and stripping systems out) and de-Googling:
So I guess for Firefox users it’s time to enable the resist fingerprinting option ? https://support.mozilla.org/en-US/kb/resist-fingerprinting
You can also use canvas blocker add-on.
Use their containers (firefox multi-account container add-on) feature and make a google container so that all google domains go to that container.
If you want to get crazy, in either set in about:config or make yourself a user.is file in your Firefox profile directory and eliminate all communication with google. And some other privacy tweaks below.
google shit and some extra privacy/security settings
Google domains and services:
user_pref(“browser.safebrowsing.allowOverride”, false);
user_pref(“browser.safebrowsing.blockedURIs.enabled”, false);
user_pref(“browser.safebrowsing.downloads.enabled”, false);
user_pref(“browser.safebrowsing.downloads.remote.block_dangerous”, false);
user_pref(“browser.safebrowsing.downloads.remote.block_dangerous_host”, false);
user_pref(“browser.safebrowsing.downloads.remote.block_potentially_unwanted”, false):
user_pref(“browser.safebrowsing.downloads.remote.block_uncommon”, false);
user_pref(“browser.safebrowsing.downloads.remote.enabled”, false);
user_pref(“browser.safebrowsing.downloads.remote.url”, “”);
user_pref(“browser.safebrowsing.malware.enabled”, false);
user_pref(“browser.safebrowsing.phishing.enabled”, false);
user_pref(“browser.safebrowsing.provider.google.advisoryName”, “”);
user_pref(“browser.safebrowsing.provider.google.advisoryURL”, “”);
user_pref(“browser.safebrowsing.provider.google.gethashURL”, “”);
user_pref(“browser.safebrowsing.provider.google.lists”, “”);
user_pref(“browser.safebrowsing.provider.google.reportURL”, “”);
user_pref(“browser.safebrowsing.provider.google.updateURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.advisoryName”, “”);
user_pref(“browser.safebrowsing.provider.google4.advisoryURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.dataSharingURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.gethashURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.lists”, “”);
user_pref(“browser.safebrowsing.provider.google4.pver”, “”);
user_pref(“browser.safebrowsing.provider.google4.reportURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.updateURL”, “”);Privacy and security stuff:
user_pref(“dom.push.enabled”, false);
user_pref(“dom.push.connection.enabled”, false);user_pref(“layout.css.visited_links_enabled”, false);
user_pref(“media.navigator.enabled”, false);user_pref(“network.proxy.allow_bypass”, false);
user_pref(“network.proxy.failover_direct”, false);
user_pref(“network.http.referer.spoofSource”, true);user_pref(“security.ssl.disable_session_identifiers”, true);
user_pref(“security.ssl.enable_false_start”, false);
user_pref(“security.ssl.treat_unsafe_negotiation_as_broken”, true);
user_pref(“security.tls.enable_0rtt_data”, false);user_pref(“privacy.partition.network_state.connection_with_proxy”, true);
user_pref(“privacy.resistFingerprinting”, true);
user_pref(“privacy.resistFingerprinting.block_mozAddonManager”, true);
user_pref(“privacy.resistFingerprinting.letterboxing”, true);
user_pref(“privacy.resistFingerprinting.randomization.daily_reset.enabled”, true);
user_pref(“privacy.resistFingerprinting.randomization.enabled”, true);user_pref(“screenshots.browser.component.enabled”, false);
user_pref(“privacy.spoof_english”, 2);
user_pref(“webgl.enable-debug-renderer-info”, false); user_pref(“webgl.enable-renderer-query”, false);
But why would any browser accept access to those metadata so freely? I get that programming languages can find out about the environment they are operating in, but why would a browser agree to something like reading installed fonts or extensions without asking the user first? I understand why Chrome does this, but all of the mayor ones and even Firefox?
Because the data used in browser fingerprinting is also used to render pages. Example: a site needs to know the size of browser window to properly fit all design elements.
Would it be possible for a browser or extension to just provide false metadata in order to subvert this type of fingerprinting?
So from what I understand, theres 2 common ways that browsers combat this. Someone add to or correct me if I’m wrong.
- Browsers such as Mull combat this by looking the same as every other browser. If you all look the same, it’s hard to tell you apart. I believe this is why people recommend using default window size when using Tor.
Ex: Everyone wearing black pants and hoodies with the facemasks. Extremely hard to tell who is who.
- Browsers such as Brave randomize metadata that fingerprinting collects so that it’s more difficult to piece it all together and build a trend/profile on someone.
Ex: look like a dog in one place, a cat in another place. They get data for a dog but that doesn’t help build anything if the rest of the data is a cat, hamster, whatever. No way to piece it together to be useful.
In both my examples, there are caveats. Just because everyone dressed the same doesn’t mean someone isn’t taller or shorter, or skinnier or fatter. There can still be tells to help narrow down. Or a cat that barks like a dog suddenly is more linkable to a dog if that makes sense lol.
In other words it still depends user behavior that can contribute to the effectiveness of these tools.
EDIT: got distracted. To answer your question I don’t think so. I think it’s more about user behavior blending in or being randomized. I think the only thing an extension would be able to do is possibly randomize the data but I’m unsure of such an extension yet. These aren’t the only options, these are just ones I’ve read about recently. Online behavior, browswr window size, and I’m sure so much more also goes into it. But every little bit helps and is better than nothing.
EDIT2: Added examples for each for clarity.
Using Mullvad Browser + Mullvad VPN could mitigate this a little bit. Because if you use it as intended (don’t modify Mullvad browser after installation) , all Mullvad users would have the same browser fingerprint and IPs from the same pool.
The problem is it’s all or nothing. You must foil IP address, fingerprint, and cookies - all three at once.
Mullvad browser might make your fingerprint look similar to other users, but it’s not common is the problem. Test it with the EFF Cover your tracks site.
This has been the case for years. I develop fingerprinting services so AMA but it’s basically a long lost battle and browser are beyond the point of saving without a major resolution taking place.
The only way to resist effective fingerprint is to disable Javascript in its entirity and use a shared connection pool like wireguard VPN or TOR. Period. Nothing else works.
How can you live with yourself?
I do it as a security measure for private institutions and everyone involved has signed contracts. It’s not on the public web.
PiHole
AdAway
Burn the ads down.
Sadly, neither will truly protect you from fingerprinting.
It would be nice to hammer a manually created fingerprint into the browser and share that fingerprint around. When everyone has the same fingerprint, no one can be uniquely identified. Could we make such a thing possible?
Not really. The “fingerprint” is not one thing, it’s many, e.g. what fonts are installed, what extensions are used, screen size, results of drawing on a canvas, etc… Most of this stuff is also in some way related to the regular operation of a website, so many of these can’t be blocked.
You could maybe spoof all these things, but some websites may stop behaving correctly.
I get that some things like screen resolution and basic stuff is needed, however most websites don’t need to know how many ram I have, or which CPU I use and so on. I would wish for an opt-in on this topics: So only make the bare minimum available and ask the user, when more is needed. For example playing games in the browser, for that case it could be useful to know how much ram is available, however for most other things it is not.
Unfortunately the bare minimum is in most cases already enough to uniquely fingerprint you.
This is called Tor
No it isn’t.
And this is really important. If you go on Google tracked websites without tor, Google will still know it’s you when you use tor, even if you’ve cleared all your cookies.
Tor means people don’t know your IP address. It doesn’t protect against other channels of privacy attack.
