Browser fingerprinting is a method that is speculated to be used by monitoring agencies and advertising networks to track internet users. By reducing the entropy of the data that can be used to fingerprint your browser, it is possible to make fingerprinting either difficult or useless. This tutorial lists how to modify your browser's settings to reduce the entropy of your fingerprint. The recommendations are based on the default settings for Firefox 30, and it should be possible to carry out these changes on any modern browser.
Background
The background to browser fingerprinting is well covered by the EFF[1], but I will provide a short summary anyway. The idea behind browser fingerprinting is that every browser's and computer's configuration is unique enough to identify a person based on these variables alone. One such variable is your useragent, which varies based on your browser, browser version, operating system, system architecture, CPU brand (for older Macs and mobile users), window system (for Linux) and many other variables. By doing some informal testing, I found that by selecting a random useragent (using the Random Agent Spoofer for Firefox) and running the Panopticlick test[2], the number of bits of entropy you should expect will be between 10 and 20.
Taking the population of the Earth (around 7 billion) and calculating its base-2 logarithm shows that approximately 33 bits are needed (see the Appendix for more details) to identify any single person, so the useragent alone gets us halfway there. Other sources of entropy that can be used include[2]: HTTP_ACCEPT headers, browser plugin details, time zone, screen size and color depth, and system fonts. From this it is clear that any attempt to fingerprint a browser is very likely to succeed. However, it is possible to significantly reduce the number of bits of entropy to below 33 bits.
Mitigation
I will go over mitigating the effects of the most significant sources of entropy.
Useragent (~10-20 bits):
There is not a lot that can be done about the useragent. Due to the variety of system configurations and browsers available, almost every possible useragent provides a similar amount of entropy, and if you made up a fake useragent you would be more easily identifiable. A simple way to work around this is to use a plugin that periodically switches between useragents; this essentially makes the useragent a redundant source of entropy, as it's not a fixed value. However, with an archaic useragent some websites may not render correctly, because the server sends additional data specific to that browser (Gmail and Google Maps will often cause problems with odd useragents).
Browser plugin details (+31 bits):
This is a very important variable, as alone it can easily provide 32 bits (I don't have a reference for this, but browser plugin details are almost always unique due to different installations and also the order in which the plugins are listed). In Firefox you can disable plugin enumeration by setting plugins.enumerable_names to an empty string in about:config. At the time of making this post, it doesn't seem to be possible to do this in Chrome.
System fonts (+31 bits):
The system fonts list is as useful as the browser plugins list, as almost every system has a unique set of fonts due to fonts installed by applications and websites. In this area non-Windows systems have a slight advantage, as a clean install comes with fewer system fonts. System fonts are enumerated using JavaScript[3] or Flash[4], and both methods have to be stopped individually to remove the entropy.
To prevent JavaScript-based enumeration you can disable JavaScript, or you can set an approved set of fonts for websites to use (Firefox 30: Settings->Content->Default Font, and also uncheck Settings->Content->Default Font->Advanced...->Allow websites to use fonts other than...). As far as I know this isn't possible in Chrome, but it should be feasible in Chromium.
To disable Flash-based enumeration you need to set the following in "mms.cfg", which can be found in "/etc/adobe" on Linux and in "C:/windows/system32/Macromed/Flash" or "C:/windows/syswow64/Macromed/Flash" on Windows:
DisableDeviceFontEnumeration = 1
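A way to confirm that the settings from this section are in place, as an added example that is not part of the original post: it reads the text of a Firefox profile's prefs.js or user.js and of mms.cfg and lists what is still at its default. The function names and sample file contents are constructed here, and browser.display.use_document_fonts is assumed to be the about:config name behind the "Allow websites to use fonts other than..." checkbox.

```python
import re

# Hardened values as raw user_pref() text. The first pref is named in the post;
# the second is the assumed about:config name for the font checkbox.
WANTED_PREFS = {"plugins.enumerable_names": '""',
                "browser.display.use_document_fonts": "0"}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')


def parse_prefs(text):
    """Return {name: raw value} from Firefox prefs.js / user.js text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)  # later lines override
    return prefs


def parse_mms_cfg(text):
    """Return {key: value} from mms.cfg text, ignoring '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def audit(prefs_text, mms_text):
    """List the settings that are missing or not at the hardened value."""
    prefs = parse_prefs(prefs_text)
    findings = [name for name, wanted in WANTED_PREFS.items()
                if prefs.get(name) != wanted]
    if parse_mms_cfg(mms_text).get("DisableDeviceFontEnumeration") != "1":
        findings.append("DisableDeviceFontEnumeration")
    return findings


# Constructed sample files: one hardened profile, one left at defaults.
HARDENED_PREFS = ('user_pref("plugins.enumerable_names", "");\n'
                  'user_pref("browser.display.use_document_fonts", 0);\n')
HARDENED_MMS = "# constructed sample\nDisableDeviceFontEnumeration = 1\n"
DEFAULT_PREFS = 'user_pref("browser.startup.page", 3);\n'

if __name__ == "__main__":
    print(audit(DEFAULT_PREFS, ""))  # the three settings still at defaults
```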
Conclusion:
By making these settings changes I have been able to reduce the entropy of my browser's fingerprint from around 100 to about 19, which is far from enough data to identify my browser via fingerprinting. However, this is based on the assumption that a constantly changing useragent renders that value useless, and also that browser vendors will enable these measures by default in the future, as otherwise there is a risk that these measures become counterproductive.
[1] - A Primer on Information Theory and Privacy, Peter Eckersley, January 26, 2010 [https://www.eff.org/deeplinks/2010/01/p ... nd-privacy]
[2] - Panopticlick [https://panopticlick.eff.org/]
[3] - JavaScript/CSS Font Detector [http://www.lalit.org/lab/javascript-css-font-detect/]
[4] - Getting a List of Installed Fonts with Flash and Javascript [http://hasseg.org/blog/post/526/getting ... avascript/]
Appendix: How can 33 bits represent the world's population?
If we gave every single person in the world a unique number starting from 1 and increasing in increments of 1 (i.e. first person gets 1, second gets 2 and so on...), the number of digits required to represent any of those is 10 (all numbers from 0 to 7 billion can be represented using 10 or fewer digits).
However, computers use binary, so the value of 10 digits is incorrect (10 bits would allow us to give 1024 people a unique number). To find the number of bits, you can calculate it manually by finding the power of 2 which is greater than the number of numbers you need, or you can use logarithms (See: https://www.wolframalpha.com/input/?i=l ... MathWorld-).
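The arithmetic from this appendix and from the Background section, as an added example that is not part of the original post: it computes the bits needed to single out one person, how many people share a fingerprint of a given size, and the entropy of an attribute estimated from a sample. The function names and the sample useragent list are constructed here; the 7 billion, 19-bit and 31-bit figures are the post's.

```python
import math
from collections import Counter

WORLD_POPULATION = 7_000_000_000  # figure used in the post


def bits_to_identify(population):
    """Bits needed to give every member of `population` a unique number."""
    return math.log2(population)


def surprisal(share):
    """Bits revealed by an attribute value seen in `share` (0..1] of browsers."""
    return -math.log2(share)


def anonymity_set(population, bits):
    """Expected number of people sharing a fingerprint carrying `bits` bits."""
    return population / 2 ** bits


def shannon_entropy(observations):
    """Average bits an attribute reveals, estimated from a sample of values."""
    counts = Counter(observations)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def combined_bits(per_attribute_bits, population=WORLD_POPULATION):
    """Sum per-attribute bits, capped at the population limit.

    Summing assumes the attributes are independent; real ones (fonts, plugins,
    the OS in the useragent) are correlated, so the sum is an upper bound.
    """
    return min(sum(per_attribute_bits), bits_to_identify(population))


# Constructed sample: useragents seen across 8 visits to a hypothetical site.
SAMPLE_UAS = ["ua-A"] * 4 + ["ua-B"] * 2 + ["ua-C", "ua-D"]

if __name__ == "__main__":
    print(f"bits for 7 billion people: {bits_to_identify(WORLD_POPULATION):.2f}")
    print(f"sharing a 19-bit fingerprint: {anonymity_set(WORLD_POPULATION, 19):,.0f}")
    print(f"sharing a 33-bit fingerprint: {anonymity_set(WORLD_POPULATION, 33):.2f}")
    print(f"entropy of sample useragents: {shannon_entropy(SAMPLE_UAS):.2f} bits")
    print(f"15 + 31 + 31 bits, capped: {combined_bits([15, 31, 31]):.2f}")
```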