> Sure would be nice if Mozilla had an option for "only announce the
> standard vanilla web fonts".

Check out firegloves. It's outdated, and I'd love to see it getting some love, but it's a great POC for anti-fingerprinting in Firefox. Still works with Iceweasel 20, so it's aged well for an apparently unmaintained academic project.

Among the key features: a restricted set of fonts sent to sites, possibly including cycling the fonts randomly to confuse fingerprinting by recurrent font-lists.

Note though, it breaks some websites in a manner akin to fascist-maxima-noscript. So you'll sometimes need to disable it; Paypal is a good example.

User-agents are the devil, though, because whatever about other sources of browser entropy, the User Agent is a big honking bonus score every site gets for zero effort. Worse, most efforts to minimise User-Agents can end up maximising them instead, and there don't seem to be any *current* lists of "most common user-agent string" to work from to reduce entropy.

I've set mine to a super-generic-looking Windows/Firefox setting, but as other people upgrade their browsers and OSes and as architectures get more diverse, browser UAs are getting more and more diverse, too. I vote we ditch them entirely and just assume that all browsers do HTML5 or GTFO.

On Sun, 13 Oct 2013 17:06:22 -0700
Bill Stewart <[email protected]> wrote:

>
> >Date: Sun, 6 Oct 2013 11:11:46 -0700
> >From: Don Marti <[email protected]>
> >
> >Translation: "Fine, you smug cookie-blocking nerds.
> >We're going to go all browser fingerprinting on you."
> >...
> >Unfortunately, Firefox appears to be highly fingerprintable.
>
> One reason Firefox is highly fingerprintable is that it sends a list
> of your available fonts to the web server so the server can format
> its pages with cool fonts instead of boring fonts if you're able to
> read them. That often turns out to be surprisingly unique, at least
> if you like fonts, and AFAIK it's not just the fonts you've
> configured into your browser, it's the fonts configured into your
> computer.
>
> For instance, my work PC has a font for the $DAYJOB corporate logo,
> and has since acquired a couple more fonts so I can display their
> newer marketing presentations correctly in Powerpoint, plus it's got
> the dozen or two different monospace console fonts I was trying out
> to find a good one for programming use, and the usual collection of
> Bocklin and Dwarvish and Tibetan that old hippies usually have on our
> computers, just in case we might need to count to nine billion or
> have an appropriate password entry form. When I first tested it with
> the panopticlick tool, it was unique; there are now a couple other
> similar machines (but that's "my machine's IE", "my machine's
> Firefox", and "my machine running Win7 with the Long Term Support
> version of Firefox that Corporate IT department makes us use", so
> it's still unique in reality.)
>
> Sure would be nice if Mozilla had an option for "only announce the
> standard vanilla web fonts".
>
