Hacker News

How would a person defend against this fingerprinting?



Just to throw out a different approach: buy the most popular computer and use the most popular browser. Don't change the user agent or make any other advanced user changes.

Going to extreme measures to be untraceable is like wearing a Ghillie suit to the airport.


IMO, one of the most difficult fingerprinting attacks to defend against is the installed fonts list. I wish incognito mode only made a standardized list of fonts available.


Firefox is experimenting with a font whitelist as part of upstreaming of Tor features into Firefox trunk. These features are controlled by the privacy.resistFingerprinting pref. resistFingerprinting has some webcompat issues, but Mozilla is considering a subset of the protections for Privacy Browsing mode, similar to Tracking Protection. Here is the work-in-progress bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=1336208


I wonder if the fontSettings section of the Chrome extensions API[1] can be used to defend against that, by randomly and deliberately poisoning that info when in Incognito mode (or even regular browsing).

[1] https://developer.chrome.com/extensions/fontSettings


Why does that feature even exist?


So designers can make adjustments depending on what fonts are available.


Is there any website actually using it for that purpose? Usual CI policies would be "actively disinterested" in it.


Any website with a rich text editor would use it.


AFAIK it's not really a feature it's more of an exploit.

Ultimately, the sizing of a font can affect element widths, and element widths can be queried.


Buy an iPhone.

• Did proper random before anybody else

• Active countermeasures against cookie-based retargeting

• Popular enough market that merely having an iPhone in a geographic area doesn't single you out

There's a guy who downloads every page with curl. I see him on web logs. I think he must have some script that parses the amp pages out and does something with it, but because he's the only person in that geographic region who browses the web with curl, he's very easy to spot from a tracking perspective. On the other hand, because he's using curl, I don't think anyone wants to bother trying to show him an ad.


That would be Stallman.


Stallman would probably use GNU wget which is licensed under the terms of the GPL, while curl is licensed under a license derived from MIT/X consortium.


He would probably have someone print it for him, similar to his email queue. I email him from time to time and his disclaimer says this.


I've never heard him say anything bad about running MIT licensed software.

On the other hand, I think I've read a FAQ where he says he views web pages by having a script fetch the pages with wget and then emailing them to him, but I'm pretty sure that's simply because wget is free and does the job (being able to recursively download the necessary resources), not because it's GPL licensed.


Obviously Stallman is modifying his wget user agent to show curl just to prevent fingerprinting him accurately... ;)


I love the idea of someone individually targeting Stallman with ads.


"I am careful in how I use the Internet.

I generally do not connect to web sites from my own machine, aside from a few sites I have some special relationship with. I usually fetch web pages from other sites by sending mail to a program (see https://git.savannah.gnu.org/git/womb/hacks.git) that fetches them, much like wget, and then mails them back to me. Then I look at them using a web browser, unless it is easy to see the text in the HTML page directly. I usually try lynx first, then a graphical browser if the page needs it (using konqueror, which won't fetch from other sites in such a situation).

I occasionally also browse unrelated sites using IceCat via Tor. Except for rare cases, I do not identify myself to them. I think that is enough to prevent my browsing from being connected with me. IceCat blocks tracking tags and most fingerprinting methods."

https://stallman.org/stallman-computing.html


For the record, Stallman uses GNU IceCat these days.


I don't believe it's RMS because this user appears to "browse" the web interactively. A lot of the sites he hits are on HN so I think he's a user here.


I used to browse with lynx till a few years ago. I am not sure if it is practical to do that anymore. Most of the web is no longer friendly for text browsing.


Somewhat surprisingly, youtube is not too bad. I've used elinks to get a URL and then put that into youtube-dl. I suspect that any site that is designed to be friendly to a (vision impaired) screen reader is going to be friendly to text based browsing.


I'll second that. As someone who once worked on fingerprinting scripts I can tell you that iPhones of the same model are basically indistinguishable to Javascript.


Generally speaking, you _can't_ prevent a page from being able to tell what browser you're using. Even with JavaScript completely disabled, there's probably still some quirks with the way different browsers handle CSS or image loading that would give away that information. Even curl can be "fingerprinted" this way, because curl is one of the only "browsers" that doesn't process CSS or images at all.

If you just want to prevent yourself from being identified as an individual, that's a different problem. Tor browser does a pretty good job of solving that.


Use curl. Disable javascript. Replace Math.random with your own function via extension, etc.


Lawyer up, delete Facebook, hit the gym?


Disable javascript and use the web as a hypertext document-store.


Use distinct browsers (or profiles) for browsing web-of-documents, and using apps hosted on the web-as-application-distribution-platform. They're each (for many of us) legitimate uses, but have different requirements and threat models.

Cons: interactive infographics and courseware don't fit neatly in either.


Well, depending on whether a script tag gets its own context, and each context gets the same seed (in which case you're boned?), you could use an extension of some sort that runs a random number (through your own pseudo random function with time and/or page location as seed inputs) of Math.random() calls to mix up the results.

Or just use an extension that replaces Math.random() with something more random, but it's possible that could cause weird performance problems on certain pages and it would be hard to debug.


It's an arms race... there is so much to fingerprint ... usually people that deploy fingerprinting have more of an issue deciding which tasty morsel of bits to go for first ...


Looks like it's no longer possible on recent browsers



