Exactly. And as the blog post mentioned, people who have a strong need to block bots have tools other than browser fingerprinting at their disposal. Quoth the post:
> It’s important to leverage other signals such as:
>
> * Behavior (client-side and server-side)
> * Different kinds of reputations (IP, sessions, user)
> * Proxy detection, in particular, residential proxy detection
> * Contextual information: time of the day, country, etc
> * TLS fingerprinting.
Having a headless browser that behaves exactly like a normal one is tremendously useful for making things. And people who really *need* to block bots also need to contend with "mechanical turk" style attackers anyway. These techniques are also very useful against that approach, which still may be cheaper than making an undetectable bot even with a near-perfect Chrome fingerprint available headless.
> * Different kinds of reputations (IP, sessions, user)
Almost all use mobile network right now. One IP can be sticked to thousands of users. Imagine count of false positives.
> * Proxy detection, in particular, residential proxy detection
Most residential proxy are just common ISP ips bought by a face or led by botnet. Imagine false positives of simple home users that are IP ranged like on 4chan.
> * Contextual information: time of the day, country, etc
> It’s important to leverage other signals such as:
>
> * Behavior (client-side and server-side)
> * Different kinds of reputations (IP, sessions, user)
> * Proxy detection, in particular, residential proxy detection
> * Contextual information: time of the day, country, etc
> * TLS fingerprinting.
Having a headless browser that behaves exactly like a normal one is tremendously useful for making things. And people who really *need* to block bots also need to contend with "mechanical turk" style attackers anyway. These techniques are also very useful against that approach, which still may be cheaper than making an undetectable bot even with a near-perfect Chrome fingerprint available headless.