13

Regarding the concept of device (browser) fingerprinting, would it be possible for the user to spoof fingerprinting data by giving random information such that your fingerprint changes after every request?

If so, are there any plugins/browsers that have this capability?

Moses
  • 2,137
  • 2
  • 20
  • 23

4 Answers4

5

As far as I can see, you can easily spoof all of the fingerprinting data, and potentially change it with every request. All this information is sent by your browser in the HTTP headers of the request (or obtained via browser client-side scripts). I am not aware of a particular plugin that supports this fully, but there are some plugins for changing your user-agent, manipulating headers and managing cookies. The user-agent is one of the main identifying pieces of information of the fingerprinting process and most other pieces are in other various headers. Blocking javascript/flash scripts is also possible, e.g. using the noscript plugin

Changing this fingerprinting info however does come with a price. It might cause the website to display pages in a different way, which will cause the site to look wrong or not to function properly. Lots of website developers rely on (at least some of) this fingerprint information in order to make the pages they display compatible with your browser. Hiding/spoofing this info will therefore affect this process and your browsing experience may be altered.

It's also possible that this fingerprinting is performed for legitimate security reasons. For example, a security-aware website might tie in the fingerprint info to the session or logged-in user, and will reject requests where the fingerprinting doesn't match (this would suggest to the server a request is now coming from a different browser). Here's one more example from another question where the website owner wants to test browser plugin versions of your browser (which is part of the fingerprinting data) before allowing access. I don't know of any specific sites that use this technique, but it is definitely feasible. Changing fingerprint data with every request will again cause unwanted behaviour.

I suppose that performing some minor randomized tweaks to specific headers will achieve a better degree of anonymity against fingerprinting without compromising the browsing experience. This requires some experimentation and will probably mean a compromise between security and usability.

Yoav Aner
  • 5,299
  • 3
  • 24
  • 37
2

There is a browser plugin for Firefox called CanvasBlocker by kkapsner which claims to be able to block canvas fingerprinting in several different ways. The block mode that I find most interesting is the "fake readout api" which supposedly sends fake data whenever it is called; however, the user can choose other methods such as block all requests, block sites only on blacklist, don't block on white list, etc. However as Shnatsel pointed out above, you can't check the results unless you have access to the fingerprinting providers. Furthermore, as Yoav Aner stated in the above post, blocking or spoofing one's fingerprint may break certain sites. The developer, kkapsner, also describes this particular problem. More information for this extension is available at https://github.com/kkapsner/CanvasBlocker. The Firefox extension is available at https://addons.mozilla.org/en-US/firefox/search/?platform=windows&q=CanvasBlocker. Happy surfing!

Jay
  • 21
  • 2
1

Yes, it's probably possible. However, I don't know of any browsers or plugins that support spoofing the fingerprint or making it change on every request.

If you are trying to protect your anonymity and protect yourself against fingerprinting, I would suggest a combination of Tor (install it via the Tor bundle), possibly along with NoScript.

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • 4
    Tor does not affect fingerprinting. And having JavaScript disables is a hell of an identifier by itself - less 10% of clients have it disabled and very few of them happen to have a desktop web browser's user agent. – Shnatsel Jul 04 '13 at 08:21
  • 2
    @Shnatsel You are incorrect. Tor Browser has a huge variety of mitigations built in. And with JS enabled, you can be fingerprinted with near 100% accuracy via things like AudioContext fingerprinting and WebGL fingerprinting. With JS disabled, your anonymity set is reduced only to the group of people who have disabled JS (which is actually not small). – forest Nov 22 '18 at 08:54
1

No. It's hardly possible. There are several problems with it.

The main problem with avoiding fingerprinting is that we have very little idea about how it actually works, so we have no idea what to do to circumvent it.

Everybody seems to think of Panopticlick as a reference frame for fingerprinting. And you can, in theory, more or less circumvent Panopticlick by crowdsourcing fingerprints. But Panopticlick is a very limited demo. Its whitepaper clearly states that even in 2009 when Panopticlick was created commercial fingerprinting solutions were much more advanced:

Arcot... claims it is able to ascertain PC clock processor speed, along with more-common browser factors to help identify a device. 41st Parameter looks at more than 100 parameters, and at the core of its algorithm is a time differential parameter that measures the time difference between a user's PC (down to the millisecond) and a server's PC. ThreatMetrix claims that it can detect irregularities in the TCP/IP stack and can pierce through proxy servers... Iovation provides device tagging (through LSOs) and clientless [ngerprinting], and is best distinguished by its reputation database, which has data on millions of PCs.

And this was in 2009! I'm afraid to think what those guys have come up with since then.

The other problem is that if you change your clock skew every so often, you can't check if that helped or not, unless you have access to admin consoles of all major fingerprinting providers.

This is why there are no software to circumvent fingerprinting: nobody really knows how to combat it. So we'll probably have to deal with it.

Shnatsel
  • 2,802
  • 2
  • 16
  • 15