How to disable permission to read 'System Fonts' and 'Browser Plugin Details' in Chrome and Firefox

48

20

Going to http://panopticlick.eff.org/ I can see that Firefox and Chrome expose more about 'System Fonts' and 'Browser Plugin Details' than I prefer.

How can the permission of a web page to access these settings be disabled in Firefox and Chrome?

eaubin

Posted 2011-06-03T19:51:47.367

Reputation: 703

1Actually, disabling Flash doesn’t cut it; it can still enumerate them another way. – Synetech – 2016-03-13T08:08:51.173

In case someone is here because they are worried about privacy... your IP address is enough to identify your household. How many users in your household have the same screen resolution, OS, and the browser? You are already unique :) so you can stop worrying about font-lists and plugins... – xtrahelp.com – 2016-09-05T21:31:51.010

1For System Fonts you have to disable Flash. Still looking for Plugins. – pkario – 2011-06-05T05:35:02.783

Answers

22

There are two questions but I am answering the font list question:

It is possible to disable Flash font enumeration using mms.cfg system wide configuration file. This file should be located in /etc/adobe/ directory if you are using Linux. Basically you just need to put the following line in the file:

DisableDeviceFontEnumeration = 1

See the Adobe Flash Player Administration Guide for more details.

With this setting Panopticlick and other sites can not get your font list via Flash.

Note that the font list is still available through Java if you have it installed. It is a good idea to get rid of Java anyway. If you use a couple of sites that require Java, use a different browser instance with a different user profile with Java enabled just for those sites.

snap

Posted 2011-06-03T19:51:47.367

Reputation: 611

The problem with this is that it requires Flash being installed, enabled, and allowed to run. Blocking Flash (and other plugins), or at least setting them to Click-to-Play is better. Unfortunately, if you block it, then Panopticlick enumerates the system fonts another way, so you have to choose between exposing fonts or exposing everything else. – Synetech – 2016-03-13T08:10:14.087

As for Chrome on Linux, you can use this one-liner: mkdir -p ~/.config/google-chrome/Default/Pepper\ Data/Shockwave\ Flash/System && echo "DisableDeviceFontEnumeration = 1" > ~/.config/google-chrome/Default/Pepper\ Data/Shockwave\ Flash/System/mms.cfg – edlerd – 2016-06-09T21:29:41.487

2On my Windows 7 machine, the file is located at C:\Windows\SysWOW64\Macromed\Flash\mms.cfg – MikeFHay – 2013-03-27T20:17:39.927

You could simply disable Java and Flash in your browser extensions. This worked for me. – Afr – 2013-05-09T10:55:53.870

1Thank you so much! This works on my PC (Windows XP). Panopticlick still recognises me as a unique visitor, though, through my list of plug-ins... – Cerberus – 2013-09-11T00:28:13.890

Works for me on XP, too. FWIW, the file location was C:\WINDOWS\system32\Macromed\Flash\mms.cfg. – martineau – 2013-09-25T08:59:31.303

2Did not work for Chrome on OS X. Turns out, Chrome uses its own Flash plugin, which has a separate configuration file. Its path is ~/Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/System/mms.cfg (create System/mms.cfg if it doesn't exist.) – Dan – 2013-12-29T19:19:25.267
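The mms.cfg edit from the answer, applied to the per-user Chrome paths given in the comments, as an added shell example that is not part of the original posts. The helper names `set_mms_option` and `chrome_mms_path` are hypothetical; the setting name and paths are the ones quoted above.

```shell
#!/bin/sh
# set_mms_option FILE KEY VALUE
# Ensure FILE holds exactly one "KEY = VALUE" line, creating FILE and its
# directory if needed and leaving every other setting untouched.
set_mms_option() {
    file=$1; key=$2; value=$3
    mkdir -p "$(dirname "$file")" || return 1
    [ -f "$file" ] || : > "$file" || return 1
    # Keep every line except an existing assignment of KEY (any spacing).
    kept=$(awk -v k="$key" '
        { line = $0; sub(/^[ \t]+/, "", line); split(line, kv, /[ \t]*=/) }
        kv[1] != k { print }
    ' "$file") || return 1
    # Rewrite in place so an existing file keeps its owner and mode.
    {
        [ -z "$kept" ] || printf '%s\n' "$kept"
        printf '%s = %s\n' "$key" "$value"
    } > "$file"
}

# Per-user mms.cfg of Chrome's bundled Flash, paths as given in the comments.
chrome_mms_path() {
    base="Default/Pepper Data/Shockwave Flash/System/mms.cfg"
    case "$(uname -s)" in
        Darwin) printf '%s\n' "$HOME/Library/Application Support/Google/Chrome/$base" ;;
        *)      printf '%s\n' "$HOME/.config/google-chrome/$base" ;;
    esac
}

# Nothing is modified unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
    set_mms_option "$(chrome_mms_path)" DisableDeviceFontEnumeration 1 &&
        echo "updated: $(chrome_mms_path)"
fi
```

For the system-wide file named in the answer, call `set_mms_option /etc/adobe/mms.cfg DisableDeviceFontEnumeration 1` as root instead.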

6

The free Chrome extension RubberGlove blocks plugin and mime-type enumeration by cloaking the array entries in roughly the same way Firefox and Internet Explorer can/do natively.

You still need to set Chrome to "Click to play" plugins and disable 3rd-party cookies in Chrome's privacy settings yourself. Also, as was mentioned in the study, you'll still probably show up as unique until enough people start using plugins like this.

Full disclosure: I'm the author.

This functionality may (or may not) be integrated into the Electronic Frontier Foundation's Privacy Badger extension in future. They seemed interested, anyway.

Jason S. Clary

Posted 2011-06-03T19:51:47.367

Reputation: 61

Jason, is there any chance you can add whitelisting feature to RubberGlove? It's amazing but breaks several sites. Enabling and disabling the extension all day long is a bit annoying. There is request for this both on google chrome addon site and the github development page. – Costin Gușă – 2016-12-06T11:19:13.363

5

In Firefox 28:

Type about:config in the location bar

Find plugins.enumerable_names

Set the entry to nothing.

Visit https://panopticlick.eff.org/ to verify plugins are no longer listed.

mlibby

Posted 2011-06-03T19:51:47.367

Reputation: 151

1To white list use this format plugins.enumerable_names: Java,QuickTime,Shockwave – Tilo – 2014-10-21T16:42:31.550

To revert this method, change the entry back to * – matt. – 2015-03-28T18:13:12.620

3I don't see this setting in FireFox 41. Anyone know where it is now? – Kelly Thomas – 2015-10-18T10:13:03.500

It seems to be gone for now. Found this: https://bugzilla.mozilla.org/show_bug.cgi?id=757726

– neo post modern – 2016-10-19T01:16:06.730

4

Font fingerprinting is just a small part of browser fingerprinting. Blocking it totally is almost impossible to do if the purpose is to leave the browser still functional. The best general fingerprint protection is said to be found in the Tor Browser.

In practical tests it was found that trying to block font fingerprinting actually increases the uniqueness of the computer fingerprint, since most users don't do that. The best way to avoid fingerprinting is to do nothing special and blend in with thousands of other users.

First step against font fingerprinting is to have a test for the effectiveness of any defensive measure that you will take. A good tool here is https://browserleaks.com/fonts. A good tool for the uniqueness of the general fingerprinting is https://panopticlick.eff.org/ (my own browser came up as unique among the 199,984 tested in the past 45 days) or Am I Unique.

For protection in Chrome, measures you may take are:

  • Install instead a hardened Chromium build
  • Use an extension (I have not tested their effectiveness):

For protection in Firefox

Mozilla is currently working on the Tor Uplift project, whose goal is to build up in Firefox the same level of fingerprinting resistance as in the Tor Browser. This project is in progress and described in the article Security/Fingerprinting.

You could try the Firefox-hardening script in Github ghacks-user.js, although by all reports it may be too much and actually harm browsing.

As far as add-ons go, there is a list of useful add-ons and other advice maintained in the page firefox-tweaks.

For the moment, the measures I know of specifically for Font Fingerprinting are in about:config settings:

  • Right-click and select New > String, creating the new parameter font.system.whitelist, which will list the fonts that JavaScript will see. An example valid value is Helvetica, Courier, Verdana. The change takes effect immediately.
    In my case, this has reduced my own Font Fingerprinting from 266 fonts and 238 unique metrics found in a list of 512 fonts, to "only" 28 fonts and 9 unique metrics. (I have no idea how this would impact browsing.)

  • privacy.resistFingerprinting=true is a general switch to enable privacy measures from the Tor Uplift project as they are implemented. It enables a uniform font list to be distributed. Mozilla does not recommend enabling it since it will break some websites.

  • Disabling the options of "Allow websites to use their own fonts" and the CSS Font Loading API by changing these values:

    browser.display.use_document_fonts = 0
    layout.css.font-loading-api.enabled = false
    font.blacklist.underline_offset = (empty string)
    gfx.downloadable_fonts.enabled = true
    gfx.font_rendering.opentype_svg.enabled = false
    gfx.font_rendering.graphite.enabled = false
    

    (This will most likely degrade browsing.)

Just to remark that I have seen methods discussed for sophisticated Font Fingerprinting and drawing that could even identify the display card and the graphical driver.

My opinion: It is impossible to avoid fingerprinting - fonts are not everything. Even if you:

  • Use a VPN
  • Do the browsing from a vanilla Windows virtual machine
  • Install no fonts or other software
  • Install the most widely-used browser - Chrome, with no extensions
  • Do browsing in Incognito mode that disables all cookies and extensions

then most likely these unique protection methods, together with hardware elements still detectable in the virtual machine, will still make for a unique or almost-unique fingerprint. Not to mention that this environment will be quite hard to use.

For discussions of some known fingerprinting methods, see the following articles:

harrymc

Posted 2011-06-03T19:51:47.367

Reputation: 306 093
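A check that the font-related about:config values listed in the answer above have actually landed in a profile file, as an added shell example that is not part of the original answer. It reads the `user_pref("name", value);` lines of a prefs.js or user.js; the function names are hypothetical and the sample file is constructed.

```shell
# Values copied from the answer above, one "name value" pair per line.
EXPECTED='privacy.resistFingerprinting true
browser.display.use_document_fonts 0
layout.css.font-loading-api.enabled false
gfx.font_rendering.opentype_svg.enabled false
gfx.font_rendering.graphite.enabled false'

# Constructed sample in prefs.js syntax (not a real profile).
sample_prefs() {
    cat <<'EOF'
user_pref("privacy.resistFingerprinting", true);
user_pref("browser.display.use_document_fonts", 1);
user_pref("browser.display.use_document_fonts", 0);
user_pref("layout.css.font-loading-api.enabled", false);
user_pref("gfx.font_rendering.graphite.enabled", true);
user_pref("font.system.whitelist", "Helvetica, Courier, Verdana");
EOF
}

# pref_value FILE NAME: value of the last user_pref("NAME", ...); line,
# or "<unset>" when FILE has no such line.
pref_value() {
    awk -v n="$2" '
        index($0, "user_pref(\"" n "\",") == 1 {
            v = substr($0, length(n) + 14)   # skip user_pref("NAME",
            sub(/^[ \t]+/, "", v); sub(/\);[ \t\r]*$/, "", v)
            last = v; found = 1
        }
        END { print (found ? last : "<unset>") }
    ' "$1"
}

# audit_prefs FILE: print one line per pref; exit status = mismatch count.
audit_prefs() {
    bad=0
    while read -r name want; do
        got=$(pref_value "$1" "$name")
        if [ "$got" = "$want" ]; then status=ok; else status=MISMATCH; bad=$((bad + 1)); fi
        printf '%-42s want=%-6s got=%-8s %s\n' "$name" "$want" "$got" "$status"
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# With no argument, audit the constructed sample.
f=${1:-}; tmp=
[ -n "$f" ] || { tmp=$(mktemp); sample_prefs > "$tmp"; f=$tmp; }
audit_prefs "$f" || echo "mismatches: $?"
[ -z "$tmp" ] || rm -f "$tmp"
```

A pref reported as `<unset>` only means the audited file carries no line for it.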

3

JavaScript has the ability to check what plugins are installed; this is generally used to give an "install missing plugin" message if needed. If you want, you could disable plugins in the settings, and disable JavaScript using an addon like Javascript Blacklist for Chrome, or Quick Java statusbar for Firefox.

NoBugs

Posted 2011-06-03T19:51:47.367

Reputation: 236

Where can you disable plugins in the settings? – martineau – 2013-09-27T22:34:54.710

from tools-addons menu. – NoBugs – 2013-09-28T05:21:53.620

3

Absolutely possible with Proxomitron.

Prox is like NoScript, HTTP LiveHeaders, RequestPolicy, CookieSafeguard, BetterPrivacy, and whatnot, all put into one program. It's not developed further, but still guarantees me privacy no other tool can do.

The Proxomitron is a universal web filter. Info from their site:

The Program

For those who have not yet been introduced, meet the Proxomitron: a free, highly flexible, user-configurable, small but very powerful, local HTTP web-filtering proxy. To become better acquainted, please see our online version of the Proxomitron Help files for a more comprehensive overview.

The current (and last) version of Proxomitron is Naoko 4.5, of which there were two releases, one in May of 2003 followed by one in June. Although very similar, there are distinct differences between the two which are not mentioned in either program's documentation. Both releases are available in the Files section. P.I's focus will be on the latest version -- the June release.

The Author

Scott R. Lemmon originally developed the Proxomitron for his own use. He then decided to release it to the public and made himself available to users via email and in several Proxomitron user-discussion groups. His support, like his program, was always free.

With the release of Naoko 4.5, Scott discontinued all further development and support of his program and pulled the official home of Proxomitron off the Web. We respected his decision to move on and wished him all the best -- which is, after all, what he consistently gave to us.

Sadly, one year later, Scott died -- but his brilliance of mind and spirit lives on. Simply put, Proxomitron is a reflection of its creator: To know Scott's program . . . is to know Scott Lemmon.

Check it out! There's a (somewhat) active community.

canopee

Posted 2011-06-03T19:51:47.367

Reputation: 31

Wow, people are still using Proxomitron, even with Windows 7, Chrome, etc.‽ ಠ_๏ I guess Scott really did a great job with it. I haven’t used it in a long time; I guess I should get it out. – Synetech – 2013-01-29T02:54:10.070

2

The solution for the latest Firefox browsers is to:

  • Use Random Agent Spoofer. It recently added options to turn off plugin enumeration: https://github.com/dillbyrne/random-agent-spoofer/issues/283

  • Or use a user script as shown in Mechazawa's comment in the above link. You can use his Greasemonkey or Tampermonkey script (both Firefox and Chrome) to take care of this without any extension.

I can confirm that this shows plugins as "undefined" in the panopticlick test.

Spectraljump

Posted 2011-06-03T19:51:47.367

Reputation: 608

2

As of Firefox 17 you can enable 'click to play' which stops Java and Flash loading automatically. This in turn stops a lot (not all) info being discovered. For example, stopping Flash plugin prevents most fonts being discovered.

To enable 'click_to_play' in Firefox:

  • go to 'about:config' in your address bar
  • search for 'click_to_play'
  • double click on the entry to toggle the value from 'false' to 'true'
  • close the tab
  • next time the plugin is required, you will get a prompt giving you the option to enable it

IanB

Posted 2011-06-03T19:51:47.367

Reputation: 375

Isn't this essentially what the Flashblock add-on accomplishes in many other versions of Firefox?

– martineau – 2013-09-25T09:23:23.637

This did not work for me. – mlibby – 2014-04-17T17:08:52.903

1

Even though this is an older question, as of 2017 we are still very concerned about all the information leaked by the browser as they are used for fingerprinting. I find that Random Agent Spoofer (https://github.com/dillbyrne/random-agent-spoofer) mentioned by Spectraljump hits the nail right on the head.

As requested, it will protect against:

  • plugin enumeration
  • will not expose the fonts installed on your machines (which is a more efficient alternative to font-changing tools, like FluxFonts)

Also, it will provide options to protect you from:

  • most other fingerprinting tools
  • will let you disable webRTC, webGL, local cache, and more.

If you throw in a canvas fingerprinting randomizer (such as Canvas Defender), you will find yourself protected against pretty much everything detectable on browserleaks.com and Panopticlick.

Finally, make sure to use a VPN with DNS leak protection, to close the loop.

An alternative solution, although less convenient, is to use a generic vanilla (most common OS, with nothing custom installed) VM for all browsing activities and reset it after each session.

DrSplange

Posted 2011-06-03T19:51:47.367

Reputation: 26

-2

You can use gologinapp for this, for example

Артём Лысенков

Posted 2011-06-03T19:51:47.367

Reputation: 1

Welcome to Super User! Please read How do I recommend software for some tips as to how you should go about recommending software. You should provide at least a link, some additional information about the software itself, and how it can be used to solve the problem in the question.

– DavidPostill – 2019-12-30T22:40:58.910