Web Browser Thumbprint Spoofing

Does anyone know of any Firefox or Chrome extensions that can spoof browser thumbprint attributes?

I’ve been using the EFF’s privacy badger extension which attempts to block known browser tracking domains. It’s a good tool but I wonder if anyone has written something that takes a more active approach, doing stuff like controlling which fonts get reported to sites or slightly randomizing reported display resolution.

You might start with a user agent randomizer. I am sure there are probably a few, but a quick google yielded this one: (note I have no experience with it, and thus not specifically recommending it beyond it being my top search result.)

Also, there’s general blocking recently improved:

And finally, advice from the EFF:

1 Like
  • Canvas Fingerprinting Protection

Canvas Fingerprinting is a method of uniquely identifying browsers by hashing an image produced by the HTML5 Canvas element. This is one of the most common kinds of tracking I see when doing my research on webpages. To combat this, Trace randomly generates a new canvas hash every request, making it impossible to tie you down to one identity.
A demo of canvas fingerprinting is available here: BrowserLeaks Canvas Fingerprinting Demo, when protected you should see the “Signature” changes every time you reload the page. If it stays the same, you’re trackable.

  • Audio Fingerprinting Protection

A more advanced tracking method is Audio Fingerprinting, this uses the AudioContext API to fingerprint your browser, Trace stops this by disabling the API, it is configurable so you can choose how extreme you want the protection to be.
A demo of audio fingerprinting is available here: OpenWPM Audio Fingerprinting Demo.

  • getClientRects Fingerprinting Protection

This Javascript function returns coordinates and size information about HTML elements on a webpage, which seems rather innocent in itself… However since all of the values returned are in pixels, drawing the same element(s) on different displays and devices will yield different results due to a number of factors such as the size of the screen, browser viewport and pixel density of the screen, this is done so that the element looks consistent no matter the device. Trace protects you by adding a randomised decimal offset to each value, this will allow you to successfully spoof the fingerprint without breaking websites.

  • HTTP Cookie Protection

Cookies are the main form of tracking on the web, they store a unique identifier which is tied to all of your online activities. There are 2 types of cookie, first party and third party; first party cookies are ones from the current website that you’re on. Whereas third party cookies are the ones set by other websites that are running code on the current site you’re visiting. Third party cookies are the ones which usually track you and it’s usually alright to outright disable third party cookies.
Trace protects you against these tracking cookies by intercepting both Set-Cookie and Cookie headers, checking the names of the cookies against the cookie list, checking if they’re third or first party and then removing them depending on your settings. More information is available here.

  • Screen Resolution Tracking Protection

One of the many variables that websites can use to track you is the size of your screen. Trace can modify the browser variables which are seen by websites and change them. This means that you could essentially have a new identity on each page load.

  • Removal of Referrer Headers

The HTTP ‘Referer’ header (Yes it’s spelt wrong), is a header that will tell a webpage the URL of the page that brought you to that page. This is an exremely common tracking technique but blocking it completely can actually break some websites. In version 2.0, Trace now handles this header itself instead of relying on a setting in the browser, allowing greater control in choosing when this header is sent.

  • Removal of Special Chrome Headers

Chrome, by default will tell Google, Youtube and some other websites certain information about your Chrome installation. Such as experiments that are running in your browser, this not only allows Google to force ‘experimental’ features on you but it wastes unnecessary bandwidth, Trace protects you by removing those headers from Web Requests.
The headers removed are: X-Client-Data , X-Chrome-UMA-Enabled , X-Chrome-Variations and X-Chrome-Connected

  • JS Plugin Hider

Almost all web browsers have plugins installed, some people install extra plugins such as flash and java to perform tasks on specific web pages. This can be used to track you because it’s another piece of information that makes you different from the crowd. To protect against this, Trace overrides the Javascript plugins object which makes it seem as though you don’t have any plugins installed.

  • User-Agent Randomiser

User-Agent Randomisation protection protects you by changing your HTTP User-Agent every 15 seconds. A User-Agent is a string of text sent to every website you visit telling it what OS and Browser you’re using and their versions. Whilst this information can be used to show you relevant information for your computer it can also be used to identify you, it can also be used by attackers to identify if your system or browser is vulnerable to certain attacks.

  • WebRTC Leakage Prevention

WebRTC is a technology that is rather new, by default it will tell a website your local IP (e.g 192.168.x.x), it can also tell a website about other devices on your network, blocking this not only makes it harder to track you but it can also stop attackers from being able to scope out your network and find potential weaknesses.

  • Hyperlink Auditing Prevention

Hyperlink Auditing is a feature made solely to track you, when ever you click on a link with a ‘ping’ attribute, it visits the link but also tells trackers that you clicked it. It is also the type of request sent by a function in javascript called sendBeacon which is used by trackers to send analytics and other information about your activities on a webpage. You can disable this in Chrome, but it’s difficult to find, so it’s bundled in the Trace options panel.