Block browser fingerprinting at system level (hosts file)

Discussion in 'privacy technology' started by dmnd, Oct 17, 2013.

Thread Status:
Not open for further replies.
  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not sure that's really possible, save a few that are commonly known. One can use Request Policy to block unwanted connections and add the known fingerprinting servers to the host file, blocklist, or a custom address group blocked by a firewall. Either way, you end up with the same problem all blacklisting apps have, never complete and never up to date.

    I think the better approach is to apply a default-deny policy to the web content. Block the user agent. Block the nosey javascripts that attempt to collect this information. Allow them only when necessary. Give accurate info only when you have to. A fair number of sites won't accept no user agent but will accept a spoofed one. Fingerprinting isn't used just to identify you. It's also used to determine how to attack you. If you're so inclined and are willing to take the time needed to make them agree, configure the filtering proxy to modify what's reported by javascript and the headers. Doing so probably won't help you to appear less unique, but it can help to misrepresent your system and cause an attacker to target you with the wrong exploit.
     
  2. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    That whole paragraph was the "bottom line" :)
     
    Last edited: Oct 20, 2013
  3. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I'm not convinced it's worth bothering to specifically block known fingerprinting servers, in the host file, as suggested in the OP. There are eighteen addresses listed there. I am assuming that it either already is true or will soon be true that every tracking adserver, and the like, uses fingerprinting. There are probably thousands, if not tens of thousands, of such servers. I don't see where eighteen addresses gets us.

    Moreover, for what it's worth, I see that Easylist's EasyPrivacy filters already include about half of the sites listed in the OP. These are claimed to be the most common fingerprinting servers and yet I did not have a single hit from one of them. This speaks to me for how difficult and probably fruitless it is to try to identify the worst offenders and block them. We should assume we don't know who the offenders are and that any site could be doing this.

    To the extent that this sort of blocking is useful, it's probably more effective and easier to just use the EasyPrivacy list to block tracking sites in general.

    I think the more useful strategies are the suggestions to spoof one's header and use NoScript to block javascript as much as possible. Blocking javascript will preempt not just known fingerprinting sites, but also unknown ones. Of course, as I pointed out above, spoofing one's header does have the downside of potentially making one's system appear more unique, since oddball combinations like a general Windows header and Linux fonts are probably going to make one appear more unusual. It also shows that it's not necessarily possible to easily mislead an attacker about what OS one is running.

    In the long run, it would be nice if there were a way for sites where one wants to enable javascript, to block the browser from reporting unnecessary information about plugins and fonts.

    But in the end, I feel like what I've learned is that the already generally accepted best practices for blocking tracking (NoScript and ad blocking with lists like EasyPrivacy) are probably the best (though not universal) defense against fingerprinting. The only additional action that might be worthwhile is spoofing one's header.
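
Added example, not part of the original thread: a way to measure how much of a hosts-file blocklist is already covered by an Adblock-style filter list such as EasyPrivacy, which is the comparison made in the post above. All hostnames and rules are constructed samples on reserved `.example` names, the function names are hypothetical, and only whole-domain `||domain^` rules are counted as coverage.

```python
import re

# Constructed sample data using reserved .example names, not real trackers.
HOSTS_SAMPLE = """\
127.0.0.1   localhost
0.0.0.0     fp.tracker-one.example
0.0.0.0     cdn.tracker-two.example stats.tracker-two.example  # two names
127.0.0.1   device.tracker-three.example
0.0.0.0     tracker-four.example
"""
FILTERS_SAMPLE = """\
! EasyPrivacy-style rules (constructed)
||tracker-one.example^$third-party
||stats.tracker-two.example^
@@||tracker-four.example^
||tracker-four.example/collect.js
"""
SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Whole-domain blocking rule: ||domain^ with optional $options.
DOMAIN_RULE = re.compile(r"^\|\|([a-z0-9.-]+)\^(?:\$.*)?$")

def hosts_blocked(text):
    """Hostnames that the hosts file points at a sink address."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if len(fields) >= 2 and fields[0] in SINKS:
            names.update(h for h in fields[1:] if h not in LOCAL_NAMES)
    return names

def filter_domains(text):
    """Domains blocked outright; exceptions (@@) and path rules are skipped."""
    lines = (line.strip().lower() for line in text.splitlines())
    return {m.group(1) for m in map(DOMAIN_RULE.match, lines) if m}

def coverage(hosts_text, filter_text):
    """Return (covered, uncovered) hosts entries relative to the filter list."""
    rules = filter_domains(filter_text)
    covered, uncovered = set(), set()
    for host in hosts_blocked(hosts_text):
        labels = host.split(".")
        # ||example.com^ also matches subdomains, so test every parent suffix.
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        (covered if parents & rules else uncovered).add(host)
    return sorted(covered), sorted(uncovered)

if __name__ == "__main__":
    print(coverage(HOSTS_SAMPLE, FILTERS_SAMPLE))
```

A rule carrying `$third-party` is counted as coverage here even though it only applies in third-party context, whereas a hosts entry blocks the name for every request on the machine.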
     
  4. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    guys, instead of trying to block browser fingerprinting, wouldn't it just be easier to change the fingerprint frequently? for example, is there an add-on that changes some browser graphic frequently or adds/removes some benign plugins for you once a day or something?
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Click-To-Play should help with fonts if the feature is implemented well and supports per instance/element control. If built-in support is lacking, then look for an addon that brings it.

    There are scenarios where blocking the request, and even just the TCP connection, would be necessary in order to prevent negative privacy consequences. However, there are other scenarios where disguise might work. FWIW, SecretAgent (https://www.dephormation.org.uk/?page=81) is one plugin I've seen but haven't tried.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    For things like the user agent, referrer, flash, and individual plugins, PrefBar can put the options right on the toolbars. This makes it easy to monitor the settings and change them. Other very identifiable items like the HTTP_ACCEPT headers, ETags, etc require a filtering proxy to modify them. I don't know how effective NoScript is here. It's been years since I've tried it. The last time I did, I was disgusted to find that it came with a whitelist that included sites like Google. Every time I removed them, NoScript replaced them. I have no use for software or a developer who feels that they can decide what I should whitelist. AFAIC, that attitude made NoScript incompatible with my security policy, whether it still behaves that way or not. Regardless, with Proxomitron, NoScript is redundant anyway.
     
  7. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Is there a reason why addons like Secret Agent and PrefBar do not make themselves available in Mozilla's addon site?

    As far as NoScript white listing google goes, I'm perplexed by noone_particular's experience. I've used NoScript for a long time and every time I install it on a new system the white list is completely empty and only configured by the user. That aside, Proxomitron looks interesting, I had not heard of it.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    PrefBar is listed at Mozilla Addons. Not familiar with Secret Agent.
    https://addons.mozilla.org/en-US/firefox/addon/prefbar/

    Re: NoScript
    It was a very old version of NoScript. I think it was version 1.0.9 or 1.1.1 when I tried it. The self rebuilding whitelist got quite a few complaints at the time. That was before the extent of Google's data mining was known. The behavior most likely has changed since then. I've still got a screenshot of the whitelist, dated 8-11-2005. With security software, I don't often give 2nd chances when I see behavior that I don't like.
     
  9. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803

    why sure you can, spoof your os, just use a vm, that's it, easy as pie, not heard of an addon that allows in browser spoofing of the os as elaborate as you'd have by using an entirely compartmentalized os aka vm running, that's only for extreme privacy cases though, the rest of points mentioned would be more than enough to block all the usual fingerprinting done, of course sandboxed, mind you browsing behaviour analysis is a big thing as well, but we're all security nuts here so no worries :argh: ...:ninja:
     
  10. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I think that pretty much amounts to simply using a different OS, not spoofing one. I take your point on doing this in a VM only for privacy purposes. But it seems like a bit of overkill. One can just use the Tor browser or Whonix for those occasions and probably not worry about the fingerprinting issue. It's precisely for the more everyday surfing that it would be nice if one could block more of the information collected for browser fingerprinting purposes (without having to totally disable javascript and flash and thereby make surfing a lot more of a hassle).
     