I'd like some advice on how to property segregate different profiles for web browsing. My goal is to use only one computer, but make it look like 10 different people using 10 different computers in 10 different locations. For example, I'd like to use profile A to log in to a website, then later use Profile B to log in to that same website, but have the two sessions be completely unrelated to each other. Is this as simple as just finding a Firefox plugin to spoof the browser headers and then running through a proxy? Or do I need to go deeper, to the OS level? Like run a bunch of VMs or Qubes or something?
Browser headers can be the same, except cookies which must be separate. VMs can be useful to change fingerprint of the browser. It depends on the Website whether it is a requirement.
I'd go with a bunch of VMs. But ten VMs would take 7-10 GB RAM. Even with a light Linux, Firefox uses a few hundred MB. But do keep in mind that using multiple accounts on forums typically violates ToS. And it's hard to do without being obvious. I don't do that. I do have tons of email addresses, however.
you may try using various linux live cd/usb distros. as for the hardware fingerprint/id, vm's are your best bet.
Also, be aware that all Debian-family VMs on a given host have the same WebGL signature. Because they all use the same video driver, and the same host graphics card. So if you want totally different VMs, on a given host, you need to use different guest OS. Debian family, Arch family, Red Hat family, BSD family, OSX, Windows, etc. And check them, using a site that shows you WebGL fingerprints.
I think Debian Stable and Debian testing can have different fingerprintes from each other, because of different version of video driver, linux kernel and compiler.
Well, I found that Debian and Ubuntu had the same fingerprint. But maybe that was just a coincidence. I didn't beat on it to figure out exactly what determined the fingerprint. Good project for someone, hey
Thanks guys. Good information. It sounds like I'll want to go the VM route. This raises a question, though. If spoofing the browser header won't effectively change the browser fingerprint, then what's the point of those spoofing plugins? I thought all system information used for fingerprinting was volunteered by the browser and could be spoofed. For the record, I don't intend to violate any TOS. I was just trying to use an example to illustrate my goal.
With a Linux VM environment, I can also recommend the firejail sandbox/security program, which also has some interesting compartmentalising and privacy features. You can instantiate different instances of say firefox with distinct home directories (invisible to the others), and also do things like mac address randomisation, and machine-id randomisation - effectively a sandboxed network environment. This can also be used to fan out to different VPNs for instance, based on assignable IP addresses for example.
Yes, it is. Unfortunately headers are not the only thing that can make you distinguishable. Actually, excluding cookies, they are usually the same for a large group of Internet users, effectively not making users easily disguishable. Canvas fingerprinting is for example not based on headers. And there are some audio capacities of Web browser and so on.
I have read every post in this thread above my addition here. Might I suggest a slightly different approach. You can place multiple TBB's (TOR browsers bundles) on a VM desktop, preferably a linux flavor. Access those ten sites on a unique TBB and have all workspace in the one specific TBB go to each of those ten sites. Do NOT modify the TBB at all. The goal is for you to appear as the generic TBB user. In other words you appear the exact same as many thousands of TOR users. Each TBB will occupy about 150 meg on the desktop so ten would be 1.5 Gig and that is it. Create a virgin snapshot and after a session online revert to the virgin snapshot in a second or two. In a case where one of those sites is critically important to your security then place the TBB on a unique VM as well. TBB activity is mostly contained within the TBB itself and not the VM. I am writing this post from within such a TBB on a linux VM, which is chained through two VPNs between it and the host. For here its about privacy and not really security per se.
Maybe to give false sense of anonymity? Using these plugins can rather end up making you stand out more. I like an example of full-masked man in crowd. If you take privacy & anonymity seriously, those suggested in knowledgeable members here are way to go.
