I can't beat panopticlick

Holysmoke · Aug 20, 2015

Either that sight is a lie or I am SOL. I have tried alot to get uniqueness low but today I got near 6 million.

I am using ublock origin, privacy badger, Disable Plugin & Mimetype Enumeration, better privacy, https everywhere and the following ff tweaks from ghacks

STARTUP
// 0100: STARTUP
// 0101: disable "slow startup" warnings, disk history, welcomes, intros, EULA, default browser check
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.rights.3.shown", true);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("startup.homepage_welcome_url", "");
user_pref("startup.homepage_override_url", "");
user_pref("browser.feeds.showFirstRunUI", false);
user_pref("browser.shell.checkDefaultBrowser", false);
GEO
// 0200: GEO
// 0201: disable location-aware browsing
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "http://127.0.0.1");
user_pref("browser.search.geoip.url", "");
// 0202: disable GeoIP-based search results - https://trac.torproject.org/projects/tor/ticket/16254
user_pref("browser.search.countryCode", "US");
user_pref("browser.search.region", "US");
QUIET Fox Part 1
// 0300: QUIET FOX [PART 1] - no (auto) phoning home for anything - you can still do manual updates
// 0301: disable browser auto update
user_pref("app.update.enabled", false);
// 0302: disable browser auto installing update when you do a manual check
user_pref("app.update.auto", false);
// 0303: disable search update
user_pref("browser.search.update", false);
// 0304: disable add-ons auto checking for new versions
user_pref("extensions.update.enabled", false);
// 0305: disable add-ons auto update
user_pref("extensions.update.autoUpdateDefault", false);
// 0306: disable add-on metadata updating - sends daily pings to mozilla about extensions and recent startups - privacy issue
user_pref("extensions.getAddons.cache.enabled", false);
// 0307: disable auto updating of personas (themes)
user_pref("lightweightThemes.update.enabled", false);
// 0308: disable check for plugin updates (this may not cover the OpenH264 plugin)
user_pref("plugins.update.notifyUser", false);
// 0309: disable sending plugin crash reports - keep FF quiet
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
// 0310: disable sending the URL of the website where a plugin crashed - privacy issue
user_pref("dom.ipc.plugins.reportCrashURL", false);
// 0320: disable extension discovery - featured extensions for displaying in Get Add-ons panel
user_pref("extensions.webservice.discoverURL", "http://127.0.0.1");
// 0330: disable telemetry
// big fat list here: https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
// the pref (.unified) affects the behaviour of the pref (.enabled)
// IF unified=false then .enabled controls the telemetry module : IF unfied=true then .enabled ONLY controls whether to record extended data
// so make sure to have both set as false
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false);
// 0331: remove url of server telemetry pings are sent to
user_pref("toolkit.telemetry.server", "");
// 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false
user_pref("toolkit.telemetry.archive.enabled", false);
// 0333: disable health report
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("datareporting.healthreport.documentServerURI", "");
user_pref("datareporting.healthreport.service.enabled", false);
// 0334: FF41+ see https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
// https://bugzilla.mozilla.org/show_bug.cgi?id=1195552
// This is the master-kill-switch for upload/reporting for Health Reports and Telemetry
user_pref("datareporting.policy.dataSubmissionEnabled", false);
// 0340: disable experiments
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("experiments.activeExperiment", false);
// 0341: disable mozilla permission to silently opt you into tests
user_pref("network.allow-experiments", false);
// 0350: disable crash reports
user_pref("breakpad.reportURL", "");
// 0360: disable new tab tile ads & preload & marketing junk
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.ping", "");
user_pref("browser.newtabpage.directory.source", "");
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtabpage.introShown", true);
// 0370: https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");
// 0371: disable heartbeat - mozilla user rating telemetry
user_pref("browser.selfsupport.url", "");
// 0372: disable hello - a WebRTC mozilla voice & video call that doesn't require an account - WebRTC (IP leak)
user_pref("loop.enabled", false);
// 0373: disable pocket, remove urls for good measure - a third party "save for later" service - privacy concerns
user_pref("browser.pocket.enabled", false);
user_pref("reader.parse-on-load.enabled", false);
user_pref("browser.pocket.api", "");
user_pref("browser.pocket.site", "");
// 0374: disable "social" integration - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Social_API
user_pref("social.whitelist", "");
user_pref("social.toast-notifications.enabled", false);
user_pref("social.shareDirectory", "");
user_pref("social.remote-install.enabled", false);
user_pref("social.directories", "");
user_pref("social.share.activationPanelEnabled", false);
QUIET Fox Part 2
// 0400: QUIET FOX [PART 2] - NOTE: This section has security & tracking protection implications vs privacy concerns
// These setings are geared up to make FF "quiet" & private, if you want safebrowsing & tracking protection then don't use this section (or parts of it)
// 0401: DON'T disable extension blocklist as it is now includes updates for "revoked certificates", this is not a privacy issue
// see https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
user_pref("extensions.blocklist.enabled", true);
// 0402: disable block reported web forgeries - when true this compares visited URLs against a blacklist or submit
// submit URLs to a third party to determine whether a site is legitimate = privacy concerns. This setting is under Options>Security
user_pref("browser.safebrowsing.enabled", false);
// 0410: disable block reported attack sites - This setting is under Options>Security
// safebrowsing uses locally stored data, but if the item is not found, then google is contacted - privacy concerns
user_pref("browser.safebrowsing.malware.enabled", false);
// 0411: disable safebrowsing urls & download
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.appRepURL", "");
user_pref("browser.safebrowsing.gethashURL", "");
user_pref("browser.safebrowsing.malware.reportURL", "");
user_pref("browser.safebrowsing.reportErrorURL", "");
user_pref("browser.safebrowsing.reportGenericURL", "");
user_pref("browser.safebrowsing.reportMalwareErrorURL", "");
user_pref("browser.safebrowsing.reportMalwareURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.reportURL", "");
user_pref("browser.safebrowsing.updateURL", "");
// 0420: disable tracking protection - // https://support.mozilla.org/en-US/kb/tracking-protection-firefox
// I believe there are no privacy concerns here, but you are better off using an extension such as uBlock Origin
// which is not decided by a third party (disconnect) and which is far more effective
user_pref("privacy.trackingprotection.enabled", false);
user_pref("browser.polaris.enabled", false); // deprecated?
user_pref("browser.trackingprotection.gethashURL", "");
user_pref("browser.trackingprotection.getupdateURL", "");
user_pref("privacy.trackingprotection.pbmode.enabled", false);
BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]
// 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]
// 0601: disable link prefetching
user_pref("network.prefetch-next", false);
// 0602: disable dns prefetching
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true);
// 0603: disable seer/necko
user_pref("network.predictor.enabled", false);
// 0604: disable search suggestions
user_pref("browser.search.suggest.enabled", false);
// 0605: disable link-mouseover opening connection to linked server
user_pref("network.http.speculative-parallel-limit", 0);
// 0606: disable pings (but enforce same host in case)
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", true);
LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY etc
// 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY etc
// 0801: disable location bar using search, give error message instead - don't leak typos to a search engine
user_pref("keyword.enabled", false);
// 0802: disable location bar domain guessing
user_pref("browser.fixup.alternate.enabled", false);
// 0803: disable location bar dropdown
user_pref("browser.urlbar.maxRichResults", 0);
// 0804: display all parts of the url
user_pref("browser.urlbar.trimURL", false);
// 0805: disable URLbar autofill - http://kb.mozillazine.org/Inline_autocomplete
user_pref("browser.urlbar.autoFill", false);
user_pref("browser.urlbar.autoFill.typed", false);
// 0806: disable autocomplete
user_pref("browser.urlbar.autocomplete.enabled", false);
// 0807: disable history manipulation
user_pref("browser.history.allowPopState", false);
user_pref("browser.history.allowPushState", false);
user_pref("browser.history.allowReplaceState", false);
// 0808: disable history suggestions
user_pref("browser.urlbar.suggest.history", false);
// 0809: limit history PER TAB (back/forward) - history leaks via enumeration
// default=50!! minimum=1=currentpage, 2 is good for some sites/pages to work, 4 may be more practical
user_pref("browser.sessionhistory.max_entries", 4);
// 0810: disable css querying page history - css history leak
user_pref("layout.css.visited_links_enabled", false);
// 0811: disable displaying Javascript in history URLs
user_pref("browser.urlbar.filter.javascript", true);
CACHE
// 1000: CACHE
// 1001: disable disk cache
user_pref("browser.cache.disk.enable", false);
// 1002: disable disk caching of SSL pages - http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
user_pref("browser.cache.disk_cache_ssl", false);
// 1003: disable memory cache as well IF you're REALLY paranoid, you'll take a performance/traffic hit
// user_pref("browser.cache.memory.enable", false);
// 1004: disable offline cache
user_pref("browser.cache.offline.enable", false);
// 1005: disable storing extra session data 0=all 1=http-only 2=none
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.sessionstore.privacy_level_deferred", 2);
SSL / OCSP
// 1200: SSL / OCSP / CERTS / ENCRYPTION
// 1201: block rc4 fallback and disable whitelist
user_pref("security.tls.unrestricted_rc4_fallback", false);
user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);
// 1202: override rc4 ciphers anyway - these will be deprecated anyway
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
// 1203: https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
user_pref("security.ssl.enable_ocsp_stapling", true);
// 1204: https://wiki.mozilla.org/Security:Renegotiation - eventually this will be set to true by default,
// leave commented out for now, as when set to true it can break too many sites eg some microsoft.com ones
// user_pref("security.ssl.require_safe_negotiation", true);
// 1205: display warning (red padlock) for "broken security" - https://wiki.mozilla.org/Security:Renegotiation
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
// 1206: require certificate revocation check through OCSP protocol. - this leaks information about the sites you visit to the CA.
// when set to true, a number of people have experienced issues with youtube, if this is you, change it to false
// It's a trade-off between security (checking) and privacy (leaking info to the CA) - your choice
user_pref("security.OCSP.require", true);
// 1207: query OCSP responder servers to confirm current validity of certificates
// 0=disable, 1=validate only certificates that specify an OCSP service URL, 2=enable and use values in security.OCSP.URL and security.OCSP.signingCA for validation
user_pref("security.OCSP.enabled", 1);
// 1208: enforce strict pinning - https://trac.torproject.org/projects/tor/ticket/16206
user_pref("security.cert_pinning.enforcement_level", 2);
FONTS
// 1401: disable websites downloading their own fonts - change this to 0 in FF41+. Note: 0=block, 1=allow
// This is the preference under Options>Content>Font & Colors>Advanced>Allow pages to choose their own fonts
// If you disallow fonts, this blocks font enumeration (by JS) which is a high entropy fingerprinting vector
// disabling fonts uglifies the web a little, and until FF41 will also block icon fonts
user_pref("browser.display.use_document_fonts", 1);
// 1402: but for FF41+ allow icon fonts (gylphs) through
user_pref("gfx.downloadable_fonts.enabled", true);
// 1403: https://wiki.mozilla.org/SVGOpenTypeFonts - iSEC Partners Report recommends to disable this
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
HEADERS
// 1600: HEADERS
// 1601: disable Referer from an SSL Website
user_pref("network.http.sendSecureXSiteReferrer", false);
// 1602: DNT HTTP header - essentially useless
user_pref("privacy.donottrackheader.enabled", true);
// 1603: REFERER - http://kb.mozillazine.org/Network.http.sendRefererHeader
// It is better to leave these at default (2, false) and use an extension to block all and then whitelist ( eg RefControl )
// otherwise too much of the internet breaks. Even TOR does nothing about this.
// user_pref("network.http.sendRefererHeader",2);
// user_pref("network.http.referer.spoofSource", false);
PLUGINS
// 1800: PLUGINS
// 1801: set default plugin state to never activate - 0=disabled, 1=ask to activate, 2=active - you can override individual plugins
user_pref("plugin.default.state", 0);
user_pref("plugin.defaultXpi.state", 0);
// 1802: enable click to play and set to 0 minutes
user_pref("plugins.click_to_play", true);
user_pref("plugin.sessionPermissionNow.intervalinminutes", 0);
// make sure a plugin is in a certain state: 0=deactivated 1=ask 2=enabled - flash example below
// you can just set all these plugin.state's via add-ons>plugins NOTE: you can still over-ride individual sites eg Youtube/ via site permissions
// user_pref("plugin.state.flash", 1);
// 1803: remove plugin finder service
user_pref("pfs.datasource.url", "");
// 1804: disable plugin enumeration
user_pref("plugins.enumerable_names", "");
user_pref("security.xpconnect.plugin.unrestricted", false);
// 1805: disable scanning for plugins - http://kb.mozillazine.org/Plugin_scanning
// plid.all = whether to scan the directories specified in the Windows registry for PLIDs - includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flash
// user_pref("plugin.scan.plid.all", false);
// 1806: Acrobat, Quicktime, WMP are handled separately - integer refers to min version number allowed
user_pref("plugin.scan.Acrobat", 99999);
user_pref("plugin.scan.Quicktime", 99999);
user_pref("plugin.scan.WindowsMediaPlayer", 99999);
// 1807: disable auto-play of HTML5 media - have put this under plugins, not media
user_pref("media.autoplay.enabled", false);
// 1808: disable? OpenH264
// user_pref("media.gmp-provider.enabled", false);
MEDIA / CAMERA / MIKE
// 2000: MEDIA / CAMERA / MIKE
// 2001: disable webRTC
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.use_document_iceservers", false);
user_pref("media.peerconnection.video.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);
// 2002: disable WebRTC - firefox making automatic connections#w_media-capabilities
user_pref("media.gmp-gmpopenh264.enabled", false);
user_pref("media.gmp-manager.url", "");
// 2003: disable EME bits - https://trac.torproject.org/projects/tor/ticket/16285
user_pref("browser.eme.ui.enabled", false);
user_pref("media.gmp-eme-adobe.enabled", false);
user_pref("media.eme.enabled", false);
user_pref("media.eme.apiVisible", false);
// 2004: getUserMedia - https://wiki.mozilla.org/Media/getUserMedia
user_pref("media.navigator.enabled", false);
// 2010: disable webGL, force bare minimum feature set if used & disable webGL extensions
user_pref("webgl.disabled", true);
user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.min_capability_mode", true);
user_pref("webgl.disable-extensions", true);
// 2020: disable video statistics fingerprinting vector - javascript performace fingerprinting
user_pref("media.video_stats.enabled", false);
// 2021: disable speech recognition
user_pref("media.webspeech.recognition.enable", false);
// 2022: disable screensharing
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.screensharing.allowed_domains", "");
// 2023: disable camera stuff
user_pref("camera.control.autofocus_moving_callback.enabled", false);
user_pref("camera.control.face_detection.enabled", false);
UI meddling
// 2200: UI meddling
// see http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features
// 2201: disable website control over rightclick context menu
user_pref("dom.event.contextmenu.enabled", false);
// 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windows
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.toolbar", true);
// 2203: POPUP windows - prevent or allow javascript UI meddling
user_pref("dom.disable_window_flip", true); // window z-order
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbar
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_status_change", true);
user_pref("dom.allow_scripts_to_close_windows", false);
DOM - JAVASCRIPT
// 2400: DOM - JAVASCRIPT
// 2401: disable dom storage
user_pref("dom.storage.enabled", false);
// 2402: disable website access to clipboard (will break some sites functionaility such as pasting into Facebook)
user_pref("dom.event.clipboardevents.enabled", false);
// 2403: disable scripts changing images eg google maps - will break a lot of web apps
// user_pref("dom.disable_image_src_set", true);
// 2404: disable JS storing data permanently - NOTE disabling this could break extensions (started in FFv35) - this bug has now been fixed
user_pref("dom.indexedDB.enabled", false);
// 2405: https://wiki.mozilla.org/WebAPI/Security/WebTelephony
user_pref("dom.telephony.enabled", false);
// 2406: disable gamepad API - fingerprinting - USB device ID enumeration
user_pref("dom.gamepad.enabled", false);
// 2407: disable battery API - fingerprinting vector
user_pref("dom.battery.enabled", false);
// 2408: disable network API - fingerprinting vector
user_pref("dom.network.enabled", false);
// 2409: disable giving away network info - https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
user_pref("dom.netinfo.enabled", false);
// 2410: disable User Timing API - https://trac.torproject.org/projects/tor/ticket/16336
user_pref("dom.enable_user_timing", false);
// 2411: disable resource/navigation timing
user_pref("dom.enable_resource_timing", false);
// 2412: https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI - javascript performace fingerprinting
user_pref("dom.enable_performance", false);
// 2413: disable virtual reality devices
user_pref("dom.vr.enabled", false);
// 2414: disable shaking the screen
user_pref("dom.vibrator.enabled", false);
// 2415: max popups from a single non-lick event - default is 20!
user_pref("dom.popup_maximum", 3);
// 2416: disable idle observation
user_pref("dom.idle-observers-api.enabled", false);
// 2417: disable SharedWorkers for now - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (see no.
user_pref("dom.workers.sharedWorkers.enabled", false);
MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY
// 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY
// 2601: disable sending additional analytics to web servers - https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
user_pref("beacon.enabled", false);
// 2602: CIS 2.3.2 disable downloading on desktop
user_pref("browser.download.folderList", 2);
// 2603: always ask the user where to download - enforces user interaction for security reasons
user_pref("browser.download.useDownloadDir", false);
// 2604: https://bugzil.la/238789#c19
user_pref("browser.helperApps.deleteTempFileOnExit", true);
// 2605: don't integrate activity into windows recent documents
user_pref("browser.download.manager.addToRecentDocs", false);
// 2606: disable hiding mime types in prefs applications tab that are not associated with a plugin
user_pref("browser.download.hide_plugins_without_extensions", false);
// 2607: disable page thumbnails - privacy
user_pref("browser.pagethumbnails.capturing_disabled", true);
// 2608: disable JAR from opening Unsafe File Types
user_pref("network.jar.open-unsafe-types", false);
// 2609: disable insecure active content on https pages - mixed content
user_pref("security.mixed_content.block_active_content", true);
// 2610: disable insecure passive content (such as images) on https pages - mixed context
// current default is false, am inclined to leave it this way as too many sites break visually
// user_pref("security.mixed_content.block_display_content", true);
// 2611: disable WebIDE to prevent remote debugging and addon downloads
// https://trac.torproject.org/projects/tor/ticket/16222
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);
// 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku
// https://trac.torproject.org/projects/tor/ticket/16222
user_pref("browser.casting.enabled", false);
user_pref("gfx.layerscope.enabled", false);
// 2613: disable device sensor API - fingerprinting vector
user_pref("device.sensors.enabled", false);
// 2614: disable SPDY as it can contain identifiers - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (see no. 10)
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3-1", false);
// 2615: disable http/2 for now as well - need more info
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);
// 2616: disable auto-filling form fields (can leak in cross-site forms) - http://kb.mozillazine.org/Signon.autofillForms
// password will still be set after the user name is manually entered
user_pref("signon.autofillForms", false);
// 2617: disable pdf.js as an option to preview PDFs within FF (see mime-types under Options>Applications) - exploit risk
// enabling this will change your option - most likely to Ask, or Open with some external pdf reader
// NOTE: this does NOT necessarily prevent pdf.js being used via other means, it only removes the option
// I think this should be left at default (false). 1. It won't stop JS bypassing it. 2. Depending on external pdf viewers there is just as much risk or more (acrobat)
// 3. mozilla are very quick to patch these sorts of exploits, they treat them as severe/critical 4. convenience
user_pref("pdfjs.disabled", false);
// 2618: when using SOCKS have the proxy server do the DNS lookup - dns leak issue
// http://kb.mozillazine.org/Network.proxy.socks_remote_dns
// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
// eg in TOR, this stops your local DNS server from knowing your Tor destination as a remote Tor node will handle the DNS request
user_pref("network.proxy.socks_remote_dns", true);
PERSONAL SETTINGS (with privacy implications)
// 2800: PERSONAL SETTINGS [that have PRIVACY implications]
// These can all be set via options. you don't have to use this section
// This is included for those who wish to add this type of control into their user.js
// 2801: COOKIES
// disable cookies on all sites (you can still use exceptions under site permissions or use an extension - eg Cookie Controller)
// 0=allow all, 1=allow same host, 2=disallow all, 3= allow 3rd party if it has already set a cookie
user_pref("network.cookie.cookieBehavior", 2);
// 2082: enable FF to clear stuff on close (Options>Privacy>Clear history when firefox closes)
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
// 2803: what to clear (Options>Privacy>Clear history when firefox closes>Settings)
// these are the settings of the author of this user.js, chose your own
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.passwords", false);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("privacy.clearOnShutdown.siteSettings", false);
// 2804: (to match above) - auto selection of items to delete with Ctrl-Shift-Del
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", false);
user_pref("privacy.cpd.downloads", true);
user_pref("privacy.cpd.formdata", true);
user_pref("privacy.cpd.history", true);
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.passwords", false);
user_pref("privacy.cpd.sessions", false);
user_pref("privacy.cpd.siteSettings", false);
Personal Handy Settings
// 3000: PERSONAL HANDY SETTINGS
// these are just damn handy to know, have lying around, and be able to easily migrate to a new profile
// users can put their own non-security/privacy/fingerprinting/tracking stuff here
// 3001: disable annoying warnings
user_pref("general.warnOnAboutConfig", false);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.tabs.warnOnCloseOtherTabs", false);
user_pref("browser.tabs.warnOnOpen", false);
// 3002: disable closing browser with last tab
user_pref("browser.tabs.closeWindowWithLastTab", false);
// 3003: disable new search panel UI
user_pref("browser.search.showOneOffButtons", false);
// 3004: disable backspace
user_pref("browser.backspace_action", 2);
// 3005: disable autocopy default (use extensions autocopy 2 & copy plain text 2)
user_pref("clipboard.autocopy", false);
Click to expand...

TheWindBringeth · Aug 20, 2015

First test: Javascript disabled. If you assure your user-agent string is a common one, you'll be one in thousands if not better.

Second test: Javascript enabled, but no Flash (if you have it). Javascript is a major risk because it is used to interact with DOM/etc and acquire more information. Panopticlick is really just a POC. The fingerprinting risk is much much worse than it suggests, especially if you run with Javascript enabled and make unique combinations of changes to your browser. Browser plugins is a doozy, but IIRC plugins.enumerable_names should help. One in low millions or better should be possible.

Allowing Flash will expose System font info. You could try setting
DisableDeviceFontEnumeration=1 in the mms.cfg file. You can play with some other settings via the file or control panel thingy.

Log in or Sign up

I can't beat panopticlick

Holysmoke Registered Member

TheWindBringeth Registered Member

Log in or Sign up

I can't beat panopticlick

Holysmoke Registered Member

TheWindBringeth Registered Member

Useful Searches