17.62 bits on Firefox, 11.0 on Tor, 17.63 on Chrome.
On Firefox, the big contributors are HTTP headers (my native language is announced), hash of WebGL fingerprint and time zone.
On Tor, the big contributors are hash of WebGL fingerprint and screen size.
On Chrome, they are system fonts, hash of canvas fingerprint, user agent, and time zone.
I am not too concerned about the fingerprinting in Firefox since I have strict blocking on, uBlock Origin, and separate containers for Facebook and Google. Based on the small amount of data Facebook has on me, all the blocking is working pretty well.
Similar results for me. Does anyone know if it's possible to turn off WebGL, and if so, how? AFAIK I never use it for anything and I'd rather have increased anonymity. (Assuming disabling it prevents it from being used for fingerprinting.)
Edit: Answering my own question. In `about:config`, change the `webgl.disabled` preference from `false` to `true`. This reduced the "bits of identifying information" from WebGL from 11.26 to 2.56.
CanvasBlocker actually increases your trackability because the consistent factor is now that you have a changing canvas fingerprint (which almost no one does).
This is why Safari tries to give a universal canvas fingerprint so you can "blend in" with other users.
I agree that a universal canvas fingerprint is better in principle, but practically, who is going to write a script to search for all visitors who only differ by their canvas fingerprint and then identify them as one browser because the fingerprints are non-standard?
Practically, it requires little more work than creating a canvas fingerprint framework itself! If someone puts in the effort to write a framework that tracks you via canvas fingerprints, it’s little more work to add to the script with another one that performs a simple diff to find people trying to evade it.
Panopticlick's numbers are extremely confusing and borderline useless.
On my initial run, I got an overall entropy of 17.63. My two biggest identifiers were screen resolution (1000x595x24 which was approx 1/22000 browsers) and WebGL hash (approx 1/3800 browsers). I fixed screen resolution to 1000x600x24 (approx 1/85 browsers) and disabled WebGL hashing (approx 1/6 browsers) and the overall entropy did not change one iota, despite also closing browser, flushing cache and cookies, etc. I gave it another run with a deliberately weird resolution (1420x701 which was something like 1/105000 browsers) and once again, the overall entropy was exactly 17.63. So based on my experiment, it seems that screen resolution and WebGL hash have no effect whatsoever on [Panopticlick's] overall entropy score.
An update on last night's experiment, if anyone cares. The next largest identifier was system fonts (approx 1/1300 browsers). I set `browser.display.use_document_fonts=0` which hid the system fonts (now the same as approx 1/10 browsers) and my overall entropy dropped to just below 11 bits. At this point, none of the metrics were less common than 1/10 browsers, so I figured I wouldn't be able to do better than that.
As a side note, I ended up re-enabling system fonts because disabling them broke a large percentage of web sites' CSS.
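Added example (not part of the thread, and not Panopticlick's code): one way the experiment above can come out as it did is if the overall figure measures how rare the complete fingerprint is, so it cannot drop while any single attribute still makes the browser unique in the dataset. That scoring model is an assumption here; the dataset and every attribute value other than the two screen sizes are constructed.

```python
import math
from collections import Counter

# Constructed sample data: 1023 other browsers sharing common attribute values.
OTHERS = [
    {"screen": "1000x600x24" if i % 8 == 0 else f"screen-{i % 5}",
     "webgl": f"webgl-{i % 64}",
     "fonts": f"fonts-{i % 16}"}
    for i in range(1023)
]

def bits(count, total):
    """Surprisal in bits of a value seen `count` times among `total` browsers."""
    return math.log2(total / count)

def per_attribute_bits(visitor, others=OTHERS):
    """Score each attribute on its own, like the per-row figures in a report."""
    dataset = others + [visitor]
    return {
        attr: bits(sum(fp[attr] == value for fp in dataset), len(dataset))
        for attr, value in visitor.items()
    }

def overall_bits(visitor, others=OTHERS):
    """Score the whole fingerprint: browsers that match on every attribute."""
    dataset = others + [visitor]
    counts = Counter(tuple(sorted(fp.items())) for fp in dataset)
    return bits(counts[tuple(sorted(visitor.items()))], len(dataset))

if __name__ == "__main__":
    # Hypothetical runs: only the screen sizes are taken from the thread.
    runs = {
        "initial": {"screen": "1000x595x24", "webgl": "webgl-mine", "fonts": "fonts-mine"},
        "common screen": {"screen": "1000x600x24", "webgl": "webgl-mine", "fonts": "fonts-mine"},
        "all common": {"screen": "1000x600x24", "webgl": "webgl-0", "fonts": "fonts-0"},
    }
    for name, fp in runs.items():
        rows = ", ".join(f"{k}={v:.2f}" for k, v in per_attribute_bits(fp).items())
        print(f"{name:14s} overall={overall_bits(fp):5.2f} bits  ({rows})")
```

In this model the overall value is capped at log2 of the dataset size, and it only falls once every attribute matches a group of other browsers.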
The numbers don't make much sense to me. On FF I get 14.05 with NoScript active. Curiously the headers increase from 1.68 bits to 3.47 when NoScript is running.
I'm curious about the difference between things like NoScript and native Brave script blocking.
In particular I was going to make a snarky comment that the site seems to, appropriately, not work when script blocking is enabled on Brave. I do get the site to do the refresh business a couple of times, but no results are ever displayed.
> On Tor big contributors are hash of webGL fingerprint, screen size.
Doesn't Tor randomise the window size on startup? Though I guess it chooses some sensible size for your screen which is then leaking info about your screen size (in a pretty indirect way).
Not quite correct. It automatically picks the browser window size based on the monitor it's being displayed on, in some multiple of 200x100. There is no randomization on every run.