Deleting/blocking cookies may soon be a fruitless measure.
deepsand
01-30-2010, 06:36 PM
It's long been known that an individual machine could be identified from a profile of its hardware components.
Now there is work afoot that, if successful from a practical standpoint, will allow for profiling based on the browser instance, its settings, its extensions, et al.
Thus, for a machine with multiple user accounts, cookies would no longer be required in order to track individual users' usage.
Browser Fingerprinting Can ID You Without Cookies - PC World (http://www.pcworld.com/printable/article/id,188161/printable.html)
Now, while it will be possible to obfuscate one's profile, this is not an undertaking for the average user. Thus, should use of this method come to pass, we should expect to see the offering of various applications designed to automatically perform such obfuscation.
In the mean, what suggestions have you for those who choose the do-it-yourself route?
Uncle Dog
01-31-2010, 07:16 AM
Your browser fingerprint appears to be unique among the 412,213 tested so far.
That's me. Defences?
My extensive font collection definitely makes me stand out from the crowd. I wonder if a font manager (fonts loaded only when requested) could help make me more ordinary, or always different.
Developer browser plug-ins also make me a bit more unusual. I'd find it hard to manage without those.
Panopticlick (http://panopticlick.eff.org/self-defense.php) (who seem to be driving this fingerprinting research) suggest possibilities for making yourself non-unique, such as using a non-rare browser (fairly easy), disabling JavaScript (ahem!) or using a third party FireFox addon called Tor which, among other things "blocks browser plugins such as Java, Flash, ActiveX, RealPlayer, Quicktime, Adobe's PDF plugin... For example, that means Youtube is disabled."
I can't see many who would happily cripple their online experience to counter this 'invisible threat'. Can you?
I come up unique in this as well. Some of the things that are checked are somewhat necessary to report, such as the availability of fonts and media plugins. However, plugins that don't affect the user experience (FireBug for example) can probably be hidden, which would alleviate the problem. Java and Flash automatically deleting older installs during the patch process would also help tremendously, IMO. (It would also clear up any security risks associated with those older versions)
Now, while it will be possible to obfuscate one's profile, this is not an undertaking for the average user. Thus, should use of this method come to pass, we should expect to see the offering of various applications designed to automatically perform such obfuscation.
In the mean, what suggestions have you for those who choose the do-it-yourself route?
At least, it is relatively easy if you use Opera browser | Faster & safer internet | Free download (http://www.opera.com/)
Some possibilities:
CTRL + F12
F12 + Proxy + ... +
Put opera:config in the address field for additional configuration options.
danlefree
02-01-2010, 01:46 PM
Virtualization offers an immediate solution to the problem of machine fingerprinting - most any aspect of a machine's operation (be it apparent hardware, installed applications, etc) can be tweaked.
Give VirtualBox (http://www.virtualbox.org/) or Xen (http://xen.org/) a try - they're free.
deepsand
02-01-2010, 03:25 PM
I can't see many who would happily cripple their online experience to counter this 'invisible threat'. Can you?
I quite concur.
Hence the need for real-time, random obfuscation.
deepsand
02-01-2010, 03:28 PM
At least, it is relatively easy if you use Opera browser | Faster & safer internet | Free download (http://www.opera.com/)
Some possibilities:
CTRL + F12
F12 + Proxy + ... +
Put opera:config in the address field for additional configuration options.
Will any of the above ensure that one's profile is continually and randomly altered?
Even my oldest daughter has learned to use a proxy server (voting online. More advanced surfers make their own voting bots).
Personally, I have had no need for a proxy server.
deepsand
02-01-2010, 03:34 PM
Virtualization offers an immediate solution to the problem of machine fingerprinting - most any aspect of a machine's operation (be it apparent hardware, installed applications, etc) can be tweaked.
Give VirtualBox (http://www.virtualbox.org/) or Xen (http://xen.org/) a try - they're free.
Here, however, the profile in question is that of a specific application, a profile that needs to be randomly altered on a continual basis.
While virtualization can indeed provide for a static alteration of a platform's profile, can it also provide for dynamic alteration of that of a particular application?
Will any of the above ensure that one's profile is continually and randomly altered?
I don't know since I have never tried seriously.
I don't remember the WebMasterWorld thread, but as far as I remember that story was that Opera can for some good reasons be configured to surf nearly invisible.
You may find the thread I think of by
browsing invisible site:webmasterworld.com
about:config == opera:config
was used.
deepsand
02-01-2010, 03:37 PM
Even my oldest daughter has learned to use a proxy server (voting online.
The profile in question is a local one that remains unchanged by externalities such as a proxy server.
Do you think it is difficult for a browser company to program options that hide everything about a client?
Do you think those options can easily be set?
Cookies are the simplest footprints that can be easily deleted.
Related:
Reader Poll: Best Forums for Search Marketing Tips - Online Marketing Blog (http://www.toprankblog.com/2007/03/reader-poll-best-forums-for-search-marketing-tips/)
I had to draw an American expert's attention to how easy it is to manipulate polls by deleting cookies, and he stopped the poll immediately.
danlefree
02-01-2010, 04:58 PM
Here, however, the profile in question is that of a specific application, a profile that needs to be randomly altered on a continual basis.
While virtualization can indeed provide for a static alteration of a platform's profile, can it also provide for dynamic alteration of that of a particular application?
Well that depends upon how far you plan to take it... are you going to install FireFox and create a script which randomly changes the user-agent string and Accept-Encoding headers while bouncing between Tor endpoints and other proxies?
You don't need to deploy virtualization to achieve the goal of near-perfect anonymity for web browsing but, if you need the kind of paranoid assurances implicit in this variety of goal, you may as well have a randomly-seeded configuration for a virtual machine complete with pseudo-hardware so local network administrators get as little information as the administrators of the sites you browse to.
deepsand
02-01-2010, 07:01 PM
Do you think it is difficult for a browser company to program options that hide everything about a client?
Well that depends upon how far you plan to take it... are you going to install FireFox and create a script which randomly changes the user-agent string and Accept-Encoding headers while bouncing between Tor endpoints and other proxies?
The problem to be solved goes beyond that which the browser does, and into the realm of the characteristics of the resources that are available to the browser.
For example, how might one randomly mask the true nature of settings that allow/disallow the execution of client-side script, while still allowing the true settings to operate as intended by the user?
This
It's long been known that an individual machine could be identified from a profile of its hardware components.
Now there is work afoot that, if successful from a practical standpoint, will allow for profiling based on the browser instance, its settings, its extensions, et al.
Thus, for a machine with multiple user accounts, cookies would no longer be required in order to track individual users' usage.
Browser Fingerprinting Can ID You Without Cookies - PC World (http://www.pcworld.com/printable/article/id,188161/printable.html)
Now, while it will be possible to obfuscate one's profile, this is not an undertaking for the average user. Thus, should use of this method come to pass, we should expect to see the offering of various applications designed to automatically perform such obfuscation.
In the mean, what suggestions have you for those who choose the do-it-yourself route?
was your Op. (I read the article in that link).
In your last post you write:
The problem to be solved goes beyond that which the browser does, and into the realm of the characteristics of the resources that are available to the browser.
For example, how might one randomly mask the true nature of settings that allow/disallow the execution of client-side script, while still allowing the true settings to operate as intended by the user?
My bolding.
Can you be more specific (e.g. by giving an example)? I am a little :confused:
I also read this
http://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking
article that mentions this
https://panopticlick.eff.org/
tool.
Here
http://www.cyscape.com/showbrow.aspx?
is a classic tool.
deepsand
02-02-2010, 08:26 PM
Can you be more specific (e.g. by giving an example)?
As I gave an example, I'm unclear as to the nature of your confusion.
If you look to the items cataloged by Panopticlick, it is these or similar data which may serve as a fingerprint; and, it is these data which would need to be randomly obfuscated, in a manner that does not interfere with the desired behavior of the user's platform, in order to nullify the usefulness of said fingerprint.
While Panopticlick itself offers some steps toward such, at https://panopticlick.eff.org/self-defense.php , these provide but partial defense.
"The most obvious way to try to prevent browser fingerprinting is to pick a "standard", "common" browser. It turns out that this is surprisingly hard to do. It appears that the most likely candidate (https://www.eff.org/deeplinks/2010/01/tracking-by-user-agent) would be the latest version of Firefox running on a modern Windows version. But even so, many of those Firefox on Windows browsers can be distinguished from one another by the enormous range of plugin versions and fonts that can be installed with them".
Did you look up some of the WMW threads about invisible browsing?
Did you try to prevent browser fingerprinting configuring Opera?
I am no more convinced than here:
http://www.webproworld.com/internet-security-discussion-forum/84600-browser-shopping-online.html#post476180 (wait til the thread redirects to post #35)
http://www.webproworld.com/internet-industry/81340-internet-explorer-8-released.html#post428904 (wait til the thread redirects to post #40)
Generally, randomization is always good if you want to confuse an opponent or hide your activity.
deepsand
02-02-2010, 10:24 PM
Did you look up some of the WMW threads about invisible browsing?
I've tried the query strings suggested by you at http://www.webproworld.com/internet-security-discussion-forum/98072-deleting-blocking-cookies-may-soon-fruitless-measure.html#post493099 , along with several related variants, with no success to date.
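Added example, not written by any poster in this thread: a small Python model of the trade-off argued above, measuring how many browsers share a profile before and after only the User-Agent and Accept-Encoding headers are randomized. The population, attribute names and values are constructed for illustration; only the figure 412,213 comes from the thread.

```python
import math
import random

# Constructed sample population (not real measurements); one dict per browser.
COMMON = ("Arial", "Courier New", "Times New Roman")
POPULATION = [
    {"user_agent": "UA-A", "accept_encoding": "gzip,deflate",
     "plugins": ("Flash",), "fonts": COMMON},
    {"user_agent": "UA-A", "accept_encoding": "gzip,deflate",
     "plugins": ("Flash", "Java"), "fonts": COMMON},
    {"user_agent": "UA-B", "accept_encoding": "gzip",
     "plugins": ("Flash",), "fonts": COMMON},
    {"user_agent": "UA-B", "accept_encoding": "gzip,deflate",
     "plugins": ("Flash",), "fonts": COMMON},
    # Visitor with a large font collection and a developer plug-in.
    {"user_agent": "UA-A", "accept_encoding": "gzip,deflate",
     "plugins": ("Flash", "DevTool"), "fonts": COMMON + ("RareFont1", "RareFont2")},
]
ALL_ATTRS = ("user_agent", "accept_encoding", "plugins", "fonts")
LOCAL_ATTRS = ("plugins", "fonts")  # untouched by header rewriting or proxies

def anonymity_set(profile, attrs, population=POPULATION):
    """Count browsers in the population identical to `profile` on `attrs`."""
    return sum(all(p[a] == profile[a] for a in attrs) for p in population)

def surprisal_bits(profile, attrs, population=POPULATION):
    """Identifying information in bits: -log2(matching share of population)."""
    n = anonymity_set(profile, attrs, population)
    return math.inf if n == 0 else -math.log2(n / len(population))

def randomize_headers(profile, rng):
    """Copy of `profile` with only the two HTTP header values re-drawn."""
    changed = dict(profile)
    changed["user_agent"] = rng.choice(["UA-A", "UA-B", "UA-C"])
    changed["accept_encoding"] = rng.choice(["gzip", "gzip,deflate", "identity"])
    return changed

def bits_to_be_unique(population_size):
    """Bits of information needed to single out one browser in a population."""
    return math.log2(population_size)

if __name__ == "__main__":
    visitor = POPULATION[4]
    disguised = randomize_headers(visitor, random.Random(1))
    print("all attributes:", anonymity_set(visitor, ALL_ATTRS), "match")
    print("after header randomization, plugins+fonts:",
          anonymity_set(disguised, LOCAL_ATTRS), "match")
    print("bits to be unique among 412,213: %.2f" % bits_to_be_unique(412213))
```

In this model the header values alone put the visitor in a group of three, while the plug-in and font lists still match exactly one browser whatever the headers are set to.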