[tor-talk] Spoofing a browser profile to prevent fingerprinting

Craw paulus.smirnov at yandex.ru
Sat Jul 26 18:14:28 UTC 2014

Hello everybody,

You know, there are some various methods of fingerprinting a browser.
Plugins and plugin-provided information are still the most useful in
uniquely identifying a browser, but there are also some other
information that can be used to fingerprint a Tor user, like user
agent, screen resolution, time zone, etc.

I think it can be helpful to spoof real browser profile to random
temporary one. Each browser profile includes user-agent (browser
name/version), platform (OS name/version), screen resolution, time
zone (depends on country of an exit-relay, so, perhaps, mismatch of it
can cause suspicion?). So, my suggestion is to generate random browser
profile during each identity session, or randomly switch them after a
chosen period of time has expired. By making this, some important info
about users will be unreachable for an attacker and fingerprinting
will be more difficult.
Here's a link on open-source repository of Firefox add-one which code
we can use for Tor Browser -

Also I suggest to:
- forbid HTML5 Canvas by default
- use only standard font set (can be used for fingerprinting)
- set network.http.sendRefererHeader value "0" by default (allows
sites to track referer, but some sites can be broken! add ability to
switch on/off referer?)

Let me know about your thoughts,
Looking forward to hear from you, Pavel.

More information about the tor-talk mailing list