Re: Random changing of C: Windows Fonts script for anti-fingerprinting purposes

From: this@address.is.invalid (mike)
Newsgroups: alt.comp.os.windows-10,alt.msdos.batch
Subject: Re: Random changing of C: Windows Fonts script for anti-fingerprinting purposes
Date: Thu, 23 Mar 2023 20:31:54 +0530
Message-ID: <tvhpkj$2ch2l$1@solani.org>
 by: mike - Thu, 23 Mar 2023 15:01 UTC

On 22-03-2023 23:08 VanguardLH <V@nguard.LH> wrote:

>> You may be the only person on Windows who has only one browser
>> installed.
>
> You're making up what I said. I said, again, that Firefox is my
> primary, and Edge-Chromium is my backup. I had Chrome as the backup,
> but since Microsoft moved to Blink for the rendering engine and V8 for
> the Javascript interpreter, both from Chromium, and because
> Edge-Chromium gives me more options than Chrome, there was no point in
> keeping Chrome installed.

We disagree on how to approach a problem where you want to approach it
browser by browser by browser by browser by browser, and I don't.

The randomizing of fonts approach works instantly for all browsers.
And it doesn't require any in-depth knowledge of the browser peculiarities.

> As a matter of fact, most users do NOT install an additional web browser.
> They use what was bundled in the OS. For Windows, that's Edge (now
> Edge-Chromium). For Android, that's Chrome. For Apple stuff, it's
> Safari. So, for the vast majority of users, they do only have a single
> web browser on their computing platform. It's the only one they need to
> configure - but most don't tweak anything of the web browser. They
> don't need the global solution you seek across multiple web browsers,
> because they only have one. But then your inquiry isn't addressed to
> the vast majority of users since they don't visit here. The audience
> here is different, so, yes, they may have more than one web browser. I
> have 2 of them. How many do you have?

I use all the main variants of chromium & mozilla (such as iron, pale moon,
ice dragon, ice weasel, iridium, vivaldi, sea monkey, etc) and then some
privacy focused browsers (such as avast, brave, epic, opera & tor).

The reason is multiple as some do things the others don't but the main
reason is that a fundamental component of fingerprinting is the browser.

> That I have 2 web browsers does not mean I'm constantly switching
> between them. Nor does having umpteen web browsers mean I use any more
> than just one of them. Only one web browser needs to be tweaked how you
> like - the one you use all the time. The others should be left in their
> install-time state, because they are backups should there be a problem
> with your primary web browser, and a backup choice should be plain to
> ensure you aren't fucking it up the same way as you did the primary.
> This is the same way you create your own Windows account for logging in
> for your daily computing sessions, and leave Administrator alone
> except for use only in emergencies.

Even if you only have one browser, approaching the problem outside the
browser is a better approach in many ways than trying to learn the
unfathomable complexities of an ever changing and easily hacked browser.

> You are still hiding why you need umpteen web browsers for why you need
> a global solution that affects all of them regarding fingerprinting. If
> you are a developer then there is a reason to *test* with multiple web
> browsers. You have shown no clue that you are a web developer. So, how
> many web browsers do you have installed, how many do you use, and why do
> you have more than one primary web browser? Why would you be screwing
> with your backup/emergency web browsers that you aren't using anyway?

Those comments indicate you don't understand how fingerprinting works.
What part am I hiding if the entire concept is fingerprint avoidance?
Are you not aware that the browser itself is a key component of entropy?

>>> The fonts getting divulged for fingerprinting are those installed on
>>> your computer. Well, you can randomize which fonts you have, or you
>>> could pare down all those extra fonts down to the basic set that
>>> Windows, or your choice of OS, comes pre-bundled.
>>
>> That's not as easy as you seem to think it is. Each program you
>> install can add its own fonts.
>
> Yep, you'll have to be the admin of your computer and perform the
> maintenance. You want to setup a rotation of font folders (simpler than
> trying to modify the font files in one folder), so you are already
> doing the same maintenance. For example, you will need to ensure when
> installing programs that you reset the font folder rotation back to the
> original \Fonts folder to ensure the program deposits its fonts into
> that folder into one of your obscuring rotation font folders.

The maintenance of a background Windows script is COMPLETELY DIFFERENT than
the maintenance of the myriad switches and dials in a half dozen browsers.

Just turning off search in the Firefox address bar should be a simple
switch, right? It is, but it's hidden and you have to know the intricate
complexities of Firefox just to turn the address bar back into what it's
called. And that could change at any moment. And has, over time.

>>> You're denying web sites from falling back to your fonts other than
>>> some standard set that everyone has and supposedly would reduce your
>>> fingerprint (but do users really only have a basic set of fonts that
>>> never change?). What happens to all your other programs installed
>>> on your computer?
>>
>> That comment indicates you don't understand how font fingerprinting
>> works. They tabulate ALL the fonts on your computer. Not just what
>> you use.
>
> Answer the question rather than evade the subject. You want to rotate
> between different sets of fonts (like renaming \Fonts to \Fonts.Original
> and some other font folder, like \Fonts2 to \Fonts), but obviously that
> DOES affect all your other programs. You're focusing on how to obscure
> font fingerprinting *only* in the web browser without regarding the
> effect such action does on other programs.

There is no effect on other programs.

Somehow you're seeing UFOs when they don't exist.

> Oh, and as to web fonting, did you configure your web browsers to NOT
> allow remote fonts? Those can easily be used for tracking, especially
> if the site you visit gets those fonts from a 3rd-party, like Google, or
> some other font foundry. The web page you load requests font resources
> from elsewhere, so the request for the fonts goes to the font foundry
> who redirects the resource elsewhere that can see where you visited for
> the request and also your IP address to deliver the font resources to
> your client. You want to obscure all your system fonts, but you're
> allowing remote font loading which allows easy tracking.
>
> https://github.com/gorhill/uBlock/wiki/Per-site-switches#no-remote-fonts
> (That's using uBlock Origin, but there's likely other ways to block web
> fonts.)

I don't use any addons or plugins for the same reason that I use a Windows
based holistic approach to fingerprinting - always outside the browser.

> You're doing all this work to hide what Javascript in a web doc can detect
> for your font set. Yet you're allowing even easier tracking if you
> allow download of web fonts. Have you yet addressed that method of
> tracking? Just be aware that if you disable remote fonts that many web
> docs won't be correct. Often the fonts are to use graphical characters
> within them, like chevrons, arrows, geometric shapes, and so forth for
> the icons on elements in a web doc, like buttons you click on. Without
> the remote fonts, you'll get a generic placeholder for the element's
> icon, and won't have a clue what the element does. You can guess until
> you error enough times to remember what each unidentified element does
> for an action being content that you've blocked that tracking method, or
> you can allow remote fonts, suffer any tracking, if any, and better
> interpret the intent of iconified elements in a web doc.

When I set up a browser, I set it up to turn off EVERYTHING I don't need.
That's almost everything, but I will admit some things I don't understand.

Things like turning off autofills and remembering previous pages are easy
to turn off, as are questions about using the camera and mic or displaying
anything but images but some browser setting switches I don't understand.

I don't understand DRM questions, for example - so I turn them off.
If you can explain why they ask those DRM questions, please do.

Same with "Query OCSP responders" questions which I don't understand.
So I turn them off.

I know enough NOT to block malicious content because that alone has to send
the content to a server, which is an invasion of privacy from the get go.

And of course, the data collection of Firefox is legendary, all of which I
turn off on sight but I leave on spellchecking (because I need it).

I don't even know what they're asking when they ask for a yes or no on
"Continue running background apps when browser is closed" either.

>>> You randomize the font set while you are web browsing. When web
>>> browsing, you never ever run any other program? You never open an
>>> editor, word processor, spreadsheet, or load ANY other program while you
>>> have the web browser loaded? Well, randomizing the font set for the web
>>> browser means you are doing the same for every other program you may
>>> open at the same time. If concurrently opening multiple programs was
>>> not a wanted feature, Windows nor any other OS would have to bother with
>>> multi-tasking, running a dispatcher, assigning priority, or all the
>>> other functions of a multi-tasking OS. Running a single program that is
>>> always foregrounded with no opportunity to load any other program is not
>>> how users use Windows, Linux, or any other OS. To do so would mean
>>> having to cripple the OS back to single-process operation, like DOS.
>>>
>>> Your solution impacts more than just the web browser.
>>
>> Run this program please. <https://amiunique.org/fp> and save the results
>> to text, and paste your results into the reply like I did and we can solve
>> the fingerprinting issues together using real world data of our own.
>
> Do you even read the replies to your thread? Look at my very first
> reply. I already reported the effects of various methods of obscuring
> fonts at EFF, amiunique, and browserleaks.

I'm well aware of fingerprinting entropy. This thread is only about fonts.
Specifically a Windows method to randomize them.

>> The way you normally approach fingerprinting usually is you start with the
>> worst entropy and when you fix that, you move down to the next worst
>> entropy, and so on, until you're no longer unique or nearly unique.
>
> You do realize that the stats reported at those sites are based solely
> on their database of visitors. That you are unique within 200K other
> visitors doesn't really represent your uniqueness across all web
> browsing users visiting all web sites. Theirs is just a small database.
> It's a sample, and one that is biased due to the intent of the visitors
> to their test sites.

I've been looking up fingerprinting for a decade. I've watched the stats.
I've tested them myself with various easy-to-do spoofs to see how they
increment the counter (for example come in twice but from different IPs).

>> In the best case, you want to blend in with the crowd.
>
> And why I said you need to figure out which is the base font set for a
> new Windows installation. However, that would represent a sample of
> users that install Windows, and install nothing thereafter. There are
> some users like that, but doesn't seem the norm for most users. Windows
> is a general-purpose OS, so the intent is more programs will get
> installed. Those that have only the base font set are not the crowd you
> want to hide within. My guess is that isn't the dominant crowd. I've
> yet to find anyone gathering statistics on fonts to determine what the
> average user has for a fonts set to let you hide in the biggest crowd.

I explored the base set many years ago and there are two problems, one of
which you've noted which is that it's rare, but the other of which is there
is no such thing (there is no fundamental base set that I ever could find).

Your suggestion of just rotating a never-ending set of fonts is one
approach which has merits in simplicity, but it suffers from a finite set.

>> Here are my current AmIUnique.txt values using one Firefox browser.
>
> I found amiunique was inaccurate in the fonts count, and which could be
> discovered after making tweaks in the web browser. EFF and browserleaks
> were more compliant with web browser tweaks on font accessibility.

Yeah. Years ago I messed with things one by one by one by one to watch the
entropy change. Sometimes it changed. Sometimes it didn't change.

>> My browser fingerprint
>> Are you unique ?
>> Yes!
>> You are unique among the 1529201 fingerprints in our entire dataset.
>
> Unique in a database of visitors which is a small sample of users (only
> those that visited their web site AND ran the test) represents highly
> skewed results.

Doesn't matter. If they can see you twice, that's it for your anonymity
when you're going to a web site that is tracking such things.

I don't think you understood that I don't mind being unique, and in some
ways, there's no disadvantage to being unique. The fundamental concept you
don't yet show an understanding of is you don't want to be the same unique.

> Also, depends on how the test site performed its fingerprinting tests.
> Without unusual tweaking of font accessibility in Firefox, both EFF and
> browserleaks report:
>
> EFF: you have strong protection against web tracking
> 16.54 bits of identifying information
> one in 95262.5 browsers have the same fingerprint as yours
>
> amiunique: Almost! Only 2 browsers out of the 1532682 observed browsers
> fingerprints in our entire dataset (<0.01 %) have exactly the same
> fingerprint as yours.
>
> Depends on who you use for a fingerprinting score. Browserleaks breaks
> up the testing into separate tests, so no overall score. You would
> think "1 or 2 in <millions> of other visitors" sounds bad (you're unique
> in a small sample). Yet 1.5 million out of 5.4 *billion* users is a
> very small sample (0.03%). You're being measured by a skewed database.
>
> You can get paranoid by using these sites and online security articles
> on how to lock down your web browser, but remember the more security you
> have then the less convenient becomes the Web. Security and convenience
> are the antithesis of each other. The more you have of one, the less
> you have of the other. You have to decide what level of security is
> still comfortable to you, and sensitivity is far ranging amongst users.

The only thing I care about in any of these sites for the purpose of this
thread is what they say about browser fonts, and even then, I don't care if
I'm unique. As I said, what matters is not being the same unique twice.

>> The following informations reveal your OS, browser, browser version as
>> well as your timezone and preferred language.
>> ...
>
> If Firefox is among your set of multiple web browsers, have you yet
> tried its privacy.resistFingerprinting setting? That would give you far
> better fingerprint rankings, but at the expense of the features that I
> mentioned, and restriction or throttling of features in the referenced
> Mozilla wiki article.

See! I didn't know about that. It's a perfect example of the problem set!

privacy.resistFingerprinting false
privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts true
privacy.resistFingerprinting.block_mozAddonManager false
privacy.resistFingerprinting.exemptedDomains *.example.invalid
privacy.resistFingerprinting.jsmloglevel Warn
privacy.resistFingerprinting.randomDataOnCanvasExtract true
privacy.resistFingerprinting.reduceTimerPrecision.jitter true
privacy.resistFingerprinting.reduceTimerPrecision.microseconds 1000
privacy.resistFingerprinting.target_video_res 480
privacy.resistFingerprinting.testGranularityMask 0
services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter true
services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.microseconds true

What you're proving for me is that it's futile to try to learn every method
of reducing font fingerprinting if you approach it browser by browser by
browser by browser by browser by browser... instead of doing it all in
Windows completely outside the browser.

>> We use cookies and other storage mechanisms to make sure you can have
>> the best experience on our website. If you continue to use this site,
>> we assume that you will be happy with it.Ok <#>
>
> Firefox can be configured to purge ALL its locally cached data on its
> exit, so none of it remains for reuse in the next web session. I purge
> all locally cached data on exit. For example, there was a canvas
> exploit that used DOM Storage to retain info across web sessions to
> allow tracking by a unique ID generated by canvas code. I used an
> add-on back when this was a big deal, and there were POC sites to show the
> vulnerability, that didn't disable all of Canvas (which you can do to
> smash all of Canvas using a Firefox setting) but just randomized the ID
> that canvas code would generate to make the ID unusable for tracking.
> Eventually I decided for other reasons, and this, to purge all locally
> cached data on Firefox's exit. So, cookies disappear, too, as well as
> DOM Storage, history (which Javascript can retrieve), and other info I
> consider personal and usually unrelated to a visited site, so it's none
> of their business getting at all that user data.

I purge everything I can from browser settings but I have a script that
runs in the background that wipes out all the left-behind cache stuff.

> For Chrome, I had to install the Click&Clean add-on to get the same
> purge-on-exit function. However, Google doesn't allow the delayed
> action when Chrome exits, so the add-on would do the purge when it was
> loaded which is when Chrome loads. Didn't need an add-on for
> Edge-Chromium since there are similar purge-on-exit options, and why
> Edge-Chromium, even with the migration to Blink and V8 of Chromium, is
> more secure than Chrome (but still doesn't have the deep settings
> available in about:config of Firefox).

I don't use addons for the same reason that I want to solve the font
randomization problem in Windows so that it instantly works for all
browsers, not just one browser.

> I'm pretty sure we (you and I) are at an impasse on how best to secure
> the web client. You want to do it outside the web client for a solution
> that is global across multiple web browsers. You're only focusing on
> font fingerprinting which is only a small measure as part of the entire
> fingerprinting spectrum. You haven't even noted if you are blocking
> remote fonts which are far better for tracking than trying to pick you
> out of all web visitors based on system fonts.

The impasse is simply that you do all the work inside each and every
browser many times, and where most browsers (save for the tor browser
perhaps) don't give you the necessary switches so you will fail no matter
what, whereas I wish to do the work in Windows outside the web browser.

I think nobody has a better solution than the visual basic solution
so that's the one I will try to randomize the fonts within Windows.
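
Added example, not part of the post above and not either poster's code: a small Python model of the two positions in this thread. It shows that a per-session random font subset changes a naive exact-match fingerprint hash while the non-font attributes still match, and that subsets drawn from a finite installed set always overlap. The font list, the other attributes, the hashing scheme and all function names are constructed assumptions; only the 16.54-bit and one-in-95262.5 figures come from the quoted EFF result.

```python
import hashlib
import math
import random

# Constructed sample data; none of these values come from the thread.
INSTALLED_FONTS = ["Arial", "Calibri", "Cambria", "Consolas", "Courier New",
                   "Georgia", "Segoe UI", "Tahoma", "Times New Roman",
                   "Trebuchet MS", "Verdana", "Webdings"]
OTHER_ATTRS = {"user_agent": "ExampleBrowser/1.0", "timezone": "UTC+05:30",
               "language": "en-US", "screen": "1920x1080"}


def surprisal_bits(matching, total):
    """Bits of identifying information when `matching` of `total` records match."""
    return math.log2(total / matching)


def fingerprint(attrs, fonts=None):
    """Hash the attributes (plus the font list, if given) as an exact-match ID.

    This hashing scheme is an assumption made for illustration only.
    """
    parts = [f"{key}={attrs[key]}" for key in sorted(attrs)]
    if fonts is not None:
        parts.append("fonts=" + ",".join(sorted(fonts)))
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def session_fonts(rng, keep=8):
    """Model OS-level randomization: a session exposes a random font subset."""
    return rng.sample(INSTALLED_FONTS, keep)


def font_overlap(fonts_a, fonts_b):
    """Jaccard similarity of two font lists (1.0 means identical sets)."""
    a, b = set(fonts_a), set(fonts_b)
    return len(a & b) / len(a | b)


def compare_sessions(first, second):
    """Compare two sessions, each a dict with 'attrs' and 'fonts' keys."""
    return {
        # Exact-match hash over everything, fonts included.
        "full_match": fingerprint(first["attrs"], first["fonts"])
                      == fingerprint(second["attrs"], second["fonts"]),
        # Same hash with the font list left out: untouched by font changes.
        "non_font_match": fingerprint(first["attrs"])
                          == fingerprint(second["attrs"]),
        # Shared portion of the two font lists.
        "font_overlap": font_overlap(first["fonts"], second["fonts"]),
    }


if __name__ == "__main__":
    s1 = {"attrs": OTHER_ATTRS, "fonts": session_fonts(random.Random(1))}
    s2 = {"attrs": OTHER_ATTRS, "fonts": session_fonts(random.Random(2))}
    print(compare_sessions(s1, s2))
    # The quoted EFF result: one in 95262.5 browsers is about 16.54 bits.
    print(round(surprisal_bits(1, 95262.5), 2))
```

With 8 of 12 fonts exposed per session, any two sessions share at least 4 fonts, so the overlap never drops below one third; a larger installed pool or a smaller subset lowers that floor.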
