
Sorry, one more thing :)

"Furthermore, if you're the only person in your city using Firefox with very different behaviour, that just makes you easier to fingerprint"

If you do NOTHING, you are already unique. And not all FP'ing techniques carry the same threat. Also, and I'm sure you're all aware of this, sites that calculate your entropy are only good for seeing what you return as values. They do not have "real world" data but rather are comprised of biased data from repeat visitors with a vested interest in tweaking, constantly rechecking their configurations. The data sets can also be long-lived and out of date. Everything I now know about fingerprinting is based on science, sound principles (of methods to mitigate it), and in the last year validated by some large-scale real-world studies. There's also the building and usage now of OpenWPM (which is now part of Mozilla). For example, we're looking at the usage of DOMRect across the top 10,000 sites to evaluate the threat (the FP'ing is certainly possible and easy to add, but is it used, and how?). This gives us a sense of priority, and ideas on mitigation (there are a number of ways this could be done, but some will break more than others). Real data, real-world cases, real solutions - lowering entropy, using the right methods, practically zero information paradoxes, minimum breakage, and an all-in buy-in. THIS is your only salvation (or use the Tor Browser, which uplifts and helps out with RFP). See the next point though - you're still unique.

"If you want to resist fingerprinting, wait for Firefox's fingerprint protection to advance and keep everything as close to default as possible instead."

I actively work on RFP. Even with RFP, you are still unique. It has a long way to go - years. Keeping everything at default is a sure way of always being unique. I will say that FP'ing, which is my real passion, is not as important as the other factors. Eliminate unnecessary third-party calls, limit JS functionality (or just use Tor Browser, for goodness' sake). But it is taken into consideration.

For example: we do not disable geo requests (they are behind a prompt), we do not disable prompt permissions (they are behind a prompt), we do not disable gamepads or VR. All of these are fingerprintable, yes, including your default prompt permission! We don't change any TLS settings (that's server-side entropy) - we could make the minimum TLS 1.2 for security, but less than 1.5% of the web uses those, and we're happy to let Mozilla decide when to change the value. We don't change any crypto prefs, as they are also server-side entropy, and again, while they may harden security, the risk really isn't here - we'll let Mozilla take care of that. There's more, but I'm a bit knackered (been up way too long), and I'm not quite up to trolling through the user.js to pick out more examples. Fingerprinting is my passion. Totally immersed in it. I'd like to think I'm qualified to talk about it.

Most FP'ing comes from "simple" scripts such as fingerprintjs2. The corporate surveillance world is basically not interested in spending money or using server-side FP'ing or developing new techniques and so on, when they have 95% of the world already serving it all up - via IP, header referrers, SSL session IDs, cookies, persistent local data, logins, third-party connections, and OMG, the nightmare of smartphones with location tracking and dodgy apps and so on. FP'ing is slightly overrated as a threat - but yes, it is being used: e.g. as a first-party script on reddit.

RFP here almost has you covered (basic FP techniques, scripts). So don't sweat the FP'ing too much. It's more about us being proactive and anticipating possible threats and mitigating them ahead of time. If you need it, then use Tor Browser.

Sorry for the long post again. I love talking about this stuff.
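The "you are already unique" and "entropy sites only see what you return" points above come down to anonymity-set arithmetic over whatever dataset the site happens to have. The following is an added illustration (not the commenter's code or any project's) on a constructed sample: per-attribute and combined Shannon entropy, the anonymity set of a given value combination, and the share of visitors whose combination is unique in that dataset.

```python
from collections import Counter
from math import log2

# Constructed sample of fingerprint records (not real survey data): one
# record per visitor, three attributes each. Every number below describes
# only this dataset; a different or biased sample gives different answers.
SAMPLE = [
    {"browser": "Firefox/115", "tz": "UTC",           "screen": "1920x1080"},
    {"browser": "Firefox/115", "tz": "UTC",           "screen": "1920x1080"},
    {"browser": "Firefox/115", "tz": "Europe/Berlin", "screen": "1920x1080"},
    {"browser": "Firefox/115", "tz": "UTC",           "screen": "1366x768"},
    {"browser": "Chrome/120",  "tz": "UTC",           "screen": "1920x1080"},
    {"browser": "Chrome/120",  "tz": "Europe/Berlin", "screen": "1366x768"},
    {"browser": "Chrome/120",  "tz": "UTC",           "screen": "1366x768"},
    {"browser": "Chrome/120",  "tz": "Europe/Berlin", "screen": "1920x1080"},
]


def _joint_counts(records, attrs):
    """Count how often each combination of the named attributes occurs."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def attribute_entropy(records, attrs):
    """Shannon entropy in bits of the joint value of `attrs` over `records`.
    One attribute gives what it leaks alone; several give what the
    combination leaks. The ceiling is log2(len(records))."""
    n = len(records)
    return -sum(c / n * log2(c / n) for c in _joint_counts(records, attrs).values())


def anonymity_set(records, probe):
    """Number of sampled visitors matching `probe` on every attribute it
    names. A result of 1 means that combination is unique in this dataset."""
    return sum(all(r[k] == v for k, v in probe.items()) for r in records)


def fraction_unique(records, attrs):
    """Share of visitors whose combined values appear only once."""
    counts = _joint_counts(records, attrs)
    return sum(counts[tuple(r[a] for a in attrs)] == 1 for r in records) / len(records)


if __name__ == "__main__":
    attrs = ["browser", "tz", "screen"]
    for a in attrs:
        print(f"{a:8s} {attribute_entropy(SAMPLE, [a]):.3f} bits")
    print(f"combined {attribute_entropy(SAMPLE, attrs):.3f} bits of {log2(len(SAMPLE)):.3f} max")
    print(f"unique visitors: {fraction_unique(SAMPLE, attrs):.0%}")
    print("anonymity set of a Firefox/UTC/1920x1080 visitor:",
          anonymity_set(SAMPLE, {"browser": "Firefox/115", "tz": "UTC", "screen": "1920x1080"}))
```

Each attribute on its own leaks about one bit here, yet their combination already makes six of the eight visitors unique, which is the commenter's point that doing nothing does not make you blend in.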


