> Browser fingerprinting is a hack, and exploits clear loopholes in browser privacy models.
> I wouldn't rely on it because it's committing to an ongoing arms race against the browsers.
It doesn't seem to me that browsers are trying to win at all. For example, one of the greatest discriminators - font list - has been known about since people were talking about browser fingerprinting.
The fix would be pretty easy too: in incognito mode (or when toggled by the user), only support 2 fonts: 1 serif and 1 sans-serif that ship with the browser on all platforms.
I don't think any of the browsers want to do that.
There are a number of other longstanding fingerprinting issues that are similarly easy to fix.
Last I checked, Safari in fact restricts the fonts web pages can see/use to ones that ship by default with macOS. So you can't fingerprint a Safari user via fonts any further than "Safari user".
So yes, browsers, at least some of them, are in fact trying to win here.
> You'd need a standardized font rendering engine to defeat fingerprinting via canvas.
That's fair.
But that really only gives the attacker the OS (and perhaps the GPU vendor?). Not ideal for sure, but not that many bits of info, especially if you are in the majority (Windows / Intel).