
Yesterday I put some effort into getting the best "score" I can on Panopticlick. The following is my result:

[Screenshot: Panopticlick result]

I did several things to get the lowest numbers for "unique in x browsers".

  • I looked up what the most common screen resolution is and set my browser to it. It's not the default setting of the Tor Browser though.
  • I've tried several user agent strings and it seems an empty string is way better than others.
  • I deactivated WebGL, so that the WebGL canvas thing cannot be used.
  • I got an add-on that blocks HTML5 canvas and asks me whenever someone tries to use HTML5 canvas on a site - shocking how often that is! But when I use it consistently on Panopticlick, the test stops working at the last step, not letting me see the results, so that is not included in the screenshots. (Is there a better way to test my "uniqueness" somewhere?)
  • I can deactivate JS, but then I'd not see the information about all the things that can be exploited when I have JS on, so that's also not in the screenshot.

However, despite all this effort, it seems I am still unique in 145k browsers. If I am still a unique profile, then all the confusion created by the Tor network is for naught, if someone really wanted to track me. If I multiply those "unique in x browsers" numbers together, I'd get the combined "uniqueness" when someone considers really all of the listed things there. The number is still sooooo high; I am still far from a non-unique fingerprint. Now the question is:

Can I still improve this? If so, how?

And for everyone else I hope you have use for this configuration and that it helps you.

1 Answer


This approach of trying to shoehorn yourself into the middle of the bell curve is ultimately destined to fail. Part of the problem is that you seem to be viewing each part of the various things they fingerprint on as a distinct challenge to approach, trying to sit in the middle of the bell curve for all browsers.

Instead, an observer knows you're using Tor Browser; Panopticlick is measuring how unique your own Tor Browser is against the set of all browsers. You should instead be considering how you look amongst all other Tor Browser users. With every change you make, you are adding granularity to a previously smooth surface of Tor Browser users; you stand out from other Tor Browser users rather than blending in with them.

While fingerprinting methods like Canvas, AudioContext and other features might leak information about configuration specifics and need to be addressed with patching or being disabled, making your own "special snowflake" changes might make Panopticlick say your browser is less unique amongst the set of all browsers; in truth you're making yourself stand out from the set of Tor Browsers and harming your anonymity.

Recommended reading: The Design and Implementation of the Tor Browser


Response to comment(s):

"that is what your argumentation is based"

Not entirely; they don't need to know what your browser is, just that it doesn't match any known fingerprints, which almost all other stock browsers (even with "privacy" add-ons) will. It's a bit like the famous "parable" or "urban legend" of the thief who removed his fingerprints and then was the only person who didn't have any fingerprints, making him the only suspect when they found the blank set of fingerprints at the scene of the crime.

"how would an observer know that? [x and y guess incorrectly]"

Most browser fingerprinting sites are pretty naive PoC attempts; they're not performing advanced fingerprinting. One tell-tale sign, for example, that a user is using Tor Browser would be to try to canvas fingerprint them. If you get back a hash of an empty string, they're probably using Tor Browser because currently no other browser implements that functionality. More advanced fingerprinting methods that are much harder to hide would be how it renders the page: given a page with a series of resources to be loaded embedded into the page, the order and means by which it loads each of the sub-resources can be used as a distinguisher between browser engines (Gecko, WebKit, Trident, etc.) because each has its own parser. Other distinguishers that are often overlooked are accepted encoding types and content types, especially given a specific context and file extension: what sort of images do you support? What sort of compression do you support? What about your TLS cipher suite?

As such (and as suggested in the original answer) your efforts would be best served at blending into the crowd of Tor Browser users as best as possible, providing as little distinguishability as possible.

cacahuatl