On Thu, Jan 23, 2014 at 5:50 PM, Stefan Monnier wrote:

> > Hmm... I wonder if https://panopticlick.eff.org/ rates "no UA" as being
> > *more* identifiable than spoofing it to something commonplace? :-)
>
> BTW, I was recently thinking about this "http header fingerprinting"
> problem and was wondering if anybody has tried to randomize
> their header.
> More specifically, change part of the header for each request.
> An obvious option is to add a counter to the "user-agent", and to add
> a "blur" factor to the language options.
>
> E.g. my "en-us,fr-ch;q=0.8,es-ar;q=0.6,en;q=0.4,de;q=0.2" appears to be
> very rare, but if it keeps changing from
>
> en-us,fr-ch;q=0.80000234,es-ar;q=0.60000765,en;q=0.40000345,de;q=0.20000123
> to
> en-us,fr-ch;q=0.80000983,es-ar;q=0.60000923,en;q=0.40000186,de;q=0.20000236
> to ...
> then a naive fingerprinting will be fooled into thinking it's coming
> from a different user.
>

It's not a bad idea, but I wouldn't try it specifically with q-values, as
they're likely discarded by the server before they get to the browser-id
step.

~Chad
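
Added example, not part of the original message: a sketch of the point made in the reply, comparing a fingerprinter that hashes the raw Accept-Language header with one that parses it and keeps only the language preference order. The function names and the use of SHA-256 are assumptions for illustration, not any real tracker's implementation.

```python
import hashlib

def naive_fingerprint(header: str) -> str:
    """Hash the raw header text, as a naive fingerprinter would."""
    return hashlib.sha256(header.encode()).hexdigest()[:16]

def parse_accept_language(header: str) -> list[tuple[str, float]]:
    """Return (tag, q) pairs sorted by descending q; a malformed q counts as 0."""
    prefs = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not tag:
            continue
        q = 1.0  # a tag without an explicit q has weight 1
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        prefs.append((tag, q))
    # sorted() is stable, so tags with equal q keep their header order
    return sorted(prefs, key=lambda p: -p[1])

def normalized_fingerprint(header: str) -> str:
    """Hash only the ordered language tags; the q-values are discarded."""
    order = ",".join(tag for tag, _ in parse_accept_language(header))
    return hashlib.sha256(order.encode()).hexdigest()[:16]

# The unblurred header and the two blurred variants quoted in the message
ORIGINAL = "en-us,fr-ch;q=0.8,es-ar;q=0.6,en;q=0.4,de;q=0.2"
BLURRED = [
    "en-us,fr-ch;q=0.80000234,es-ar;q=0.60000765,en;q=0.40000345,de;q=0.20000123",
    "en-us,fr-ch;q=0.80000983,es-ar;q=0.60000923,en;q=0.40000186,de;q=0.20000236",
]

def distinct_ids(fingerprint, headers) -> int:
    """Count how many different identifiers a fingerprinter assigns."""
    return len({fingerprint(h) for h in headers})

if __name__ == "__main__":
    print("naive:     ", distinct_ids(naive_fingerprint, BLURRED), "identities")
    print("normalized:", distinct_ids(normalized_fingerprint, BLURRED), "identity")
```

The blur changes the raw-text hash on every request, but the rare five-language ordering survives normalization and still yields a single identifier.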