Chameleon extension for fingerprinting

Hi everyone, I’m curious to know the opinion of the community on the Chameleon extension?

For now I use a dual based approach with Firefox for anything I need to connect to with a username/password and Mullvad (+VPN) for any other browsing.

Anything spoofing your useragent string is a bad idea and will make you stand out like a sore thumb. Seems like all this extension does is that and show some about:config settings you can change. Don’t really see the point in using it, better off using arkenfox.

I’m not entirely sure, but this sounds very similar to what FPP does in Firefox (see Arkenfox for more details).

I don’t know about Chameleon specifically, the general rule of thumb is a browser extension or spoofing your user-agent are subpar solutions compared with either (1) Purpose built browsers (Mullvad, Tor) or (2) the FP protection built into mainstream browsers like Firefox or Brave. #1 being the preferred and strongest solution. I used to use an extension (canvasblocker) for basic protection, now I use Firefox’s built-in FPP for that (which is enabled when you enable ETP strict mode).

As @exaCORE mentioned, the Arkenfox wiki (and GitHub issues) are a great resource for info on fingerprinting protection. The Tor Project has some good content also.

2 Likes

Great, thanks all!

I have found that Chameleon is the only way to defeat sophisticated fingerprinting techniques with a customizable browser like Firefox. If you are not sure if your current setup is effectively working to protect you from fingerprinting, definitely navigate to fingerprint(.com) and find out.

I wrote a full guide on properly deploying Chameleon with Firefox if you want to test it out: Defeating Persistent Web Fingerprinting with Chameleon

1 Like

Fingerprint.com is easy to beat. Any advanced script will be able to tell you’re spoofing your user agent/time zone/whatever. If you’re on desktop Linux and you say you’re an iPhone that’s trivial even to figure out.

I would hardly call a 99.5% fingerprint tracking success rate trivial. Most Internet users are not using Tor for general web browsing and are probably not using a vanilla installation browser either.

Every user’s setup is going to be different depending on platform, browser choice and configuration, and whether they use a VPN. The best way to tell if they are being persistently tracked across browser sessions over long periods of time is to visit fingerprint(.com) for themselves and see if their unique ID on the site stays the same.

My stock Safari browser beats it 100% of the time. It says that the demo on their site isn’t as accurate as the production version so maybe that’s why.

That’s quite interesting. For how long would you say Safari has been able to resist fingerprint(.com) and does this also work for you from iOS?

Yeah from iOS is where I tested it. It’s always been able to beat it occasionally but when they added the fingerprint randomization feature and private relay it seems like fingerprint.com just wasn’t able to deal with it.

Of course it’s possible that the demo doesn’t reflect the full product but you’d think they would want to show off the full capabilities of it.

It’s helpful to hear your experience with fingerprinting and Safari. I’m definitely going to be doing more fingerprint research and testing with Safari on both macOS and iOS.

Are you using a VPN in addition to Private Relay?

No, I think actually you can’t use both at the same time. Private Relay is better than a VPN for browsing anyway, there are two hops controlled by different parties and you get a different route for every website.

At some point I’ll make a blog post or something about it with my testing methodology and some data I think.

I really really like the WebKit team’s approach to fingerprinting, they don’t implement certain APIs and features that make fingerprinting easier. Like they don’t support the DNT header at all for example.

1 Like

I think I never visited that site before. I tested it with several different IPs and incognito on/off. It always detects me. I use Brave on Android.

Did you clear your cookies between visits? And did you turn on fingerprint randomization? Problem with Brave on Android is Android Brave users on your specific phone are going to be an incredibly small group of people. It’s going to be really difficult to blend in.

Yeah, that makes sense. But other websites cannot detect phone model and screen size… Anyway that just shows tracking and fingerprinting is not hard. I don’t think some extension can easily fix all those issues.
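
Added example (not from any poster in this thread, and not a statement about which properties Chameleon does or does not override): a self-audit that checks a spoofed profile for the kind of contradiction raised above, such as a desktop Linux browser claiming to be an iPhone. The function name `findContradictions`, the lookup table and the two sample profiles are constructed for illustration; in a browser console you would pass the real `navigator` object.

```javascript
// Which OS does the User-Agent string claim? Order matters: iOS UAs contain
// "like Mac OS X" and Android UAs contain "Linux".
function claimedOS(ua) {
  if (/iPhone|iPad|iPod/.test(ua)) return "ios";
  if (/Android/.test(ua)) return "android";
  if (/Windows NT/.test(ua)) return "windows";
  if (/Mac OS X/.test(ua)) return "mac";
  if (/Linux|X11/.test(ua)) return "linux";
  return "unknown";
}

// Values each claimed OS would normally report. navigator.oscpu exists only in
// Gecko (Firefox); Gecko does not ship on iOS, so any oscpu contradicts "ios".
const EXPECTED = {
  ios:     { platform: /^(iPhone|iPad|iPod)/, oscpu: /^$/ },
  android: { platform: /^Linux/,              oscpu: /Linux/ },
  windows: { platform: /^Win/,                oscpu: /Windows/ },
  mac:     { platform: /^Mac/,                oscpu: /Mac OS X/ },
  linux:   { platform: /^Linux/,              oscpu: /Linux/ },
};

// Returns the properties that disagree with the OS named in the User-Agent.
function findContradictions(nav) {
  const os = claimedOS(nav.userAgent || "");
  const exp = EXPECTED[os];
  const issues = [];
  if (!exp) return issues; // unknown claim: nothing to compare against
  for (const prop of ["platform", "oscpu"]) {
    if (typeof nav[prop] === "string" && !exp[prop].test(nav[prop])) {
      issues.push({ check: prop, detail: `"${nav[prop]}" does not fit claimed OS ${os}` });
    }
  }
  if ((os === "ios" || os === "android") && nav.maxTouchPoints === 0) {
    issues.push({ check: "touch", detail: "phone/tablet OS claimed but no touch points" });
  }
  return issues;
}

// Constructed sample: Firefox on desktop Linux with only the UA string spoofed.
const SPOOFED = {
  userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
  platform: "Linux x86_64", oscpu: "Linux x86_64", maxTouchPoints: 0,
};
// Constructed sample: the same browser with no spoofing.
const HONEST = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
  platform: "Linux x86_64", oscpu: "Linux x86_64", maxTouchPoints: 0,
};
```

An empty result only means these three properties agree with each other; it says nothing about canvas, fonts, screen size or the other signals discussed in the thread.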