Tracking using only css

github.com/jbtronics/CrookedStyleSheets
crookedss.bplaced.net/

I saw this. This is kind of cool in a devious way.

I wonder how CLI browsers like lynx, w3m, elinks deal with this. I'm a little new to them.

They don't. They have custom interpreters for CSS which is even more easily fingerprintable as you can't ever abuse the CSS in them.

Although this brings to mind browsing the web using solely the keyboard so that CSS couldn't track mouse movements on a modern browser. Or you could just install ublock/umatrix and block the CSS.

Duh. Sites already do this for styling differently for mobile devices.

Ah, you know what, you make a point. Come to think about it, umatrix could block it.

If you are using firecucks or a derivative you can change the reported resolution by pressing CTRL+ or CTRL- . It zooms in and out of the screen and changes the reported resolution on the fly. Not sure how you would do this with a phone though.

...

Mozilla will never fix this, because it would make web apps slower. Dynamic content was a mistake.

Click tracking might be useful but hovering is pretty useless. Lots of false positives from people jerking their mouse around or swiping on a phone/tablet (?)

What's worrying is that you can track browser, fonts, and resolution from it. It's more pernicious since turning JS off is a good indicator of someone like us, and worrying about a small, ad- and purchase-unfriendly minority's information is of no practical benefit to the website. Is that spoofed by existing methods?

Tor in windowed mode works.

No way to spoof those except to change your system fonts. I think there was something for linux that lets you spoof fonts but it is a run as root thingy.
You can block, fake, and/or spoof all related functionality and that makes it impossible to track the browser, just lurk moar to learn how.
Change your resolution or use CTRL+ or CTRL- to change it in firecucks.
Really the only thing you can't spoof is fonts and functions related to mozilla.navigator or the chrome counterpart. But you can block those functions from being read/used. Someone should make a webkit and .xpi addon to spoof those.

...

arthuredelstein.github.io/tordemos/media-query-fingerprint.html
Related.
I also wonder why doesn't Tor browser have protection against resizing its window or built-in set of default window sizes like maximized browser on windows 7/10 @ 768p or 1080p / OS X 1600p (OS X has weird "full screen" modes) given the fact that most normies use it that way ignoring the warning even scroll bar width matters, but only can be fingerprinted with javascript.
Or is there a way to fix window size in X-server settings or something like that?
---obligatory 4chan space----
I think this is a proper browser thread. We need to discuss privacy issues on most common browsers and ways to mitigate them instead of screeching "muh boootnet" and installing goynauseam for "muh privacy".
We should address the fact that most web users today are phonecucks and we need to mimic them.
I've also seen a proposal to load all CSS media variables in bulk on Tor mailing list.
Here are some interesting links for those unfamiliar with them:
samy.pl/evercookie/
Profiling audio playback capabilities of your computer:
audiofingerprint.openwpm.com/
ubercookie.robinlinus.com/
Better than panopticlick:
browserleaks.com/
Gives more raw data and less meme scores.
Search engines and lots of sites obfuscate links or add tracking data to them, here is deobfuscator for Google/Yandex search results:
addons.mozilla.org/en-US/firefox/addon/google-search-link-fix/?src=userprofile
However, I think that Google can even put you on a list as user of this extension since lots of sites have Google analytics and it will see you visiting a link from search results without getting data from tracking obfuscation.

Fun thing is that "Tracking protection" built into Firefox is pure botnet (who would have thought).
First: it sends "suspicious links" to Google and Disconnect. Remember that proxy search page for google in Tor browser before duckduckgo became a thing?
Second: it sends "do not track me" http header to websites. You got it right, a website knows when a normie desires not to be tracked.
Third: it acts as poor ad-blocker with outdated malvertising lists from Disconnect.
Then there is such thing as "fraud score", mostly common among people who do webcasino/payment fraud or some shit like that. As you have already guessed, web-casinos have the most advanced ways of automatically detecting their users, they even compare your TCP SYN frame size (unique for different OS-es and kernels) with your browser's UA for example, this is how Windows users (or "smart guys" spoofing their user agent as Windows) with VPN are detected for example, or if your VPN exit has "data center IP" contrary to "residential IP" is a red flag for fraud detection systems too.

I have also noticed that lots of websites either give http 403 error page or straight up reject request (Chinese firewall) when accessing from tor. Does anyone know a way to cope with first use a list of fresh exits not yet included in blocklists those websites usually rely on or automatically refresh circuit until it gets valid answer, but when connection is rejected I somehow can't refresh the circuit, only creating new identity helps.

>addons.mozilla.org/en-US/firefox/addon/google-search-link-fix/?src=userprofile
fuckfuckfuck this is what I was talking about, sites like ebay do this often to track users lurking through site and even users sharing links between each other.
I visited the developer's profile and then clicked link to extension page.

If you are using ff57 google analytics (and the invisible captcha iirc) on amo runs even if your addons say it's blocked, mozilla uses the webextensions api to lie, check the network tab.

Or better yet, fontspecter

This can be faked if you recompile your kernel on *nix with a custom one to imitate winblows.
You can disable javascript or fake this faggot. Just press CTRL+ or CTRL- and it changes in firefucks along with resolution.
Change your audio driver from ALSA to OSS and vice versa. Occasionally use pulseaudio on top of whatever you switch to to trick it ever the more. Or if you want to blend in just run it with pulseaudio enabled all the time. This isn't a big deal as you can't test for silicon peculiarities other than driver version with these techniques.
Get a better VPN or get a better website to browse then.

Load invisible images via CSS element states? I don't think that's widespread, too many people have js enabled for anyone to go to such lengths


This can't be fixed because it's not a bug. CSS is intended to be able to show images. The only solution is the one Thunderbird uses for its emails, just don't load any images.


If you block pseudo elements altogether, you will break almost every website. You could block url content from pseudo elements, but even then you're going to break a lot of shit.
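
Added example, not written by any poster in this thread or by the CrookedStyleSheets project: a stylesheet audit for the pattern discussed above, where a `url()` fetch is gated on an interaction state, pseudo-element content or a media query, so the request itself tells the server the condition was met. The sample CSS and the `tracker.example.invalid` hostname are constructed, and the parser assumes no braces inside CSS strings.

```javascript
// Added example: list url() fetches that only fire when a condition holds.
// Assumes no "{" or "}" inside CSS strings; SAMPLE_CSS below is constructed.
const STATE = /:(hover|active|focus|checked)\b/i;
const PSEUDO_EL = /::?(before|after)\b/i;
const AT_RULE = /^@(media|supports|font-face)\b/i;
const URL_RE = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;

function findConditionalFetches(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // strip comments
  const stack = [];    // preludes (selectors / at-rules) of the open blocks
  const findings = [];
  let buf = "";
  for (const ch of css) {
    if (ch === "{") { stack.push(buf.trim()); buf = ""; continue; }
    if (ch !== "}") { buf += ch; continue; }
    // Closing a block: buf holds its declarations, stack holds its context.
    const reasons = [];
    for (const prelude of stack) {
      if (AT_RULE.test(prelude)) { reasons.push(prelude); continue; }
      const state = prelude.match(STATE);
      const pseudo = prelude.match(PSEUDO_EL);
      if (state) reasons.push("state " + state[0]);
      if (pseudo) reasons.push("pseudo-element " + pseudo[0]);
    }
    for (const m of buf.matchAll(URL_RE)) {
      // data: URIs are inline and never reach a server, so skip them.
      if (reasons.length && !/^data:/i.test(m[2])) {
        findings.push({ url: m[2], selector: stack[stack.length - 1], reasons });
      }
    }
    stack.pop();
    buf = "";
  }
  return findings;
}

const SAMPLE_CSS = `
/* constructed sample; hostnames are placeholders */
body { background: url(/static/bg.png); }
#link1:active::after { content: url("https://tracker.example.invalid/click?id=link1"); }
@media (min-width: 1000px) and (max-width: 1100px) {
  .probe { background-image: url(https://tracker.example.invalid/w?r=1000-1100); }
}
.icon:hover { background: url(data:image/png;base64,AAAA); }
`;

for (const f of findConditionalFetches(SAMPLE_CSS)) {
  console.log(f.selector, "->", f.url, "[" + f.reasons.join("; ") + "]");
}
```

The unconditional `body` background and the inline `data:` image are not reported; only the two fetches that depend on a click state or a viewport width are.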

How do you recompile a kernel of 2-dollar VPS or VPN?
Scaled resolution can be easily measured as it grades by 10%.
Literally 0,0001% of web users depending on website disable JavaScript. It is more profiling than leaving it enabled. Sure, obscure boards like 8ch/tech have a significant amount of visitors with disabled JS or even Tor browser over hidden services, however if we pick something what normies visit, in order to blend in, we have to pretend to look like normies.

Using latest version is not the best solution, since anti-botnet settings are not updated as quickly as dicks in Mozilla's devs' arseholes. ESR is preferable.
Here are some links for further researching into about:config settings:
github.com/pyllyukko/user.js
github.com/The-OP/Fox/blob/master/header.md (slavrunes, beware)
kb.mozillazine.org/About:config_entries
kb.mozillazine.org/Category:Preferences
I also discourage from using IceCat since instead of simply re-licensing Firefox which is not really needed, it also adds its own snowflake add-ons that affect your fingerprint in unpredictable ways. Even disabling default browser home phoning might affect your OPSEC because your VPN hoster/ISP will notice this change in browser behavior.

Thought of this shit long ago.
You can even do server-side fingerprinting and tracking of sites browsed by feeding them identifiable images assuming cache is turned on.

Why do they need to be invisible. Either way they can see in their logs if it was requested or not.

I don't see how you would actually record this information without some PHP or whatever server-side language you want to use.

They don't use the vast majority of CSS, so I doubt this would even register with them.

It could load everything that could be lazy-loaded by css initially.

Is that you, Jim? Is tracking users with identifiable image names not reliable enough for ya?

This would increase load times tremendously, you have no idea how gigantic CSS files or "suites" are nowadays. I would also assume that it goes against the grain of how optimized CSS engines work

I asked for this

why do you need to pretend though?
any real life use cases?

Don't use VPS's that use a shared kernel, like OpenVZ. Use KVM.

Guys please, next time let's build a WWW that runs on static HTML only?

You can use gopher. It basically only allows a small amount of server-side scripting, and nothing on the client.
The guy that runs gopher.su tried to make a chan with it, but it's not well-suited for that. Might as well just run an NNTP server, or a BBS.