Possible Future Privacy Enhancement: Filter fonts/ disguise Shumway as original flash

[yoshimo]

I did a quick test of my browser uniqueness on https://panopticlick.eff.org
Quite a big chunk of identifying bits were discovered via flash .

"System Fonts 19.21 bits
1 in 604390 visitors has that font list" (via Flash)

It might be worth filtering down that list to make it more generic and less unique for each user.

Same is true for the plugin list that can also be remotely discovered.
I don't think we should list Shumway as Shumway, but as "Adobe Flash < official last secure version>"
Diffrences here, will either break a few flash sites that exspect a "proper" Adobe string and fail to accept diffrences, and/or will make a browser more unique as you can already see in the font example.

[tschneidereit]

That's an important point, thanks for bringing it up!

It shouldn't matter for the cases where we distribute Shumway with the
browser, as then, theoretically at least, Shumway shouldn't expose any
identifying information that isn't readily available anyway.

At the very least, though, a careful evaluation is certainly in order.

[yurydelendik]

1 in 604390 visitors has that font list" (via Flash)

Font detection can be done without Flash or Java, see http://pomax.nihongoresources.com/downloads/fonttest/

I don't think we should list Shumway as Shumway, but as "Adobe Flash < official last secure version>"

If Shumway works in click-to-play mode, there original native plugins string can be used. Otherwise there is a discussion about adding "fake" plugins entry, see https://bugzilla.mozilla.org/show_bug.cgi?id=867626#c12