Experiment - How I try to defeat fingerprinting with abrowser

WARNING - THESE STEPS WILL BREAK MANY/MOST, OR POSSIBLY ALL WEBSITES THAT YOU VISIT. THIS IS JUST AN EXPERIMENT, DON'T TRY THESE STEPS UNLESS YOU HAVE A LOT OF TIME TO WASTE AND DON'T MIND BREAKING YOUR BROWSING EXPERIENCE

Sorry in advance that this is overly long - please don't spend time reading or trying any of this unless you have a particular interest in overcoming browser fingerprinting. If this is an area of interest for you, I'd really like to hear about your methods for overcoming fingerprinting in the replies. I could probably learn more from you than you could from me in that case.

This is an experiment I've been trying when running abrowser to defeat or spoof attempts at fingerprinting. I used these steps with a vpn - without a vpn, I personally think there are other ways my IP would be tracked. I did not try these steps with the Tor Browser - the Tor Browser is supposed to be used exactly as it is downloaded, so that everyone has the same setup and my instance "blends in" with all other Tor instances.

These steps seem to defeat almost all fingerprinting attempts, but in so doing my browser is unique. However, due to the randomness that will be used with the fingerprint spoofing, my personal opinion is that my browser will be very hard to track. But if someone were watching for a browser that looked like something a spy would use, my lack of any fingerprints will probably stand out. The trouble for them will be figuring out how to track my browser.

First steps, I change some settings in about:config to prevent fingerprinting and tracking and tighten up against data leakage.

1. Type about:config in the URL bar, agree to the "Accept the Risk" warning. Change the following values.
2. Require 'Safe Negotiation' for SSL
security.ssl.require_safe_negotiation = true
3. Disable TLS 1.0 and disable TLS 1.1
security.tls.version.min = 3
4. Disable 0 round trip time to better secure my forward secrecy
security.tls.enable_0rtt_data = false
5. Disable Automatic Formfill
browser.formfill.enable = false
6. Disable disk caching
browser.cache.disk.enable = false
browser.cache.disk_cache_ssl = false
browser.cache.memory.enable = false
browser.cache.offline.enable = false
7. Disable some of the telemetery processes that were not already disabled by abrowser
toolkit.telemetry.archive.enabled = false
toolkit.telemetry.bhrping.enabled = false
toolkit.telemetry.firstshutdownping.enabled = false
toolkit.telemetry.newprofileping.enabled = false
toolkit.telemetry.unified = false
toolkit.telemetry.updateping.enabled = false
toolkit.telemetry.shutdownpingsender.enabled = false
8. Disable WebGL, which allows direct access to my GPU
webgl.disabled = true
9. Disable TLS false start
security.ssl.enable_false_start = false

Install some mozilla addons (these have various free software licenses)
1. Ublock origin, for ad-blocking and to prevent tracking: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
2. Decentraleyes - "prevents a lot of requests from reaching networks like Google Hosted Libraries": https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/
3. NeatURL - "cleans URLs, removing parameters such as Google Analytics' utm parameters": https://addons.mozilla.org/en-US/firefox/addon/neat-url/
4. AudioContext Fingerprint Defender: https://addons.mozilla.org/en-US/firefox/addon/audioctx-fingerprint-defender/
5. Chameleon - User Agent spoofer and fingerprinting spoofer: https://sereneblue.github.io/chameleon/
6. (optional) - I also use either the Noscript addon (https://addons.mozilla.org/en-US/firefox/addon/noscript/) or the umatrix addon (https://addons.mozilla.org/en-US/firefox/addon/umatrix/?src=search) to give me more control over blocking scripts, iframes, ads, other items that web sites try to run on my browser. There is a steep learning curve with these two addons, and noscript seems to me to be the easier of the two to use. They break a lot of websites and require a lot of user interaction.

Set up Chameleon
Note - Chameleon also breaks a few websites which try to be more "secure" by tracking and fingerprinting their users. I found that especially one banking website did not like to have all my browser data randomly spoofed. My only choice was to stop using that certain website because they are so hostile to their users in the name of so-called security. Other users may find that this is too disruptive to their work flow.
1. Chameleon is controlled by clicking on its green lizard head icon on the abrowser add-on toolbar.
2. Along the left side are a few icons that are like "tabs". The 2nd icon down is a globe, which I use first. This is my 'Profile' tab, and I select a 'Random' profile, with changes every 10 minutes. Clicking on the Windows, MacOS, Linux, iOS, and Android words brings up sub-tabs, which have User Agent IDs that can be spoofed for different OS versions and different web browsers. I hit 'Exclude' for everything on the MacOS, iOS, and Android sub-tabs, as those User Agents will cause some websites to deliver content to me in a way that doesn't fit my screen well. Under 'Linux', I allow all the User Agents, and under 'Windows', I allow all but the "Windows Explorer 11" and "Edge 84" User Agents. I also exclude any User Agents from Windows 8 and Windows 8.1, since these versions of Windows are in very low usage and would make my browser stand out pretty badly.
3. The next tab down the left-hand side of the Chameleon screen is the <> tab. Here, I enable a several options: 'Prevent e-tag tracking', 'Spoof Accept Language', 'Spoof X-forwarded-For/via IP', and 'Disable Referer'. Some websites will not work with 'Disable Referer' enabled.
3. The next tab along the left-hand side is the Settings tab.
4. Under the 'Injection' sub-tab, I enable 'Spoof Media Devices', 'Limit Tab History', 'Protect Keyboard Fingerprint' with a setting of '1', 'Protect Window Name', 'Spoof Audio Context', 'Spoof Client Rects', and 'Spoof Font Fingerprint'. I select a screen size that's a bit smaller than my normal screen, and I allow my timezone to be 'Default' to match the location of my VPN server (otherwise it looks unique to have a VPN server in Switzerland but a time zone in Hawaii). The 'Protect Keyboard Fingerprint' setting sometimes changes the rate at which my key presses show up on the screen, so it can be a bit distracting. But I've learned to ignore it. For some people, I can imagine this would be intolerable.
5. Under the 'Standard' sub-tab of the 'Settings' tab, I enable the following options 'Enable 1st Party Isolation', 'Enable Resist Fingerprinting', and 'Disable WebRTC'. On Websockets, I select 'Block 3rd Party'.
6. Under the 'Cookie' sub-tab of the 'Settings' tab, I select 'Delete Cookies and site data after window is closed', and 'Reject 3rd Party Cookies'

All finished. Now, I go to the following website: deviceinfo.me
This website will test a very large number of fingerprinting and tracking aspects of my browser. Here's today's results:
1. It thinks my abrowser running on Trisquel is actually Firefox 80 running on Windows 7
2. Thinks I am in another part of the world because of my VPN
3. Could not detect anything about my Language
4. Canvas Fingerprinting is spoofed
5. AudioContext Fingerprinting is spoofed
6. It cannot detect my speakers, microphone, webcam, graphics card, RAM, Battery Status, Bluetooth status, Device Orientation (Tilt of the laptop), Device Rotation, Addons, WebRTC, Screen size, browser window size

There's still some things I would like to be able to disable or spoof like my TLS/SSL version and my encryption Cipher, but I'll have to educate myself further. It's very possible that spoofing these items would break secure web browsing completely. Probably the best bet for these items is to make sure I am using the versions that are most frequently in use, and "blend in" to the crowd.

-----------------------------------------------

Sorry, this is overly long. As I said at the beginning of the post, this is an experiment, and I doubtless will learn more and change a lot of the above steps as I move forward. This isn't terribly useful for doing a lot of online banking or visiting sites that make heavy use of javascript - the time spent trying to figure out which specific defense to disable to get them working is usually not worth the trouble.

Please leave anything that you've learned about defending against fingerprinting in the replies. I'd really like to learn from you. Thanks!