Editing data (specifically browser fingerprints) before it is sent to the server?


I have been studying browser fingerprinting for a while and have garnered some knowledge in that area. A demo of browser fingerprinting can be found at panopticlick.eff.org. However, one concern of mine is how easily they can be manipulated, or so I think. From what I understand there are 2 ways in which they can be manipulated.

1. Manipulating them directly

This is a given, to change the fingerprint, you just spoof the values in your browser that such fingerprinting scripts collect. For example, you can spoof:

a) User-Agent strings among other headers.

b) JS elements and APIs, by using Object.defineProperty to edit their values

c) More specific methods of fingerprinting like Canvas fingerprinting by installing an extension that manipulates the fingerprint

and so on...

This method, however, is not very effective against active fingerprinting methods such as WebGL-fingerprinting as they can't be spoofed easily.

But the second method is a little more interesting, and disappointingly, there isn't much info on whether it is plausible or not.

2. Editing the data before it is sent to the server

So basically, after the script has collected all the information, it either (I am guessing here) creates a hash there-and-then and sends it to the server, or it sends data to the server and a hash is created there. Now if I am determined to defeat the browser fingerprinting on a particular site, for malicious purposes, all I have to do is fire up an application like Fiddler, find the (presumably) POST through which data is being sent to the server, and edit the data. For those who don't know what Fiddler is, it's an app that routes all requests and responses made through your network from a proxy, so you can view and edit any request before sending it to the browser/server. Seems easy enough.

My Questions

Now, because I don't have much knowledge in all the request-response stuff, it makes me doubt my Method 2. So finally what I want to ask is:

1) Is my knowledge about how browser fingerprints are sent to the server correct? i.e., via POST. I believe it should be because that's the only way you can transfer data to the server?

2) If it is possible, then what kind of counter-measures can sites implement (or have implemented) to make sure that data isn't being altered before it's sent to the server, or at the very least, make it harder for it to be done?

3) Is there a sure-fire way to catch such methods?

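Added example, not part of the original question: a server-side consistency check for the scenario in Method 2, where the collected data is edited in a proxy before it reaches the server. The field names (attrs, hash, userAgent, platform), the UA/platform table and the sample submissions are all constructed for illustration; the server recomputes the hash itself and compares what the script reported with the headers it actually received.

```javascript
// Added example: server-side checks on a submitted fingerprint.
// Field names (attrs, hash, userAgent, platform) are hypothetical.
const { createHash } = require('crypto');

// Hash the raw attributes in a canonical key order, on the server.
function serverHash(attrs) {
  const canonical = Object.keys(attrs).sort()
    .map((k) => `${k}=${attrs[k]}`).join('\n');
  return createHash('sha256').update(canonical).digest('hex');
}

// Constructed heuristic: OS token in the UA string vs. navigator.platform prefix.
const UA_PLATFORM = [
  [/Windows NT/, /^Win/],
  [/Macintosh/, /^Mac/],
  [/Android/, /^Linux/],
];

// Returns the list of inconsistencies found in one submission.
function checkSubmission(headers, body) {
  const findings = [];
  const attrs = body.attrs || {};
  const ua = String(attrs.userAgent || '');
  const platform = String(attrs.platform || '');
  // A client-supplied hash is only a claim: recompute it from the raw data.
  if (body.hash !== serverHash(attrs)) findings.push('hash-mismatch');
  // What the script reported vs. the header this request arrived with.
  if (ua !== headers['user-agent']) findings.push('ua-header-mismatch');
  // Internal consistency between two reported attributes.
  for (const [uaRe, platRe] of UA_PLATFORM) {
    if (uaRe.test(ua) && !platRe.test(platform)) findings.push('ua-platform-mismatch');
  }
  return findings;
}

// Constructed sample data: one untouched submission, one edited in transit.
const WIN_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0';
const MAC_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:115.0) Gecko/20100101 Firefox/115.0';
const honestAttrs = { userAgent: WIN_UA, platform: 'Win32', timezone: 'UTC+1' };
const honest = { headers: { 'user-agent': WIN_UA },
                 body: { attrs: honestAttrs, hash: serverHash(honestAttrs) } };
// Only userAgent in the body was changed; header, platform and hash were left as sent.
const edited = { headers: { 'user-agent': WIN_UA },
                 body: { attrs: { ...honestAttrs, userAgent: MAC_UA }, hash: honest.body.hash } };

console.log(checkSubmission(honest.headers, honest.body));
console.log(checkSubmission(edited.headers, edited.body));
```

Each finding is a signal to weigh, not proof: the client controls both the browser and the request, so the server can check a submission for consistency but cannot verify that it was unmodified.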