In practice, User-Agent strings (which are just HTTP headers) have been shown to be pretty effective at uniquely identifying and tracking most people. So even disabling JavaScript and Cookies only goes so far.


Source? Because the only information contained in user-agent strings in modern browsers are browser version (realistically limited to vendor since browsers auto-update) and operating system version. So basically all you're going to get is (Chrome/Firefox/Edge/Internet Explorer/Safari on Windows/Linux/Mac), which isn't much.


It's more than just the browser, it's the exact, EXACT version of the browser which can be very revealing if you're not updating your browser (almost) every day. For example: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36


I can't speak for Chrome or Safari, but Firefox's UA is pretty sparse:

Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0

This is a totally custom, self-compiled build--and there is absolutely no reflection of that in the UA. Also note that the Mozilla/5.0 and Gecko/20100101 fields are frozen and are only there because sites break if they're not there.


>It's more than just the browser, it's the exact, EXACT version of the browser which can be very revealing if you're not updating your browser (almost) every day

Is there a reason why you don't have auto-update enabled in your browser?

Also, auto-updaters don't apply updates right away, so as long as you're not a few versions behind the latest, you will blend into the crowd.


Even without JavaScript or cookies, HTTP request headers can reveal a lot of unique entropy:

  * Browser
  * Browser version
  * OS
  * OS version
  * Machine architecture such as x86, x86-64, or ARM
  * User locale
  * IP address
  * DNT flag

Trackers can also tag clients with unique cookie-like ETag or Cache-Control values that clients will return in future HTTP requests.


A quick Wikipedia search turns up more fields [1]. Although some of these fields are not 100% accurate due to historical reasons (I'm looking at you, IE). I'd bet there are a couple other data points they gather via JS to fingerprint.

Example:

Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405

1. https://en.m.wikipedia.org/wiki/User_agent


I compared two Chrome versions and it seems that most of the version numbers there are static.

    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2979.0 Safari/537.36
    Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.10 Safari/537.36

As for iOS 10, it's pretty sparse as well.

    Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1

It's slightly worse than Windows because it probably discloses your device type, but there are tens (hundreds?) of thousands of users for each iPhone variant.


Good read here.[1] An example could be using your installed fonts. Like I was saying they probably use a bunch of other JS tricks. These 3rd parties aren't going to disclose anything.



Due to how the site takes into account ALL user-agent strings ever collected, it overestimates how unique a user-agent string is. Realistically, at a given point in time, there are only a few dozen user-agent strings in widespread use (due to how few bits of information actually get put into it). Unless you're using a special snowflake browser/operating system you should be fine.
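The header-entropy list above and the comment about overestimated uniqueness are both claims about how many identifying bits plain request headers carry. As an added illustration, written for this page and not by any commenter, the following Python measures that on a constructed population of header tuples (the client counts are invented): surprisal per client and Shannon entropy of the fingerprint, first with the User-Agent collapsed to major versions, then the full string, then combined with Accept-Language and DNT.

```python
import math
import re
from collections import Counter

# Constructed (User-Agent, Accept-Language, DNT, client count) rows; counts are invented, not measured.
POPULATION = [
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/60.0.3112.113 Safari/537.36", "en-US,en;q=0.5", "1", 400),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/60.0.3112.101 Safari/537.36", "en-US,en;q=0.5", "1", 300),
    ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/40.0.2214.85 Safari/537.36", "en-US,en;q=0.5", None, 1),  # stale build quoted upthread
    ("Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0",
     "en-US,en;q=0.5", "1", 150),
    ("Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0",
     "de-DE,de;q=0.8", "1", 3),
    ("Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 "
     "(KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1", "en-US,en;q=0.5", None, 146),
]

def major_version_ua(ua):
    """Collapse each 'Product/1.2.3.4' token to 'Product/1': the granularity an
    auto-updating population shares within a few weeks of a release."""
    return re.sub(r"/(\d+)\.[\d.]+", r"/\1", ua)

# Fingerprint definitions, coarse to fine.
def key_major_ua(ua, lang, dnt): return major_version_ua(ua)
def key_full_ua(ua, lang, dnt): return ua
def key_all_headers(ua, lang, dnt): return (ua, lang, dnt)

def distribution(key_func):  # clients per fingerprint value
    counts = Counter()
    for ua, lang, dnt, n in POPULATION:
        counts[key_func(ua, lang, dnt)] += n
    return counts

def surprisal_bits(key_func, ua, lang, dnt):
    """Identifying bits for one client: -log2(fraction of clients sharing its value)."""
    counts = distribution(key_func)
    return -math.log2(counts[key_func(ua, lang, dnt)] / sum(counts.values()))

def entropy_bits(key_func):
    """Shannon entropy of the fingerprint distribution: average bits per client."""
    counts = distribution(key_func)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

if __name__ == "__main__":
    for name, f in [("major UA", key_major_ua), ("full UA", key_full_ua), ("UA+lang+DNT", key_all_headers)]:
        print(f"{name:12s} distinct={len(distribution(f))} entropy={entropy_bits(f):.2f} bits")
```

The stale Chrome/40 client stands out at about 10 bits (1 in 1000) under every key, while the two Chrome/60 builds become one crowd once versions are collapsed to the major number.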


I misspoke when I said it was simply User-Agent - they appear to be fingerprinting based on other items such as installed fonts, etc. I believe when they say it's unique, it means "unique", not "reasonably uncommon". And if that's the case, it's been up for years and has never encountered a system exactly like my current one. I'm on a very popular Linux distro used by most of my co-workers at a mid-size company, and I have the same set of work-related plugins installed as all of them, plus LastPass and Ad Block Pro. So not mainstream by any means, but also not going out of my way to be a snowflake, either.


Maybe the next frontier in browser anti-tracking is to stop sending a User-Agent header, or to build in functionality like one of the browser add-ons that randomly pretend to be different browsers.
