Highest Rated Comments


NAN00127 karma

Nope. Don't try to appear incognito in a crowd by wearing a ski mask.

Today, some privacy-conscious users may resort to tweaking multiple settings and installing a broad range of extensions that together have the paradoxical effect of facilitating fingerprinting - simply by making their browsers considerably more distinctive, no matter where they go. There is a compelling case for improving the clarity and effect of a handful of well-defined privacy settings as to limit the probability of such outcomes.

Source: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/client-identification-mechanisms#TOC-Lower-level-protocol-identifiers

For people who think that changing their user-agent string or using private browsing makes them anonymous online, beware: it really makes you easy to detect! Rather than becoming anonymous, these "fake anonymous" steps make you appear even more unique. If you really want to be anonymous, it is better to tell the truth and blend into the crowd. (It kind of reminds me of the old joke: All you non-conformists are alike.)

Source: http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html

Sometimes, technologies intended to enhance user privacy turn out to make fingerprinting easier. Extreme examples include many forms of User Agent spoofing [...] and Flash blocking browser extensions [...] The paradox, essentially, is that many kinds of measures to make a device harder to fingerprint are themselves distinctive unless a lot of other people also take them.

Source: https://panopticlick.eff.org/static/browser-uniqueness.pdf Note: Flash is now obsolete and disabled on many configurations, so it's worth it to disable it.

Also

even with privacy blockers, sites can still track you based on your browser fingerprint

I don't know what you mean exactly by "privacy blocker", but if you're referring to the Disconnect/Ghostery/µBlocko fleet, then blocked sites cannot track you because there is no connexion to them in the first place.

Maybe you wanted to say that even with cookies disabled, sites can still track you based on your browser fingerprint.

Please keep in mind that browser uniqueness tests such as Panopticlick or amiunique.org operate on a tiny subset of configurations (people who have taken the test), and being identified as unique on these websites doesn't mean that you're unique in the large-scale databases kept by big web companies.

My recommendations are:

I recommend RequestPolicy, which is based on a whitelist instead of a blacklist. It'll break the web. You'll need to manually study what requests are necessary to make a site work properly and whitelist them. If you're not ready for that, I suggest sticking to µBlock Origin, but that's a butterfingers.

As for the fingerprints, just blend into the crowd. Don't use some exotic browser, don't download 3000 extensions, don't tinker with settings nobody knows about. Don't do something unless everybody else does it too.
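An added illustration of the argument in the comment above (not code from the thread, from Panopticlick or from any of the quoted sources): it measures the identifying information of a configuration as surprisal, -log2 of the share of browsers showing it, next to the size of its anonymity set. All fingerprints and counts are constructed, and the large database is assumed to have the same proportions as the test site.

```python
import math

# Constructed fingerprints: (user agent, Do Not Track header, extension footprint).
STOCK = ("stock UA", "DNT unset", "no extensions")
BLOCKER = ("stock UA", "DNT unset", "ad blocker")
BLOCKER_DNT = ("stock UA", "DNT: 1", "ad blocker")
SPOOFED = ("spoofed UA", "DNT unset", "no extensions")
TWEAKED = ("spoofed UA", "DNT: 1", "ad blocker + script blocker + canvas blocker")

# Constructed counts: browsers seen by a small test site (10,000 visitors).
TEST_SITE = {STOCK: 6000, BLOCKER: 3000, BLOCKER_DNT: 900, SPOOFED: 99, TWEAKED: 1}
# Assumption: a large-scale database with the same proportions, 10,000x the size.
LARGE_DB = {fp: n * 10_000 for fp, n in TEST_SITE.items()}


def anonymity_set(fp, observed):
    """Number of observed browsers sharing this exact fingerprint."""
    return observed.get(fp, 0)


def surprisal_bits(fp, observed):
    """Identifying information of the full fingerprint: -log2 of its share."""
    count = anonymity_set(fp, observed)
    if count == 0:
        raise ValueError("fingerprint never observed; its share is unknown")
    return -math.log2(count / sum(observed.values()))


def attribute_bits(fp, observed):
    """Surprisal of each attribute value taken on its own."""
    total = sum(observed.values())
    bits = []
    for i, value in enumerate(fp):
        sharing = sum(n for other, n in observed.items() if other[i] == value)
        if sharing == 0:
            raise ValueError(f"attribute value {value!r} never observed")
        bits.append(-math.log2(sharing / total))
    return bits


if __name__ == "__main__":
    for name, fp in (("stock", STOCK), ("tweaked", TWEAKED)):
        for label, db in (("test site", TEST_SITE), ("large db", LARGE_DB)):
            print(f"{name:8} {label:10} set={anonymity_set(fp, db):>11,} "
                  f"bits={surprisal_bits(fp, db):5.2f}")
    print("tweaked, per attribute:",
          [round(b, 2) for b in attribute_bits(TWEAKED, TEST_SITE)])
```

With these constructed numbers the tweaked configuration carries about 13.3 bits against 0.7 for the stock one. It is alone on the test site, while the same share of the larger database is a set of 10,000 browsers.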

NAN00114 karma

What is your opinion on Mozilla's project to redirect all of Firefox' DNS queries to Cloudflare? Can CF really be more trusted than ISPs?

NAN0013 karma

Our second effort focuses on building a default configuration for DoH servers that puts privacy first.

...

Imagine calling up your residential ISP and asking them to agree to an audit that demonstrates they do not log your IP address on their DNS server. And then repeating the process for your favorite coffee shop, library, friend’s house — anywhere you and your browser go to connect.

...

Firefox improves user privacy by default by finding good partners, establishing legal agreements that put privacy first, and eventually shipping a default configuration we believe is best.

https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/

Sorry, I might have been extrapolating a bit, but they clearly intend to eventually default to DoH and to some cloud-based servers for that. Cloudflare being the partner for experiments puts them first in the candidates list for that. Schneier's answer holds for any Mozilla partner, should Cloudflare eventually not be retained.

NAN0011 karma

I don't see how advancement on a specific release changes anything about their communicated roadmap.