Comment Not entirely clear. (Score 5, Insightful) 194
Depending on what you mean by 'block', there may or may not be a properly satisfactory answer:
'Block' as in 'make this specific mechanism fail' is the relatively easy question. If the attacker can't manipulate a canvas element and read the result, it won't work. So the usual javascript blockers or more selective breaking of some or all of the canvas element (the TOR browser apparently already does this for methods that can be used to read back the contents of a canvas element, so you can still draw on one but not observe your handiwork) will do the job.
Unfortunately the attacker doesn't actually care about making your browser draw a picture, they care about achieving as accurate a UID as they can. Given that, you might actually make yourself more distinctive if your attempt to break a given fingerprinting mechanism succeeds. In the case of the TOR browser, for instance, attempts to read a canvas will always be handled as though the canvas is all opaque white. This does prevent the attacker from learning anything useful about font rendering peculiarities or other quirks of your environment's canvas implementation; but it's also a behavior that, for the moment at least, only the TOR browser has. Relatively uncommon. Possibly less common than the result that you'd receive from an unmodified browser.
That's the nasty thing about fingerprinting attacks. Fabricating or refusing to return many types of identifying information is relatively easy (at least once you know that attackers are looking for them); but unless you lie carefully, your fake data may actually be less common (and thus more trackable) than your real data.
'Block' as in 'make this specific mechanism fail' is the relatively easy question. If the attacker can't manipulate a canvas element and read the result, it won't work. So the usual javascript blockers or more selective breaking of some or all of the canvas element (the TOR browser apparently already does this for methods that can be used to read back the contents of a canvas element, so you can still draw on one but not observe your handiwork) will do the job.
Unfortunately the attacker doesn't actually care about making your browser draw a picture, they care about achieving as accurate a UID as they can. Given that, you might actually make yourself more distinctive if your attempt to break a given fingerprinting mechanism succeeds. In the case of the TOR browser, for instance, attempts to read a canvas will always be handled as though the canvas is all opaque white. This does prevent the attacker from learning anything useful about font rendering peculiarities or other quirks of your environment's canvas implementation; but it's also a behavior that, for the moment at least, only the TOR browser has. Relatively uncommon. Possibly less common than the result that you'd receive from an unmodified browser.
That's the nasty thing about fingerprinting attacks. Fabricating or refusing to return many types of identifying information is relatively easy (at least once you know that attackers are looking for them); but unless you lie carefully, your fake data may actually be less common (and thus more trackable) than your real data.