How do I hide the OS I am using from internet sites?
It is not currently possible to hide the type of OS from a website.
A solution against general fingerprinting and obtaining more specific information about your system is to use Tor Browser with the security slider set to high (in order to disable JavaScript). It is designed with fingerprint resistance in mind, attempting to look identical to all other instances of the browser. It provides resistance in several ways:
Unlike a regular connection or a VPN, Tor exposes the network stack of the exit node, not of your own computer, so you do not have to mess with advanced TCP option mangling firewalls or modify low-level networking code in your operating system.
With JavaScript disabled, system-specific behavior like high resolution math libraries (certain trigonometry functions give unique results for each operating system) and data formatting functions (which format the data in an OS-specific way).
The user agent is standardized. There is no way to know what the underlying system is from just the user agent itself. Changing the user agent randomly makes you stand out as one of the few people doing it, so using a standard one is preferred.
The default window size is standardized, so CSS and JS functions which obtain the window size cannot guess your operating system based on things like the size of your task bar.
However, the task of preventing the general type of operating system from being known is currently impossible, even on Tor Browser. A list of whitelisted fonts is provided in order to prevent font rendering exploitation or font fingerprinting, but the whitelist is different for Linux, OSX, and Windows due to needing to use system fonts. There is currently no way around this. Until you find a way to provide system fonts without revealing what type of operating system you are using, you'll have no luck.
Also note that EFF's Panopticlick is only meant to bring awareness to the issue of fingerprinting. It is extremely limited in what signatures it looks for, and does not analyze a representative sample. You should instead look into https://amiunique.org/, which was designed from the current most extensive research into browser fingerprinting.
How does fingerprinting work in general?
While it is not possible to hide the general class of operating system you are running, you can make it so that you blend in with the so-called "anonymity set". A list of ways you can fingerprint a browser, with some notes, in case it is helpful:
TCP/IP stack fingerprinting - The TCP protocol provides some extra extensions changing its behavior such as window size (unrelated to browser window size), max segment size (MSS), time-to-live (TTL), and others. It is also padded by a nop option which does nothing but make sure the size of the options is consistent. Different classes of operating systems use different values. Linux for example sets the TTL to 64, whereas Windows uses 255. Additionally, the order of these options and where the nops are inserted differs from OS to OS.
Generic settings exposed by the browser - Certain things like the order of headers and the headers themselves can uniquely identify a browser. This includes things like the system locale, DNT status, cookie status, etc. This is effectively all EFF's Panopticlick looks for, and a small subset at that.
WebGL fingerprinting - When certain types of hardware acceleration are enabled, the browser gets low-level access to your GPU. By telling the GPU to generate certain 3D shapes with special graphical properties (textures, light, transparency, etc) and applying various transforms to it and then hashing the resulting pixmap, quirks unique to your specific GPU can be identified. This allows a browser to be identified regardless of the operating system it is run as.
Audiocontext fingerprinting - Similar to WebGL fingerprinting, the browser can be told to generate triangle wave audio, then compress it, then increase gain and hash the resulting audio buffer. This hash will be unique to your system, regardless of what you have booted into. There is no need for the audio to actually be played for this to work.
Timezone fingerprinting - The system's timezone as set in environmental variables is available via JavaScript.
Math library fingerprinting* - When certain trigonometry functions are used, such as calculating the sin of the value 10, the system's math library is called, and this differs for each OS. It will likely be the same among classes of operating systems.
Canvas fingerprinting** - By generating a visual canvas element and hashing it, results unique to your browser can be obtained.
Window size fingerprinting** - The CSS @media elements can be used to selectively load resources based on the (often unique) size of the browser window. A website can create a large number of resources and see which ones your browser loads to tell the window size.
Font list fingerprinting - Your font list is often fairly unique, and differs between different OSes. As mentioned earlier, there is no practical way to avoid this. Keeping a list of whitelisted system fonts reduces the fingerprinting accuracy to the general class of OS you are running.
Date format fingerprinting* - If you call Date().toLocaleFormat() in the browser, the output string will depend on the operating system you are using. The output on Linux, OSX, and Windows 7 respectively is "Thu 26 Mar 2015 03:43:35 PM EDT", "Thu Mar 26 15:38:55 2015", and "Thursday, March 26, 2015 3:45:01 PM".
Virtual core fingerprinting* - The hardwareConcurrency JavaScript feature can be used to automatically spawn a number of threads for performance. By starting with one and increasing it gradually, while giving the browser a CPU-heavy workload, the number of virtual cores can be guessed based on the point at which more threads no longer improve performance.
* Tor Browser only mitigates these if JavaScript is disabled.
** Tor browser mitigates these with help from the user, so the user must follow its recommendations.
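The anonymity-set argument in the answer above, worked through as an added example that is not part of the original answer: it measures how many visitors share a given attribute vector and how many identifying bits that vector reveals. The visitor records, attribute names and function names are constructed for illustration.

```javascript
// Constructed sample of attribute vectors a site might log; all values are
// illustrative placeholders, not real browser strings.
const hardened = (fonts) => ({ ua: "standard", win: "1000x1000", tz: "UTC", fonts });
const visitors = [
  hardened("windows-whitelist"), hardened("windows-whitelist"),
  hardened("windows-whitelist"), hardened("linux-whitelist"),
  hardened("linux-whitelist"), hardened("osx-whitelist"),
  { ...hardened("linux-whitelist"), ua: "random-7f3a" }, // randomised user agent
  { ua: "vendor-a", win: "1920x1040", tz: "America/New_York", fonts: "windows+office" },
  { ua: "vendor-b", win: "1440x823", tz: "Europe/Berlin", fonts: "osx+adobe" },
  { ua: "vendor-a", win: "1366x728", tz: "America/New_York", fonts: "windows-default" },
];

// Number of visitors indistinguishable from `profile` on the given attributes.
function anonymitySet(population, profile, attrs) {
  return population.filter((v) => attrs.every((a) => v[a] === profile[a])).length;
}

// Identifying information, in bits, revealed by those attributes: -log2(k/N).
function surprisalBits(population, profile, attrs) {
  const k = anonymitySet(population, profile, attrs);
  if (k === 0) throw new Error("profile is not part of the population");
  return -Math.log2(k / population.length);
}

// Per-attribute and combined figures for one visitor.
function fingerprintReport(population, profile) {
  const attrs = Object.keys(profile);
  const perAttribute = {};
  for (const a of attrs) perAttribute[a] = surprisalBits(population, profile, [a]);
  return {
    perAttribute,
    setSize: anonymitySet(population, profile, attrs),
    totalBits: surprisalBits(population, profile, attrs),
  };
}

const standard = fingerprintReport(visitors, visitors[3]); // hardened, Linux fonts
const spoofed = fingerprintReport(visitors, visitors[6]);  // same, random user agent
console.log(standard, spoofed);
```

In this sample the six standardized visitors are indistinguishable until the font whitelist is considered, which splits them by OS class, and the visitor with the randomised user agent ends up in a set of one.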
So, there is different information leaking when requesting a website (from the user agent, the source port of your TCP connection to the TTL on your TCP packets).
A few good steps in the right direction are:
- Changing your user-agent string that is sent with every request with your browser,
- disable JavaScript and other script languages,
- use a multi-platform browser,
- use a TCP stack that does not allow to identify the operating system.
While the last point is hard to do without changing the operating system, the others are “just” reducing usability.
The biggest impact might be caused by the change of the user-agent string, because that is often logged by web servers, yet disabling scripting languages will have a big impact as well.
As the comments point out, hiding your operating system is not the same as gaining privacy; the opposite is the case. While a proxy server might fix most of this, there is no good way to gain privacy without losing a lot of comfort. Cookies and JavaScript make it easy to identify you and to disable them renders the web a pretty useless place.
The EFF (Electronic Freedom Frontier) have produced a "how unique is my web configuration" page for several years, https://panopticlick.eff.org
You can see just how unique you are. The results will be quite worrying I suspect.
A Web Server will usually try and attempt to understand which OS you are using by using a browser fingerprint.
They possibly can use some JavaScript code that exploits known issues with, say, Windows 7 and HTML, or Mac and some other HTML calls.
The Web server could also use a cookie that identifies you from an earlier session, or could try and IP range guess (although that seems a little unlikely as NAT for clients is much more widespread).
This issue has been around for at least the past 3 years, and there have been quite a few reports suggesting some commercial websites do this to alter the pricing.
Please see https://www.cnet.com/news/mac-users-pay-more-than-pc-users-says-orbitz/
It suggests Mac users are charged more (approx. $30) than Windows users; I am guessing that the cost of Mac hardware indicates more disposable income.
Finally if you want to download and confuse Web Servers, the wonderful wget command line utility will allow you to fake your connection.
You can get more on this at http://www.danielmayor.com/how-to-fake-a-browser-connection-with-wget