by rvern 4198 days ago
I doubt it is possible to determine the exact version, or even the browser (though the accept headers might leak it), without JavaScript. Thus NoScript fixes that problem.

You are right that this gives more information to a determined person, but anyone who pushes fingerprinting to the point of detecting a user’s browser version and other characteristics through JavaScript will certainly be able to identify you uniquely anyway. In such a case, it doesn’t matter that this person has more or less information, since he can already identify you; and having a generic user agent makes people who only look at it know less about you.

1 comments

It's possible to differentiate the major browsers and operating systems without JavaScript, and even the versions can be narrowed down without JavaScript even with user agent spoofing.

p0f, for example, can do this.

http://lcamtuf.coredump.cx/p0f3/

I didn’t know packets leaked this much information… Thank you for mentioning this.

One of the less obvious things is that the fact you're using a VPN may be leaked on a TCP session by the MTU/MSS values.
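
To make concrete what the thread means by packets leaking information, here is an added example (not part of the thread and not p0f's code) that reads the fields of a single TCP SYN that no User-Agent change affects: TTL, window size, option order, and the MSS from which the sender's MTU can be estimated. The packet is constructed inline; `build_syn`, `syn_signature`, `path_hint`, the option short names and the "ethernet"/"reduced"/"larger" labels are assumptions of this example.

```python
import struct

OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def build_syn(ttl, mss):
    """Constructed sample: IPv4 + TCP SYN, documentation addresses, checksums left 0."""
    opts = (struct.pack("!BBH", 2, 4, mss) + b"\x04\x02"
            + struct.pack("!BBII", 8, 10, 1, 0) + b"\x01" + b"\x03\x03\x07")
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      (5 + len(opts) // 4) << 4, 0x02, 64240, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp

def syn_signature(pkt):
    """Return the header fields of one SYN that do not depend on the User-Agent."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 else 0
    tcp = pkt[ihl:]
    end = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if end < 20 or end > len(tcp) or tcp[13] & 0x12 != 0x02:
        raise ValueError("not a well-formed initial SYN")
    sig = {"ttl": pkt[8], "window": struct.unpack("!H", tcp[14:16])[0],
           "mss": None, "wscale": None}
    # Initial TTL guess: round the observed TTL up to a common default.
    sig["ittl"] = next(t for t in (32, 64, 128, 255) if pkt[8] <= t)
    layout, i = [], 20
    while i < end:
        kind = tcp[i]
        layout.append(OPT_NAMES.get(kind, f"?{kind}"))
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            raise ValueError("malformed TCP option")
        if kind == 2 and tcp[i + 1] == 4:
            sig["mss"] = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        elif kind == 3 and tcp[i + 1] == 3:
            sig["wscale"] = tcp[i + 2]
        i += tcp[i + 1]
    sig["olayout"] = ",".join(layout)
    return sig

def path_hint(sig):
    """MSS + 40 (IPv4 and TCP headers, no options) approximates the sender's MTU."""
    if sig["mss"] is None:
        return None, "no MSS option"
    mtu = sig["mss"] + 40
    return mtu, "ethernet" if mtu == 1500 else "reduced" if mtu < 1500 else "larger"
```

An MSS of 1460 maps back to a 1500-byte Ethernet MTU, while a smaller value such as 1380 shows that some encapsulation on the sender's path has reduced the MTU.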