until there's a significant number of people doing the same thing, you're simply "that guy in <insert geoip lookup city here> with the randomized UA", and you're infinitely more fingerprintable than just about anybody else on the internet. got to EFF's panopticlick to see how unique your fingerprint is. using an iPad with up-to-date software gets me the same fingerprint as about 18000 other people in my geoip region, i haven't been able to do better than that yet.
if your other browser properties don't match the UA though, you're still showing up as a unique fingerprint. You'll be the guy with an IE8 UA sending an accept:image/webp header, or the guy with a Safari UA who's following link prefetching instructions that are only valid in chrome, or something else that makes you unique.
or my personal favourite: sending the do-not-track header, something that only a small number of people send that makes you much easier to fingerprint.
The combination of UA and accept headers need to be changed in sync. Good point - any other things like that that should be watched out for?
And DNT is currently at around ~8%, so, although it does leak some information, it doesn't leak an absurd amount (~3.6 bits). (That's using data from here [1], which is FF-only. If you have a better source of data for this, please let me know.)
Any number of things can out you as a fake. Whether or not the request's Accept-Encoding has sdch, can help you figure out if something's Chrome.
You can also abuse parsing quirks to figure out which rendering engine's being used, or just try to use request-generating features that shouldn't be present in whatever browser you're saying you are (<svg>, <video>, styling on engine-specific psuedoelements, etc.)
Here's an example[1] using just HTML+CSS that will request a different image depending on whether you use a webkit or gecko derivative. If you use neither, no image will be requested. Someone who says they're Chrome but requests Firefox's image is immediately outed as a liar.
I believe Mario Heiderich also posted some stuff using webkit's styleable scrollbars that could be used for fingerprinting screen sizes and how large certain elements are when rendered.
The list goes on, but my point is that fingerprinting at the rendering / layout engine level is trivial, so you're better off being legitimately ordinary if you're worried about fingerprinting.
Are your headers in the correct order for the given UA?
Correct capitalisation for the given UA?
Correct accept for the given UA?
Correct white space around or between values for the given UA?
It is far better to appear to be the same as everyone else if you want to be anonymous (i.e. to browse on an iPad) than it is to do anything to try and not be tracked.
Anonymity today is to be invisible within the crowd, not to stand out as you are the only sheep that is shorn.
In Bulgaria, we had a joke about our communist president Todor Zhivkov, who was supposedly hiding from the fascists in the forests. So, the joke was that he was hiding... but nobody was looking for him, because he hasn't done anything to get their attention. Anyway, trying to "hide" is "security by obscurity". It's like your defense being hiding your SSN from your computer, when other weaker systems can already be exploited and your SSN could be stolen from them. Whatever you have to hide, it's already kept somewhere else in most cases. Instead, find a defense strategy that does not depend on obscurity - this is the only defense.
And my UA string is randomized (unless I override it for a particular site), so that doesn't do anything either.
I wish someone could come up with a plugin that allowed a "safe" subset of JS to run without consent, though.