Saltar al contenido principal
en/blog/obscura/research/conclusions/

obscura/research/conclusions

6 min read

Meta-Conclusion (2026-07-08)

After comprehensive analysis of browser fingerprinting examining FingerprintJS (44 vectors), BrowserLeaks (15+ tools), EFF Cover Your Tracks, network-layer fingerprints (TCP, TLS, HTTP/2, QUIC), and hardware-level vectors the following conclusions inform Obscura's design.


Vector Inventory Summary

Category Total Vectors Proxy-Controllable Partial Uncontrollable
Network & Protocol 13 3 6 4
HTTP & Headers 12 11 1 0
JavaScript / DOM APIs 44 29 13 2
Browser Features ~100+ 0 ~10 ~90+
System & Hardware 15 6 4 5
Behavioral 8 1 4 3
Total Distinct ~60+ unique ~50 ~38 ~100+

Realistic coverage: Proxy controls ~55% of fingerprint surface. Remaining ~45% are hardware, behavioral, or inherent browser features.


Impact Assessment by Layer

Layer 1: Network & Protocol HIGH IMPACT, Controllable

Vector Controllable Priority for Obscura Method
TLS fingerprint (JA3/JA4) Yes Critical utls (Go) / custom Rust TLS
HTTP/2 fingerprint Partial High Custom SETTINGS frame control
HTTP headers (12 vectors) Yes High Header rewrite at proxy
DNS Yes High Local resolver + blocklists
WebRTC IP leak Yes High JS injection to block RTCPeerConnection
TCP/IP stack No Low Container's stack inherited
QUIC/HTTP/3 Block Medium Block UDP 443
Timing attacks Partial Low Round performance.now()

Layer 2: JavaScript APIs MEDIUM IMPACT, Partially Controllable

29 vectors fully spoofable via JS injection:

  • navigator.userAgent, platform, language, languages
  • navigator.hardwareConcurrency, deviceMemory
  • screen.width, height, colorDepth, pixelDepth, availTop/Left
  • navigator.cookieEnabled, webdriver
  • Intl.DateTimeFormat timezone
  • navigator.vendor, vendorFlavors
  • navigator.architecture, pdfViewerEnabled
  • Apple Pay, Private Click Measurement
  • Media queries (prefers-reduced-motion, color-gamut, etc.)
  • localStorage, sessionStorage, indexedDB, openDatabase

13 vectors partially spoofable:

  • Canvas noise injection is detectable
  • WebGL can block debug_renderer_info, not rendering
  • Audio can flatten output, hardware variation remains
  • Fonts can round measurements, not eliminate enumeration
  • Plugins can override, but limited
  • DOM blockers detectable

2 vectors unspoofable:

  • Math FPU fingerprint hardware floating-point behavior
  • Audio base latency hardware audio stack

Layer 3: Browser Features LOW IMPACT, Uncontrollable

~100+ feature support tests (WebGL, WebGPU, WebUSB, Service Workers, etc.) are inherent to the browser. Cannot be changed at proxy level.

Mitigation: DNS blocking of known fingerprinting domains prevents many feature-detection scripts from loading.

Layer 4: Hardware & System LOW IMPACT, Uncontrollable

GPU model, CPU features, audio hardware, keyboard layout, installed fonts these are local system properties the proxy cannot modify.

Layer 5: Behavioral OUT OF SCOPE

Mouse movements, keystroke dynamics, scroll patterns, session duration behavioral biometrics are outside any proxy's control.


Key Findings

1. TLS Fingerprint Spoofing is Non-Negotiable

If Obscura terminates TLS (required for MITM), the server sees the proxy's TLS stack. Without spoofing, the destination immediately detects a proxy is in use. This is the single most critical feature.

2. Internal Consistency is Mandatory

Every signal must match the same profile:

Profile: "Chrome 120 / Windows 11"
   User-Agent: Chrome 120 on Win11
   Sec-CH-UA-Platform: "Windows"
   JA3: Chrome 120 Win11
   HTTP/2 SETTINGS: Chrome's values
   timezone: matches Win11 locale
   screen: typical Win11 resolution
   platform: "Win32"

Inconsistency is itself a fingerprint.

3. DNS Blocking is Highest ROI

Blocking fingerprintjs.com, *.metrics.*, and tracking domains prevents the fingerprinting scripts from loading at all. This is the simplest and most effective protection.

4. Canvas/WebGL/WebGPU are the Hard Problems

These render on local hardware. The proxy can:

  • Block the debug info APIs (GPU model hidden)
  • Inject noise into canvas output (detectable by comparison)
  • Not control the actual pixel rendering

Tor Browser solves this by making all users identical (breaks WebGL entirely). Obscura cannot match this at network level.

5. QUIC/HTTP/3 Must be Blocked

QUIC is encrypted end-to-end. If allowed, traffic bypasses the proxy entirely. Block UDP 443.

6. WebRTC Must be Blocked

WebRTC bypasses the proxy via STUN. Block via JS injection RTCPeerConnection override.


Design Principles


  1. Consistency over comprehensiveness: A smaller set of perfectly consistent signals beats broad but inconsistent protection.



  2. Block over spoof: If a vector cannot be reliably spoofed (canvas, audio), block it rather than leaking partial data. Blocking is detectable but leaks less information.



  3. Defense in depth: DNS blocking (stops scripts from loading) + header spoofing (HTTP layer) + TLS spoofing (transport layer) + JS injection (browser API layer) each layer adds protection.



  4. Fail closed: When uncertain, block. Always prefer privacy loss prevention over functionality.



  5. Regular profile updates: Browsers release new versions monthly, changing fingerprints. Profiles must be updated or Obscura becomes detectable.



  6. Profile diversity: Different profiles for different contexts (work, personal, incognito-like) prevents cross-context correlation.



Scope for Obscura v1

[MVP]
 HTTP header spoofing          (all headers, 12 vectors)   
 TLS fingerprint spoofing      (JA3/JA4 via utls)          
 DNS blocking                  (blocklist management)      
 WebRTC blocking               (JS injection)              
 Navigator API spoofing        (29 JS vectors)             
 QUIC blocking                 (UDP 443 drop)              
 3-5 identity profiles         (Chrome, Firefox, Safari)   
 Web UI                        (TS + CSS, profile mgmt)    

[Post-MVP]
 Canvas noise injection         (best effort)              
 WebGL debug_info blocking      (partial)                  
 AudioContext blocking          (partial)                  
 HTTP/2 fingerprint spoofing    (custom SETTINGS)          
 Custom profile editor          (UI feature)               
 Traffic statistics             (dashboard)                
 Font enumeration reduction     (measurement rounding)     

Final Assessment

Aspect Verdict
Viability Viable as a meaningful privacy enhancement
Definitiveness Not definitive no tool can be
Uniqueness Unique no existing network-level multi-layer anti-fingerprint tool
Vector Coverage ~55% controllable, ~45% outside scope
Maintenance Medium-High TLS/HTTP profiles need updates
Performance Impact Low-Medium MITM adds latency
User Experience High transparent to end devices
Deployment Simple Docker container, configure once

Final Word


Obscura is worth building as a practical privacy layer that significantly raises the cost of fingerprinting, not as a silver bullet. Its unique value is network-wide, multi-layer protection without per-device configuration something no existing tool provides.



"Perfect privacy is impossible. Meaningful privacy is not."