A Technical Analysis of Hardware, Behavioral, and Inherent Browser Signals That Cannot Be Spoofed at the Network Layer
Obscura Research July 2026
Abstract
Network-level privacy tools like Obscura can effectively spoof HTTP headers, TLS fingerprints, DNS queries, and JavaScript-accessible browser properties. However, a significant class of fingerprinting vectors operates below, above, or outside the proxy's reach. These vectors derive from physical hardware characteristics, browser implementation details, user behavior patterns, and the inherent asymmetry of the detection arms race.
This paper catalogs these uncontrollable vectors, analyzes their strengths and weaknesses from an attacker's perspective, and proposes mitigation strategies both within Obscura's scope and through complementary tools.
1. Introduction
1.1 The Proxy Gap
Obscura operates at OSI Layers 3-7 (network to application). Signals that originate at:
- Layer 0-2 (physical hardware, GPU, audio chip, CPU)
- Layer 7+ (browser rendering engine, user behavior)
- Cross-layer inconsistencies (mismatches between spoofed and unspoofed signals)
...are outside the proxy's direct control.
1.2 Classification
| Category | Vectors | Root Cause | Proxy Leverage |
|---|---|---|---|
| GPU/Hardware | Canvas, WebGL, WebGPU rendering | Physical rendering pipeline | None |
| Audio Hardware | AudioContext, latency | Audio DSP, drivers | None |
| CPU/Platform | Math precision, Wasm features, SIMD | Microarchitecture | None |
| Browser Inherent | Feature support, CSS media, bugs, quirks | Engine implementation | None (DNS blocking only) |
| Behavioral | Mouse, keystrokes, scroll, timing | User | None |
| Network Residual | TCP/IP, clock skew, RTT | OS/container stack | Partial |
| Cross-Layer | Profile inconsistency, detection heuristics | Logic | Indirect |
1.3 The Asymmetry Problem
The fundamental asymmetry: the fingerprinting service needs only one successful vector to identify or correlate a user. The defender must block all vectors.
This paper does not claim to solve this asymmetry. It documents the residual risk.
2. GPU & Rendering Pipeline Fingerprinting
Full document: gpu-rendering.md
2.1 Why It Works
The GPU rendering pipeline is physically deterministic the same input always produces the same output on the same hardware. Differences arise from:
- GPU microarchitecture (ALU count, rasterizer units, TMUs, ROPs)
- Driver version and compiler optimizations
- Floating-point precision differences in shaders
- Anti-aliasing algorithms
- Subpixel rendering order (RGB vs BGR)
- Color space conversion matrices
2.2 Vectors
| Vector | Entropy | Detectable if Blocked |
|---|---|---|
Canvas toDataURL() hash |
~5-7 bits | Yes |
WEBGL_debug_renderer_info.UNMASKED_RENDERER |
~20 bits (exact GPU model) | Yes |
| WebGL scene render hash | ~10-15 bits | Yes |
WebGPU adapterInfo (vendor, arch, device, driver) |
~25+ bits | Yes |
| WebGPU limits (50+ numeric capabilities) | ~30+ bits | Yes |
| WebGL extension list | ~8-12 bits | Yes |
2.3 Attacker Advantages
- No network dependency: Rendering is local, no request needed
- Hardware-locked: Cannot be changed without different hardware
- Cross-browser: Same GPU produces similar fingerprints across Chrome/Firefox/Safari
- Passive: User cannot tell they are being fingerprinted
2.4 Weaknesses (from attacker's perspective)
- Blocking is easy for the user: Firefox flags
privacy.resistFingerprintingandCanvasBlockerwork - Tor Browser defeats it: Software rendering (SwiftShader) normalizes all output
- Driver updates change the fingerprint: Periodic instability
- Noise injection works: CanvasBlocker's random pixel injection breaks repeatability
- Statistical detection of tampering is imperfect: Attackers can only guess whether noise is injected
2.5 Proposed Mitigations
| Mitigation | Effectiveness | Impact | Implementation |
|---|---|---|---|
| Block WebGL/WebGPU entirely | High | Breaks 3D content | JS injection |
| Canvas noise injection | Medium-High | Detectable | JS injection (CanvasBlocker algorithm) |
| Consistent random per-session noise | Medium | Session correlation possible | JS injection |
Block WEBGL_debug_renderer_info |
Medium | Blocks GPU model leak | JS injection |
| Software GPU rendering (SwiftShader) | Very High | Massive perf hit | Client-side only (Tor Browser) |
| Round canvas dimensions to grid | Low | Reduces entropy | JS injection |
Best Obscura can do: Block + noise injection via JS. Cannot match Tor Browser's software rendering.
3. Audio Hardware Fingerprinting
Full document: audio-hardware.md
3.1 Why It Works
Audio processing involves:
- Audio driver implementation (ALSA, PulseAudio, PipeWire, CoreAudio, WASAPI)
- Hardware DAC/ADC characteristics
- Sample rate conversion algorithms
- Dynamics compression behavior
- Audio buffer handling
These produce consistent, measurable differences in oscillator output and compressor behavior.
3.2 Vectors
| Vector | Entropy | Notes |
|---|---|---|
AudioContext getChannelData on DynamicsCompressor output |
~8-12 bits | Most common |
| AudioContext base latency | ~4-6 bits | Hardware-dependent |
| Sample rate support | ~2-3 bits | Varies by hardware |
| Max channel count | ~1-2 bits | Stereo vs surround |
3.3 Attacker Advantages
- Consistent across sessions: Same hardware same audio fingerprint
- Hard to detect tampering: The site can compare multiple reads
- Works in background: No user interaction needed
3.4 Weaknesses
- DynamicsCompressor behavior changes across browser versions
- Can be blocked entirely (Firefox resistFingerprinting blocks AudioContext)
- Flattening output is detectable but cannot be distinguished from real hardware with identical behavior
3.5 Proposed Mitigations
| Mitigation | Effectiveness | Impact |
|---|---|---|
| Block AudioContext entirely | High | Breaks audio-dependent apps |
| Flatten compressor output (return all -100dB) | Medium | Detectable pattern |
| Inject periodic noise into output buffer | Medium-High | Complex, detectable |
| Override sample rate to fixed value | Low | Only one signal |
Best Obscura can do: Block AudioContext via JS injection.
4. CPU & Platform Fingerprinting
Full document: cpu-platform.md
4.1 Why It Works
The CPU is the most fundamental system component. Its behavior is deterministic and measurable from JavaScript:
- Floating-point arithmetic precision (IEEE 754 compliance varies slightly)
performance.now()resolution (depends on hardware timer, OS)- Wasm-based feature detection (SIMD, AES-NI, AVX, BMI1/BMI2, POPCNT)
- Cache timing side channels (though mitigated in browsers)
- WebAssembly execution speed (relative performance benchmark)
4.2 Vectors
| Vector | Entropy | Notes |
|---|---|---|
| Math fingerprint (FPU precision) | ~4-6 bits | Subtle, surprisingly identifying |
| Wasm feature detection | ~8-12 bits | CPU capabilities |
performance.now() resolution |
~2-3 bits | OS/CPU dependent |
navigator.hardwareConcurrency |
~3-4 bits | Core count (Spoofable via JS) |
4.3 Attacker Advantages
- Hardware-locked: CPU features don't change
- Wasm is fast: Binary feature detection in <1ms
- Cannot be spoofed at proxy level: Wasm runs locally
4.4 Weaknesses
performance.now()precision reduced in browsers (1ms 100s 5s see-saw)- Wasm feature detection depends on browser exposing it
hardwareConcurrencyis spoofable via JS already listed as controllable- Math fingerprint is very low entropy only useful in combination
4.5 Proposed Mitigations
| Mitigation | Effectiveness | Impact |
|---|---|---|
Reduce performance.now() precision via JS |
Low | Attackers use Wasm timing |
| Block Wasm entirely | High | Breaks many sites |
Override hardwareConcurrency |
High | Trivial via JS injection |
| Accept math FPU fingerprint | None | Too low entropy alone |
Best Obscura can do: Accept or block Wasm (drastic).
5. Inherent Browser Features & Implementation Quirks
Full document: browser-features-quirks.md
5.1 Why It Works
Each browser engine (Blink, Gecko, WebKit) has a unique set of:
- Supported Web APIs (100+ binary features)
- CSS property support
- Implementation bugs and quirks
- Default settings (font size, scrollbar width, form styling)
- Unicode rendering behavior
- Emoji support version
5.2 Vectors
| Vector | Entropy | Notes |
|---|---|---|
| Feature support vector (~100 features) | ~10-15 bits | Highly correlated |
| CSS rendering quirks | ~5-8 bits | Engine-specific |
| Unicode/emoji rendering | ~3-5 bits | OS+browser dependent |
| Scrollbar width | ~2-3 bits | OS-dependent |
| Default font metrics | ~4-6 bits | OS+browser dependent |
5.3 Attacker Advantages
- Cannot be changed: These are inherent to the browser/OS
- No permission needed: No user consent required
- Hard to block: Blocking features changes the feature vector itself
5.4 Weaknesses
- Mainly identifies browser family + version, not individual users
- Low entropy within same browser version (all Chrome 120 users look similar)
- Feature detection scripts can be DNS-blocked before they load
5.5 Proposed Mitigations
| Mitigation | Effectiveness | Impact |
|---|---|---|
| DNS block fingerprinting script domains | High | Stops feature enumeration entirely |
| Accept low individual entropy | Passive | May still correlate with other signals |
| Patch browser (not proxy-level) | Very High | Requires custom browser build |
Best Obscura can do: DNS blocking of known fingerprinting domains.
6. Behavioral Biometrics
Full document: behavioral-biometrics.md
6.1 Why It Works
User behavior patterns are highly individual:
- Mouse movement trajectories (speed, acceleration, jitter)
- Keystroke dynamics (key hold time, inter-key intervals, error patterns)
- Scroll patterns (speed, acceleration, pause behavior)
- Touch gestures (on mobile: swipe angle, pressure, speed)
- Reading patterns (scroll-then-pause rhythm)
- Click/tap timing and location preferences
6.2 Vectors
| Vector | Entropy | Notes |
|---|---|---|
| Keystroke dynamics | ~15-25 bits | Highly individual |
| Mouse movement | ~10-20 bits | Less stable over time |
| Scroll behavior | ~8-12 bits | Content-dependent |
| Touch gestures | ~12-18 bits | Mobile-specific |
6.3 Attacker Advantages
- Continuous authentication: Not a snapshot, but ongoing
- Hard to fake: Mimicking another user's behavior is extremely difficult
- No JS API restriction: All readable from JS event listeners
6.4 Weaknesses
- Requires significant user interaction: Cannot fingerprint passively
- High variance: Behavior changes with mood, fatigue, context
- Long collection time: Needs minutes of interaction
- Machine learning required: Simple hashing doesn't work
- Easily disrupted: Any script that interferes with timing breaks it
6.5 Proposed Mitigations
| Mitigation | Effectiveness | Impact |
|---|---|---|
| Block mouse/touch event listeners via JS override | Medium | Breaks interactive sites |
| Inject synthetic timing noise | Low | Can be filtered out |
| Use Tor Browser for high-sensitivity sessions | Very High | Most practical solution |
| Accept behavioral is narrow-context | Passive | Only works on logged-in sessions |
Best Obscura can do: Very limited. Tor Browser is the practical solution.
7. Residual Network-Level Fingerprints
Full document: residual-network.md
7.1 Why It Works
Even with TLS and HTTP spoofing, residual network signals remain:
- TCP/IP stack parameters (inherited from container OS)
- Network round-trip time (RTT) and its variance
- MTU path discovery
- Packet TTL (reveals approximate hop count)
- Clock skew between client and server
- HTTP/3 QUIC transport parameters (if not blocked)
7.2 Vectors
| Vector | Entropy | Notes |
|---|---|---|
| TCP window size | ~2-4 bits | Container OS-specific |
| Initial TTL | ~1-2 bits | 64 vs 128 |
| RTT + variance | ~5-8 bits | Network path-dependent |
| Clock skew | ~4-8 bits | Hardware clock drift |
| HTTP/2 SETTINGS (if unspoofed) | ~6-10 bits | Proxy library-specific |
7.3 Attacker Advantages
- Always present: Network signals are unavoidable
- Can be combined: Cross-referencing multiple weak signals increases entropy
- Stable: Network path changes infrequently
7.4 Weaknesses
- Low individual entropy: TCP/IP alone rarely identifies
- Shared container environment: Multiple users behind same container look similar
- TLS spoofing eliminates the most identifying signal
7.5 Proposed Mitigations
| Mitigation | Effectiveness | Impact |
|---|---|---|
| TLS fingerprint spoofing (JA3/JA4 via utls) | Very High | Critical for Obscura |
| HTTP/2 SETTINGS mirroring | High | Complex implementation |
| Normalize TCP parameters | None | Container inherits host |
| Route through VPN/Tor upstream | High | Changes network characteristics |
Best Obscura can do: TLS + HTTP/2 spoofing. TCP/IP is accepted.
8. Detection of Proxy & Spoofing Inconsistencies
Full document: proxy-detection.md
8.1 Why It Works
The act of spoofing creates detectable patterns:
- Profile inconsistency: Chrome User-Agent + Go TLS stack + Win32 platform + non-Windows fonts
- Missing signals: Blocked APIs (WebGL returns null) create a unique "blocked" fingerprint
- Timing anomalies: MITM adds measurable latency
- Certificate fingerprints: Self-signed CA certificates are detectable
- Header normalization: Overly clean/consistent headers (real browsers have variation)
- JavaScript override detection:
Object.getOwnPropertyDescriptor()can detectObject.definePropertyoverrides
8.2 Detection Techniques
| Technique | What It Detects | Reliability |
|---|---|---|
| TLS fingerprint mismatch | Proxy software vs claimed browser | Very High |
| Feature blocking | Privacy tool usage | High |
| JS override detection | Injected scripts | Medium |
| Certificate inspection | MITM proxy | High |
| Timing analysis | Proxy latency | Medium |
| Cross-signal correlation | Profile inconsistency | Very High |
8.3 Attacker Advantages
- Spoofing increases detectable surface: The more you change, the more there is to detect
- Statistical analysis: Comparing against large datasets reveals anomalies
- Machine learning: Can find patterns humans miss
8.4 Weaknesses
- Detection is probabilistic, not deterministic
- False positives: Legitimate browser updates look like spoofing
- Privacy tools are used by millions: Being detected as "privacy user" is not unique
- Cat-and-mouse: Override detection can be countered by deeper overrides
8.5 Proposed Mitigations
| Mitigation | Effectiveness | Impact |
|---|---|---|
| Perfect profile consistency | Very High | Requires continuous profile updates |
| Leak some real signals | Counterintuitive | Makes profile look more natural |
| Use real CA certificate | Medium | Avoids self-signed CA detection |
| Round timing instead of removing | Medium | Less suspicious than zero latency |
| Don't block spoof instead | High | Harder to detect than blocking |
Best Obscura can do: Rigorous profile consistency testing and continuous updates.
9. The Aggregation Problem
9.1 Individual vs Combined Entropy
A crucial insight: individual uncontrollable vectors have low entropy alone, but combined they become identifying.
Where is individual entropy and accounts for dependencies between vectors.
For uncontrollable vectors alone (GPU + Audio + CPU + Features + Network + Behavioral):
This is enough to uniquely identify a user among ~.
9.2 Implications
- Even perfect proxy spoofing of controllable vectors is insufficient if the uncontrollable ones remain
- DNS blocking is critical: It prevents the fingerprinting library from seeing the uncontrollable vectors
- Defense in depth: Each blocked vector reduces the aggregate entropy
10. Proposed Research Directions
10.1 Short-term (Obscura v1)
- Perfect profile consistency: Automated validation tools
- DNS blocklist maintenance: Fingerprinting domain feed
- Canvas noise injection: Algorithm from CanvasBlocker
- WebGL/WebGPU debug info blocking: JS injection
- AudioContext blocking: JS injection
10.2 Medium-term
- Machine learning for anomaly detection: Detect when Obscura's modifications create detectable patterns
- Adaptive profile selection: Choose the profile that best matches the user's real hardware (don't claim Safari on Windows)
- Graceful degradation: Fall back to less aggressive spoofing if detection risk is high
10.3 Long-term / Out of Scope
- Browser modification: Custom browser build that normalizes fingerprints (Tor Browser approach)
- Hardware-level GPU normalization: Driver-level rendering interception
- Behavioral obfuscation: AI-generated mouse/keyboard patterns
- Quantum-resistant fingerprinting: Future-proofing against new techniques
11. Conclusion
The uncontrollable vectors documented here represent the fundamental limit of network-level anti-fingerprinting. No proxy can fully eliminate them because they derive from:
- Physics: GPU rendering, audio processing, clock drift
- Biology: User behavior patterns
- Engineering: Browser implementation choices
Obscura's approach is pragmatic:
- Control what can be controlled (headers, TLS, DNS, JS APIs) ~55% of surface
- Block what cannot be spoofed (canvas, audio, WebGL) prevents observation
- Accept the residual risk document and monitor
The alternative perfect protection requires Tor Browser, which achieves it by normalizing every signal at the cost of functionality, performance, and convenience. Both approaches have their place.
References
- Acar, G. et al. (2014). "The Web Never Forgets: Persistent Tracking Mechanisms in the Wild." CCS 2014.
- Mowery, K. & Shacham, H. (2012). "Pixel Perfect: Fingerprinting Canvas in HTML5." WOOT 2012.
- Eckersley, P. (2010). "How Unique Is Your Web Browser?" PETS 2010.
- Englehardt, S. & Narayanan, A. (2016). "Online Tracking: A 1-million-site Measurement and Analysis." CCS 2016.
- Tor Browser Design Document (2024). "The Design and Implementation of the Tor Browser."
- FingerprintJS (2026). "Browser Fingerprinting Techniques." fingerprintjs.com.
- FoxIO (2024). "JA4: TLS Client Fingerprinting." GitHub.
- Laperdrix, P. et al. (2020). "Browser Fingerprinting: A Survey." ACM TOIT.