Saltar al contenido principal
en/blog/obscura/research/uncontrollable/index/

obscura/research/uncontrollable/index

15 min read

A Technical Analysis of Hardware, Behavioral, and Inherent Browser Signals That Cannot Be Spoofed at the Network Layer

Obscura Research July 2026


Abstract

Network-level privacy tools like Obscura can effectively spoof HTTP headers, TLS fingerprints, DNS queries, and JavaScript-accessible browser properties. However, a significant class of fingerprinting vectors operates below, above, or outside the proxy's reach. These vectors derive from physical hardware characteristics, browser implementation details, user behavior patterns, and the inherent asymmetry of the detection arms race.

This paper catalogs these uncontrollable vectors, analyzes their strengths and weaknesses from an attacker's perspective, and proposes mitigation strategies both within Obscura's scope and through complementary tools.


1. Introduction

1.1 The Proxy Gap

Obscura operates at OSI Layers 3-7 (network to application). Signals that originate at:

  • Layer 0-2 (physical hardware, GPU, audio chip, CPU)
  • Layer 7+ (browser rendering engine, user behavior)
  • Cross-layer inconsistencies (mismatches between spoofed and unspoofed signals)

...are outside the proxy's direct control.

1.2 Classification

Category Vectors Root Cause Proxy Leverage
GPU/Hardware Canvas, WebGL, WebGPU rendering Physical rendering pipeline None
Audio Hardware AudioContext, latency Audio DSP, drivers None
CPU/Platform Math precision, Wasm features, SIMD Microarchitecture None
Browser Inherent Feature support, CSS media, bugs, quirks Engine implementation None (DNS blocking only)
Behavioral Mouse, keystrokes, scroll, timing User None
Network Residual TCP/IP, clock skew, RTT OS/container stack Partial
Cross-Layer Profile inconsistency, detection heuristics Logic Indirect

1.3 The Asymmetry Problem

The fundamental asymmetry: the fingerprinting service needs only one successful vector to identify or correlate a user. The defender must block all vectors.

This paper does not claim to solve this asymmetry. It documents the residual risk.


2. GPU & Rendering Pipeline Fingerprinting

Full document: gpu-rendering.md

2.1 Why It Works

The GPU rendering pipeline is physically deterministic the same input always produces the same output on the same hardware. Differences arise from:

  • GPU microarchitecture (ALU count, rasterizer units, TMUs, ROPs)
  • Driver version and compiler optimizations
  • Floating-point precision differences in shaders
  • Anti-aliasing algorithms
  • Subpixel rendering order (RGB vs BGR)
  • Color space conversion matrices

2.2 Vectors

Vector Entropy Detectable if Blocked
Canvas toDataURL() hash ~5-7 bits Yes
WEBGL_debug_renderer_info.UNMASKED_RENDERER ~20 bits (exact GPU model) Yes
WebGL scene render hash ~10-15 bits Yes
WebGPU adapterInfo (vendor, arch, device, driver) ~25+ bits Yes
WebGPU limits (50+ numeric capabilities) ~30+ bits Yes
WebGL extension list ~8-12 bits Yes

2.3 Attacker Advantages

  • No network dependency: Rendering is local, no request needed
  • Hardware-locked: Cannot be changed without different hardware
  • Cross-browser: Same GPU produces similar fingerprints across Chrome/Firefox/Safari
  • Passive: User cannot tell they are being fingerprinted

2.4 Weaknesses (from attacker's perspective)

  • Blocking is easy for the user: Firefox flags privacy.resistFingerprinting and CanvasBlocker work
  • Tor Browser defeats it: Software rendering (SwiftShader) normalizes all output
  • Driver updates change the fingerprint: Periodic instability
  • Noise injection works: CanvasBlocker's random pixel injection breaks repeatability
  • Statistical detection of tampering is imperfect: Attackers can only guess whether noise is injected

2.5 Proposed Mitigations

Mitigation Effectiveness Impact Implementation
Block WebGL/WebGPU entirely High Breaks 3D content JS injection
Canvas noise injection Medium-High Detectable JS injection (CanvasBlocker algorithm)
Consistent random per-session noise Medium Session correlation possible JS injection
Block WEBGL_debug_renderer_info Medium Blocks GPU model leak JS injection
Software GPU rendering (SwiftShader) Very High Massive perf hit Client-side only (Tor Browser)
Round canvas dimensions to grid Low Reduces entropy JS injection

Best Obscura can do: Block + noise injection via JS. Cannot match Tor Browser's software rendering.


3. Audio Hardware Fingerprinting

Full document: audio-hardware.md

3.1 Why It Works

Audio processing involves:

  • Audio driver implementation (ALSA, PulseAudio, PipeWire, CoreAudio, WASAPI)
  • Hardware DAC/ADC characteristics
  • Sample rate conversion algorithms
  • Dynamics compression behavior
  • Audio buffer handling

These produce consistent, measurable differences in oscillator output and compressor behavior.

3.2 Vectors

Vector Entropy Notes
AudioContext getChannelData on DynamicsCompressor output ~8-12 bits Most common
AudioContext base latency ~4-6 bits Hardware-dependent
Sample rate support ~2-3 bits Varies by hardware
Max channel count ~1-2 bits Stereo vs surround

3.3 Attacker Advantages

  • Consistent across sessions: Same hardware same audio fingerprint
  • Hard to detect tampering: The site can compare multiple reads
  • Works in background: No user interaction needed

3.4 Weaknesses

  • DynamicsCompressor behavior changes across browser versions
  • Can be blocked entirely (Firefox resistFingerprinting blocks AudioContext)
  • Flattening output is detectable but cannot be distinguished from real hardware with identical behavior

3.5 Proposed Mitigations

Mitigation Effectiveness Impact
Block AudioContext entirely High Breaks audio-dependent apps
Flatten compressor output (return all -100dB) Medium Detectable pattern
Inject periodic noise into output buffer Medium-High Complex, detectable
Override sample rate to fixed value Low Only one signal

Best Obscura can do: Block AudioContext via JS injection.


4. CPU & Platform Fingerprinting

Full document: cpu-platform.md

4.1 Why It Works

The CPU is the most fundamental system component. Its behavior is deterministic and measurable from JavaScript:

  • Floating-point arithmetic precision (IEEE 754 compliance varies slightly)
  • performance.now() resolution (depends on hardware timer, OS)
  • Wasm-based feature detection (SIMD, AES-NI, AVX, BMI1/BMI2, POPCNT)
  • Cache timing side channels (though mitigated in browsers)
  • WebAssembly execution speed (relative performance benchmark)

4.2 Vectors

Vector Entropy Notes
Math fingerprint (FPU precision) ~4-6 bits Subtle, surprisingly identifying
Wasm feature detection ~8-12 bits CPU capabilities
performance.now() resolution ~2-3 bits OS/CPU dependent
navigator.hardwareConcurrency ~3-4 bits Core count (Spoofable via JS)

4.3 Attacker Advantages

  • Hardware-locked: CPU features don't change
  • Wasm is fast: Binary feature detection in <1ms
  • Cannot be spoofed at proxy level: Wasm runs locally

4.4 Weaknesses

  • performance.now() precision reduced in browsers (1ms 100s 5s see-saw)
  • Wasm feature detection depends on browser exposing it
  • hardwareConcurrency is spoofable via JS already listed as controllable
  • Math fingerprint is very low entropy only useful in combination

4.5 Proposed Mitigations

Mitigation Effectiveness Impact
Reduce performance.now() precision via JS Low Attackers use Wasm timing
Block Wasm entirely High Breaks many sites
Override hardwareConcurrency High Trivial via JS injection
Accept math FPU fingerprint None Too low entropy alone

Best Obscura can do: Accept or block Wasm (drastic).


5. Inherent Browser Features & Implementation Quirks

Full document: browser-features-quirks.md

5.1 Why It Works

Each browser engine (Blink, Gecko, WebKit) has a unique set of:

  • Supported Web APIs (100+ binary features)
  • CSS property support
  • Implementation bugs and quirks
  • Default settings (font size, scrollbar width, form styling)
  • Unicode rendering behavior
  • Emoji support version

5.2 Vectors

Vector Entropy Notes
Feature support vector (~100 features) ~10-15 bits Highly correlated
CSS rendering quirks ~5-8 bits Engine-specific
Unicode/emoji rendering ~3-5 bits OS+browser dependent
Scrollbar width ~2-3 bits OS-dependent
Default font metrics ~4-6 bits OS+browser dependent

5.3 Attacker Advantages

  • Cannot be changed: These are inherent to the browser/OS
  • No permission needed: No user consent required
  • Hard to block: Blocking features changes the feature vector itself

5.4 Weaknesses

  • Mainly identifies browser family + version, not individual users
  • Low entropy within same browser version (all Chrome 120 users look similar)
  • Feature detection scripts can be DNS-blocked before they load

5.5 Proposed Mitigations

Mitigation Effectiveness Impact
DNS block fingerprinting script domains High Stops feature enumeration entirely
Accept low individual entropy Passive May still correlate with other signals
Patch browser (not proxy-level) Very High Requires custom browser build

Best Obscura can do: DNS blocking of known fingerprinting domains.


6. Behavioral Biometrics

Full document: behavioral-biometrics.md

6.1 Why It Works

User behavior patterns are highly individual:

  • Mouse movement trajectories (speed, acceleration, jitter)
  • Keystroke dynamics (key hold time, inter-key intervals, error patterns)
  • Scroll patterns (speed, acceleration, pause behavior)
  • Touch gestures (on mobile: swipe angle, pressure, speed)
  • Reading patterns (scroll-then-pause rhythm)
  • Click/tap timing and location preferences

6.2 Vectors

Vector Entropy Notes
Keystroke dynamics ~15-25 bits Highly individual
Mouse movement ~10-20 bits Less stable over time
Scroll behavior ~8-12 bits Content-dependent
Touch gestures ~12-18 bits Mobile-specific

6.3 Attacker Advantages

  • Continuous authentication: Not a snapshot, but ongoing
  • Hard to fake: Mimicking another user's behavior is extremely difficult
  • No JS API restriction: All readable from JS event listeners

6.4 Weaknesses

  • Requires significant user interaction: Cannot fingerprint passively
  • High variance: Behavior changes with mood, fatigue, context
  • Long collection time: Needs minutes of interaction
  • Machine learning required: Simple hashing doesn't work
  • Easily disrupted: Any script that interferes with timing breaks it

6.5 Proposed Mitigations

Mitigation Effectiveness Impact
Block mouse/touch event listeners via JS override Medium Breaks interactive sites
Inject synthetic timing noise Low Can be filtered out
Use Tor Browser for high-sensitivity sessions Very High Most practical solution
Accept behavioral is narrow-context Passive Only works on logged-in sessions

Best Obscura can do: Very limited. Tor Browser is the practical solution.


7. Residual Network-Level Fingerprints

Full document: residual-network.md

7.1 Why It Works

Even with TLS and HTTP spoofing, residual network signals remain:

  • TCP/IP stack parameters (inherited from container OS)
  • Network round-trip time (RTT) and its variance
  • MTU path discovery
  • Packet TTL (reveals approximate hop count)
  • Clock skew between client and server
  • HTTP/3 QUIC transport parameters (if not blocked)

7.2 Vectors

Vector Entropy Notes
TCP window size ~2-4 bits Container OS-specific
Initial TTL ~1-2 bits 64 vs 128
RTT + variance ~5-8 bits Network path-dependent
Clock skew ~4-8 bits Hardware clock drift
HTTP/2 SETTINGS (if unspoofed) ~6-10 bits Proxy library-specific

7.3 Attacker Advantages

  • Always present: Network signals are unavoidable
  • Can be combined: Cross-referencing multiple weak signals increases entropy
  • Stable: Network path changes infrequently

7.4 Weaknesses

  • Low individual entropy: TCP/IP alone rarely identifies
  • Shared container environment: Multiple users behind same container look similar
  • TLS spoofing eliminates the most identifying signal

7.5 Proposed Mitigations

Mitigation Effectiveness Impact
TLS fingerprint spoofing (JA3/JA4 via utls) Very High Critical for Obscura
HTTP/2 SETTINGS mirroring High Complex implementation
Normalize TCP parameters None Container inherits host
Route through VPN/Tor upstream High Changes network characteristics

Best Obscura can do: TLS + HTTP/2 spoofing. TCP/IP is accepted.


8. Detection of Proxy & Spoofing Inconsistencies

Full document: proxy-detection.md

8.1 Why It Works

The act of spoofing creates detectable patterns:

  • Profile inconsistency: Chrome User-Agent + Go TLS stack + Win32 platform + non-Windows fonts
  • Missing signals: Blocked APIs (WebGL returns null) create a unique "blocked" fingerprint
  • Timing anomalies: MITM adds measurable latency
  • Certificate fingerprints: Self-signed CA certificates are detectable
  • Header normalization: Overly clean/consistent headers (real browsers have variation)
  • JavaScript override detection: Object.getOwnPropertyDescriptor() can detect Object.defineProperty overrides

8.2 Detection Techniques

Technique What It Detects Reliability
TLS fingerprint mismatch Proxy software vs claimed browser Very High
Feature blocking Privacy tool usage High
JS override detection Injected scripts Medium
Certificate inspection MITM proxy High
Timing analysis Proxy latency Medium
Cross-signal correlation Profile inconsistency Very High

8.3 Attacker Advantages

  • Spoofing increases detectable surface: The more you change, the more there is to detect
  • Statistical analysis: Comparing against large datasets reveals anomalies
  • Machine learning: Can find patterns humans miss

8.4 Weaknesses

  • Detection is probabilistic, not deterministic
  • False positives: Legitimate browser updates look like spoofing
  • Privacy tools are used by millions: Being detected as "privacy user" is not unique
  • Cat-and-mouse: Override detection can be countered by deeper overrides

8.5 Proposed Mitigations

Mitigation Effectiveness Impact
Perfect profile consistency Very High Requires continuous profile updates
Leak some real signals Counterintuitive Makes profile look more natural
Use real CA certificate Medium Avoids self-signed CA detection
Round timing instead of removing Medium Less suspicious than zero latency
Don't block spoof instead High Harder to detect than blocking

Best Obscura can do: Rigorous profile consistency testing and continuous updates.


9. The Aggregation Problem

9.1 Individual vs Combined Entropy

A crucial insight: individual uncontrollable vectors have low entropy alone, but combined they become identifying.

Htotal=i=1nHiHcorrelationH_{total} = \sum_{i=1}^{n} H_i - H_{correlation}

Where HiH_i is individual entropy and HcorrelationH_{correlation} accounts for dependencies between vectors.

For uncontrollable vectors alone (GPU + Audio + CPU + Features + Network + Behavioral):

Huncontrollable5+8+4+12+6+1550 bitsH_{uncontrollable} \approx 5 + 8 + 4 + 12 + 6 + 15 \approx 50 \text{ bits}

This is enough to uniquely identify a user among ~101510^{15}.

9.2 Implications

  • Even perfect proxy spoofing of controllable vectors is insufficient if the uncontrollable ones remain
  • DNS blocking is critical: It prevents the fingerprinting library from seeing the uncontrollable vectors
  • Defense in depth: Each blocked vector reduces the aggregate entropy

10. Proposed Research Directions

10.1 Short-term (Obscura v1)

  1. Perfect profile consistency: Automated validation tools
  2. DNS blocklist maintenance: Fingerprinting domain feed
  3. Canvas noise injection: Algorithm from CanvasBlocker
  4. WebGL/WebGPU debug info blocking: JS injection
  5. AudioContext blocking: JS injection

10.2 Medium-term

  1. Machine learning for anomaly detection: Detect when Obscura's modifications create detectable patterns
  2. Adaptive profile selection: Choose the profile that best matches the user's real hardware (don't claim Safari on Windows)
  3. Graceful degradation: Fall back to less aggressive spoofing if detection risk is high

10.3 Long-term / Out of Scope

  1. Browser modification: Custom browser build that normalizes fingerprints (Tor Browser approach)
  2. Hardware-level GPU normalization: Driver-level rendering interception
  3. Behavioral obfuscation: AI-generated mouse/keyboard patterns
  4. Quantum-resistant fingerprinting: Future-proofing against new techniques

11. Conclusion

The uncontrollable vectors documented here represent the fundamental limit of network-level anti-fingerprinting. No proxy can fully eliminate them because they derive from:

  • Physics: GPU rendering, audio processing, clock drift
  • Biology: User behavior patterns
  • Engineering: Browser implementation choices

Obscura's approach is pragmatic:

  1. Control what can be controlled (headers, TLS, DNS, JS APIs) ~55% of surface
  2. Block what cannot be spoofed (canvas, audio, WebGL) prevents observation
  3. Accept the residual risk document and monitor

The alternative perfect protection requires Tor Browser, which achieves it by normalizing every signal at the cost of functionality, performance, and convenience. Both approaches have their place.


References

  1. Acar, G. et al. (2014). "The Web Never Forgets: Persistent Tracking Mechanisms in the Wild." CCS 2014.
  2. Mowery, K. & Shacham, H. (2012). "Pixel Perfect: Fingerprinting Canvas in HTML5." WOOT 2012.
  3. Eckersley, P. (2010). "How Unique Is Your Web Browser?" PETS 2010.
  4. Englehardt, S. & Narayanan, A. (2016). "Online Tracking: A 1-million-site Measurement and Analysis." CCS 2016.
  5. Tor Browser Design Document (2024). "The Design and Implementation of the Tor Browser."
  6. FingerprintJS (2026). "Browser Fingerprinting Techniques." fingerprintjs.com.
  7. FoxIO (2024). "JA4: TLS Client Fingerprinting." GitHub.
  8. Laperdrix, P. et al. (2020). "Browser Fingerprinting: A Survey." ACM TOIT.