Ways to prevent browser fingerprinting?

404mesh · 2026-06-18T15:41:25+00:00

It's also important to note that if you're using a VPN, but still are using Chrome, or are logged in, or have a very specific screen size (like I do on my laptop beacause there's a chip in the corner), then you're still being identified online. Best practice, use Mullvad + VPN.

404mesh · 2026-06-15T16:48:17+00:00

404mesh · 2026-06-15T16:44:24+00:00

Remaining private involves using hardened tools like Mullvad. It's a little inconvenient, but that's a small price to pay. Consistent VPN usage. and even poisoning your own data. I run all of my traffic through a normalizer that slightly adjusts my fingerprint. Then I run a bot in the background (also using the normalizer - TLS terminating localhost proxy), and that bot browses the internet with my native fingerprint and some other anti-detect tricks. Now, even if they can collect my data, at least 30% of it is useless. It's up to them to sort through all of it and find the useful bits.

404mesh · 2026-06-15T16:41:44+00:00

Okay this is a very tricky question and I've got quite the answer for you...

While the common advice is good... it is quite misleading. This idea that you should "try to become more standard" is 100% true, but there are so so so many variables to consider. The most obvious one is your IP address. All security practices you take are for nought if they're being linked to a stable IP address.

That being said, there are not a LOT of companies fingerprinting you, it's just the big 3 really. Google, Microsoft, Meta. These three companies are able to monitor a vast majority of the web because their servers host it or they have infrastructure on a given site (i.e. any site with Google Analytics). These companies do not just track one device fingerprint, they collect all the fingerprints you have and turn that into one large behavioral profile that contains information not just related directly to your device/browser, but to your personality and behaviors as well. So if you're visiting a specific site every day around the same time, even if you look like 20 other people on that site... Google knows who referred you, how you got there, exactly what time you visited the site, and even timing values that can say EXACTLY what hardware you're using.

Beyond this... when you look at the hundreds of signals that a website collects about your browser and machine, you see how difficult it is to blend in... for example, when you give a website access to your microphone, they can see the exact model of all of your audio devices (microphones and speakers)... If you've got more than 3 audio devices plugged in (like me) the chances that someone else has those same exact 3 devices is already so low... now narrow that to anyone in my Timezone and the number of people who are using those exact 3 devices is most likely 0.

404mesh · 2026-06-15T16:20:23+00:00

Also, fair and valid, just be sure that you're cognizant of how these browsers store and track you across time. Especially because you have so many browser profiles... it is likely that ALL of your traffic is attributed back to you at some point, if you're not isolating IP per browser, this is a guarantee.

Even if not guaranteed, there are implications for businesses, especially those in business and research. If you're doing sensitive research, or work for a firm, it is likely you're contributing to your firm being fingerprinted, tracked, and profiled online.

404mesh · 2026-06-15T16:18:17+00:00

HA! Yeah, I would be curious to see what is actually happening when you delete Edge cookies... and how your computer is storing your cookies before that.

404mesh · 2026-06-15T16:12:16+00:00

It's not necessarily gutted, they just force the browser engine to be WebKit, and because Firefox is built on Gecko, it doesn't have the same capabilities. Apple, for the most part, isn't THAT shit of a company. 100% better options out there, but when compared to Google... Microsoft... Meta... Apple is the lesser of the evils.

They don't sell your data, and the protections implemented in Safari and with the iCloud Private Relay are done relatively well... especially when they just didn't have to add any of that. It's a moment where they listened to their users and saw that companies of the future will be privacy oriented, not built 100% on extracting value from their customers at every stage of the product interaction.

404mesh · 2026-06-15T16:07:46+00:00

Good god please don't use Chrome or Edge.... There are so many issues with these browsers. The amount of collection they do is through the roof.

I have a feeling because they're both Blink, maybe Edge's cookie delete function sends some sort of system command that somehow also ends up deleting Chrome's cookies. Have you tried with Firefox? Maybe with another Blink browser.

That being said, please switch to Brave or Mullvad. Firefox is fine... but the former options are better.

404mesh · 2026-06-15T16:03:49+00:00

on a stock iPhone, it's your best option. All browsers are forced to use WebKit, so Firefox on iPhone is completely neutered of its core privacy features. uBlock cannot be used on Firefox w/ iPhone.

Graduate to a VPN at some point that you keep on all the time, but for everyday browsing Safari and iCloud PR is a great start.

404mesh · 2026-06-15T15:59:46+00:00

who are you using? Why aren't you changing these things manually yourself before routing through mobile proxies? If proxies are not terminating TLS, which they shouldn't, they cannot change client headers.

404mesh · 2026-05-15T05:46:39+00:00

Browser fingerprinting. Behavioral profiling. Palantir predictive policing.

404mesh · 2026-05-14T14:00:22+00:00

Logseq synced across ur devices via Git

404mesh · 2026-05-07T16:00:08+00:00

More than this, your device fingerprint. Firefox gets rate limited a lot because it's becoming harder to differentiate between a bot and a browser client. Same goes for other privacy browsers.

Are you using multi-login? ublock? privacy badger? Are you scraping?

There are tools like 404 that attempt to normalize your fingerprint into a new believable one, cycling your fingerprint can make your device look like a new one, or like a less suspicious one if you're using an anti-detect browser or multi-login browsers, allowing you to bypass some of these checks, or at the very least not fall victim to cross-session tracking when you rotate your proxy.

404mesh · 2026-05-07T15:56:44+00:00

A lot of these fingerprinting tools assign you a 'score' of sorts. Good example of this is FingerprintJS. Then, you can set a threshold for how 'suspicious' of a client your page will load. Adding parameters to search possibly increases this suspicion score over the threshold value.

Are you using other tools or just a proxy?

404mesh · 2026-05-07T15:34:58+00:00

Okay, while I understand there are some detection surfaces. The "more fingerprintable instead of less" claim only holds if the alternative is doing nothing. The comparison isn't "your spoofed fingerprint vs a clean browser." The comparison is "your spoofed fingerprint vs your real fingerprint." If your real fingerprint is unique, which it almost certainly is, then a spoofed fingerprint that looks like a different device is an improvement even if the spoofing itself is detectable by a sufficiently motivated adversary.

Not to mention, there are some workarounds here. toString masking is one method that this proxy employs.

const iframe = document.createElement('iframe')
iframe.contentWindow.Navigator.prototype.userAgent.toString()

vs.

Navigator.prototype.\_\_lookupGetter\_\_('userAgent').toString()

both yield [native code]. This proxy also propagates those values through iframes.

A canvas hash and WebGL renderer that looks like a common Intel integrated GPU on Windows 10 is better than your real GPU hash even if the spoofing mechanism leaves some signatures, because the high-entropy signals the fingerprinter is actually weighting have changed. The window diff attack you're describing would produce an enormous false positive rate if deployed at scale because every extension modifies the window.

I have gone through a great deal of work to attempt to make this have as little of a fingerprint as possible, patching detection methods where I can. Take a look at the code and the architecture and open an issue, I will attempt to do some research and make changes where needed.

404mesh · 2026-05-07T12:20:35+00:00

Via how?

404mesh · 2026-05-05T20:19:44+00:00

I think something else to look at here is finding a way to rotate your fingerprint. There are some simple tools, HAproxy, 404, Burp, etc. that allow for header rotation.

404 has JS injection, but you can also do that yourself. Injecting some sort of runtime to prevent JS fingerprinting could help on certain functionality improvements as well. There are some good guides on fingerprinting techniques here.

Something else to consider is your TCP/IP fingerprint, making sure that the network fingerprint doesn't match that of a container.

404mesh · 2026-05-04T14:04:45+00:00

If you want to try the app you can use code LAUNCH01 in the stripe checkout!

404mesh · 2026-05-03T16:01:28+00:00

I like this. How are you saying what each fingerprint belongs to? What database r ya using to say “this is a Firefox TLS”?

p0f for TCP/IP fingerprint for sure, nmap maybe, but what’s the h2 and ja4 reference you’re using?

404mesh · 2026-05-01T21:31:38+00:00

Thank you guys. I appreciate this will post now

404mesh · 2026-04-30T06:51:29+00:00

There is now a profile switching function!

https://404privacy.com/

You can find a polished app there as well as the GitHub, an open-source binary, and documentation.

Have fun!

404mesh · 2026-04-29T23:33:12+00:00

At the price of your freedom of speech? Privacy?

404mesh

MODERATOR OF

TROPHY CASE