Traces how websites enumerate a visitor's installed extensions: web-accessible-resource probing, DOM and stylesheet artifacts, intra-browser messages, and timing side channels, plus the Chrome and Firefox mitigations that close some of those doors.
Traces where residential and mobile proxy IPs actually come from: bundled SDKs, free-VPN monetization, peer-payout apps, and outright malware, plus the consent gap that runs through all of them.
How ECH encrypts the inner ClientHello, including SNI, with an HPKE key fetched from DNS, what the outer ClientHello still leaks, and where deployment actually stands now that RFC 9849 has shipped.
Traces how rendering text and shapes to an HTML5 canvas and hashing the toDataURL output yields a stable per-device value, the GPU, driver and font causes behind the variation, the 2012 origin, and how much entropy it really carries.
A primary-source reference on WebGL fingerprinting: the UNMASKED_RENDERER and UNMASKED_VENDOR strings, supported extensions, shader precision formats, rendered-image hashing, and the browser mitigations that bucket or hide them.
Traces how rendering an oscillator through OfflineAudioContext and a DynamicsCompressor produces a stable per-device float, the floating-point and FFT causes behind the variation, the 2016 origin, and how much entropy it really carries.
Traces how the installed-font set became a high-entropy fingerprint, the text-width and ClientRects measurement that reads it without any font API, the @font-face/local() side channel, and the browser defenses that tried to close it.
Traces how screen width, height, availWidth, colorDepth and devicePixelRatio became fingerprint entropy, why zoom, multi-monitor and OS scaling make them unstable, and how the same numbers turn into a bot tell.
Traces how four read-only battery properties became a cross-site tracking vector, the 2015 Olejnik research that proved it, the in-the-wild scripts Princeton caught, and the Firefox and WebKit removals that followed.
Traces how getClientRects() and measureText() turn fractional layout geometry into a stable device label, why two machines render the same glyph to different floating-point boxes, and why spoofing the values consistently is so hard.
Traces how WebRTC ICE candidate gathering uses STUN to surface local and real public IPs in JavaScript regardless of an HTTP proxy or VPN, the mDNS hostname mitigation Chrome shipped in 2019, and how anti-fraud systems use the mismatch.
How the same emoji codepoint and ZWJ sequence render to different pixels and bounding-box widths across OS emoji fonts, and how canvas and getClientRects turn that variation into a platform-revealing fingerprint.
Traces how canPlayType, MediaSource.isTypeSupported, MediaCapabilities.decodingInfo, and the EME key-system probe report which codecs and DRM a device admits to, why those answers vary by OS, browser, and hardware, and how much entropy they carry.
A primary-source reference on the 2017 Cao, Li, and Wijmans cross-browser fingerprint: the WebGL rendering tasks, audio and CPU signals, and why OS- and hardware-level features survive a browser switch.
Traces how the speechSynthesis.getVoices() list reveals OS, locale, and version through bundled TTS voices, the async-loading quirk that returns an empty array on first call, the entropy it carries, and the browser defenses.
A reference on session-replay pipelines: the DOM snapshot plus incremental-mutation model, the mouse, scroll, focus and input events that get streamed, the FullStory and Hotjar lineage versus fraud-vendor use, and the privacy leaks.
Traces how DoT (RFC 7858) and DoH (RFC 8484) encrypt the stub-to-resolver hop, what privacy they actually buy, why DoH inside the browser collided with enterprise filtering and parental controls, and where the deployment debate landed by 2026.
Traces the HTTP cookie from a 1994 shopping-cart hack to the web's identity layer: how SameSite reshaped it, why the third-party-cookie phase-out collapsed in 2024-2025, and what partitioning leaves behind.
A primary-source walk through CHIPS: the Partitioned cookie attribute, the double-keyed cookie jar, the cross-site ancestor chain bit, the 10 KiB per-partition budget, and where it sits now that Privacy Sandbox is gone.
A history of encrypting the TLS server name, from the 2018 ESNI experiment and why it failed to the ECH design that encrypts the whole inner ClientHello with HPKE, finished as RFC 9849 in 2026.
Traces browser fingerprinting from Mayer's 2009 deanonymization experiment and Eckersley's Panopticlick through canvas, the AmIUnique and Hiding-in-the-Crowd studies, the commercial anti-fraud market, and the browser-vendor pushback.
Traces the 2010 EFF Panopticlick experiment and Eckersley's 'How Unique Is Your Web Browser?' paper: the 18.1-bit result, the eight measurements, the entropy math, the fingerprint-tracking heuristic, and the Cover Your Tracks rebrand.
Tracing Tor from the 1995 Naval Research Lab onion-routing prototype through the 2002 release, the 2006 nonprofit, the v3 onion-service rewrite, and the Tor Browser's uniform-fingerprint defense against tracking.