| They can use at least everything available up to the end of the first HTTP request: * IP path selected & latency * TCP TTL, window settings & extensions * TLS ClientHello: extensions, ciphers, hash algos, etc * HTTP/2 settings & behavior * HTTP request headers If you're interested in digging further into this set, look up JA3, which has variants that address most or all of those above. If they redirect you to an intermediate page, their attack surface gets much larger, including everything in the JavaScript APIs and browser behavior. * Extended client hints * Canvas fingerprint * WebGPU fingerprint * WebRTC fingerprint * TTS voices * Fonts * Battery state * <link> preload behavior and timing (and the list goes on and on and on, because browsers are huge and only slightly designed for privacy) This is assuming they aren't willing to use any of the persistent state techniques, like cache poisoning, HSTS pinning, or simple old cookies. These are mostly useful for catching cases where someone is trying to lie about which OS or browser they are using, or where they are using the same machine and instrumented browser foolishly. |