
Methodology & Editorial Standards

alexi.sh is an independent editorial site, not a measurement lab. We turn published security research, official documentation, and hands-on testing into practical guides. This page is an honest account of how we source claims, what we test ourselves, and how we stay independent — so you can judge the work.

How we source claims

We build on primary sources: official documentation, vendor security advisories, standards (W3C, IETF), and peer-reviewed or otherwise public research on browser privacy and fingerprinting. When we cite a figure — an entropy estimate, a CVE, a benchmark — it is attributed to its source in the article, not presented as proprietary data we collected. If a claim cannot be sourced, we either qualify it as our editorial judgement or leave it out.

Fingerprinting figures

Entropy figures (in bits) that appear in our articles come from public fingerprinting research — for example the EFF's long-running work on browser uniqueness and academic studies — and from what you can verify yourself with the EFF's Cover Your Tracks and similar open tools. We do not run a private visitor panel, and we do not present any number as the output of one. Where a value is an estimate, we say so.

Hands-on testing

When we test something directly — a browser setting, a privacy toggle, a tool install — we describe the exact steps and the version we tested, on real consumer hardware, so you can reproduce it. We document the OS and browser version in the article rather than implying a fixed reference lab. What we have actually tested, we show; what we are summarising from elsewhere, we attribute.

VPN & tool checks

For VPNs and similar tools we describe the checks that anyone can run: IP change, WebRTC leak (via RTCPeerConnection), DNS leak (via a public leak-test site), and kill-switch behaviour when the connection drops. We report what we observed and how to reproduce it. We do not publish speed numbers as definitive benchmarks — connection, server, and time of day make single-run figures unreliable, and we say when a result is indicative rather than authoritative.
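The WebRTC check described above can be scripted. The following is an added example, not code from alexi.sh: it classifies the ICE candidate lines gathered via RTCPeerConnection against the VPN's exit IP. The function names, the `stunUrl` parameter and the sample candidates (documentation IP ranges) are assumptions made for illustration.

```javascript
// Constructed sample candidate lines (documentation IP ranges), not captured data.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2113937151 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2113937151 3f2a1c9e-0b7d-4e5a-9c11-7a2b8d4e6f01.local 54322 typ host',
  'candidate:3 1 udp 1677729535 198.51.100.7 40000 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 1677729535 203.0.113.45 40001 typ srflx raddr 0.0.0.0 rport 0',
];

// Pull transport, connection address, port and type out of one candidate line.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m && { transport: m[1].toLowerCase(), address: m[2].toLowerCase(), port: Number(m[3]), type: m[4] };
}

// True for loopback, link-local and private (RFC 1918 / IPv6 ULA) addresses.
function isPrivateAddress(a) {
  return /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(a) ||
    /^(::1$|fe[89ab][0-9a-f]:|f[cd][0-9a-f]{2}:)/.test(a);
}

// Only a public address other than the VPN exit counts as a leak here. Private
// addresses (LAN or tunnel interface) are reported separately, not as a bypass.
function classify(line, vpnExitIp) {
  const c = parseCandidate(line);
  if (!c) return { line, verdict: 'unparsed' };
  let verdict = 'leak';
  if (c.address.endsWith('.local')) verdict = 'mdns-masked';
  else if (c.address === vpnExitIp.toLowerCase()) verdict = 'vpn-exit';
  else if (isPrivateAddress(c.address)) verdict = 'private';
  return { ...c, verdict };
}
// Addresses that show up in candidates but are neither masked, private nor the VPN exit.
function findLeaks(lines, vpnExitIp) {
  return lines.map(l => classify(l, vpnExitIp)).filter(r => r.verdict === 'leak').map(r => r.address);
}

// Browser only: collect candidate lines. stunUrl is supplied by the caller (assumption).
async function gatherCandidates(stunUrl) {
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  pc.createDataChannel('probe'); // a data channel is enough to start ICE gathering
  const lines = [];
  const done = new Promise(resolve => {
    pc.onicecandidate = e => (e.candidate && e.candidate.candidate ? lines.push(e.candidate.candidate) : resolve());
  });
  await pc.setLocalDescription(await pc.createOffer());
  await done;
  pc.close();
  return lines;
}
```

In a browser console with the VPN connected, `findLeaks(await gatherCandidates(stunUrl), exitIp)` returning an empty list means no candidate exposed a public address other than the VPN exit.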

Independence policy

alexi.sh accepts no paid placements or sponsored reviews that influence a verdict. Some articles contain affiliate links (e.g. Proton); these are disclosed and do not change rankings or conclusions. No vendor is given preview access to or veto over what we publish.

Corrections

If you find an error — a stale version, a broken step, a misread source — contact us. We correct the article and note what changed. Guides about fast-moving software are dated and revised as tools change; the publication and update dates shown on each article are real.

Citing us

To cite an article, use its URL and publication date. A machine-readable index for AI systems is available at alexi.sh/llms.txt and alexi.sh/llms-full.txt. Please attribute primary figures to their original source rather than to us when we are ourselves citing published research.

Key definitions

Browser fingerprinting
The collection of browser and device attributes — canvas rendering output, installed fonts, GPU model, timezone, screen resolution, and dozens more — to generate a statistically unique identifier without storing any data on the user's device. Unlike cookies, fingerprints survive clearing history, private mode, and VPN use.
Shannon entropy (bits)
A measure of information content. N bits of entropy means the signal can distinguish at most 2^N individuals. 16 bits ≈ unique among 65,536 individuals. Used to compare the identifying power of different fingerprinting vectors.
Canvas fingerprint
A fingerprint derived by drawing text and shapes to a hidden HTML canvas element and reading the pixel output via toDataURL() or getImageData(). Sub-pixel rendering, font hinting, GPU-accelerated compositing, and OS anti-aliasing produce signatures unique to GPU/driver/OS combinations.
Uniformity defense
An anti-fingerprinting strategy that makes all users produce the same fingerprint (e.g., Tor Browser, Mullvad Browser). All users blend into a single crowd. Contrast with randomization, which gives each user a different, inconsistent fingerprint.
Randomization defense
An anti-fingerprinting strategy that injects per-session, per-origin noise into canvas, audio, and WebGL outputs (e.g., Brave Shields). Reduces cross-session linking but does not achieve uniformity.
JA4 / JA3
TLS handshake fingerprinting techniques that identify the browser, version, and OS from the ClientHello message. They operate below the application layer and are invisible to browser extensions.