PrivSec Lab · 36 terms
Browser Privacy & Security Glossary
Precise, technical definitions for the terminology used throughout our research. Each entry is self-contained and anchored with a stable URL for citation. Terms span browser fingerprinting vectors, transport security, authentication, and security frameworks.
- Browser Fingerprinting (#browser-fingerprinting)
  The collection of browser and device attributes — canvas rendering, installed fonts, GPU model, timezone, screen resolution, and dozens more — to generate a statistically unique identifier without cookies. Unlike cookies, fingerprints survive clearing history, private mode, and VPN use.
- Canvas Fingerprint (#canvas-fingerprint)
  A fingerprint derived by drawing text and shapes to a hidden HTML canvas element and reading the pixel output via toDataURL() or getImageData(). Sub-pixel rendering, font hinting, GPU-accelerated compositing, and OS anti-aliasing produce unique signatures per GPU/driver/OS combination.
- WebRTC Leak (#webrtc-leak)
  A privacy vulnerability where a browser's WebRTC stack exposes the user's real IP address — including local network IPs — via ICE candidates, even when a VPN is active. Can be mitigated by disabling WebRTC media permissions or using a browser that blocks non-proxied ICE candidates.
- DNS-over-HTTPS (DoH) (#doh)
  A protocol that encrypts DNS queries by sending them over HTTPS to a resolver, preventing ISP interception and on-path surveillance. Hides domain lookups from network observers but centralizes queries at the chosen resolver; supported natively in Firefox, Chrome, and most major browsers.
- DNS-over-TLS (DoT) (#dot)
  A protocol that encrypts DNS queries using TLS on port 853. Unlike DoH, it uses a dedicated port that firewalls can detect and block. Preferred in enterprise or OS-level configurations; functionally equivalent to DoH in privacy protection for end users.
- HTTP Strict Transport Security (HSTS) (#hsts)
  An HTTP response header that instructs browsers to only access a site over HTTPS for a specified duration (max-age). Prevents SSL stripping attacks. Sites can apply to the HSTS preload list to be hardcoded into browsers before the first visit.
- Content Security Policy (CSP) (#csp)
  An HTTP response header that declares which sources a page is allowed to load scripts, styles, images, and other resources from. A strict CSP — particularly with nonces or hashes — eliminates most XSS attack vectors by blocking inline scripts and unauthorized external hosts.
- Referrer Policy (#referrer-policy)
  An HTTP header or meta tag controlling how much of the current URL is sent in the Referer header when navigating to another page. The strictest value, no-referrer, omits the header entirely; strict-origin-when-cross-origin is the browser default since 2021 and recommended for most sites.
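The three response headers defined above (HSTS, CSP, Referrer-Policy) are usually checked together in a deployment review. The following audit function is an added example written for this glossary, not code from PrivSec Lab: it parses a captured header set and flags the weak settings the entries describe (a short HSTS max-age, a CSP that permits inline or wildcard script sources without a nonce or hash, a Referrer-Policy that sends the full URL cross-origin, and no framing restriction via frame-ancestors or X-Frame-Options). The one-year HSTS floor is an assumption taken from the preload-list requirement; the header sets at the bottom are constructed for the example.

```python
import re

def parse_csp(value):
    """Split a Content-Security-Policy string into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def hsts_max_age(value):
    """Return the max-age seconds from an HSTS header, or None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

ONE_YEAR = 31536000  # assumption: preload-list minimum used as the floor here
# Values that transmit the full URL (path and query) to other origins.
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

def audit_security_headers(headers):
    """Return a list of finding identifiers for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append("hsts-max-age-short")

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("csp-missing")
    else:
        # script-src falls back to default-src when not set explicitly.
        scripts = policy.get("script-src", policy.get("default-src"))
        if scripts is None:
            findings.append("csp-no-script-restriction")
        else:
            # With a nonce or hash present, browsers ignore 'unsafe-inline'.
            strict = any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in scripts)
            if "'unsafe-inline'" in scripts and not strict:
                findings.append("csp-unsafe-inline")
            if any(s in ("*", "http:", "https:") for s in scripts):
                findings.append("csp-wildcard-script-source")

    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("no-framing-protection")

    if h.get("referrer-policy", "").strip().lower() in LEAKY_REFERRER_POLICIES:
        findings.append("referrer-policy-leaks-url")
    return findings

# Constructed header sets: a weak configuration and its hardened counterpart.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-R4nd0mV4lu3'; "
        "object-src 'none'; frame-ancestors 'none'"
    ),
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    print("weak:", audit_security_headers(WEAK_HEADERS))
    print("hardened:", audit_security_headers(HARDENED_HEADERS))
```

The nonce value in HARDENED_HEADERS is a placeholder; in practice it must be freshly generated per response, otherwise the CSP degrades to an allow-list that a repeated nonce defeats.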
- Enhanced Tracking Protection (ETP) (#etp)
  Firefox's built-in anti-tracking system that blocks third-party trackers, cryptominers, and fingerprinters based on the Disconnect.me block list. Available in Standard, Strict, and Custom modes; Strict mode additionally blocks cross-site cookies from all third parties.
- Intelligent Tracking Prevention (ITP) (#itp)
  Safari's machine-learning-based anti-tracking system that identifies domains capable of cross-site tracking and restricts their cookies. ITP caps JavaScript-set cookies to 7 days and first-party cookies attributed to tracking to 24 hours, disrupting long-lived tracking identifiers.
- User-Agent String (#user-agent)
  An HTTP request header sent by the browser identifying the browser name, version, OS, and rendering engine. Historically a high-entropy fingerprinting vector; Google's User-Agent Reduction initiative progressively froze most OS and browser version details in Chrome to reduce its identifying power.
- Entropy (fingerprinting) (#entropy)
  Shannon entropy measured in bits: H = −Σ p(x) log₂ p(x) over the observed distribution of a signal. N bits means the signal can distinguish at most 2^N individuals. A canvas entropy of 16.3 bits means a given canvas value is shared by roughly 1 in 80,000 users (2^16.3 ≈ 80,000), from that signal alone.
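To make the entropy figures concrete, here is an added example (not part of the PrivSec Lab glossary) that computes H = −Σ p(x) log₂ p(x) over an observed signal, the surprisal of one specific value, the anonymity-set divisor 2^N, and the joint entropy of two signals combined. The two sample columns are constructed values for ten hypothetical visitors, not real measurements.

```python
import math
from collections import Counter

def shannon_entropy_bits(observations):
    """H = -sum p(x) * log2 p(x) over the empirical distribution of a signal."""
    counts = Counter(observations)
    n = len(observations)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def surprisal_bits(observations, value):
    """Bits revealed by observing one specific value: -log2 p(value)."""
    counts = Counter(observations)
    return -math.log2(counts[value] / len(observations))

def anonymity_set_divisor(bits):
    """A value carrying `bits` of information narrows a user down to ~1 in 2**bits."""
    return 2 ** bits

def joint_entropy_bits(*signals):
    """Entropy of several signals taken together: each user's tuple is one symbol.
    Joint entropy is never below the entropy of any single component signal."""
    return shannon_entropy_bits(list(zip(*signals)))

# Constructed sample for ten hypothetical visitors (canvas hash, timezone).
SAMPLE_CANVAS = ["a1", "a1", "a1", "a1", "b2", "b2", "c3", "c3", "d4", "e5"]
SAMPLE_TIMEZONE = ["UTC+1", "UTC+1", "UTC-5", "UTC+1", "UTC-5",
                   "UTC+1", "UTC+9", "UTC+1", "UTC+1", "UTC-5"]

if __name__ == "__main__":
    print("canvas entropy:", round(shannon_entropy_bits(SAMPLE_CANVAS), 3))
    print("surprisal of 'e5':", round(surprisal_bits(SAMPLE_CANVAS, "e5"), 3))
    print("canvas+timezone:", round(joint_entropy_bits(SAMPLE_CANVAS, SAMPLE_TIMEZONE), 3))
    print("16.3 bits -> 1 in", round(anonymity_set_divisor(16.3)))
```

Note the distinction the functions make: entropy is a property of the whole population (how much the signal distinguishes users on average), while surprisal is what one particular value reveals; a rare canvas hash carries far more bits than the signal's average.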
- TOTP (Time-based One-Time Password) (#totp)
  A two-factor authentication method standardized in RFC 6238 that generates a 6-digit code valid for 30 seconds, derived from a shared secret and the current Unix timestamp. Used by authenticator apps (Google Authenticator, Aegis). Resistant to replay attacks but vulnerable to real-time phishing.
- Passkey / FIDO2 (#passkey)
  A phishing-resistant authentication credential based on public-key cryptography (WebAuthn / FIDO2). The private key never leaves the device; the server stores only a public key. Passkeys are bound to the origin, making them immune to credential phishing and domain spoofing attacks.
- Threat Model (#threat-model)
  A structured analysis of who could attack a system, what assets they would target, and which mitigations are proportionate to the risk. A practical threat model identifies assets, enumerates adversaries and their capabilities, maps attack paths, and prioritizes controls by likelihood and impact.
- STRIDE (#stride)
  A threat classification framework developed at Microsoft: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Used during design reviews to systematically identify which threat categories apply to each component or data flow of a system.
- Supply Chain Attack (#supply-chain-attack)
  An attack that targets a trusted upstream dependency — an npm package, a CI/CD tool, a build server, or a certificate authority — rather than the final target directly. Compromising a widely used library or pipeline can propagate malicious code to thousands of downstream projects simultaneously.
- Zero-Day (#zero-day)
  A vulnerability that is unknown to the software vendor and has no available patch. A zero-day exploit leverages this gap before the developer can issue a fix. Browser zero-days in JavaScript engines (JIT compilers, regex parsers) are especially critical because they can be triggered remotely via a web page.
- Sandboxing (#sandboxing)
  A security boundary that isolates a process and restricts its access to system resources, other processes, and the network. Browser renderer processes run in OS-level sandboxes to contain the damage from a compromised page; a sandbox escape vulnerability lets an attacker break this boundary.
- Site Isolation (#site-isolation)
  A browser architecture where each origin (scheme + hostname + port) is rendered in a separate OS process. Prevents a malicious page from reading memory belonging to another origin through Spectre-class side-channel attacks. Enabled by default in Chrome since 2018 and in Firefox as Project Fission.
- WebGL Fingerprint (#webgl-fingerprint)
  A fingerprint derived from the GPU renderer string (RENDERER, VENDOR) and unique shader output produced by the WebGL API. GPU vendor, model, and driver version produce distinct rendering artifacts across machines, making WebGL the second-highest entropy browser fingerprinting vector after canvas.
- Audio Fingerprint (AudioContext) (#audio-fingerprint)
  A fingerprint computed by running a sine wave through the OfflineAudioContext API and measuring the resulting signal. Floating-point audio processing differences across OS/hardware combinations produce stable, unique values. Resistant to reset because it reflects hardware and driver behavior.
- Encrypted Client Hello (ECH) (#ech)
  A TLS extension that encrypts the Server Name Indication (SNI) field in the TLS handshake, hiding the destination hostname from on-path observers. Without ECH, even HTTPS traffic reveals which domain a user is connecting to; ECH closes this gap when supported by both client and server.
- Server Name Indication (SNI) (#sni)
  A TLS extension that tells the server which hostname the client wants to connect to during the handshake, enabling virtual hosting of multiple HTTPS sites on one IP. SNI is transmitted in plaintext by default, leaking the destination domain to network observers until ECH adoption.
- CNAME Cloaking (#cname-cloaking)
  A tracking technique where a first-party subdomain (e.g., metrics.example.com) is aliased via CNAME to a third-party tracker host. Because the cookie is set under the first-party domain, ITP and cookie-blocking rules that target third-party domains are bypassed.
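Defenders detect CNAME cloaking by following each first-party subdomain's CNAME chain and checking whether it terminates outside the site's own registrable domain, on a host from a tracker block list. The following is an added example written for this glossary (not PrivSec Lab's tooling) that does this over a constructed, in-memory zone table so it runs offline; the `registrable_domain` helper takes the last two labels as an assumption, where production code would consult the Public Suffix List, and the tracker domain and record names are invented for the example.

```python
# Constructed CNAME zone data for the example; not real DNS answers.
CNAME_RECORDS = {
    "www.example.com": "example.com",
    "metrics.example.com": "example.tracker-cdn.net",   # the cloaked tracker
    "example.tracker-cdn.net": "edge.tracker-cdn.net",  # second hop in the chain
    "static.example.com": "example.cdn-provider.net",   # cross-domain but benign
}
# Constructed stand-in for a block list such as the Disconnect.me list.
KNOWN_TRACKER_DOMAINS = {"tracker-cdn.net"}

def registrable_domain(host: str) -> str:
    """Assumption: registrable domain is the last two labels.
    Real deployments must use the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def follow_cname_chain(host: str, records: dict, max_hops: int = 8) -> list:
    """Return [host, alias1, alias2, ...] ending at the first name with no CNAME.
    Bounded by max_hops and guarded against CNAME loops."""
    chain = [host.lower().rstrip(".")]
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]].lower().rstrip(".")
        if nxt in chain:
            break  # loop: stop rather than spin
        chain.append(nxt)
    return chain

def detect_cname_cloaking(first_party_host: str, subdomains, records: dict,
                          trackers: set) -> list:
    """Report every subdomain whose CNAME chain leaves the first-party site.
    `known_tracker` is True when the final target is on the block list."""
    site = registrable_domain(first_party_host)
    findings = []
    for sub in subdomains:
        chain = follow_cname_chain(sub, records)
        final = chain[-1]
        if registrable_domain(final) != site:
            findings.append({
                "subdomain": chain[0],
                "resolves_to": final,
                "hops": len(chain) - 1,
                "known_tracker": registrable_domain(final) in trackers,
            })
    return findings

if __name__ == "__main__":
    hosts = ["www.example.com", "metrics.example.com", "static.example.com"]
    for f in detect_cname_cloaking("example.com", hosts, CNAME_RECORDS, KNOWN_TRACKER_DOMAINS):
        print(f)
```

Only the block-list match is treated as a tracker; a chain that leaves the site for an unlisted host (the CDN case here) is still reported, because a subdomain that silently delegates to another organisation is what the cookie-scoping bypass depends on and merits review even when the destination is not yet listed.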
- Permissions Policy (Feature Policy) (#permission-policy)
  An HTTP header that lets a site disable or restrict browser features — camera, microphone, geolocation, payment, USB — for its own frame and for embedded third-party iframes. Reduces the attack surface by preventing unused powerful APIs from being accessible in a compromised or malicious context.
- Cross-Site Scripting (XSS) (#xss)
  A class of injection vulnerabilities where an attacker injects malicious JavaScript into a page that is then executed in other users' browsers. Reflected XSS targets URL parameters; stored XSS persists in a database; DOM XSS manipulates client-side code. CSP is the primary mitigation layer.
- Clickjacking (#clickjacking)
  An attack that overlays a transparent iframe over a visible UI element, tricking the user into clicking on something they cannot see. Mitigated by the X-Frame-Options or frame-ancestors CSP directive, which prevents a page from being embedded in an iframe on another origin.
- Cross-Origin Resource Sharing (CORS) (#cors)
  A browser mechanism governing whether JavaScript on one origin may read responses from another origin: such reads are blocked unless the target server explicitly allows them via Access-Control-Allow-Origin headers. Enforces the same-origin policy at the HTTP response level for cross-origin fetch and XHR requests.
- Private Browsing / Incognito Mode (#private-browsing)
  A browser mode that discards history, cookies, and cached data at the end of a session. It does not prevent real-time tracking: the IP address, WebRTC leaks, TLS fingerprint, and canvas fingerprint remain fully active. A common misconception is that private mode provides anonymity.
- Uniformity Defense (#uniformity-defense)
  An anti-fingerprinting strategy that makes all users produce the same browser fingerprint — identical canvas output, fonts, screen size — so no individual can be singled out. Tor Browser and Mullvad Browser implement this approach. Contrast with randomization, which changes the fingerprint per session.
- Randomization Defense (#randomization-defense)
  An anti-fingerprinting strategy that injects per-session, per-origin noise into canvas, audio, and WebGL outputs. Brave Shields uses this approach. It prevents stable long-term tracking but does not achieve crowd-level uniformity, so session-to-session unlinkability varies by signal.
- Spectre / Side-Channel Attack (#spectre)
  A class of microarchitectural attacks that leak data from other processes by exploiting speculative execution in modern CPUs. In browsers, JavaScript-based Spectre attacks prompted disabling SharedArrayBuffer and reducing timer precision; site isolation and cross-origin isolation headers are the primary mitigations.