404 Privacy uses local proxy protection to foil browser fingerprinting

Browser fingerprinting is hard to outrun when the same machine keeps handing out the same canvas, WebGL, timezone, and TLS clues. 404 Privacy tries to break that pattern by moving the fight onto the user’s own box.

The project describes itself as a “Rust privacy proxy & Linux kernel module” and a “dual-module network application,” which is the first clue that this is not another browser extension with a few header tweaks. Its model is local-first: 404 generates a local CA and key pair on first run, terminates TLS locally, and then rewrites or controls signals across TCP/IP, TLS cipher suites, HTTP headers, browser APIs, canvas, and WebRTC. That matters because ad blockers and ordinary privacy add-ons usually focus on content blocking, while 404 is built to make a session look internally consistent across the layers trackers actually compare.

That broader surface is the point. Current fingerprinting guidance treats browser identity as a multi-layer problem, combining WebGL, audio, user-agent strings, screen resolution, time zone, installed fonts, TLS ClientHello details, and HTTP/2 settings into a profile that can follow a user across sessions. The Electronic Frontier Foundation’s Cover Your Tracks project frames the problem the same way, showing how trackers view a browser and how web headers and JavaScript-derived traits, including fonts and canvas fingerprints, contribute to identification. Johns Hopkins researchers have also warned that clearing cookies is not enough when fingerprinting can still track people across sites and browser sessions.

404 is aimed at the people who feel that pressure most sharply: journalists, lawyers, researchers, human-rights workers, and other users with a real need to resist cross-session tracking. The repository’s own warnings make the threat model plain. It says the software is beta, comes with no warranty or guarantees, and advises users not to rely on primary accounts or share the CA certificate. It also notes that usernames and passwords may be temporarily visible in local-only logs, a reminder that this is a hardening tool, not a turnkey anonymity product.

For Rust readers, the interesting part is the architecture. 404’s value does not come from a clever browser skin or a single anti-fingerprinting trick. It comes from pushing control down into a local proxy and kernel-module design, then trying to keep the whole stack coherent enough that one spoofed detail does not become a new identifier. The repository is licensed AGPL-3.0 and currently shows 103 stars and 6 forks, early but real traction for a project that treats fingerprinting as an operating problem, not a browser setting.