Digital Mirror - Reflect Your Digital Vulnerabilities

[THREAT-MODEL] WHO IS WATCHING YOU

ADVERTISERS

TRACKERS

DATA BROKERS

STATE SURVEILLANCE

Each data point your browser exposes feeds different threat actors. Advertisers monetize behavior; trackers link cross-site identity; data brokers aggregate and sell profiles; state actors use network-level observation.

[COMPARE] BROWSER BASELINE

BROWSER	EXPOSURE SCORE	CANVAS FP	WEBRTC LEAK	TRACKER BLOCK
Chrome (default)	85	Exposed	Exposed	None
Firefox (default)	58	Partial	Partial	Basic
Brave (default shields)	28	Faked	Blocked	Aggressive
Tor Browser	12	Blocked	Blocked	Aggressive
YOU NOW	--	--	--	--

[STABILITY] FINGERPRINT ACROSS SESSIONS

Canvas Fingerprint

--

FIRST VISIT

Audio Fingerprint

--

FIRST VISIT

Visit Count

--

TRACKED

Last Seen

--

STORED

Even without cookies, your canvas and audio fingerprints remain highly stable across browser restarts and sessions — making cookie-less re-identification straightforward for trackers.

[ADVANCED] MODERN TRACKING METHODS

CNAME CLOAKING

DNS-LEVEL

Trackers register a subdomain on a first-party domain (e.g. analytics.yoursite.com) that is a CNAME alias for their tracking server. Browsers treat it as first-party, bypassing most blockers.

Bypass: DNS-based blockers (NextDNS, Pi-hole), or browsers that resolve CNAMEs before applying policies (Firefox + uBlock).

BOUNCE TRACKING

REDIRECT CHAIN

Clicking a link sends you through a tracker's server first (e.g. click.tracker.io → real-site.com). Cookies and identifiers are set during the bounce even if the tracker domain is blocked.

Bypass: Brave's Debounce feature, Firefox Total Cookie Protection, or manual URL stripping.

ETAG / CACHE TRACKING

HTTP HEADER

Servers embed a unique identifier inside HTTP cache headers (ETag, Last-Modified). On subsequent visits, the browser automatically sends the identifier back — no cookies needed.

Bypass: Private/incognito mode clears cache. Browser extensions that strip cache headers. Hard-refresh (Ctrl+Shift+R).

LINK DECORATION

URL PARAMETER

Tracking IDs appended to URLs (utm_*, fbclid, gclid) persist your identity when you share or click links. Even if you don't accept cookies, the ID in the URL identifies you.

Bypass: ClearURLs extension, Firefox Enhanced Tracking Protection strips known parameters.

FONT / RENDERING FP

CANVAS SIDE-CHANNEL

Every GPU renders the same text slightly differently. Combined with your installed fonts, this produces a fingerprint stable across all browsers on your machine — no storage required.

Bypass: Tor Browser forces uniform rendering. Brave randomizes canvas output per site.

[SIMULATE] DEFENSE EFFECTIVENESS

Estimated exposure score if you add each defense to your current setup:

[AUDIT] OUTBOUND REQUEST LOG SOURCE-ONLY TOOL

api.ipify.org Resolve your public IP address FETCH — READ ONLY

ipapi.co Geo-locate IP (country, city, ISP) FETCH — READ ONLY

fonts.googleapis.com Load Orbitron / JetBrains Mono / Inter fonts CSS LOAD

stun.l.google.com:19302 WebRTC STUN — detect local IP (no data sent) STUN ONLY

All other analysis Canvas, Audio, WebGL, navigator, screen APIs 100% LOCAL

This tool makes exactly 2 outbound API requests (IP + geo). No fingerprint data, scores, or behavioral traces are transmitted anywhere. All analysis is computed locally in your browser and discarded when you close this tab. You can verify this by inspecting the page source — there is no backend.

DIGITAL MIRROR BETA

[REFLECT] YOUR DIGITAL REFLECTION

[NOTICE] PRIVACY DISCLAIMER

[DOCS] SYSTEM DOCUMENTATION

[REFLECT] YOUR DIGITAL REFLECTION