My two "separated" browser profiles had identical canvas and audio fingerprints
I have read the rules.
Threat model: adversary is commercial tracking and fingerprinting infrastructure. Asset is identity separation between two Firefox profiles for different research contexts, each routed through a separate proxy. Goal is preventing any passive observer from linking profile A to profile B.
I set up both profiles with separate containers, separate proxies, resistFingerprinting enabled, WebRTC disabled in about:config, DoH on different resolvers per profile. Thought I was probably fine, but I realized I had never actually tested any of it. I found an open-source eight-surface scanner on GitHub, read the source to confirm fingerprint checks run locally, and pointed both profiles at it.
WebRTC was bad. One profile had an extension that silently re-enabled peerconnection. The STUN probe returned my real IP behind the proxy. HTTP was routing correctly so nothing else surfaced it.
Canvas and audio were worse in a way. Both profiles produced identical Canvas 2D hashes and identical AudioContext signatures. resistFingerprinting was on. Did not matter. Enough to link both profiles to one machine. I honestly do not know how to fix the audio surface without breaking playback.
DNS leaked on one profile because the OS resolver grabbed DoH fallback before Firefox did. Font enumeration, WebGL, automation flags, and egress ASN all came back clean.
Three of eight surfaces were quietly burning my separation model and I had no idea until I measured.
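
Added example (not part of the original post, and not the scanner it mentions): a static audit of two profiles' `prefs.js` files for the settings the post relies on, flagging drift such as `media.peerconnection.enabled` falling back to its default. The sample file contents are constructed, and treating `network.trr.mode` 3 (DoH only, no OS resolver fallback) as the expected value is an assumption of this example.

```python
import re

# Values the post's setup relies on. network.trr.mode 3 (DoH only, no
# fallback to the OS resolver) is an assumption of this example.
EXPECTED = {
    "privacy.resistFingerprinting": True,
    "media.peerconnection.enabled": False,
    "network.trr.mode": 3,
}
MUST_DIFFER = ["network.trr.uri"]  # per-profile resolver must not be shared
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Constructed sample prefs.js contents (not taken from the post).
SAMPLE_A = '''user_pref("privacy.resistFingerprinting", true);
user_pref("media.peerconnection.enabled", false);
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://doh-a.example/dns-query");'''
SAMPLE_B = '''user_pref("privacy.resistFingerprinting", true);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh-b.example/dns-query");'''

def parse_prefs(text):
    """Parse prefs.js text into {name: value}; only user-set prefs are stored there."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            name, raw = m.groups()
            if raw in ("true", "false"):
                prefs[name] = raw == "true"
            elif re.fullmatch(r"-?\d+", raw):
                prefs[name] = int(raw)
            else:
                prefs[name] = raw.strip('"')
    return prefs

def audit(prefs_a, prefs_b):
    """Return findings; an empty list means both profiles match EXPECTED."""
    findings = []
    for label, prefs in (("A", prefs_a), ("B", prefs_b)):
        for name, want in EXPECTED.items():
            got = prefs.get(name, "<default>")  # absent line = built-in default
            if got != want:
                findings.append(f"{label}: {name} is {got}, expected {want}")
    for name in MUST_DIFFER:
        if prefs_a.get(name) == prefs_b.get(name):
            findings.append(f"A/B share {name}: {prefs_a.get(name)}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_prefs(SAMPLE_A), parse_prefs(SAMPLE_B)):
        print(finding)
```

A clean result only shows the prefs are set; the post's canvas and audio result came with resistFingerprinting on, so the live measurement is still needed.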