The security community published a significant findings paper in February 2026 documenting three previously undisclosed browser fingerprinting vectors that affect Tor Browser users under specific configurations. The research, produced by a team at a European university's digital privacy lab, identified timing-based inference attacks, CSS rendering differences exploitable for OS fingerprinting, and Web API behavioral quirks that persist across Tor circuits.
Browser fingerprinting is a technique that creates a unique identifier for a browser based on its technical characteristics — installed fonts, screen resolution, timezone, hardware performance metrics, and hundreds of other properties. Even without IP-level identification, consistent fingerprints can be used to correlate visits across sessions.
The Three Vectors
Vector 1 — CSS rendering differences: Subtle differences in how different operating systems render certain CSS properties (particularly font metrics and subpixel antialiasing) can identify the underlying OS with ~85% accuracy. Tor Browser's "Safest" security level mitigates this by disabling many CSS features.
Vector 2 — WebGL timing attacks: When WebGL is enabled, GPU hardware timing differences create a unique fingerprint. The fix is simple: disable WebGL entirely. In Tor Browser, setting security level to "Safest" disables it.
Vector 3 — Media API: Even when no media devices are present, the enumeration of media capabilities can create device-specific patterns. Mitigation: disable media access in about:config.
The Nexus security blog published a detailed countermeasures guide in response to the paper. The core recommendation remains unchanged: use Tor Browser at "Safest" security level, ideally via Tails OS, which implements additional mitigation at the OS level.