Project ideas from Hacker News discussions.

We found a stable Firefox identifier linking all your private Tor identities

📝 Discussion Summary

1. Fast Tor Browser updates – “Tor Browser is always quick to rebase on the latest Firefox ESR. They released an update the next day:” – flotzam

2. How most people use Tor – “I would imagine most users of Tor are using Tor Browser.” – crazysim

3. Persistent IndexedDB fingerprint – “The identifier can also persist after all private windows are closed, as long as the Firefox process remains running.” – fc417fc802

4. Questionable corporate motives – “They probably are not relying on it and disclosure means others can't either.” – hrimfaxi

5. Practical mitigations – “The cleanest mitigation is to return results in a canonical order, such as lexicographic sorting.” – lxgr
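
The canonical-ordering mitigation quoted in item 5, as an added example that is not code from the thread, Firefox or Tor Browser. It is a constructed model in which listing order depends on a per-process secret; `processSecret`, `listRaw`, `listCanonical`, `leaksProcessState` and the sample names are assumptions made for illustration.

```javascript
// Added example: constructed model, not Firefox or Tor Browser code.
// Assumption: the unmitigated listing order depends on a secret that stays
// fixed for the lifetime of the browser process (modelled by `processSecret`).

// Plain code-unit comparison (not localeCompare), so the locale cannot leak in.
const byCodeUnit = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// 32-bit FNV-1a, used only to give the model a hash-table-like ordering.
function fnv1a(name) {
  let h = 0x811c9dc5;
  for (const ch of name) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// Unmitigated listing: order follows a hash mixed with the per-process secret.
function listRaw(names, processSecret) {
  const key = (n) => (fnv1a(n) ^ processSecret) >>> 0;
  return [...names].sort((a, b) => key(a) - key(b));
}

// Mitigated listing: same data, returned in canonical (lexicographic) order.
function listCanonical(names, processSecret) {
  return listRaw(names, processSecret).sort(byCodeUnit);
}

// What a page can read off an ordering: the permutation relative to sorted order.
function orderSignature(list) {
  const sorted = [...list].sort(byCodeUnit);
  return list.map((n) => sorted.indexOf(n)).join(",");
}

// Regression check a fix should pass: output must not vary with the secret.
function leaksProcessState(listFn, names, secrets) {
  const seen = new Set(secrets.map((s) => orderSignature(listFn(names, s))));
  return seen.size > 1;
}

// Constructed sample: database names one origin might create, and three
// constructed per-process secrets.
const SAMPLE_NAMES = ["cart", "drafts", "prefs", "sessions"];
const SAMPLE_SECRETS = [0x00000000, 0xffffffff, 0x5bd1e995];

console.log("raw leaks:", leaksProcessState(listRaw, SAMPLE_NAMES, SAMPLE_SECRETS));
console.log("canonical leaks:", leaksProcessState(listCanonical, SAMPLE_NAMES, SAMPLE_SECRETS));
```

The same `leaksProcessState` check can be pointed at any enumeration function to confirm its output does not vary with hidden per-process state.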


🚀 Project Ideas

IndexedDB Randomizer Extension

Summary

  • Fixes the IndexedDB ordering fingerprint vulnerability that persists across Tor Browser “New Identity” sessions.
  • Provides a per‑session UUID per origin, eliminating a stable identifier for trackers.

Details

| Key | Value |
| --- | --- |
| Target Audience | Privacy‑focused Tor, Brave, and Firefox users who rely on Tor Browser |
| Core Feature | Randomly generate a unique UUID for each IndexedDB database per origin on every browser restart |
| Tech Stack | WebExtension API (browser.storage, browser.indexedDB), background script, optional Firefox/Chrome compatibility layer |
| Difficulty | Medium |
| Monetization | Hobby |

Notes

  • HN commenters repeatedly called out the lack of a clear fix after the disclosure; this extension gives them an immediate mitigation.
  • The problem is practical—users can install it today and stop being fingerprinted across private sessions, making it both discussion‑worthy and immediately useful.

Ephemeral Remote Browser Service

Summary

  • Delivers a disposable, Tor‑routed browser instance that resets all fingerprintable state after each use.
  • Eliminates persistent identifiers like the IndexedDB ordering bug without requiring manual VM setup.

Details

| Key | Value |
| --- | --- |
| Target Audience | Journalists, activists, security researchers needing short‑lived anonymous browsing |
| Core Feature | Spin up a Docker‑based remote browser (Chromium or Firefox) connected to a Tor SOCKS proxy; automatically destroys the container after the session, wiping all cookies, IndexedDB, and process state |
| Tech Stack | Docker, Chrome/Chromium binary, torsocks, WebRTC signaling, simple web UI, optional BrowserBox open‑source core |
| Difficulty | High |
| Monetization | Revenue-ready: Subscription $5/month for dedicated instances |

Notes

  • Users in the thread lamented the complexity of using Qubes or Tails; a hosted yet privacy‑preserving solution would let them focus on content rather than environment configuration.
  • The service directly addresses the “no stable identifier” desire expressed by several commenters, turning a technical concern into a practical product.

Fingerprint Transparency Dashboard

Summary

  • Shows users in real time which browser characteristics are being used to fingerprint them and lets them spoof or block them on demand.
  • Turns opaque tracking into an actionable, visible control panel.

Details

| Key | Value |
| --- | --- |
| Target Audience | General privacy‑conscious web users, especially those using Tor or privacy‑focused browsers |
| Core Feature | Browser extension that injects a dashboard overlay listing exposed data (User‑Agent, canvas hash, font list, timezone, etc.) with one‑click spoof options and toggle switches |
| Tech Stack | WebExtension (browser.action, React UI), background script, storage API |
| Difficulty | Low |
| Monetization | Hobby |

Notes

  • The discussion included repeated calls for “opt‑in” permissions and clearer feedback; this dashboard fulfills that need.
  • By making fingerprinting data visible, it invites community feedback and extensions, fitting HN’s appetite for developer‑centric tools.

Tor Identity Reset Coordinator

Summary

  • Automates the creation of truly isolated Tor Browser identities that reset all fingerprintable state, including IndexedDB ordering.
  • Removes the manual pitfalls highlighted by community members.

Details

| Key | Value |
| --- | --- |
| Target Audience | Tor power users, privacy activists, researchers who habitually use “New Identity” |
| Core Feature | Wrapper script that spawns a fresh disposable VM or container per identity, launches Tor Browser inside it, and ensures all fingerprintable storage is cleared before the session starts |
| Tech Stack | Python orchestration, Qubes‑VM API or Docker‑in‑Docker for non‑Qubes users, Tor Browser binary |
| Difficulty | High |
| Monetization | Hobby |

Notes

  • Several commenters (e.g., “aboardRat4”, “hrimfaxi”) expressed frustration that “New Identity” does not fully reset the process, leading to cross‑session tracking; this tool directly solves that pain point.
  • It also opens discussion about integrating with Qubes or other VM isolation frameworks, a hot topic in the HN thread.

PrivacyLite Browser

Summary

  • A minimalist, open‑source browser that disables all fingerprinting APIs by default and only allows essential rendering.
  • Provides a truly privacy‑first baseline without user configuration.

Details

| Key | Value |
| --- | --- |
| Target Audience | Everyday internet users who want privacy without technical tweaks |
| Core Feature | Stripped‑down rendering engine (Rust + custom layout engine) that blocks IndexedDB, canvas, WebGL, JavaScript by default, forces static fonts, UTC timezone, and static window size; optional whitelist for sites that need limited functionality |
| Tech Stack | Rust, Servo‑style architecture, WebExtensions for optional feature toggles |
| Difficulty | High |
| Monetization | Revenue-ready: One‑time purchase $12 for desktop version, $5 for mobile companion app |

Notes

  • The thread repeatedly mentioned the desire for a “dumb” browser that can’t be fingerprinted; PrivacyLite fulfills that vision.
  • It would spark debate about the trade‑off between usability and privacy, a classic HN discussion catalyst, and could attract contributors looking to build a privacy‑first web platform.
