{"id":44068495,"url":"https://github.com/un-nf/404","last_synced_at":"2026-04-21T02:01:43.863Z","repository":{"id":321487664,"uuid":"1084667356","full_name":"un-nf/404","owner":"un-nf","description":"A new approach to fighting cross-session tracking: multi-layer online fingerprint obfuscation. Spoofs browser/OS (headers \u0026 JS), hardware, TLS cipher-suite, canvas, peripherals and much more.","archived":false,"fork":false,"pushed_at":"2026-04-18T02:28:24.000Z","size":8769,"stargazers_count":81,"open_issues_count":10,"forks_count":5,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-04-18T02:44:16.716Z","etag":null,"topics":["browser","browser-fingerprinting","ebpf","fingerprinting","fingerprintjs","https-proxy","ja3","ja4","nightmarejs","obfuscation","privacy","privacy-tools","proxy","reverse-proxy","traffic-control"],"latest_commit_sha":null,"homepage":"https://404privacy.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/un-nf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["sethzhonda","un-nf"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":null,"buy_me_a_coffee":null,"thanks_dev":null,"custom":null}},"created_at":"2025-10-28T01:55:05.000Z","updated_at":"2026-04-18T02:28:09.000Z","dependencies_parsed_at":null,"dependency_job_id":"769af023-8f0c-43ab-bc71-3185dd4e9b82","html_url":"https://github.com/un-nf/404","commit_stats":null,"previous_names":["un-nf/404"],"tags_count":27,"template":false,"template_full_name":null,"purl":"pkg:github/un-nf/404","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/un-nf%2F404","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/un-nf%2F404/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/un-nf%2F404/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/un-nf%2F404/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/un-nf","download_url":"https://codeload.github.com/un-nf/404/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/un-nf%2F404/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32073496,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-21T01:35:38.224Z","status":"online","status_checked_at":"2026-04-21T02:00:06.111Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["browser","browser-fingerprinting","ebpf","fingerprinting","fingerprintjs","https-proxy","ja3","ja4","nightmarejs","obfuscation","privacy","privacy-tools","proxy","reverse-proxy","traffic-control"],"created_at":"2026-02-08T04:00:24.687Z","updated_at":"2026-04-21T02:01:43.858Z","avatar_url":"https://github.com/un-nf.png","language":"Rust","funding_links":["https://github.com/sponsors/sethzhonda","https://github.com/sponsors/un-nf"],"categories":["Rust"],"sub_categories":[],"readme":"# 404 v2.2.1\n*404 acts as the middleman between you and those collecting your data.* [more...](https://404privacy.com)\nRust privacy proxy \u0026 Linux kernel module. Full client-fingerprint control. \n\n\u003e **404 is a dual-module network application designed to give uers profile-driven control over multiple layers of their fingerprint: TCP/IP options (TTL, MSS, etc.), TLS cipher-suite, HTTP headers, browser APIs, canvas, WebRTC, and more...**\n\n---\n\n**Manual Links:**\n- [***View the manual instead***](https://un-nf.github.io/404-docs/)\n- [What is 404?](https://un-nf.github.io/404-docs/Overview/whatIs/)\n- [Quick Start](https://un-nf.github.io/404-docs/dev/downloadDev/)\n- [Why does this matter?](https://un-nf.github.io/404-docs/Overview/why404/)\n\n---\n\nhttps://github.com/user-attachments/assets/fb403522-ac09-4c49-a599-5edd53f33994\n\n---\n\n## Quick consent \u0026 warning\n\n*By running this software you understand that:*\n- This proxy will generate a local CA and key-pair on its first run. As of now, there is no functionality or instructions for removing these from your trust store.\n- **This proxy terminates TLS**, usernames and passwords that pass through this proxy may be temporarily stored/visible in ***local only*** logs. Do not share logs. \n- This is beta software - no warranty, no guarantees, minimal support.\n\n*...and agree that:*\n- You will not use your primary accounts.\n- You will not share your CA certificate with anyone.\n- If you find a security issue report it to 404co@proton.me\n\n[Join the Discord for support!](https://discord.gg/X9QrVm6dqS)\n\n**Main Discussion:** GitHub discussions\n\n*Alternative community options coming soon!*\n\n---\n\n## What is 404?\n\n404 houses two main modules:\n- STATIC Proxy - *Synthetic Traffic and TLS Identity Camouflage*\n- Linux eBPF module\n\n### STATIC Proxy\n#### *Synthetic Traffic and TLS Identity Camouflage*\n\nThe STATIC proxy is built from the ground up and wired specifically to give the user granular control over their online fingerprint. Not just their browser fingerprint, but any device or app they choose to route through the proxy.\n\nThat runtime contract now reaches:\n- request headers and client hints\n- upstream TLS hello variants and HTTP/2 behavior\n- iframe propagation and worker bootstrap state\n- canvas, WebGL, audio, media device, and related browser surfaces\n\nProfile data does still drive the upstream TLS plan. STATIC passes profile-defined cipher suites, signature algorithms, curves, ALPN, and extension ordering into the `wreq` adapter, but exact wire-level parity is still bounded by what `wreq` and its TLS backend can actually emit. Unsupported claims stay in the validator as warnings, not promises of packet-perfect parity.\n\nBest practice is to stay within your native browser family. Chromium users should choose Chromium-family profiles such as Chrome or Edge. Firefox users should choose Firefox-family profiles such as Firefox. STATIC does not hard-enforce that policy for manual operators; higher-level wrappers can be stricter if they want to be.\n\nDon't believe me? Check my work... \n1. https://demo.fingerprint.com/playground\n2. https://browserleaks.com/\n3. https://coveryourtracks.eff.org/\n4. https://whatismybrowser.com/\n5. https://httpbin.org/headers\n\n### Linux eBPF module\n\nThe eBPF module is, again, quite simple. It leverages powerful, fast, well documented, low-level Linux kernel hooks. By attaching eBPF programs to Linux's `Traffic Control` (`tc`) egress hooks, we can mutate packets extensively.\n\nCurrently, the following is implemented:\n```md\n**IPv4:**\n- TTL (Time To Live) -\u003e forced to 255\n- TOS (Type of Service) -\u003e set to 0x10\n- IP ID (Identification) -\u003e randomized per packet\n- TCP window size -\u003e 65535\n- TCP initial sequence number -\u003e randomized (again)\n- TCP window scale -\u003e 5\n- TCP MSS (Maximum Segment Size) -\u003e 1460\n- TCP timestamps -\u003e randomized\n\n**IPv6:**\n- Hop limit -\u003e forced to 255\n- Flow label -\u003e randomized\n```\n\n---\n\n## How do I install and run 404 on my machine?\n\n### 1. Run the downloaded binary\n\nIf you downloaded a release build, keep the `profiles/` directory beside the binary.\n\nThe proxy now requires an explicit profile selection. If no profile is set, it will refuse to start instead of silently picking one for you.\n\nPick the profile that matches your native browser family. For example, use `edge-windows` or `chrome-windows` on Chromium-family browsers, and `firefox-windows` on Firefox-family browsers.\n\n**Windows**\n\n```powershell\ncd $HOME\\Downloads\\404_REL # wherever your ./static binary lives.\n.\\static.exe --list-profiles\n.\\static.exe --profile edge-windows\n```\n\n**Linux / macOS**\n\n```bash\ncd ~/Downloads/404_REL # wherever your ./static binary lives.\nchmod +x ./static\n./static --list-profiles\n./static --profile edge-windows\n```\n\nUseful flags:\n\n- `--profile \u003cname\u003e` selects the active runtime profile.\n- `--profiles-path \u003cpath\u003e` points STATIC at a different profile directory.\n- `--bind-address \u003caddr\u003e` changes the listener address. *default 127.0.0.1*\n- `--bind-port \u003cport\u003e` changes the listener port.\n- `--list-profiles` prints the discovered profiles and exits.\n\nImportant listener note:\n- If you run with the repo sample config, the listener is `127.0.0.1:4040`.\n- If you run the standalone binary without a config file, STATIC falls back to built-in CLI defaults and listens on `127.0.0.1:8443`.\n- The localhost control plane binds on `listener_port + 2`.\n\nExample with an explicit listener override:\n\n```powershell\n.\\static.exe --profile edge-windows --bind-address 127.0.0.1 --bind-port 4040\n```\n\n### 2. Build from source\n\n#### Install dependencies \u0026 configure PATH\n\n\u003e **Developer Tip:** All commands can be copy pasted into your terminal for easy usage!\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eWindows\u003c/b\u003e\u003c/summary\u003e\n\n**Install via winget**\n\n1. Click [here](https://static.rust-lang.org/rustup/dist/i686-pc-windows-msvc/rustup-init.exe) (32-bit) to download rust-up. Open the downloaded `.exe` file and follow setup instructions.\n\n   - Use the \"Workload\" tab to select the \"Desktop Development with C++\" option.\n   - [Help](https://rust-lang.github.io/rustup/installation/windows-msvc.html)\n\n2. Open the Command Prompt\n\n   - Press Windows + R\n   - Type \"cmd\" into the run dialogue box.\n\n3. Download the dependencies\n\n```bash\nwinget install --id Kitware.CMake -e \u0026\u0026 winget install --id NASM.NASM -e\n\n```\n\nCurrent source builds also require LLVM/libclang, Ninja, and Perl available on your `PATH`.\n\n*Restart your shell after installation. Tools should be on your PATH automatically.*\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003emacOS\u003c/b\u003e\u003c/summary\u003e\n\n**Install via homebrew (recommended)**\n\n1. Open the Terminal\n\n   - Press Command + Space\n   - Search \"Terminal\" and press Enter\n\n2. Ensure you have homebrew installed\n\na.\n```zsh\nxcode-select --install\n\n```\n\nb.\n```zsh\n/bin/bash -c \"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\"\n\n```\n\n3. Download dependencies w/ homebrew:\n\n```zsh\nbrew install rust nasm cmake ninja perl\n\n```\n\n*Restart your shell after installation. Tools should be on your PATH automatically.*\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eLinux\u003c/b\u003e\u003c/summary\u003e\n\n**Install via package manager**\n\n```bash\n# Debian/Ubuntu\n$ sudo apt update\n$ sudo apt install -y curl build-essential clang pkg-config cmake ninja-build perl nasm\n\n# Arch\n$ sudo pacman -S rust clang pkgconf cmake ninja perl nasm\n\n# Fedora/RHEL\n$ sudo dnf install -y rust cargo clang pkgconf-pkg-config cmake ninja-build perl gcc-c++ nasm\n\n# Install Rust via rustup (if not installed via package manager)\n$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n$ source $HOME/.cargo/env\n\n```\n\n\u003c/details\u003e\n\n#### Run the proxy\n\n\u003e **Info:** All steps assume that there is a folder named `404/` located at `~/git/`\n\n**Linux/macOS:**\n\n```bash\ncd ~/git/404/src/STATIC_proxy # CHANGE to wherever you unzipped the 404 folder.\ncargo run -- --list-profiles\ncargo run -- --profile edge-windows  # This will take a while on the first run (~5-minutes)\n\n```\n\n**Windows:**\n\n```bash\ncd %USERPROFILE%\\git\\404\\src\\STATIC_proxy # CHANGE to wherever you unzipped the 404 folder.\ncargo run -- --list-profiles\ncargo run -- --profile edge-windows  # This will take a while on the first run (~5-minutes)\n\n```\n\nIf you omit `--profile` and there is no profile selected in config, STATIC will stop at startup and tell you to choose one.\n\n### 3. Trust proxy-generated CA\n\nSTATIC now manages its CA material in the platform app-data directory instead of treating `src/STATIC_proxy/certs/` as the canonical runtime location.\n\nIf you need the exact CA path on disk, use the value reported by STATIC's localhost control plane at `GET /ca/status`, or locate `static-ca.crt` in STATIC's managed app-data directory.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eFirefox\u003c/b\u003e\u003c/summary\u003e\n\n**Firefox uses its own trust store, you must trust the CA in the application:**\n\nFirefox -\u003e Settings -\u003e Privacy \u0026 Security -\u003e Certificates -\u003e View Certificates -\u003e Authorities tab -\u003e Import -\u003e select `static-ca.crt` from STATIC's managed CA path -\u003e Check \"Trust this CA to identify websites\" -\u003e OK\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eWindows\u003c/b\u003e\u003c/summary\u003e\n\n**Trust the CA using `certutil`:**\n\n```bash\ncertutil.exe -addstore root C:\\\\path\\\\to\\\\static-ca.crt\n\n```\n\n**...or manually:**\n\n1. Locate the `static-ca.crt` path reported by STATIC.\n\n2. Double-click the file labeled `static-ca.crt` (may appear without .crt extension)\n\n3. Click `Install Certificate...`\n\n4. Select `Current User` and click `Next`\n\n5. Choose `Place all certificates in the following store` and click `Browse...`\n\n6. Select `Trusted Root Certification Authorities` and click `OK`\n\n7. Click `Next` then `Finish`\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003emacOS\u003c/b\u003e\u003c/summary\u003e\n\n```zsh\nsudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/static-ca.crt\n\n```\n\n**Or use the GUI:**\n\n1. Open Keychain Access\n2. File -\u003e Import Items -\u003e select `static-ca.crt` from STATIC's managed CA path\n3. Find the certificate, double-click it\n4. Expand \"Trust\" and set \"When using this certificate\" to \"Always Trust\"\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eLinux\u003c/b\u003e\u003c/summary\u003e\n\n```bash\n# Copy CA to system trust store\nsudo cp /path/to/static-ca.crt /usr/local/share/ca-certificates/static-ca.crt\nsudo update-ca-certificates\n\n```\n\n\u003c/details\u003e\n\n### 4. Configure your Browser\n\nSet your browser (or system) to use the STATIC listener address and port that you actually launched.\n\nCommon cases:\n- repo sample config: `127.0.0.1:4040`\n- standalone binary with no config file: `127.0.0.1:8443`\n\n- **Chrome/Edge:** Settings -\u003e System -\u003e Open your computer's proxy settings\n- **Firefox:** Settings -\u003e Network Settings -\u003e Manual proxy configuration -\u003e HTTP Proxy: `127.0.0.1`, Port: `4040` or `8443` depending on how you launched STATIC, then check \"Also use this proxy for HTTPS\"\n\n**Important:** **This tool is a TLS-terminating proxy (man-in-the-middle) and has access to your plaintext HTTPS data (usernames, passwords, certain message protocols, etc.). Do NOT share your CA cert with *anyone* for *anything, ever*.**\n\n*The current runtime is designed around staying inside the native rendering-engine family rather than pretending Chromium is Firefox or vice versa. That makes the remaining complexity more load-bearing and easier to reason about.*\n\n### 5. *Optional* - Configure a Linux VM (if not using Linux)\n\n**VM Setup:**\n\n\u003e *VM images coming soon. I am using an Alpine distribution on WSL2 (Windows). Works well, but a little heavy. Definitely going to be looking into distributing the VMs as dedicated server images, not gerry-rigged forwarding machines with desktop environments.*\n\nYou *100% could* configure a VM and route traffic from your host machine to a VM guest, instructions for VM configuration available in the [eBPF documentation](https://un-nf.github.io/404-docs/dev/ebpf/).\n\nFor now, just running STATIC should be enough, though network level obfuscation is not possible without a Linux kernel (yet).\n\n---\n\n## Why should I install and run this on my machine?\n\nYour online fingerprint is becoming increasingly unique. Modern tracking doesn't just rely on cookies; it builds \"personality clouds\" from hundreds of data points: TLS handshake patterns (JA3/JA4), HTTP header combinations, canvas rendering quirks, microphone/speaker/headset model and brand, font enumeration, WebGL parameters, audio context characteristics, and behavioral timing patterns... to name a few.\n\nThe collection of these semi-unique values (.nav properties, timezone, screen resolution, browser type, etc.) allows servers to pretty confidently identify users as not semi-unique, but entirely. \n\nCommercial fingerprinting services like FingerprintJS, Fingerprint.com, and DataDome can identify users across...\n- Different browsers on the same device\n- Private/incognito modes (linked to 'public' browsing profile)\n- VPN connections (or proxies, even residential ones)\n- Cookie \u0026 cache clearing \n- Different networks\n\nThis isn't paranoia. This is surveillance capitalism.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fun-nf%2F404","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fun-nf%2F404","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fun-nf%2F404/lists"}