Obscura Stealth — Fingerprint Spoofing, TLS Fingerprint, and Anti-Detection

How Obscura Stealth works: 8 built-in browser profiles, wreq BoringSSL TLS client fingerprint, tracker blocking, and identity consistency configuration.

16Yun Engineering TeamJul 3, 20262 min read

Why Automation Traffic Gets Detected

A headless browser is usually detected at multiple layers simultaneously:

  • TLS layer: HTTP libraries in Go or Python send ClientHello with different cipher suites, ALPN extensions, and elliptic curves than Chrome
  • JS API layer: navigator.webdriver is true, Function.prototype.toString returns non-native code
  • navigator consistency: userAgent says Mozilla/5.0... but platform is Linux, userAgentData is missing
  • Behavioral: Missing or abnormal responses to canvas, audio, and WebGL fingerprinting APIs
  • Network: IP from a datacenter range that does not match the browser fingerprint's geography

Obscura Stealth addresses the first four at the architecture level.

8 Built-in Browser Profiles

Each profile keeps userAgent, platform, uaPlatform, and uaPlatformVersion consistent:

IndexPlatformChrome
0 (default)Windows 10143
1Windows 10144
2Windows 10145
3Windows 10146
4macOS 13.6143
5macOS 14.4144
6macOS 14.5145
7macOS 14.6146

Control profiles via environment variables:

# Pin a specific profile
OBSCURA_PROFILE=2 obscura serve
 
# Random profile per context (opt-in)
OBSCURA_ROTATE_PROFILE=1 obscura serve
```bash
 
## TLS Fingerprint Spoofing
 
This is Stealth's core capability. It uses the **wreq** crate with **BoringSSL**, configured to match Chrome's:
 
- Cipher suite order
- TLS version preferences
- ALPN protocol list
- Elliptic curve selection
 
```bash
# Stealth build requires cmake for BoringSSL
cargo build --release --features stealth
 
# TLS ClientHello now matches real Chrome
obscura fetch https://example.16yun.cn --stealth
```bash
 
## JS API Layer
 
Stealth hides automation signals at the V8 level:
 
```javascript
// Without stealth: exposed
navigator.webdriver  // true
 
// With stealth: matches real Chrome
navigator.webdriver  // undefined
```bash
 
`Function.prototype.toString` returns `[native code]` for internal properties. Dispatched events have `event.isTrusted = true`.
 
Hidden internal properties are not exposed by `Object.keys(window)`.
 
## Tracker Blocking
 
Stealth ships with Peter Lowe's ad and tracker domain list — 3500+ domains blocked at the net layer:
 
```bash
# Blocks automatically:
# - Analytics (Google Analytics, Mixpanel, Hotjar)
# - Ad networks (DoubleClick, Criteo, Adnxs)
# - Social tracking (Facebook.net)
# - Fingerprinting scripts
```bash
 
Supports exact match and subdomain wildcard matching.
 
## Identity Consistency
 
Time zone, geolocation, and proxy region must all agree:
 
```bash
# Complete anti-detection config
OBSCURA_TIMEZONE=America/New_York \
OBSCURA_GEOLOCATION="40.7128,-74.0060" \
OBSCURA_PROFILE=2 \
  obscura serve --stealth --proxy http://user:pass@proxy.16yun.cn:8888
```bash
 
Any inconsistency between profile, timezone, and proxy location becomes a detection signal.
 
## Limitations
 
Stealth does not handle:
 
- Cloudflare interactive challenges (Turnstile, JS Challenge, CAPTCHA)
- Datadome and Akamai bot managers
- Any CAPTCHA system
- IP-based rate limiting (needs proxies)
 
## Best Practice
 
```bash
OBSCURA_TIMEZONE=Asia/Shanghai \
OBSCURA_GEOLOCATION="31.2304,121.4737" \
OBSCURA_PROFILE=0 \
  obscura serve \
    --stealth \
    --proxy http://user:pass@proxy.16yun.cn:8888
```bash
 
## Summary
 
Obscura Stealth builds anti-detection at four layers:
 
1. **TLS layer**: BoringSSL wreq client matching Chrome's fingerprint
2. **Profile layer**: 8 profiles with consistent navigator properties
3. **JS API layer**: webdriver hiding, native code masking, event.isTrusted
4. **Network layer**: 3500+ domain tracker blocking

Need an enterprise proxy plan?

We can tailor architecture to your target domains, concurrency, and reliability goals.