Hardware concurrency—specifically the number of logical processor cores available on your system—is one of the simpler yet effective signals used in browser fingerprinting. While it may seem like innocuous information, this single data point contributes to creating a unique fingerprint that can track you across websites without cookies. For developers and power users, understanding how this fingerprinting technique works is essential for building more private applications and protecting your own privacy.
What Is Hardware Concurrency?
Hardware concurrency refers to the number of parallel execution units (threads) your CPU can handle simultaneously. Modern processors use techniques like hyper-threading or simultaneous multithreading to provide more logical cores than physical cores. A quad-core processor with hyper-threading typically reports 8 logical processors to the operating system and applications.
JavaScript provides access to this information through the navigator.hardwareConcurrency property, which returns the number of logical processor cores available:
console.log(navigator.hardwareConcurrency);
// Output: 8 (on a quad-core system with hyper-threading)
This API was originally designed to help developers optimize web applications—for example, deciding how many Web Workers to spawn for parallel processing. However, the same information proves valuable for fingerprinting because core counts vary significantly between different system configurations.
Why CPU Core Count Matters for Fingerprinting
The effectiveness of hardware concurrency as a fingerprinting signal comes from its ability to narrow down the pool of potential users. While many people have 8 cores, fewer have exactly 6, and fewer still have 12. When combined with other signals, this creates a more unique identifier.
Consider how different user segments cluster around specific core counts:
- Office productivity users: Typically 4-6 cores (Intel Core i5, AMD Ryzen 5)
- Developers and power users: Often 8-12 cores (Intel Core i7/i9, AMD Ryzen 7/9)
- High-end workstations: 16-64+ cores (Threadripper, EPYC, Apple Silicon Max)
- Mobile devices: 4-8 cores (varying by age and tier)
- Older systems: 2-4 cores
A user with 16 cores is far more distinctive than one with 8, and this uniqueness increases the probability of being uniquely identified. Fingerprinting libraries often treat hardware concurrency as a medium-entropy signal—useful but not definitive on its own.
How Websites Detect Your Core Count
The primary detection method uses the JavaScript API directly:
function getHardwareConcurrency() {
if ('hardwareConcurrency' in navigator) {
return navigator.hardwareConcurrency;
}
return null; // Not available or blocked
}
More sophisticated fingerprinting scripts combine this with additional detection methods:
function detectCores() {
// Primary method: navigator.hardwareConcurrency
if (navigator.hardwareConcurrency) {
return navigator.hardwareConcurrency;
}
// Fallback: Estimate via CPU曹
// This creates a timing attack to estimate parallelism
const cores = estimateViaTiming();
return cores;
}
function estimateViaTiming() {
const duration = 1000;
const start = performance.now();
// Run parallel tasks and measure completion
// Fewer cores = slower completion for parallel workloads
// This is imprecise but provides an estimate
return Math.max(navigator.cores || 4, 4);
}
The detection is remarkably simple, which makes blocking it relatively straightforward compared to more complex fingerprinting vectors like canvas or WebGL.
Browser Behavior and Inconsistencies
Different browsers handle hardware concurrency reporting differently, which actually creates additional fingerprinting opportunities. The same user might appear different across browsers:
| Browser | Reports Core Count | Notes |
|---|---|---|
| Chrome | Actual logical cores | Full disclosure |
| Firefox | Rounded to 2^n or limited | Privacy protection |
| Safari | Actual cores | Limited privacy |
| Tor Browser | Spoofed (typically 2) | Maximum protection |
Firefox and Tor Browser attempt to normalize this value, but inconsistencies between browsers can actually increase fingerprintability. If a user runs both Chrome and Tor, the mismatch between the two core count values helps identify them.
Privacy Implications
The core count fingerprinting vector has several concerning implications:
Cross-site tracking: Unlike cookies, hardware concurrency persists across sessions and cannot be cleared. Combined with other signals, it helps build a persistent identifier.
Device profiling: Core count reveals information about your hardware. A user with 32 cores is likely running a high-end workstation, which advertisers can use for profiling.
Fingerprint entropy accumulation: Each additional signal makes your fingerprint more unique. Even a simple value like core count contributes to the overall uniqueness calculation.
Mitigation Strategies
Several approaches can help protect against hardware concurrency fingerprinting:
1. Use Privacy-Focused Browsers
Tor Browser spoofs this value to a constant (typically 2), making all users appear identical. Brave Browser randomizes or limits the reported value. Firefox includes privacy.resistFingerprinting which modifies this value.
2. Browser Extensions
Extensions like Canvas Blocker or Privacy Badger can help block fingerprinting scripts. However, specifically targeting hardware concurrency requires careful configuration.
3. Custom Browser Configuration
For Firefox, add to about:config:
privacy.resistFingerprinting = true
This modifies hardwareConcurrency to report a generic value. The副作用 is some web applications may not work optimally.
4. JavaScript Override (Advanced)
For developers testing fingerprint resistance:
// Override in console for testing
Object.defineProperty(navigator, 'hardwareConcurrency', {
value: 4,
writable: false
});
Note: This is for testing only. Persistent modification requires browser extensions.
For Developers: Building Privacy-Aware Applications
If you’re building web applications, consider whether you actually need hardware concurrency information:
// Instead of relying on hardwareConcurrency for feature detection
// Consider progressive enhancement
function getOptimalWorkerCount() {
// Default to a safe assumption
let cores = 2;
// Only use the API if privacy.resistFingerprinting is not active
if (navigator.hardwareConcurrency &&
!window.isFingerprintResistant) {
cores = Math.min(navigator.hardwareConcurrency, 4);
}
// Or use a more conservative default
return cores;
}
By using fallback values and avoiding unnecessary hardware queries, developers can reduce the fingerprinting surface area of their applications.
Testing Your Exposure
To see how your browser handles this fingerprinting vector:
- Visit amiunique.org or cover-your-tracks.com
- Note your reported hardware concurrency value
- Enable privacy protections (Tor Browser, Firefox resistFingerprinting)
- Re-test and compare results
The goal is making your core count appear common—typically 2-4 cores—rather than distinctive.
Advanced Fingerprinting Combinations
While hardware concurrency alone is weak, it becomes powerful when combined with other signals.
Multi-Signal Fingerprinting
Websites combine multiple weak signals to create strong fingerprints:
function buildFingerprint() {
const signals = {
hardwareConcurrency: navigator.hardwareConcurrency,
deviceMemory: navigator.deviceMemory, // RAM (if available)
maxTouchPoints: navigator.maxTouchPoints, // Touch screen support
platform: navigator.platform, // OS (often inaccurate)
userAgent: navigator.userAgent, // Outdated but still used
canvas: canvasFingerprint(), // Canvas rendering uniqueness
webGL: webGLFingerprint(), // GPU fingerprint
fonts: detectInstalledFonts(), // System fonts
timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
language: navigator.language,
plugins: Object.values(navigator.plugins).map(p => p.name),
};
return hashSignals(signals);
}
// Even if each signal has weak entropy, combined entropy multiplies
// 4-core system (common) × 8GB RAM (common) × Chrome browser (common)
// × 50 detected fonts (somewhat distinctive) = relatively unique
Hardware concurrency contributes 2-3 bits of entropy to the combined fingerprint. While not decisive alone, it’s part of the bundle.
Entropy Analysis
Fingerprinting researchers measure entropy in bits:
| Signal | Bits of Entropy | Distinctiveness |
|---|---|---|
| Hardware concurrency | 2-3 bits | Weak |
| Device memory | 3-4 bits | Weak |
| Screen resolution | 5-7 bits | Moderate |
| Canvas fingerprint | 10-15 bits | Strong |
| WebGL fingerprint | 10-20 bits | Strong |
| Font collection | 5-10 bits | Moderate |
| Combined (typical) | 45-70 bits | Very Strong |
Only ~30 bits are needed to uniquely identify most users. Hardware concurrency provides 2-3 of those 30 bits, making it a minor but measurable contribution.
Browser-Specific Defenses
Different browsers implement different protections:
Firefox Fingerprinting Resistance
Firefox provides the most user-friendly protection:
// About:config settings for maximum fingerprinting resistance
// privacy.resistFingerprinting = true
// What changes:
// navigator.hardwareConcurrency → 2 (always)
// navigator.deviceMemory → undefined
// navigator.maxTouchPoints → 0
// plugins → empty array
// Canvas fingerprinting → spoofed with noise
// WebGL → disabled
Enable this with one setting. Trade-off: Some web applications may not work optimally.
Brave Browser Protections
Brave randomizes values rather than spoofing:
// Brave's approach: randomize per-site
// Same site always sees same fingerprint (for functionality)
// Different sites see different core count
// User visits site1.com: sees 4 cores
// User visits site2.com: sees 8 cores (different random)
// User returns to site1.com: sees 4 cores again (consistent)
// This prevents cross-site tracking while maintaining functionality
Brave’s randomization is a good balance between privacy and functionality.
Tor Browser Maximum Protection
Tor Browser uses extreme normalization:
// Tor Browser normalizes to lowest common denominator
// navigator.hardwareConcurrency = 2 (almost always)
// navigator.deviceMemory = 8GB (always)
// All Tor Browser users appear identical
// No fingerprinting is possible
// Trade-off: Websites can detect Tor Browser by the standardized values
The cost: Tor Browser itself becomes detectable as it stands out from normal browsers.
Developer Considerations: Building Private Applications
If you’re building web applications, avoid relying on hardware concurrency:
Anti-Pattern: Core-Based Optimization
// DON'T DO THIS - relies on fingerprint
function initializeWorkerPool() {
const cores = navigator.hardwareConcurrency;
// User with 16 cores gets different worker count
// than user with 4 cores
// This is fingerprinting-friendly
const workerCount = cores;
return new WorkerPool(workerCount);
}
Pattern: Progressive Enhancement
// DO THIS - graceful degradation
function initializeWorkerPool() {
// Default to safe value
const defaultWorkers = 2;
// Only optimize if explicitly requested
const urlParams = new URLSearchParams(window.location.search);
const requestedWorkers = urlParams.get('workers');
if (requestedWorkers && parseInt(requestedWorkers) <= 8) {
return new WorkerPool(parseInt(requestedWorkers));
}
return new WorkerPool(defaultWorkers);
}
Progressive enhancement prevents fingerprinting while allowing power users to optimize if needed.
Testing for Privacy Issues
// Test whether your application contributes to fingerprinting
function testPrivacyIssues() {
const issues = [];
// Check if hardware concurrency accessed
if (Object.getOwnPropertyNames(navigator).includes('hardwareConcurrency')) {
// Not a problem by itself, but note it
}
// Check if device memory queried
if (navigator.deviceMemory) {
issues.push("Application accesses deviceMemory");
}
// Check for canvas fingerprinting
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.textBaseline = 'top';
ctx.font = '17px "Arial"';
ctx.textBaseline = 'alphabetic';
ctx.fillStyle = '#f60';
ctx.fillRect(125, 1, 62, 20);
ctx.fillStyle = '#069';
ctx.fillText('Browser fingerprint test', 2, 15);
if (canvas.toDataURL() !== precomputedCanvasHash) {
issues.push("Canvas fingerprinting detected");
}
return issues;
}
Regular privacy audits catch fingerprinting issues before deployment.
System-Level Spoof Attempts
Power users sometimes attempt to spoof hardware concurrency at the OS level:
Linux Core Hiding
# Using cgroups to limit visible cores
# Create cgroup with restricted CPU access
sudo cgcreate -g cpuset:/limited_cores
sudo cgset -r cpuset.cpus=0-3 /limited_cores # Only cores 0-3
# Run browser in this cgroup
sudo cgexec -g cpuset:/limited_cores chromium-browser
# Browser reports only 4 cores to JavaScript
# But system still uses all cores for heavy computation
This provides limited protection—JavaScript still reads the true value if restrictions are inadequate.
Virtual Machine Approach
# Use virtual machine with limited cores
# VirtualBox example
# Create VM with 2 vCPU instead of host's 8 cores
VBoxManage createvm --name "PrivacyBrowsing" --ostype Ubuntu_64
VBoxManage modifyvm "PrivacyBrowsing" --cpus 2 --memory 2048
# Run browser in VM
VBoxManage startvm "PrivacyBrowsing"
# JavaScript reports 2 cores as expected
Virtual machines provide perfect isolation but introduce performance overhead.
Tracking Fingerprint Consistency
Understanding fingerprint tracking helps identify privacy threats:
def analyze_fingerprint_tracking():
"""Analyze how fingerprints are tracked across time."""
# Scenario 1: Same browser, different sites
# Site1: fingerprint_1a
# Site2: fingerprint_1b
# If fingerprint_1a == fingerprint_1b: cross-site tracking possible
# Scenario 2: Same browser, over time
# Day 1: fingerprint_1
# Day 7: fingerprint_1 (unchanged)
# Consistency enables temporal tracking
# Scenario 3: After clearing cookies/history
# Before clear: fingerprint_1
# After clear: fingerprint_1 (unchanged)
# Fingerprint survives cookie deletion
# Hardware concurrency never changes on same device
# So it's maximally consistent for tracking
return {
"cross_site_tracking": True, # Always same value
"persistence": "until hardware upgrade",
"clearable_via": "None - truly persistent",
}
Hardware concurrency represents a permanent device identifier that survives all standard privacy practices.
Fingerprinting Resistance Testing
Test your resistance to fingerprint tracking:
# Use online fingerprinting tests
# amiunique.org - Shows your complete fingerprint
# cover-your-tracks.eff.org - EFF's test suite
# panopticlick.eff.org - Historic test
# Key metrics to monitor:
# 1. Entropy (bits) - Lower is better
# 2. Uniqueness - Percentage of unique fingerprints
# 3. Hardware concurrency reported - Should be common value
# Repeat tests across:
# - Multiple browsers
# - With/without VPN
# - In incognito/private mode
# - After browser restart
# Consistent fingerprints across tests = inadequate resistance
Related Articles
- How To Use Signal Without Phone Number Verification In Count
- Android Attestation Key Privacy What Hardware Backed Keys Re
- Best Hardware Security Key Comparison: A Developer’s Guide
- Best Hardware Security Key for Developers: A Practical Guide
- Hardware Wallet Inheritance Instructions How To Write Clear
Built by theluckystrike — More at zovo.one