v1.0.0

Threat Model

OCCLUDE's security boundary is precise: it normalizes passive network fingerprints. Understanding what falls inside and outside this boundary is essential for using it correctly.

What OCCLUDE protects against

Passive network observers who use TCP/IP parameters, TLS ClientHello fields, and HTTP/2 SETTINGS frames to identify your operating system, browser, and software stack. These observers include ISPs, nation-state surveillance systems, CDN providers, and any entity with access to your network traffic.

Specifically, OCCLUDE normalizes the fields used by tools like p0f, JA3/JA4, and Akamai's HTTP/2 fingerprinting to make your traffic indistinguishable from a large population of hosts running the same profile.

What OCCLUDE does NOT protect against

  • Application-layer fingerprinting (cookies, canvas, WebGL, fonts, audio context)
  • Active probing by an adversary who controls the server
  • IP-based identification (your exit IP is unchanged)
  • Timing-based traffic analysis
  • Endpoint compromise (malware on your machine)
  • DNS fingerprinting (resolver choice, query patterns)

Important: OCCLUDE is one layer in a defense-in-depth strategy. It should be combined with a VPN or Tor for IP privacy, and a hardened browser for application-layer privacy.

Profile consistency

Switching profiles frequently creates a new fingerprinting vector: the same IP emitting different fingerprints at different times. Pick a profile and stay with it. If you must switch, do so when your IP changes.
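
The consistency rule above can be checked against your own usage history. The following is an added example, not part of OCCLUDE: it assumes you keep a log of (timestamp, exit IP, active profile), and the log format, profile names and function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: (UTC timestamp, exit IP, active profile).
# IPs are from documentation ranges; profile names are hypothetical.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", "192.0.2.10", "profile-a"),
    ("2024-05-01T09:30:00", "192.0.2.10", "profile-a"),
    ("2024-05-01T12:00:00", "198.51.100.7", "profile-b"),  # switch with IP change: fine
    ("2024-05-02T08:00:00", "192.0.2.10", "profile-b"),    # old IP, new profile: exposed
    ("2024-05-02T10:00:00", "203.0.113.5", "profile-b"),
    ("2024-05-02T11:00:00", "203.0.113.5", "profile-a"),   # switch without IP change
]


def find_exposed_ips(events):
    """Return {ip: [(timestamp, old_profile, new_profile), ...]} for every
    exit IP that emitted more than one profile over the log's lifetime."""
    last_profile = {}              # ip -> profile most recently emitted from it
    exposures = defaultdict(list)  # ip -> profile changes an observer could see
    for ts, ip, profile in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        previous = last_profile.get(ip)
        if previous is not None and previous != profile:
            exposures[ip].append((ts, previous, profile))
        last_profile[ip] = profile
    return dict(exposures)


def safe_to_switch(events, ip, new_profile):
    """True if emitting new_profile from ip would not add a second
    fingerprint to that IP's history."""
    seen = {p for _, e_ip, p in events if e_ip == ip}
    return not seen or seen == {new_profile}


if __name__ == "__main__":
    for ip, changes in find_exposed_ips(SAMPLE_EVENTS).items():
        for ts, old, new in changes:
            print(f"{ip}: {old} -> {new} at {ts}")
```

Note the second flagged case: returning to a previously used IP after a profile switch exposes the change just as a switch made on a single IP does.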