> the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (ex cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.
In theory, this would be a rich landscape for an entirely different abstraction layer for fingerprinting… However, I am skeptical that the typical fingerprinting tool chains are receiving data that reaches that far down in the stack…
Also TCP timestamp if the network stack doesn't apply a randomized offset. As of 4.10 Linux added randomization; no idea about others.
Getting a bit farther out there, CPU clock skew can be derived from the (randomly offset) TCP timestamps. That varies with temperature and thus load so it can be used to pick out otherwise indistinguishable traffic streams originating on the same physical host.
Back in the realm of commonly employed techniques, higher levels of the networking stack are fingerprinted in the wild. https://blog.cloudflare.com/ja4-signals/
Moving even farther up, the human interaction streams themselves are commonly fingerprinted. I realize that's a bit of a tangent but OP had suggested that fingerprints had short half lives and this is a very strong counterexample that I failed to mention earlier. https://www.whonix.org/wiki/Keystroke_and_Mouse_Deanonymizat...
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (ex cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.