Suppose that a user's browser allows an HTTPS page to run JavaScript code fetched from an HTTP URL; however, the code cannot read or write any persistent client-side state. For example, the JavaScript code cannot read or write cookies, nor can it read or write DOM storage. The browser also ensures that the attacker.com web server cannot set client-side cookies using the Set-Cookie header, or receive client-side cookies in the HTTP request for the JavaScript file.
Suppose that the user visits the website once in private browsing mode, closes the tab, and then visits the site again in regular browsing mode; in both cases, the user's web traffic goes through Tor. The attacker.com web server would like to determine with high likelihood that the same user has visited the site twice. However, the attacker does not control any Tor nodes.
Why is it unlikely that the attacker.com server can use TCP fingerprinting to identify the user? Recall that TCP fingerprinting involves looking at TCP connection parameters, such as the initial TCP window size, TCP options, TCP flags, etc.
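
The parameters named in the recall sentence, extracted from a raw TCP header, as an added example that is not part of the original question. The function names and the sample SYN bytes are constructed for illustration.

```python
import struct

# TCP option kinds (IANA registry): kind -> short name
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def parse_options(raw):
    """Walk the TCP options area and return [(name, value_bytes), ...] in order."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # end of option list
            opts.append(("eol", b""))
            break
        if kind == 1:            # NOP is a single byte with no length field
            opts.append(("nop", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        opts.append((OPTION_NAMES.get(kind, "?%d" % kind), raw[i + 2:i + length]))
        i += length
    return opts


def tcp_fingerprint(segment):
    """Return (window, flags, option layout, mss, window scale) for a TCP header."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    header_len = (off_flags >> 12) * 4   # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = "+".join(name for bit, name in FLAG_BITS if off_flags & bit)
    opts = parse_options(segment[20:header_len])
    values = dict(opts)
    mss = struct.unpack("!H", values["mss"])[0] if len(values.get("mss", b"")) == 2 else None
    ws = values["ws"][0] if len(values.get("ws", b"")) == 1 else None
    return (window, flags, ",".join(n for n, _ in opts), mss, ws)


# Constructed sample: a SYN with MSS 1460, SACK permitted, timestamp, NOP, window scale 7.
SAMPLE_SYN = (struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (10 << 12) | 0x02, 64240, 0, 0)
              + bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307"))
```

The order of the options is part of the tuple because different TCP stacks emit the same options in different orders.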