This thread is making my head hurt.
This is half true and half not. Assuming the tracking pixel is just a 1x1 .gif file, the server sending you the file can see:
- all the headers your browser sends in the request, which include:
  - the referrer (if you haven't blocked it from being sent by your browser)
  - browser user agent (what browser, version, and OS you're using, sometimes down to the processor architecture)
- if HTTPS, the server sees what SSL cipher methods your browser supports
However, a lot of that information isn't enough to actually uniquely fingerprint your browser. Instead, the site trying to fingerprint you needs to run javascript and/or flash code to really pin you down. Using javascript and/or flash you can get:
- the list of browser plugins installed (not entirely true anymore but it used to be a big deal, and older browser versions may still do this)
- get and set browser local storage data, sort of like a more persistent cookie and with larger storage capacity. There are sites that use this legitimately as well - Holla Forums uses js local storage to store your post history so it can add the (You)s locally in your browser - the Holla Forums server itself does not necessarily have that list. Browser local storage is a good thing in this case because it allows your post ID history to remain solely on your browser and not be sent to anybody.
- get browser client area resolution. This is the width and height of the visible area of the webpage, so if you use an uncommon screen resolution or have your browser toolbars sized in a somewhat unique way, that also reduces your entropy.
- canvas element fingerprint, which is a particularly sneaky attack. There's an HTML element called "canvas" that allows js code to draw images inside the browser. There are plenty of legitimate uses - almost all js based browser games use canvas to draw the game graphics. Sites like soundcloud use canvas to load small thumbnail images and upscale them + blur them while the larger full image loads. However, there are ways to issue a consistent set of canvas drawing commands, but based on a variety of factors, each individual browser may draw them slightly differently. These are things like screen resolution, your OS's font rendering preferences, whether your browser supports certain types of canvas graphics well or not, and so forth. Canvas fingerprinting by itself is capable of almost uniquely fingerprinting each internet user, especially in combination with the other factors. Browser plug-ins like CanvasBlocker are very useful in this respect.
- VPN de-anonymization through WebSocket or WebRTC requests. These are methods for javascript code to open a remote connection to another server, sometimes capable of bypassing proxy or VPN protection and causing your private IP address to leak. This can also be used in conjunction with DNS leaks - for example, if a WebRTC request connects to a malicious site like "hotwheelsisdisabled.com" and you're not using a DNS server provided by your VPN provider, the malicious site can log DNS requests and unveil your private IP address. uBlock Origin has a setting that allows you to disable harmful WebRTC requests, but correct VPN configuration goes a long way in mitigating this itself.
Long story short, if you have javascript totally disabled the tracking pixel can only see a little bit of information. It's enough to figure out what site you came from if you're running a vanilla browser with very lax security settings, and know your IP address, but it's not enough to put together a unique browser fingerprint. That requires javascript execution. If you're using something like uBlock Origin + uMatrix, I'd suggest setting your uMatrix prefs to allow only css and images to load from 1st party and forcibly block everything else by default. You can then selectively enable specific sites to load that information, as well as javascript and xhr requests, and effectively whitelist only the sites you trust. A properly configured uMatrix setup would not expose you to a malicious archive.is page whatsoever.
Looks like I really need to write up a proper Holla Forums infosec post since nobody seems to be able to explain this stuff or write up a good howto. Certainly the people that claim they are Holla Forums are very assmad and like to rant about the mods instead of actually helping their fellow anons.
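
An added illustration of the distinction drawn in the post above (not part of the original post): over a constructed eight-visitor sample, it measures how many visitors share one fingerprint when only pixel-visible headers are used versus when script-collected viewport and canvas values are included. All field names and values are made up for the example and are not measurements.

```javascript
// Constructed sample: eight visitors loading the same pixel from the same page.
// ua and referrer arrive in the request headers; viewport and canvas are
// values a script would have to collect. All values are made up.
const visitors = [
  { ua: "Firefox/Win10", referrer: "siteX", viewport: "1920x947", canvas: "c1" },
  { ua: "Firefox/Win10", referrer: "siteX", viewport: "1920x947", canvas: "c2" },
  { ua: "Firefox/Win10", referrer: "siteX", viewport: "1903x969", canvas: "c1" },
  { ua: "Firefox/Win10", referrer: "siteX", viewport: "1903x969", canvas: "c2" },
  { ua: "Chrome/Linux", referrer: "siteX", viewport: "1920x947", canvas: "c3" },
  { ua: "Chrome/Linux", referrer: "siteX", viewport: "1920x947", canvas: "c4" },
  { ua: "Chrome/Linux", referrer: "siteX", viewport: "1280x671", canvas: "c3" },
  { ua: "Chrome/Linux", referrer: "siteX", viewport: "1280x671", canvas: "c4" },
];

const HEADER_FIELDS = ["ua", "referrer"];
const WITH_VIEWPORT = [...HEADER_FIELDS, "viewport"];
const WITH_CANVAS = [...WITH_VIEWPORT, "canvas"];

// Group visitors by the chosen fields; each group is an "anonymity set" of
// visitors the server cannot tell apart using those fields alone.
function anonymitySets(records, fields) {
  const sets = new Map();
  for (const r of records) {
    const key = fields.map((f) => r[f]).join("|");
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Summarize how identifying a field set is: Shannon entropy of the fingerprint
// in bits, size of the smallest group, and how many visitors are singled out.
function summarize(records, fields) {
  const counts = [...anonymitySets(records, fields).values()];
  const n = records.length;
  const entropyBits = counts.reduce((h, c) => h - (c / n) * Math.log2(c / n), 0);
  return {
    distinct: counts.length,
    smallestSet: Math.min(...counts),
    uniqueVisitors: counts.filter((c) => c === 1).length,
    entropyBits,
  };
}

for (const [label, fields] of [["headers only", HEADER_FIELDS],
  ["+ viewport", WITH_VIEWPORT], ["+ canvas", WITH_CANVAS]]) {
  console.log(label, summarize(visitors, fields));
}
```

In this sample the header-only view leaves every visitor hidden in a group of four, and only the script-collected canvas value singles each one out.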