Nytro

Cookieless cookies

Posted

Cookieless cookies

There is another obscure way of tracking users without using cookies or even Javascript. It has already been used by numerous websites but few people know of it. This page explains how it works and how to protect yourself.

This tracking method works without needing to use:

  • Cookies
  • Javascript
  • LocalStorage/SessionStorage/GlobalStorage
  • Flash, Java or other plugins
  • Your IP address or user agent string
  • Any methods employed by Panopticlick

Instead it uses another type of storage that is persistent between browser restarts: caching.

Even when you have disabled cookies entirely, have Javascript turned off and use a VPN service, this technique will still be able to track you.


Demonstration

As you read this, you have already been tagged. Sorry. The good news is that I don't link your session id to any personally identifiable information. Here is everything I store about you right now:

Number of visits: 2

Last visit: Thu, 09 Oct 2014 15:34:32 +0200

Want to store some text here?

(max. 350 characters)

Go ahead, type something and store it. Then close your browser and open this page again. Is it still there?

Check your cookies, is anything there? Nope, it's all in a fake image checksum that almost no one is aware of. Saw that eye on the right top of the page? That's our tracker.


So how does this work?

This is a general overview:

[Image: etags.jpg]

The ETag shown in the image is a sort of checksum. When the image changes, the checksum changes. So when the browser has the image and knows the checksum, it can send it to the webserver for verification. The webserver then checks whether the image has changed. If it hasn't, the image does not need to be retransmitted and lots of data is saved.

Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser a unique ETag, and when they connect again it can look it up in its database.

Technical stuff (and bugs) specifically about this demo

To demonstrate how this works without having to use Javascript, I had to find a piece of information that's relatively unique to you besides this ETag. The image is loaded after the page is loaded, but only the image contains the ETag. How can I display up to date info on the page? Turns out I can't really do that without dynamically updating the page, which requires javascript, which I wanted to avoid to show that it can be done without.

This chicken and egg problem introduces a few bugs:

- All information you see was from your previous pageload. Press F5 to see updated data.

- When you visit a page where you don't have an ETag (like incognito mode), your session will be emptied. Again, this is only visible when you reload the page.

I did not see a simple solution to these issues. Sure some things can be done, but nothing that other websites would use, and I wanted to keep the code as simple and as close to reality as possible.

Note that these bugs normally don't exist when you really want to track someone because then you don't intend to show users that they are being tracked.

Source code

What's a project without source code? Oh right, Microsoft Windows.

https://github.com/lucb1e/cookielesscookies


What can we do to stop it?

One thing I would strongly recommend you to do anytime you visit a page where you want a little more security, is opening a private navigation window and using https exclusively. Doing this single-handedly eliminates attacks like BREACH (the latest https hack), disables any and all tracking cookies that you might have, and also eliminates cache tracking issues like I'm demonstrating on this page. I use this private navigation mode when I do online banking. In Firefox (and I think MSIE too) it's Ctrl+Shift+P, in Chrome it's Ctrl+Shift+N.

Besides that, it depends on your level of paranoia.

I currently have no straightforward answer since cache tracking is virtually undetectable, but also because caching itself is useful and saves people (including you) time and money. Website admins will consume less bandwidth (and if you think about it, in the end users are the ones that will have to pay the bill), your pages will load faster, and especially on mobile devices it makes a big difference if you don't have an unlimited 4G plan. It's even worse when you have a high-latency or low-bandwidth connection because you live in a rural area.

If you're very paranoid, it's best to just disable caching altogether. This will stop any such tracking from happening, but I personally don't believe it's worth the downsides.

The Firefox add-on Self-Destructing Cookies has the ability to empty your cache when you're not using your browser for a while. This might be an okay alternative to disabling caching; you can only be tracked during your visit, and they can already do that anyway by following which pages were visited by which IP address, so that's no big deal. Any later visits will appear as from a different user, assuming all other tracking methods have already been prevented.

I'm not aware of any add-on that periodically removes your cache (e.g. once per 72 hours), but there might be. This would be another good alternative for 99% of the users because it has a relatively low performance impact while still limiting the tracking capabilities.

Update: I've heard the Firefox add-on SecretAgent also does ETag overwriting to prevent this kind of tracking method. You can whitelist websites to re-enable caching there while blocking tracking by other domains. It has been confirmed that this add-on stops the tracking. SecretAgent's website.

SOURCE: Lucb1e.com :: Cookieless Cookies
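
The revalidation exchange the article describes, as an added example (not code from the article or the linked repository): a minimal browser cache talks to a server with content-derived ETags and to one that issues per-browser ETags, with an audit check that flags the second and a check that clearing the cache breaks the link. All function and class names are hypothetical, and the image bytes are constructed.

```python
import hashlib
import secrets

IMAGE = b"constructed image bytes"  # sample resource, made up for this example

def honest_server(body, if_none_match=None):
    """Content-derived ETag: every client receives the same validator."""
    etag = '"' + hashlib.sha256(body).hexdigest()[:16] + '"'
    if if_none_match == etag:
        return 304, etag, b""
    return 200, etag, body

def tagging_server(body, if_none_match=None):
    """Behaviour the article describes: the ETag is a per-browser value."""
    if if_none_match:  # a returning browser echoes the value it was given
        return 304, if_none_match, b""
    return 200, '"' + secrets.token_hex(8) + '"', body

class Browser:
    """Minimal HTTP cache: stores (etag, body), revalidates with If-None-Match."""
    def __init__(self):
        self.cache = None

    def fetch(self, server, body):
        sent = self.cache[0] if self.cache else None
        status, etag, data = server(body, sent)
        if status == 200:  # on 304 the cached copy is kept as it is
            self.cache = (etag, data)
        return sent, etag

    def clear_cache(self):
        self.cache = None

def etag_is_per_client(server, body, clients=3):
    """Audit: cold-cache fetches of identical content should share one ETag."""
    etags = {Browser().fetch(server, body)[1] for _ in range(clients)}
    return len(etags) > 1

def validator_returned(server, body, clear):
    """Does the second visit send back the ETag issued on the first visit?"""
    browser = Browser()
    _, first = browser.fetch(server, body)
    if clear:
        browser.clear_cache()
    sent, _ = browser.fetch(server, body)
    return sent == first
```

With the honest server the validator also comes back on the second visit, but it is the same for every client, so only the per-client case carries an identity; that is what `etag_is_per_client` separates.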

Posted

Very good article; you've posted 1 or 2 others that were similar but different. Maybe in the end the masses will wake up about the idea of anonymity based on hiding your IP, cookies and shit

Posted

There are other tracking methods, briefly presented in the articles I mentioned above.

Of course all of them can be countered (some very easily), but you have to know about these things.

Posted
Very good article; you've posted 1 or 2 others that were similar but different. Maybe in the end the masses will wake up about the idea of anonymity based on hiding your IP, cookies and shit

Identification is done by IP and User-Agent:

$etag = substr(sha1($secret . sha1($_SERVER["REMOTE_ADDR"]) . sha1($_SERVER["HTTP_USER_AGENT"])), 0, 18);

For now, if you change your IP + delete cookies + clear the cache, you are protected (at least from the public methods); of course there may be applets or other crazy things signed by certain authorities through which hardware serial numbers can be read, but that's life.

Off-topic: If you want to be invisible, leave the technology at home and go into an underground bunker 50-100 m deep (even being in the forest doesn't work any more; they'd find you by your heartbeat rhythm).

Posted

Go to this link:

https://panopticlick.eff.org/

1. Take the test

2. Delete cookies, change your IP, go to a café and sit with your laptop under a table.

3. Retake the test

4. Surprise

Keep in mind that this is something public.

Identification is done by IP and User-Agent:

$etag = substr(sha1($secret . sha1($_SERVER["REMOTE_ADDR"]) . sha1($_SERVER["HTTP_USER_AGENT"])), 0, 18);

For now, if you change your IP + delete cookies + clear the cache, you are protected (at least from the public methods); of course there may be applets or other crazy things signed by certain authorities through which hardware serial numbers can be read, but that's life.

Off-topic: If you want to be invisible, leave the technology at home and go into an underground bunker 50-100 m deep (even being in the forest doesn't work any more; they'd find you by your heartbeat rhythm).

Posted
Go to this link:

https://panopticlick.eff.org/

1. Take the test

2. Delete cookies, change your IP, go to a café and sit with your laptop under a table.

3. Retake the test

4. Surprise

Keep in mind that this is something public.

Cool, but it still doesn't uniquely identify you; it fits you into a pattern... If I also used that browser for everyday things, or if I went out directly with my home address, or logged into personal accounts, GLUGA could find me by user behaviour.

Anyway, if you do shady stuff and they want to find you, they download something with a 0day onto your machine and turn on your camera, grab the serial numbers of your components and "all the rest" (if they got it into the New York Times, I think they could get it into other sites too).
