Slashdot Mirror


Tracking Users Via the Browser's Cache

Mukund writes to point us to an article he has written about a method of tracking using the browser cache instead of cookies. A demonstration shows that tracking can remain continuous if you clear only cookies or only the cache, but not both. (Firefox's Clear Private Data tool can be set to clear both when closing the browser.)

124 comments

  1. Pretty clever.. by CTho9305 · · Score: 5, Informative

    For those of you who aren't going to RTFA, basically you send a JS file with a unique ID and tell the browser to cache it... then any page that includes that JS script gets your unique ID... even if you disallow all cookies.
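
The scheme summarised above, modelled in memory to show why clearing only cookies or only the cache leaves the identifier intact (an added example, not code from the linked article or from any commenter). `Tracker`, `Browser`, `/id.js` and the `uid` cookie are hypothetical names, and the rule that the server reuses an ID it receives in a cookie is an assumption.

```javascript
// Added illustration: in-memory model of cache-based tracking and of what
// clearing cookies and/or the cache does to it. Nothing here touches a network.
// Hypothetical names: Tracker, Browser, "/id.js", cookie "uid".

class Tracker {
  constructor() {
    this.nextId = 1;
    this.hits = 0; // requests that actually reached the server
  }

  // Called only on a cache miss. Assumption: if the browser still sends the
  // "uid" cookie, the server bakes that same ID into the new script body.
  serveIdScript(cookieUid) {
    this.hits += 1;
    const id = cookieUid || `u${this.nextId++}`;
    return { body: id, cacheable: true };
  }
}

class Browser {
  constructor(tracker, { cookiesEnabled = true } = {}) {
    this.tracker = tracker;
    this.cookiesEnabled = cookiesEnabled;
    this.cache = new Map();
    this.cookies = new Map();
  }

  // Load any page that includes <script src="/id.js">; returns the ID it sees.
  visit() {
    let id = this.cache.get('/id.js');
    if (id === undefined) {
      const resp = this.tracker.serveIdScript(this.cookies.get('uid'));
      id = resp.body;
      if (resp.cacheable) this.cache.set('/id.js', id);
    }
    // The cached script runs and writes its ID back into the cookie jar.
    if (this.cookiesEnabled) this.cookies.set('uid', id);
    return id;
  }

  clearCookies() { this.cookies.clear(); }
  clearCache() { this.cache.clear(); }
}

// Replays a list of steps against a fresh browser; returns the ID seen per visit.
function runScenario(steps, options) {
  const browser = new Browser(new Tracker(), options);
  const seen = [];
  for (const step of steps) {
    if (step === 'visit') seen.push(browser.visit());
    else if (step === 'clearCookies') browser.clearCookies();
    else if (step === 'clearCache') browser.clearCache();
    else throw new Error(`unknown step: ${step}`);
  }
  return seen;
}

// True when every visit in the scenario was linked to the same identifier.
function stillTracked(steps, options) {
  const seen = runScenario(steps, options);
  return seen.every((id) => id === seen[0]);
}

const SCENARIOS = {
  'clear cookies only': ['visit', 'clearCookies', 'visit'],
  'clear cache only': ['visit', 'clearCache', 'visit'],
  'alternate, never both at once':
    ['visit', 'clearCookies', 'visit', 'clearCache', 'visit'],
  'clear both together': ['visit', 'clearCookies', 'clearCache', 'visit'],
};

for (const [name, steps] of Object.entries(SCENARIOS)) {
  console.log(`${name}: ${stillTracked(steps) ? 'still tracked' : 'link broken'}`);
}
```

With cookies disabled entirely (`{ cookiesEnabled: false }`) the cache is the only store, so clearing the cache alone breaks the link.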

    1. Re:Pretty clever.. by corychristison · · Score: 3, Interesting

      But what if the user has disabled Javascript? Then this method would be useless, no?

    2. Re:Pretty clever.. by Feyr · · Score: 1

      proxies are going to wreak havoc on this scheme :)
      still a nice trick though

    3. Re:Pretty clever.. by MarkRose · · Score: 5, Funny

      Well if anyone tosses their cookies in my java, I, for one, am sure not going to drink it!

      --
      Be relentless!
    4. Re:Pretty clever.. by icepick72 · · Score: 1

      Actually, yes.

    5. Re:Pretty clever.. by userlappy · · Score: 3, Funny

      Even chocolate chip?

      You're missing out!

    6. Re:Pretty clever.. by Zonnald · · Score: 1

      Whoosh! I for one love Chocolate Chip, have for over 40 years, but I never could stomach regurged chocolate chip.

    7. Re:Pretty clever.. by Breakfast+Pants · · Score: 4, Interesting

      Sure, but they could just put a small iframe to foo.html and mark that page as cacheable, on that page have a small image, dynamically generated, to [unique_id].gif and mark the image uncacheable on your server. Now when you visit, your cached copy of foo.html tries to download [unique_id].gif every visit.

      --
      WHO ATE MY BREAKFAST PANTS?
    8. Re:Pretty clever.. by mTor · · Score: 2, Informative

      Exactly. That's why I use NoScript... and everyone else should too! Get it and you'll eliminate all kinds of attacks.

    9. Re:Pretty clever.. by TheLink · · Score: 3, Informative

      It'll be useless.

      But do a search on "Timing attacks on Web privacy".

      ALSO, I don't think you even need to use timing attacks because a browser that caches that has stuff cached will behave differently from a browser that caches but doesn't have stuff cached. Pretty obvious isn't it?

      There is no way around that except to use a browser that doesn't cache at all - which will affect browsing performance. For slightly less privacy you can use a browser that always starts in the same state for each browsing session.

      AND even if you use such a browser, if you have a distinctive browsing pattern and fingerprint, people could still identify you.

      e.g. you use a noncaching, no-js browser, with a fake User-Agent (says it's IE but behaves like Firefox), and you start browsing with a particular site first at a certain time followed by another site etc - or you load a particular bunch of sites in the morning (opened in tabs). Could get quite distinctive ;).

      But there are far more important things that people should be worried about. What their government is doing for instance.

    10. Re:Pretty clever.. by fm6 · · Score: 2

      Well, I did RTFA, and I wish I'd been lazy for once. The dude takes 3 or 4 long paragraphs to say what you said in a single sentence. I am so tired of Slashdot stories where TFA is a half-witted rant by some blogger who flunked Freshman English.

    11. Re:Pretty clever.. by dotgain · · Score: 1

      "... at the current rate of growth, it is estimated that by 2010, 'toss' will have as many as 16,000 meanings"

    12. Re:Pretty clever.. by baadger · · Score: 2, Informative

      Another approach to try and prevent this might be to get the browser not to send conditional GET requests *at all* and to just reload silently from cache.

      This however would of course mean that everyone has to make sure their webpages are properly cacheable with reasonable (perhaps dynamically generated) expiry dates.

      The nature of HTTP and the web make it very difficult to remain totally untrackable; all you can really do is prevent the worst of it.

    13. Re:Pretty clever.. by OldManAndTheC++ · · Score: 1

      "Well if anyone tosses their cookies in my java, I, for one, am sure not going to drink it!"

      Not even for cache?

      --
      Soylent Green is peoplicious!
    14. Re:Pretty clever.. by x2A · · Score: 1

      But why bother even visiting a website where you distrust its creators so much as to need to employ such methods against them?

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    15. Re:Pretty clever.. by Ed+Avis · · Score: 1
      "Another approach to try and prevent this might be to get the browser not to send conditional GET requests *at all* and to just reload silently from cache."
      Back when I used a modem I had the wwwoffle proxy server set to always use cached pages whenever possible - the only way to get an updated version from the site was to hit Reload. It was nice and fast, and sometimes useful to be able to still browse a site that had disappeared in the real world, although on hitting Reload your precious page would disappear.
      --
      -- Ed Avis ed@membled.com
    16. Re:Pretty clever.. by RAMMS+EIN · · Score: 1

      Unless you use a browser that doesn't need an extension for that, e.g. Konqueror.

      --
      Please correct me if I got my facts wrong.
    17. Re:Pretty clever.. by jesuscyborg · · Score: 1

      NoScript eh? That is a very angry looking "S"

    18. Re:Pretty clever.. by TheLink · · Score: 1

      Not sending "conditional gets" won't prevent my proposed method from working since that method involves an item/url that is marked as cacheable that causes the loading of another item/url that is marked as noncacheable.

      When the browser first loads the cacheable item, it will get a unique cacheable item which points to a unique noncacheable item.
      Thereafter if it is "properly behaved" it will keep loading the same unique noncacheable item every time it is pointed to the cacheable item.

      The trick of course is to get around the "F5 refresh" problem - because if the browser is forced to fully refresh the cacheable item it could get a different unique string. But of course, in most cases the user is the one who requests that, so by that time you should have identified the browser (by IP and other characteristics) and thus the page being forced to serve up the "cacheable item" should serve the same id to that browser.

  2. An interesting idea by FonzCam · · Score: 3, Interesting

    But seriously most people leave cookies on and those who know to turn them off are probably the sort of people who regularly clear their cache. The percentage of users you could target with this would be very small for the effort required. If tracking user usage is that important to you then just refuse to serve the page with cookies disabled.

    1. Re:An interesting idea by shird · · Score: 2, Informative

      Except IE6+ has a default setup to block cookies from being set by sites other than the one you are on, cross domain cookies or whatever they're called. ie. banner ads that set cookies etc.

      --
      I.O.U One Sig.
    2. Re:An interesting idea by jp10558 · · Score: 1

      Wouldn't someone figure out how this works and write a proxomitron filter, userJS and/or Greasemonkey script to kill it, forget about those who care and run with JS off and turn it on in site specific prefs, use NoScript or something similar in proxomitron?

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
  3. Requires Javascript to work. by Elgonn · · Score: 3, Interesting

    So it still doesn't work on some of us.

    1. Re:Requires Javascript to work. by misleb · · Score: 4, Funny

      That's OK because the browsing habits of the type of people who turn off Javascript are not particularly interesting anyway. So it all works out.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    2. Re:Requires Javascript to work. by jZnat · · Score: 1

      I'm sure you'd find just as many porn sites in their history as users who blindly enable JS for everything.

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    3. Re:Requires Javascript to work. by misleb · · Score: 1

      Keep in mind that we're not talking about raw, unfiltered browsing history or a complete dump of the cache. We're talking about a single thread of tracking. Like you visit one site which puts the said javascript in your cache and later visit another site which references the same item and they knew you were at the first site. They can't read your whole history.

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    4. Re:Requires Javascript to work. by ArsenneLupin · · Score: 1
      "I'm sure you'd find just as many porn sites in their history as users who blindly enable JS for everything."

      ... but it would be the other kind of porn ;-) Think about why they disabled javascript and cookies in the first place!

      Funny thing: my captcha for this post was backside. I kid you not!

  4. Seems a bit paranoid by Anonymous Coward · · Score: 2, Informative

    Regarding Sourceforge/Google. Did he consider that Google's automated email may have gone to sourceforge alias which was then forwarded to his email address?

    1. Re:Seems a bit paranoid by chrisd · · Score: 4, Informative
      That is indeed what we do, send the confirmation email to the blah@sourceforge.net alias. We do -not- have the translated email addresses and thus the only information we are using is that which is displayed on the project home on SF.

      --
      Co-Editor, Open Sources
      Open Source Program Manager, Google, Inc.
    2. Re:Seems a bit paranoid by mukund · · Score: 4, Informative

      Hi Chris

      I did receive the email on my sourceforge.net address. My problem was not with which email address I received the mail at. I don't see why I have to be contacted for a Google service, when my subscription is with Sourceforge.net.

      Don't take this the wrong way. I have used Google services for a very long time, but I think this is a bad precedent. Picking up an email address in an automated way from a website and mailing me about your services, when I haven't asked for it is as good as what a spammer would do. And the email suggested you had a table of projects, which made me assume Sourceforge shared this with you. If Sourceforge.net didn't and you can attest that I'll edit out that part of my article (I would not want to blame Sourceforge for something that they didn't do).

      To the parent poster: This may seem paranoid.. some other poster suggested the same to the other Canonical-Debian issue too (on the other blog). When something is not right, it simply needs to be questioned. That's all.

      Kind regards,
      Mukund

      --
      Banu
    3. Re:Seems a bit paranoid by rossturk · · Score: 4, Informative

      Mukund:

      We provided Google with a list of registered project names on SourceForge.net to allow future integration between the open-source repositories with minimized namespace conflicts.

      The email you saw, if I am not mistaken, was generated when someone tried to create a project at Google with the same name as a SF.net project you belong to.

      Unless I am very mistaken about Google's intentions (and I don't think I am), your email address was not picked in an automated way. It was a direct result of an action that was relevant to you, specifically. That may or may not make it seem any better to you, but I don't find it particularly nefarious. Rather, I think it's good that Google and SourceForge are working together to protect your interests..

      Ross Turk
      SourceForge.net

      --
      -- May cause nausea, headaches, and interference with electronic devices.
    4. Re:Seems a bit paranoid by Anonymous Coward · · Score: 0

      "Rather, I think it's good that Google and SourceForge are working together to protect your interests.."

      This is the exact reason given for the majority of private data sharing cases. I do not doubt that this was done for what you believe are project users' best interests (I'm not being sarcastic). And I did state that this may well fall within your TOS.

      My issue with the email was that I got an email from a 3rd party about my Sourceforge.net account. If it were anyone else, I might just well have ignored it, but I look up to Sourceforge.net and Google as companies which set examples for others to follow. And IMHO, this is simply a bad precedent, because this's the type of data sharing that makes private data get out into other hands. I was not impressed in getting an email from a 3rd party which identified my project with me.

      If anything, Sourceforge should have asked me if I wanted this data (records relevant to me) shared with Google's code hosting, making a list of those which do and sharing that. That would be protecting my interests. Sourceforge already sends out emails for other causes to its users, and I wouldn't have minded an email about this with a link to set my preference, and you then make a list out of those who have expressed interest in reserving the same names, by having their data shared with Google. This email would come from Sourceforge, which is relevant to my account. But then I guess your TOS already allows such data sharing to happen.

      I told this to Chris as well and I'll tell you this: I don't dislike Sourceforge.net or Google. I want them to do the right thing, as that's the level of service I expect.

      Kind regards,
      Mukund

    5. Re:Seems a bit paranoid by Anonymous Coward · · Score: 0

      I'm just a disinterested third party reading this, but I have a question:

      Suppose Google hadn't been checking for dupes, and as an anonymous user of your sourceforge project, I noticed a project on Google with the same name, but it's not the same project. If I were to then notify you via your sourceforge email account about the situation, would you have a similar reaction to that? How would that be so much different from your protest: "My issue with the email was that I got an email from a 3rd party about my Sourceforge.net account." other than the fact that it would be too late for you to do anything about it. I'm also curious whether or not you allowed the other project on Google to share your sourceforge project name.

      Aren't sourceforge projects and associated contact email addresses publicly available through their website? Couldn't Google (or any other party) have simply scraped that if they wanted to? I'm wondering why they asked sourceforge for a list in the first place -- seems like they could have asked googlebot, which would allow them to continually maintain an up-to-date list.

    6. Re:Seems a bit paranoid by rossturk · · Score: 1

      There are projects on SourceForge.net that are in a holding, pending, or otherwise non-public state. We wanted to make sure that the namespace was also protected for projects that are not viewable.

      Besides, this way we get greater data integrity. There's no great way to screen-scrape the entire project list. The Software Map only gets projects that have categorized themselves, and there's no "show all projects" feature since it would surely cause a PHP timeout. ;)

      Ross

      --
      -- May cause nausea, headaches, and interference with electronic devices.
    7. Re:Seems a bit paranoid by Bob+Uhl · · Score: 1

      I'm pretty certain that sf.net email addresses/project associations are public.

  5. NoScript Extension by rdwald · · Score: 4, Informative

    Saved by NoScript again. If you're not using it, you really should; it can block exploits before anyone knows they exist! (Since they may require JavaScript, and this would block them. My statement is strictly true.)

    1. Re:NoScript Extension by Anonymous Coward · · Score: 0

      NoScript is great. Hear hear!

    2. Re:NoScript Extension by ShakaZ · · Score: 3, Insightful

      I agree that NoScript is a must have and would by default block this tracking method... However let's imagine it's integrated in a website for which you have enabled javascripts, then you're f@cked... and from my personal experience it looks like every day there are more sites which you can't use correctly with scripts disabled

    3. Re:NoScript Extension by Anonymous Coward · · Score: 0

      Depends on the site. That's why I would've preferred that the authors of NoScript utilized a blacklist (as opposed to a whitelist). There's no legitimate need for JavaScript on a site like Myspace--it should be blocked. Nor is there a need for JavaScript on Yahoo (disabling it makes for a faster and more enjoyable experience!)

    4. Re:NoScript Extension by rdwald · · Score: 1

      A whitelist is strictly better than a blacklist in this context. Out of the box, NoScript will block Yahoo, MySpace, and any number of other sites which shouldn't get JavaScript. In fact, it'll only allow JS on sites you explicitly allow. How is that worse than a blacklist? The only problem with a whitelist is that you need to change settings to make stuff work (for your bank, or whatever), but I feel more comfortable only needing to change settings when I know there's a problem, rather than when I don't.

    5. Re:NoScript Extension by Anonymous Coward · · Score: 0

      That's why I like the NoScript ability to temporarily enable javascript for a website because if it doesn't add features that could and should be done with basic html/xml/css then I don't need to visit there again.

    6. Re:NoScript Extension by zippthorne · · Score: 1

      erm.. but with a blacklist, you'd have to disallow just about every site you visit as opposed to the current whitelist version which allows for the very few sites that need it. Further, there's the UI issue: how do you implement a blacklist that blocks javascript from malicious or just sloppy sites before you've visited the site and told it to block it?

      --
      Can you be Even More Awesome?!
    7. Re:NoScript Extension by rapidweather · · Score: 1

      I am trying it now using Mozilla Firefox version 2.0b2 running in my knoppix remaster (see screenshots, below).

      Here is my brief description for those who have not tried it:
      The extension shows a bar at the bottom of the browser when one goes to a website, showing the status of the blocker. Then, if it is something like etrade.com, and you want to work with it, you can easily allow it. One can close the bar when on a page, and the NoScript icon remains at the bottom right of the browser window. If you click on it and then "options", you get a nice options dialog that shows the current sites you have worked with. The "S" icon is covered with a red "blocking" cross if the page's scripts have been blocked, at least partially.

      It does keep you busy controlling those incoming scripts, especially if a page does not render correctly, and you feel safe in allowing the page's scripts into your system. Lots of fun working with it, but this is a serious subject, controlling access to your computer.

      --Rapidweather

    8. Re:NoScript Extension by Anonymous Coward · · Score: 0

      your only choices are greasemonkey or a magical proxy.

      basically you either have to rewrite the content as it comes across the wire or you have to change the engine model to behave "differently".

      both are definitely possible using gecko. i've worked for places which did both.

      note that of course either system requires someone to somehow decide what changes to make. for greasemonkey, there's opera's userjs repository which is specific enhancements to either streamline or unbreak sites. (i'm sure greasemonkey has their own similar sets of repositories.)

      for the wire changes, you'll probably want to rely on a project to come from ibm or google (or microsoft if you trust them) where they manage the proxy for you and somehow evolve rewriting rules. and by the way if you use a proxy you'll basically have to let the proxy install its own SSL certificate that allows it to identify itself as *all* services (probably involving its own trusted root certificate, where the server actively generates new certificates for all web sites). yes that means the service you pick (ibm, google, microsoft) will be *reading* your decrypted ssl traffic, because in order for such a service to work, it will have to be a trusted man in the middle. otherwise someone just uses https: to get around your lame-magical proxy.

      this would of course mean that if there's a misconfigured cert on the remote web site, you'll probably have to get a page from your proxy explaining how broken it is. currently your web browser does a bad job of either explaining that the server cert is confused/broken, or a worse job of explaining why it refused to go to the site at all.

    9. Re:NoScript Extension by x2A · · Score: 1

      "However let's imagine it's integrated in a website for which you have enabled javascripts, then you're f@cked"

      Only if you frequent websites that are trying to f@ck you. If you are, perhaps you should look at your own browsing habits.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    10. Re:NoScript Extension by Fulkkari · · Score: 1

      Well, uh. Blocking JavaScript will only block this particular implementation of tracking, but it won't fix the problem. And please stop sending this Firefox propaganda here. It is not informative, as pretty much everyone here is already aware of the extension mentioned. Why are these comments modded up?

      --
      I demand the Cone of Silence!
  6. Then it should read... by MacDork · · Score: 3, Insightful

    Javascript can compromise anonymity! ... Wow. ... What else is new? I mean, even if this particular story hasn't been referenced, I think this could qualify as a dupe ;-)

  7. Serious question by Tibor+the+Hun · · Score: 1, Insightful

    How often does an average Slash reader close his Firefox window?

    (I ask because I leave my Deer Park and Safari windows opened for months.)

    --
    If you don't know what AltaVista is (was), get off my lawn.
    1. Re:Serious question by WilliamSChips · · Score: 1, Funny

      Very rarely. Usually when installing an extension.

      --
      Please, for the good of Humanity, vote Obama.
    2. Re:Serious question by Feyr · · Score: 4, Interesting

      a couple of days, then it usually crashes/gets so slow it's unusable and i have to restart it

    3. Re:Serious question by mini+me · · Score: 1

      I close all of the windows often, but leave the application running all the time.

    4. Re:Serious question by Anonymous Coward · · Score: 0

      I press Ctrl+Shift+Delete every hour or so.

    5. Re:Serious question by cheater512 · · Score: 1

      Whenever the power fails. That's very rarely.

    6. Re:Serious question by mackyrae · · Score: 1

      Not usually more than a few hours--overnight at the most. I'm always turning it off when going to classes or at least disconnecting the internet and "sleep"ing it.

      --
      look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
    7. Re:Serious question by Anonymous Coward · · Score: 0

      I actually close my browser quite often. Usually when my browsing session is done? I really don't like leaving apps running on my box if I'm not using them. I also clear my cache and cookies after every browsing session. I've been doing that since the late 90's! So it's nothing new to me...

    8. Re:Serious question by Fred_A · · Score: 1

      Almost never, Firefox closes when I log out which mostly only happens when I decide to play a game and have to reboot. I rarely had memory/performance issues with it.

      --
      May contain traces of nut.
      Made from the freshest electrons.
    9. Re:Serious question by treeves · · Score: 1

      Don't know about average but I close ff every night, before unplugging from the network.
      More often if too many tabs lock it up and force me to.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
  8. In other news by $RANDOMLUSER · · Score: 3, Insightful

    You can have total anonymity or marginal functionality. Since HTML alone offers almost nothing in the way of functionality (beyond rendering) you need something more (JavaScript, Java, Flash, ActiveX (arguably in ascending order of dangerousness)) to provide even rudimentary functionality. If I'm really so tinfoil-hat that I'm worried about my browser cache betraying what I'm up to, I probably need some medication and/or an air-gap between me and the Internet(s).

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:In other news by ResidntGeek · · Score: 2, Insightful

      What? How is it paranoid if a method is demonstrated to allow you to be tracked through your cache? You think people won't use this? Do you think only people with tinfoil hats think advertising companies have been tracking people on the web for over a decade? I'm honestly confused, please explain yourself. By the way, if you clear your cache and cookies often, you CAN have both anonymity and functionality.

      --
      ResidntGeek
    2. Re:In other news by $RANDOMLUSER · · Score: 1

      I didn't say you were paranoid, you must have imagined that.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:In other news by ResidntGeek · · Score: 1
      "If I'm really so tinfoil-hat that I'm worried about my browser cache betraying what I'm up to, I probably need some medication and/or an air-gap between me and the Internet(s)."


      You're right, you didn't say paranoid, you said tinfoil-hat. And my imagination has been systematically sterilized by the American school system, so there's no danger of me imagining things.
      --
      ResidntGeek
    4. Re:In other news by Anonymous Coward · · Score: 0

      Off the top of my head I could tell you at least one similar method which works without active content.

    5. Re:In other news by $RANDOMLUSER · · Score: 1

      OK, I tease, and you come up with a cute ("systematically sterilized"/"no danger of imagining") answer.
      Seriously. I live in a state (Illinois) where you have those radio transponder thingies for the toll roads. I can use them, and ponder that the owners (the state) of the system are tracking which (and when) gates I go through, or I can wait longer in the cash-only lines (ignoring the fact that they've got cameras on my license plates anyways), or I can imagine that "they" have "satellites" tracking my every movement; or I can stay off the toll roads altogether. The choice is mine.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    6. Re:In other news by ResidntGeek · · Score: 1

      Wait... I'm really tired, and I can't tell if I'm missing another joke, so forgive me if I am.

      I used to live in Florida, and used the radio transponder thingie for toll roads. I know the owners were tracking me, because I could view all the gates I'd gone through in the past month. I think you're drawing the line between knowledgeable and paranoid a bit off the mark.

      --
      ResidntGeek
    7. Re:In other news by x2A · · Score: 1

      "Do you think only people with tinfoil hats think advertising companies have been tracking people on the web for over a decade?"

      No, just that only people with tinfoil hats /care/ that advertising companies are tracking people. Not everyone has the level of self-shame where they feel the need to hide what they're doing.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
  9. Old news by christo · · Score: 5, Informative

    Move on folks, there's nothing to see here.

    This was done last year, by these guys: Browser Recon @ Indiana University

    Defenses against this, and other attacks have been created and deployed through two firefox extensions
    put out by Stanford University: Safe History and Safe Cache

    This stuff ain't new.

    1. Re:Old news by ExcalHM · · Score: 1

      Yeah... it's pretty old news... although I know very few who this actually works for.

    2. Re:Old news by The+MAZZTer · · Score: 4, Informative

      Wow that's even scarier than this one in the story. Yours only needs CSS.

      It stems from the whole idea of marking links "visited". CSS attributes can be applied to visited links to set them apart from unvisited ones. The page in your example uses CSS to tell the browser to request a page from the server if a link is visited. This page, when loaded, knows that the load means you visited the website in the link.

      The worst thing is that this is a perfectly legitimate use of CSS by current w3 standards. A preventive measure for browser vendors may be to not allow any external resources to be used in :visited CSS.
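
One way a site operator or filtering proxy could audit a stylesheet for the pattern this comment describes, a `:visited` rule that pulls in an external resource (an added example, not code from the thread or from the Indiana or Stanford projects). `findVisitedLoads` and the sample stylesheet are constructed for illustration, and the parser handles flat rules only, with no nested at-rules.

```javascript
// Added illustration: flag CSS rules whose selector uses :visited and whose
// declarations reference a fetchable resource through url().
// Hypothetical helper names; SAMPLE_CSS is constructed, not taken from any site.

function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Returns one finding per url() found under a :visited selector.
function findVisitedLoads(css) {
  const findings = [];
  const source = stripComments(css);
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g; // selector list { declarations }
  let rule;
  while ((rule = ruleRe.exec(source)) !== null) {
    // Keep only the selectors in the list that actually mention :visited.
    const visited = rule[1]
      .split(',')
      .map((s) => s.trim())
      .filter((s) => /:visited\b/i.test(s));
    if (visited.length === 0) continue;

    for (const decl of rule[2].split(';')) {
      const colon = decl.indexOf(':');
      if (colon < 0) continue;
      const property = decl.slice(0, colon).trim().toLowerCase();
      const value = decl.slice(colon + 1);
      for (const m of value.matchAll(/url\(\s*(['"]?)(.*?)\1\s*\)/gi)) {
        const url = m[2];
        // data: URIs are embedded in the stylesheet and cause no request.
        if (/^data:/i.test(url)) continue;
        findings.push({ selector: visited.join(', '), property, url });
      }
    }
  }
  return findings;
}

// Constructed sample: two rules leak a visit, the others are harmless.
const SAMPLE_CSS = `
/* site theme */
a { color: blue; }
a:visited { color: purple; }
#bank:visited { background: url("http://tracker.example/seen?site=bank"); }
a.news:hover, a.news:visited { list-style-image: url(/hit/news.gif) }
a:link { background: url(/img/arrow.png); }
`;

for (const f of findVisitedLoads(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.property} loads ${f.url}`);
}
```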

    3. Re:Old news by jZnat · · Score: 1

      Oh my, I never thought of tracking like that. Ouch...

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    4. Re:Old news by Anonymous Coward · · Score: 0

      Yeah except you have to explicitly ask about each URL to find out if it's been visited. Unless you're looking for something very, very specific it's pretty useless.

    5. Re:Old news by Anonymous Coward · · Score: 0

      That's a pretty different mechanism here: your story inspects the browser history, while TFA uses the cache, which is certainly a more powerful attack -- many privacy tools don't clear the cache automatically because it provides a useful speedup when reloading a website (convenience over security anyone?). In addition while it is immediately visible to the user whether the history has been cleared, there is no visible clue if the cache has not been cleared, making it far less obvious to the user that there is a privacy breach.

      TFA's method is also quite robust, since Javascript is not even needed: you might just as well use CSS by loading a uniquely-identifying image as a background image...

    6. Re:Old news by Anonymous Coward · · Score: 0

      It's a pretty clever trick, although unlike the method presented in TFA it could easily be mitigated in future browsers by systematically prefetching the contents of :visited CSS even though the link was never visited -- plus, aside from security, it might be useful to prefetch it anyway should the link become :hovered or :visited later on... So I predict that this will become a non-issue in a few years, at the least in the security-conscious browsers like Firefox.

      On the other hand, apart from either clearing the cache regularly or pooling together the caches from a huge number of people (e.g. by proxying at the ISP level), I really don't see any way of getting around the attack from TFA, which is much more worrying...

    7. Re:Old news by TheLink · · Score: 1

      There was an even older published idea that involved caching of images and timing stuff - I can't find the link at the moment - but it did get mention on a fairly mainstream tech site I think.

      But anyway, I'm not sure why this is such a big deal - this is pretty old and obvious stuff. In general terms if the browser has stuff cached it will behave differently from a browser that doesn't have stuff cached.

      Just a bit of thinking and you can come up with many ways to distinguish between the different browsers that visit a bunch of pages.

      You could send a cacheable page/file/URL to each user (always the same URL), which causes another page/file/url to load (with a unique URL) that's marked as not cacheable. And then you link to the first cacheable URL in all your pages.

      I believe most browsers support frames and other stuff. I don't think Javascript and CSS are required at all.

      BTW, there are also some naughty things you can do with tinyurl type sites, given that various sites are often blocked or restricted but the tinyurl sites aren't.

      Anyway, if you're paranoid just browse using a virtual machine ("browser appliance" VM?) and rollback after each session. If enough people are using the same _identical_ virtual machine image to browse, then it gets pretty hard to distinguish amongst them...

    8. Re:Old news by Anonymous Coward · · Score: 0

      Hey, thanks for the links to those undocumented pages that offer to INSTAL NOW.

      We need more of those. The last FF extension I installed was No-Script and well how disappointed I was when I found out it was actually legitimate.

      We NEED more blind help links like those links to increase the percentage of infected and destroyed machines.

      And there are probably some who actually installed them. And I was fool enough to look at them. But I will be safe 'cause I set my cache to 1k.

      Really now..... :):):):)

  10. Re:How websites block dissident political posters by McGiraf · · Score: 1, Insightful

    "This is how various forums/websites block dissident political posters (sites such as slashdot, metafilter, DU, FR, Fark, etc., all block dissident political posters, otherwise they would not get as much mention in the corporate media, causing those sites to be less valuable)."

    uh? err, I think you forgot to take one of your pills.

  11. Um, no by Anonymous Coward · · Score: 0

    The file does not have to be JavaScript. It could just as easily be an image.

    1. Re:Um, no by eurleif · · Score: 4, Informative

      That's all well and good if your goal is for the user to track himself, but how is the server going to get an image out of the cache?

    2. Re:Um, no by FonzCam · · Score: 1

      How would the server know that the image was cached as opposed to not having been downloaded? The javascript file contains the unique ID and then the browser reports this back to the server; a GIF can't do that (without javascript).

    3. Re:Um, no by WoLpH · · Score: 1

      Yes it can, when you download a file from the server then the server stores it in the logs, if you visit the page again then the server can check if the file was already downloaded (304 headers) so it should be possible, but it would definitely be difficult.

    4. Re:Um, no by FonzCam · · Score: 1

      Yes but the URL in the HTML would now point to a different unique ID because it would have refreshed from the server. If the HTML is cached then nothing is requested from the server and so it wouldn't know. Unless of course you use something like the CSS based method christo linked to.

    5. Re:Um, no by _xeno_ · · Score: 5, Informative

      Doesn't have to. Just have them cache the image using a unique timestamp for Last-Modified (so that you should get a unique If-Modified-Since header) or using a unique ETag. Both should theoretically work to uniquely identify the user, and both can easily be embedded using an image. Combined with Cache-Control: private, this should even work through firewalls.

      --
      You are in a maze of twisty little relative jumps, all alike.
    6. Re:Um, no by x2A · · Score: 1

      Doesn't help if you wanna display any sort of dynamic content based on the tracking info though, as you only know which user/session has loaded a page after the page has been loaded, when the image can be loaded.

      Using the javascript method, you could do something like modify links on the page to add a session=xxx string, or even reload sections of the page. I guess it comes down to what you want your tracking to accomplish.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    7. Re:Um, no by mrdaveb · · Score: 1

      But with a 'web bug' you could restore the cookie that the user so diligently deleted, and then do a meta-refresh or similar to re-load the page with them logged back in. I'm not sure what would be the most effective method but it doesn't require cookies, needn't require JS, images or CSS (the html page itself could have the cunning cache) and keeps you labelled when you return to the site.

      This just shows how much more complicated the issue is than most people realise... and there's no simple fix unless you just turn off etag style caching entirely, and this would be a shame.

      --
      Homme petit d'homme petit, s'attend, n'avale
  12. Re:How websites block dissident political posters by Vexorian · · Score: 1

    It is an advert bot, I can't understand how it wasn't modded -1 off topic yet

    --

    Copyright infringement is "piracy" in the same way DRM is "consumer rape"
  13. A possible solution by Anonymous Coward · · Score: 0
    A possible solution:
    • to install NoScript FireFox Add-on and grant Javascript privilege only to the sites you trust
    • Edit | Preferences | Privacy | Settings | [X] Clear Private Data When Closing FF
  14. I was downmodded for political dissent by cryophan · · Score: 1

    not because I am a bot, "advert" or otherwise.....

    1. Re:I was downmodded for political dissent by AnyoneEB · · Score: 1

      Obviously the blocking doesn't work, then. ;)

      --
      Centralization breaks the internet.
  15. I was reminded of the CSS history "hack" by QuantumFTL · · Score: 2, Interesting

    I saw this article on Digg a while back, using an ingenious JavaScript that would look at the *rendering* of a link to determine if you'd been there or not (and possibly upload this information to the remote server). That's kinda scary...

    1. Re:I was reminded of the CSS history "hack" by Anonymous Coward · · Score: 0

      See https://bugzilla.mozilla.org/show_bug.cgi?id=57351 . This problem has been known about for six years.

  16. The IE "Clear Cache" Option... by xxxJonBoyxxx · · Score: 1

    Thought I'd mention that the parallel IE option seems to be under the "Tools | Internet Options..." dialog, "Advanced" tab, "Security" tree: "Empty Temporary Internet Files folder when browser is closed" (unchecked by default)

    The IE "Security" and "Privacy" tab also contains some options that let you handle cookies and Javascripts different ways for different sites; this is why IE exploits that get around the dividers between different classes of sites are noteworthy.

  17. bookmarks by FudRucker · · Score: 1

    take a look at Firefox' or Mozilla's or Seamonkey's Bookmarks in a plain text editor, it keeps dates about visiting web sites that could be used to track users (that is) if website's servers can access it to look at it. seems like such an unnecessary feature, if i can find a way to shut off the record keeping within bookmarks i would re-write my bookmarks to keep only the name and URL...

    --
    Politics is Treachery, Religion is Brainwashing
  18. Works for images too... by Anonymous Coward · · Score: 1, Interesting

    You don't need to store that unique id in a javascript variable.
    Send some image (webbug), say it should be cached, but "must-revalidate" and "hijack" the Etag/IF-*-Match headers.

    1. Re:Works for images too... by baadger · · Score: 1

      For those that don't know, the HTTP "Etag" response header is a unique key (most of the time a hash) that identifies (and verifies) data sent across HTTP. This means the tracking website wouldn't even need to use a 747rhf28r.png garbage filename meaning such tracking could be accomplished in something as mundane as a website's corporate logo.

      However, this alone wouldn't tell the tracking website anything they couldn't find out from decent analysis of web server logs, essentially just how often you hit a page in which the said image is embedded. To do proper visitor *tracking* you would have to leverage the "referer" header which would actually reveal the url of the website in which the image is embedded.

      The referer header of course can be blocked with a Firefox extension such as RefControl (you can choose to block 3rd party (cross-site) referrals or all referrals)
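
An added example, not part of any post in this thread: one way to audit a site for the ETag / Last-Modified tracking described above is to fetch the same resources from several fresh browser profiles and flag any whose validator is different for every profile while the body is identical. The captured responses, URLs and `bodyHash` values below are constructed for illustration.

```javascript
// Constructed sample: the same resources fetched by three fresh browser
// profiles (empty cache, no cookies). bodyHash stands for a digest of the body.
const CAPTURED = [
  { profile: "A", url: "/logo.png",  bodyHash: "b1", headers: { ETag: '"7f3a"', "Cache-Control": "private, must-revalidate" } },
  { profile: "B", url: "/logo.png",  bodyHash: "b1", headers: { ETag: '"91c2"', "Cache-Control": "private, must-revalidate" } },
  { profile: "C", url: "/logo.png",  bodyHash: "b1", headers: { ETag: '"e05d"', "Cache-Control": "private, must-revalidate" } },
  { profile: "A", url: "/style.css", bodyHash: "b2", headers: { ETag: '"css-1"' } },
  { profile: "B", url: "/style.css", bodyHash: "b2", headers: { ETag: '"css-1"' } },
  { profile: "C", url: "/style.css", bodyHash: "b2", headers: { ETag: '"css-1"' } },
  { profile: "A", url: "/pixel.gif", bodyHash: "b3", headers: { "last-modified": "Mon, 01 Jan 2007 00:00:01 GMT" } },
  { profile: "B", url: "/pixel.gif", bodyHash: "b3", headers: { "last-modified": "Mon, 01 Jan 2007 00:00:02 GMT" } },
  { profile: "C", url: "/pixel.gif", bodyHash: "b3", headers: { "last-modified": "Mon, 01 Jan 2007 00:00:03 GMT" } },
  { profile: "A", url: "/news.html", bodyHash: "b4", headers: { ETag: '"n-1"' } },
  { profile: "B", url: "/news.html", bodyHash: "b5", headers: { ETag: '"n-2"' } },
];

// HTTP header names are case-insensitive, so look them up that way.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Flag resources whose cache validator is different for every profile although
// the body is byte-identical: the validator then carries identity, not content.
function findIdentifyingValidators(responses, minProfiles = 2) {
  const byUrl = new Map();
  for (const r of responses) {
    if (!byUrl.has(r.url)) byUrl.set(r.url, []);
    byUrl.get(r.url).push(r);
  }
  const findings = [];
  for (const [url, group] of byUrl) {
    const profiles = new Set(group.map(r => r.profile));
    const bodies = new Set(group.map(r => r.bodyHash));
    // If the bodies differ, differing validators are expected and legitimate.
    if (profiles.size < minProfiles || bodies.size !== 1) continue;
    for (const validator of ["etag", "last-modified"]) {
      const values = group.map(r => header(r.headers, validator));
      if (values.includes(undefined)) continue;
      // One distinct value per profile. Repeat fetches by the same profile
      // must agree, otherwise the validator is merely unstable, not an ID.
      if (new Set(values).size !== profiles.size) continue;
      const cc = group.map(r => header(r.headers, "cache-control") || "");
      findings.push({
        url,
        validator,
        // "private" forbids shared caches from storing the response, so a
        // proxy cannot pool several users onto one cached copy.
        bypassesSharedCaches: cc.every(v => /\bprivate\b/i.test(v)),
      });
    }
  }
  return findings;
}

console.log(findIdentifyingValidators(CAPTURED));
```

Treat a finding as a candidate, not proof: validators derived from per-server file metadata can differ between load-balanced backends, and a server that stamps Last-Modified with the current time produces the same pattern.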

  19. Seems to be patented! by Anonymous Coward · · Score: 0

    here it seems to be a patent about a similar concept.

  20. if you are waiting... by Anonymous Coward · · Score: 0

    ...for someone to say "how"?, here ya go!

    How?

    1. Re:if you are waiting... by Anonymous Coward · · Score: 0

      Obviously I am not going to explain how or I would have done it right away. It is quite trivial but we don't need to give people ideas, right? If a) the browser keeps local state, b) the browser's external behaviour depends on that state and c) the webserver can modify some of that state, then the user can be tracked. That's what cookies are (local state which the server can modify and which adds a HTTP header to the browser's requests). A cache can have the same effect.

  21. Opera's "delete private data" fixes this by whitehatlurker · · Score: 1

    The author just didn't use the right browser.

    --
    .. paranoid crackpot leftover from the days of Amiga.
    1. Re:Opera's "delete private data" fixes this by x2A · · Score: 1

      If you wanna track your users, then what's important is what browser they use, not what you use yourself, and very few of them use opera.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
  22. Things are not so Simple :) by alexmipego · · Score: 2, Interesting

    This is my own site, but I've had this done for a while and this Slashdot story is the ideal place to post it. (I don't want to be suffering a slashdot effect on my server.) This is how you can get some sites the user has visited. Post with some details: http://www.alexandre-gomes.com/ Demo: http://www.alexandre-gomes.com/privacy2.html

  23. simple solution by oohshiny · · Score: 2, Interesting

    Use separate browsers, accounts, and/or machines for different purposes. I wouldn't dream of using my regular browser for on-line banking, for example.

    1. Re:simple solution by PodBayDoor · · Score: 1

      I've used this technique too to maintain multiple Google identities, among others. See http://colm-smyth.blogspot.com/2006/09/web-privacy-how-to-get-it-how-it-can-be.html for a summary of the best ideas (and Firefox extensions) I've found for enhancing web privacy.

  24. how about this? by La+Fourmi+Nihiliste · · Score: 1

    since i do html/actionscript/dHTML stuff, i have my browser cache size set to 0. this would technically prevent the id to be cached, no? ant

  25. Blocking Cache detection by OneArmedMan · · Score: 1

    These two firefox extensions can help block some of those style attacks

    http://www.safecache.com/
    and
    http://www.safehistory.com/

    They do this by segmenting your cache and history so that each page only has access to each individual history.

    this page has more info about the method they use,
    http://crypto.stanford.edu/sameorigin/
    and this is a *PDF* on the subject

    http://crypto.stanford.edu/sameorigin/sameorigin.pdf **PDF WARNING!**
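
An added example, not part of the post above and not SafeCache's own code: a toy model of what segmenting the cache changes. It assumes segmentation means keying cache entries by the top-level site as well as the resource URL; the server, browser and URLs are constructed stand-ins.

```javascript
// Toy origin server for one embedded resource. It does only what HTTP
// validators allow: issue an ETag with a full response, and receive the ETag
// a client echoes back in If-None-Match when it revalidates.
function makeServer() {
  let issued = 0;
  return {
    handle(ifNoneMatch) {
      if (ifNoneMatch) return { status: 304, etag: ifNoneMatch };
      issued += 1;
      return { status: 200, etag: `"v${issued}"` };
    },
  };
}

// Toy browser cache. keyFor decides which stored entry a page load may reuse.
function makeBrowser(server, keyFor) {
  const cache = new Map();
  return {
    // Load resourceUrl as a subresource of a page on topLevelSite and return
    // the validator the server ends up associating with this load.
    load(topLevelSite, resourceUrl) {
      const key = keyFor(topLevelSite, resourceUrl);
      const entry = cache.get(key);
      const res = server.handle(entry ? entry.etag : undefined);
      cache.set(key, { etag: res.etag });
      return res.etag;
    },
    clearCache() { cache.clear(); },
  };
}

const sharedKey = (site, url) => url;                    // one cache for every site
const partitionedKey = (site, url) => `${site} ${url}`;  // one cache per top-level site

function runScenario(keyFor) {
  const browser = makeBrowser(makeServer(), keyFor);
  const url = "https://cdn.example/logo.png";            // constructed URL
  const onA = browser.load("https://site-a.example", url);
  const onB = browser.load("https://site-b.example", url);
  const backOnA = browser.load("https://site-a.example", url);
  browser.clearCache();
  const afterClear = browser.load("https://site-a.example", url);
  return {
    linkedAcrossSites: onA === onB,       // same validator seen from both sites
    linkedOnReturn: onA === backOnA,      // same validator on a return visit
    linkedAfterClear: onA === afterClear, // same validator after clearing cache
  };
}

console.log("shared     ", runScenario(sharedKey));
console.log("partitioned", runScenario(partitionedKey));
```

Partitioning removes the cross-site link but a return visit to the same site still revalidates with the old validator; only clearing the cache breaks that.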

  26. From whom are you hiding? by TheStonepedo · · Score: 3, Insightful

    Most people that clear history and caches are doing so to prevent snooping done using the location bar and history toolbars (or analogues) of their browser. You don't want your boss/family to see exactly which non-work-related/porn site you were viewing. While tracking a user may be good for data mining purposes, it's not necessarily a horrible thing for day to day use. I don't like the thought that just about anybody knows my browsing habits, but I don't find it invasive unless those tracking me are going to confront me about it. Let data miners collect their statistics; most folks' machines will not clear their history or cookies or cache. My irregular or perverse browsing habits are but a drop in the statistical pond.

    --
    I'll be your candy shop of infinite deliciousity if you'll be my discotheque of endless rump-shaking.
    1. Re:From whom are you hiding? by baadger · · Score: 1

      > My irregular or perverse browsing habits are but a drop in the statistical pond.

      I bet that's what AOL Searcher #4417749 or #927 thought...

    2. Re:From whom are you hiding? by ArsenneLupin · · Score: 1

      > My irregular or perverse browsing habits are but a drop in the statistical pond.

      Watch out though. If these habits get into the hands of banner ad marketing firms, you might be astonished what kind of ads will show up at the pages you visit, even during mundane browsing.

      Can be pretty embarrassing when looking up some coding technique or whatever together with a colleague, and suddenly "interesting" ads pop up, due to your browsing habits the night before...

      Also, better not use the same amazon account for ordering work-related books and for ordering more private stuff. Unless you enjoy suggestive "suggestions" show up while you pick that java coursebook together with your boss...

    3. Re:From whom are you hiding? by x2A · · Score: 1

      You've just posted links to pages that contain information about people, collected through such means... this makes you better how exactly?

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    4. Re:From whom are you hiding? by baadger · · Score: 1

      "better"? What are you referring to exactly?

      My only point was you're just a statistic until someone broadly analyses those statistics, singles you out (for whatever reason) and then decides to analyse your records specifically. At this point you cease to become a drop in the statistical pond.

  27. so this is like track.myblog blah script? by Anonymous Coward · · Score: 0

    can this http://www.mybloglog.com/?f=track script be abused the same way? Or is it already abused by mybloglog'sters and sold to us, as a nice service but is nothing more than tool for spammer data collection.

  28. That information is not really new by Anonymous Coward · · Score: 0

    My Firefox configuration is modified:

    chmod 400 /cookies.txt

    I've setup an external shellscript that deletes

    history.dat
    formhistory.dat
    downloads.rdf

    I use this regularly.

    The cache setting is set to 0
    Unfortunately setting the Cache directory to 400 makes Firefox behave strangely.

    Combined with a host file with about 80000 entries (nearly all of them are set to localhost) and the Adblock extension that configuration really works fine.

    I'm still looking for a solution (a small box that is put in between router and my system) that allows to have a modifiable host blocking configuration on a separate device. This system shouldn't run Windows as since SP2 there's a built-in alternative route defined within Windows that allows turning a blind eye on a host configuration with MS's own hosts. But I'd like to control the hosts on my own...

  29. File under "No shit sherlock" by Anonymous Coward · · Score: 0
    Isn't this exactly what spam used to attempt via html with an image and traceable id string appended:

    <img src="http://spammer.com/has_read_email.gif?emailid=0xDEADBEEF">


    The same trick works with CSS files or javascript or html. Don't forget those site icons stored in your bookmarks and site feeds, I've seen single requests from IE for favicon.ico that trigger a 304. Imagine if favicon was actually a script that logged timestamps to a DB, then you could track users that returned from clicking a bookmark. The horror.

    This should be obvious to anyone who ever did web development or ran a server.
  30. I don't close it... by nebula169 · · Score: 1

    Firefox decides the appropriate time for that...which is usually at around 15 windows and 120 tabs for me

  31. Disable Javascript from other sites? by jopet · · Score: 1

    Couldn't this easily be prevented if the browser had an option to only allow Javascript from the original site? I think a similar option for cookies exists and having it for Javascript would be quite useful and prevent other unwanted things.

  32. This would help (Firefox users) by Wartburg · · Score: 2, Informative

    Stealther is a Firefox extension which temporarily blocks history, cookies as well as referrer header.

  33. non-consensual http user tracking using caches by PHAEDRU5 · · Score: 1
    --
    668: Neighbour of the Beast
  34. tracking users by dbahsee · · Score: 1

    is it even possible to use the internet on a network and not be tracked, are there any tools or ways to not be seen by a network administrator ???

    1. Re:tracking users by dvmrgn · · Score: 1

      Exactly. When you are using my machine I reserve the right to track you. There are lots of database driven sites where every page is unique and tracked. I work on one where the server logs are loaded directly to the database and there is an interface that "follows" a visitor through the site 15 to 30 seconds behind. To correlate the data longterm to identify individual users from the pool of visitors would be trivial. Not worth it in our minds, but I am sure others are doing it.

    2. Re:tracking users by Anonymous Coward · · Score: 0

      It is possible: You can use tor (and if you're really paranoid, also use a safe, non caching, non javascript browser). This is definitively anonymous if configured correctly.

    3. Re:tracking users by gettingbraver · · Score: 1

      Wouldn't surprise me.

  35. Re:Pretty clever.. (ot) by mbodicker · · Score: 1

    "... at the current rate of growth, it is estimated that by 2010, 'toss' will have as many as 16,000 meanings"
    That's a pretty tossy guess, did you toss that?