Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tracking Users Via the Browser's Cache

Posted by ryuzaki0 on from the not-just-cookies dept.

Mukund writes to point us to an article he has written about a method of tracking using the browser cache instead of cookies. A demonstration shows that tracking can remain continuous if you clear only cookies or only the cache, but not both. (Firefox's Clear Private Data tool can be set to clear both when closing the browser.)

32 of 124 comments (clear)

  1. Pretty clever.. by CTho9305 · · Score: 5, Informative

    For those of you who aren't going to RTFA, basically you send a JS file with a unique ID and tell the browser to cache it... then any page that includes that JS script gets your unique ID... even if you disallow all cookies.

    --
    My server
    1. Re:Pretty clever.. by corychristison · · Score: 3, Interesting

      But what if the user has disabled Javascript? Then this method would be useless, no?

    2. Re:Pretty clever.. by MarkRose · · Score: 5, Funny

      Well if anyone tosses their cookies in my java, I, for one, am sure not going to drink it!

      --
      Be relentless!
    3. Re:Pretty clever.. by userlappy · · Score: 3, Funny

      Even chocolate chip?

      You're missing out!

    4. Re:Pretty clever.. by Breakfast+Pants · · Score: 4, Interesting

      Sure, but they could just put a small iframe to foo.html and mark that page as cacheable, on that page have a small image, dynamically generated, to [unique_id].gif and mark the image uncacheable on your server. Now when you visit, your cached copy of foo.html tries to download [unique_id].gif every visit.

      --

      --

      WHO ATE MY BREAKFAST PANTS?
    5. Re:Pretty clever.. by mTor · · Score: 2, Informative

      Exactly. That's why I use NoScript... and everyone else should too! Get it and you'll eliminate all kinds of attacks.

    6. Re:Pretty clever.. by TheLink · · Score: 3, Informative

      It'll be useless.

      But do a search on "Timing attacks on Web privacy".

      ALSO, I don't think you even need to use timing attacks because a browser that caches that has stuff cached will behave differently from a browser that caches but doesn't have stuff cached. Pretty obvious isn't it?

      There is no way around that except to use a browser that doesn't cache at all - which will affect browsing performance. For slightly less privacy you can use a browser that always starts in the same state for each browsing session.

      AND even if you use such a browser, if you have a distinctive browsing pattern and fingerprint, people could still identify you.

      e.g. you use a noncaching, no-js browser, with a fake User-Agent (says it's IE but behaves like Firefox), and you start browsing with a particular site first at a certain time followed by another site etc - or you load a particular bunch of sites in the morning (opened in tabs). Could get quite distinctive ;).

      But there are far more important things that people should be worried about. What their government is doing for instance.

      --
    7. Re:Pretty clever.. by fm6 · · Score: 2

      Well, I did RTFA, and I wish I been lazy for once. The dude takes 3 or 4 long paragraphs to say what you said in a single sentence. I am so tired of Slashdot stories where TFA is a half-witted rant by some blogger who flunked Freshman English.

    8. Re:Pretty clever.. by baadger · · Score: 2, Informative

      Another approach to try and prevent this might be to get the browser not to send conditional GET requests *at all* and to just reload silently from cache.

      This however would of course mean that everyone has to make sure their webpages are properly cache able with reasonable (perhaps dynamically generated) expiry dates.

      The nature of HTTP and the web make it very difficult to remain totally untrackable all you can really do is prevent the worst of it.

  2. An interesting idea by FonzCam · · Score: 3, Interesting

    But seriously most people leave cookies on and those who know to turn them off are probably the sort of people who regularly clear their cache. The percentage of users you could target with this would be very small for the effort required. If tracking user usage is that important to you then just refuse to serve the page with cookies disabled.

    1. Re:An interesting idea by shird · · Score: 2, Informative

      Except IE6+ has a default setup to block cookies from being set by sites other than the one you are on, cross domain cookies or whatever theyre called. ie. banner ads that set cookies etc.

      --
      I.O.U One Sig.
  3. Requires Javascript to work. by Elgonn · · Score: 3, Interesting

    So it still doesn't work on some of us.

    1. Re:Requires Javascript to work. by misleb · · Score: 4, Funny

      That's OK because the browsing habits of the type of people who turn off Javascript are not particularly interesting anyway. So it all works out.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  4. Seems a bit paranoid by Anonymous Coward · · Score: 2, Informative

    Regarding Sourceforge/Google. Did he consider that Google's automated email may have gone to sourceforge alias which was then forwarded to his email address?

    1. Re:Seems a bit paranoid by chrisd · · Score: 4, Informative
      That is indeed what we do, send the confirmation email to the blah@sourceforge.net alias. We do -not- have the translated email addresses and thus the only information we are using is that which is displayed on the project home on SF.

      --
      Co-Editor, Open Sources
      Open Source Program Manager, Google, Inc.
    2. Re:Seems a bit paranoid by mukund · · Score: 4, Informative

      Hi Chris

      I did receive the email on my sourceforge.net address. My problem was not with which email address I received the mail at. I don't see why I have to be contacted for a Google service, when my subscription is with Sourceforge.net.

      Don't take this the wrong way. I have used Google services for a very long time, but I think this is a bad precedent. Picking up an email address in an automated way from a website and mailing me about your services, when I haven't asked for it is as good as what a spammer would do. And the email suggested you had a table of projects, which made me assume Sourceforge shared this with you. If Sourceforge.net didn't and you can attest that I'll edit out that part of my article (I would not want to blame Sourceforge for something that they didn't do).

      To the parent poster: This may seem paranoid.. some other poster suggested the same to the other Canonical-Debian issue too (on the other blog). When something is not right, it simply needs to be questioned. That's all.

      Kind regards,
      Mukund

      --
      Banu
    3. Re:Seems a bit paranoid by rossturk · · Score: 4, Informative

      Mukund:

      We provided Google with a list of registered project names on SourceForge.net to allow future integration between the open-source repositories with minimized namespace conflicts.

      The email you saw, if I am not mistaken, was generated when someone tried to create a project at Google with the same name as a SF.net project you belong to.

      Unless I am very mistaken about Google's intentions (and I don't think I am), your email address was not picked in an automated way. It was a direct result of an action that was relevent to you, specifically. That may or may not make it seem any better to you, but I don't find it particularly nefarious. Rather, I think it's good that Google and SourceForge are working together to protect your interests..

      Ross Turk
      SourceForge.net

      --
      -- May cause nausea, headaches, and interference with electronic devices.
  5. NoScript Extension by rdwald · · Score: 4, Informative

    Saved by NoScript again. If you're not using it, you really should; it can block exploits before anyone knows they exist! (Since they may require JavaScript, and this would block them. My statement is strictly true.)

    1. Re:NoScript Extension by ShakaZ · · Score: 3, Insightful

      I agree that NoScript is a must have and would by default block this tracking method... However let's imagine it's integrated in a website for which you have enabled javascripts, then you're f@cked... and from my personal experience it looks like everyday there are more sites which you can't use correctly whith scripts disabled

  6. Then it should read... by MacDork · · Score: 3, Insightful

    Javascript can compromise anonymity! ... Wow. ... What else is new? I mean, even if this particular story hasn't been referenced, I think this could qualify as a dupe ;-)

  7. Re:Serious question by Feyr · · Score: 4, Interesting

    a couple of days, then it usually crash/get so slow it's unuseable and i have to restart it

  8. In other news by $RANDOMLUSER · · Score: 3, Insightful

    You can have total anonymity or marginal functionality. Since HTML alone offers almost nothing in the way of functionality (beyond rendering) you need something more (JavaScript, Java, Flash, ActiveX (arguably in ascending order of dangerousness)) to provide even rudimentary functionality. If I'm really so tinfoil-hat that I'm worried about my browser cache betraying what I'm up to, I probably need some medication and/or an air-gap between me and the Internet(s).

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:In other news by ResidntGeek · · Score: 2, Insightful

      What? How is it paranoid if a method is demonstrated to allow you to be tracked through your cache? You think people won't use this? Do you think only people with tinfoil hats think advertising companies have been tracking people on the web for over a decade? I'm honestly confused, please explain yourself. By the way, if you clear your cache and cookies often, you CAN have both anonymity and functionality.

      --
      ResidntGeek
  9. Old news by christo · · Score: 5, Informative

    Move on folks, there's nothing to see here.

    This was done last year, by these guys: Browser Recon @ Indiana University

    Defenses against this, and other attacks have been created and deployed through two firefox extensions
    put out by Stanford University: Safe History and Safe Cache

    This stuff ain't new.

    1. Re:Old news by The+MAZZTer · · Score: 4, Informative

      Wow that's even scarier than this one in the story. Yours only needs CSS.

      It stems from the whole idea of marking links "visited". CSS attributes can be applied to visited links to set them apart from unvisited ones. The page in your example uses CSS to tell the browser to request a page from the server if a link is visited. This page, when loaded, knows that the load means you visited the website in the link.

      The worst thing is that this is a perfectly legitimate use of CSS by current w3 standards. A preventive measure for browser vendors may be to not allow any external resources to be used in :visited CSS.

  10. Re:Um, no by eurleif · · Score: 4, Informative

    That's all well and good if you your goal is for the user to track himself, but how is the server going to get an image out of the cache?

  11. I was reminded of the CSS history "hack" by QuantumFTL · · Score: 2, Interesting

    I saw this article on Digg a while back, using an ingenous JavaScript that would look at the *rendering* of a link to determine if you'd been there or not (and possibly upload this information to the remote server). That's kinda scary...

  12. Re:Um, no by _xeno_ · · Score: 5, Informative

    Doesn't have to. Just have them cache the image using a unique timestamp for Last-Modified (so that you should get a unique If-Modified-Since header) or using a unique ETag. Both should theoretically work to uniquely identify the user, and both can easily be embedded using an image. Combined with Cache-Control: private, this should even work through firewalls.

    --
    You are in a maze of twisty little relative jumps, all alike.
  13. Things are not so Simple :) by alexmipego · · Score: 2, Interesting

    This is my own site, but I've been done this for a while and this slashdot story is the ideal to post it. (I don't want to be suffering a slashdot effect on my server.) This is how you can get some sites the user has visited. Post with some details: http://www.alexandre-gomes.com/ Demo: http://www.alexandre-gomes.com/privacy2.html

  14. simple solution by oohshiny · · Score: 2, Interesting

    Use separate browsers, accounts, and/or machines for different purposes. I wouldn't dream of using my regular browser for on-line banking, for example.

  15. From whom are you hiding? by TheStonepedo · · Score: 3, Insightful

    Most people that clear history and caches are doing so to prevent snooping done using the location bar and history toolbars (or analogues) of their browser. You don't want your boss/family to see exactly which non-work-related/porn site you were viewing. While tracking a user may be good for data mining purposes, it's not necessarily a horrible thing for day to day use. I don't like the thought that just about anybody knows my browsing habits, but I don't find it invasive unless those tracking me are going to confront me about it. Let data miners collect their statistics; most folks' machines will not clear their history or cookies or cache. My irregular or perverse browsing habits are but a drop in the statistical pond.

    --
    I'll be your candy shop of infinite deliciousity if you'll be my discotheque of endless rump-shaking.
  16. This would help (Firefox users) by Wartburg · · Score: 2, Informative

    Stealther is a Firefox extension which temporarily blocks history, cookies as well as referrer header.