Tracking Users Via the Browser's Cache

Mukund writes to point us to an article he has written about a method of tracking using the browser cache instead of cookies. A demonstration shows that tracking can remain continuous if you clear only cookies or only the cache, but not both. (Firefox's Clear Private Data tool can be set to clear both when closing the browser.)

Pretty clever..

[CTho9305]

For those of you who aren't going to RTFA, basically you send a JS file with a unique ID and tell the browser to cache it... then any page that includes that JS script gets your unique ID... even if you disallow all cookies.

Re:

[corychristison]

But what if the user has disabled Javascript? Then this method would be useless, no?

Re:

[icepick72]

Actually, yes.

Re:Pretty clever..

[Breakfast Pants]

Sure, but they could just put a small iframe to foo.html and mark that page as cacheable, on that page have a small image, dynamically generated, to [unique_id].gif and mark the image uncacheable on your server. Now when you visit, your cached copy of foo.html tries to download [unique_id].gif every visit.

Re:

[mTor]

Exactly. That's why I use NoScript [noscript.net]... and everyone else should too! Get it and you'll eliminate all kinds of attacks.

Re:

[RAMMS+EIN]

Unless you use a browser that doesn't need an extension for that, e.g. Konqueror.

Re:

[jesuscyborg]

NoScript eh? That is a very angry looking "S"

Re:Pretty clever..

[TheLink]

It'll be useless.

But do a search on "Timing attacks on Web privacy".

ALSO, I don't think you even need to use timing attacks because a browser that caches that has stuff cached will behave differently from a browser that caches but doesn't have stuff cached. Pretty obvious isn't it?

There is no way around that except to use a browser that doesn't cache at all - which will affect browsing performance. For slightly less privacy you can use a browser that always starts in the same state for each browsing session.

AND even if you use such a browser, if you have a distinctive browsing pattern and fingerprint, people could still identify you.

e.g. you use a noncaching, no-js browser, with a fake User-Agent (says it's IE but behaves like Firefox), and you start browsing with a particular site first at a certain time followed by another site etc - or you load a particular bunch of sites in the morning (opened in tabs). Could get quite distinctive ;).

But there are far more important things that people should be worried about. What their government is doing for instance.

Re:

[baadger]

Another approach to try and prevent this might be to get the browser not to send conditional GET requests *at all* and to just reload silently from cache.

This however would of course mean that everyone has to make sure their webpages are properly cache [web-caching.com] able [ircache.net] with reasonable (perhaps dynamically generated) expiry dates.

The nature of HTTP and the web make it very difficult to remain totally untrackable all you can really do is prevent the worst of it.

Re:

[x2A]

But why bother even visiting a website where you distrust its creators so much as to need to employ such methods against them?

Re:

[Ed Avis]

Another approach to try and prevent this might be to get the browser not to send conditional GET requests *at all* and to just reload silently from cache.

Back when I used a modem I had the wwwoffle [demon.co.uk] proxy server set to always used cached pages whenever possible - the only way to get an updated version from the site was to hit Reload. It was nice and fast, and sometimes useful to be able to still browse a site that had disappeared in the real world, although on hitting Reload your precious page would disappe

Re:

[TheLink]

Not sending "conditional gets" won't prevent my proposed method from working since that method involves an item/url that is marked as cacheable that causes the loading of another item/url that is marked as noncacheable.

When the browser first loads the cacheable item, it will get a unique cacheable item which points to a unique noncacheable item.
Thereafter if it is "properly behaved" it will keep loading the same unique noncacheable item everytime it is pointed to the cacheable item.

The trick of course is t

Re:

[Feyr]

proxies are going to wreak havoc on this scheme :)
still a nice trick though

Then it should read...

[MacDork]

Javascript can compromise anonymity! ... Wow. ... What else is new? I mean, even if this particular story hasn't been referenced, I think this could qualify as a dupe ;-)

Re:Pretty clever..

[MarkRose]

Well if anyone tosses their cookies in my java, I, for one, am sure not going to drink it!

Re:

[userlappy]

Even chocolate chip?

You're missing out!

Re:

[Zonnald]

Whoosh! I for one love Chocolate Chip, have for over 40years, but I never could stomach regurged chocolate chip.

Re:

[dotgain]

"... at the current rate of growth, it is estimated that by 2010, 'toss' will have as many as 16,000 meanings"

Re:Pretty clever.. (ot)

[mbodicker]

"... at the current rate of growth, it is estimated that by 2010, 'toss' will have as many as 16,000 meanings"
That's a pretty tossy guess, did you toss that?

Re:

[OldManAndTheC++]

Well if anyone tosses their cookies in my java, I, for one, am sure not going to drink it!

Not even for cache?

Works for images too...

[Anonymous Coward]

You don't need to store that unique id in a javscript variable.
Send some image (webbug), say it should be cached, but "must-revalidate" and "hijack" the Etag/IF-*-Match headers.

Re:

[baadger]

The those that don't know, the HTTP "Etag" response header is a unique key (most of the time a hash) that identifies (and verifies) data sent across HTTP. This means the tracking website wouldn't even need to use a 747rhf28r.png garbage filename meaning such tracking could be accomplished in something as mundane as a website's corporate logo.

However, this alone wouldn't tell the tracking website anything the couldn't find out from decent analysis of web server logs, essentially just how often you hit a page

Re:

[fm6]

Well, I did RTFA, and I wish I been lazy for once. The dude takes 3 or 4 long paragraphs to say what you said in a single sentence. I am so tired of Slashdot stories where TFA is a half-witted rant by some blogger who flunked Freshman English.

Re:

[McGiraf]

"This is how various forums/websites block dissident political posters (sites such as slashdot, metafilter, DU, FR, Fark, etc., all block dissident political posters, otherwise they would not get as much mention in the corporate media, causing those sites to be less valuable)."

uh? err, I think you forgot to take one of your pills.

Re:

[Vexorian]

It is an advert bot, I can't understand how it wasn't modded -1 off topic yet

I was downmodded for political dissent

[cryophan]

not because I am a bot, "advert" or otherwise.....

Re:

[AnyoneEB]

Obviously the blocking doesn't work, then. ;)

An interesting idea

[FonzCam]

But seriously most people leave cookies on and those who know to turn them off are probably the sort of people who regularly clear their cache. The percentage of users you could target with this would be very small for the effort required. If tracking user usage is that important to you then just refuse to serve the page with cookies disabled.

Re:

[shird]

Except IE6+ has a default setup to block cookies from being set by sites other than the one you are on, cross domain cookies or whatever theyre called. ie. banner ads that set cookies etc.

Re:

[jp10558]

Wouldn't someone figure out how this works and write a proxomitron filter, userJS and or Greasemonky script to kill it, forget about those who care and run with JS off and turn it on in site specific prefs, use NoScript or something similar in proxomitron?

Requires Javascript to work.

[Elgonn]

So it still doesn't work on some of us.

Re:Um, no

[eurleif]

That's all well and good if you your goal is for the user to track himself, but how is the server going to get an image out of the cache?

Re:Um, no

[_xeno_]

Doesn't have to. Just have them cache the image using a unique timestamp for Last-Modified (so that you should get a unique If-Modified-Since header) or using a unique ETag. Both should theoretically work to uniquely identify the user, and both can easily be embedded using an image. Combined with Cache-Control: private, this should even work through firewalls.

Re:

[x2A]

Doesn't help if you wanna display any sort of dynamic content based on the tracking info though, as you only know which user/session has loaded a page after the page has been loaded, when the image can be loaded.

Using the javascript method, you could do something like modify links on the page to add a session=xxx string, or even reload sections of the page. I guess it comes down to what you want your tracking to accomplish.

Re:

[mrdaveb]

But with a 'web bug' you could restore the cookie that the user so diligently deleted, and then do a meta-refresh or similar to re-load the page with them logged back in. I'm not sure what would be the most effective method but it doesn't require cookies, needn't require JS, images or CSS (the html page itself could have the cunning cache) and keeps you labelled when you return to the site.

This just shows how much more complicated the issue is than most people realise... and there's no simple fix unless you

Re:

[FonzCam]

How would the server known that the image was cached as opposed to not having been downloaded? The javascript file contains the unique ID and then the browser reports this back to the server a GIF can't do that (without javascript).

Re:

[WoLpH]

Yes it can, when you download a file from the server then the server stores it in the logs, if you visit the page again then the server can check if the file was already downloaded (304 headers) so it should be possible, but it would definately be difficult.

Re:

[FonzCam]

Yes but the URL in the HTML would now point to a different unique ID because it would have refreshed from the server. If the HTML is cached then nothing is requested from the server and so it wouldn't know. Unless of course you use something like the the CSS based method christo linked to.

Re:Requires Javascript to work.

[misleb]

That's OK because the browsing habits of the type of people who turn off Javascript are not particularly interesting anyway. So it all works out.

-matthew

Re:

[jZnat]

I'm sure you'd find just as many porn sites in their history as users who blindly enable JS for everything.

Re:

[misleb]

Keep in mind that we're not talking about raw, unfiltered browsing history or a compete dump of the cache. We're talking about a single thread of tracking. Like you visit one site which puts the said javascript in your cache and later visit another site which references the same item and they knew you were at the first site. They can't read your whole history.

 

Re:

[ArsenneLupin]

I'm sure you'd find just as many porn sites in their history as users who blindly enable JS for everything.

... but it would be the other kind of porn ;-) Think about why they disabled javascript and cookies in the first place!

Funny thing: my captcha for this post was backside. I kid you not!

Seems a bit paranoid

[Anonymous Coward]

Regarding Sourceforge/Google. Did he consider that Google's automated email may have gone to sourceforge alias which was then forwarded to his email address?

Re:Seems a bit paranoid

[chrisd]

That is indeed what we do, send the confirmation email to the blah@sourceforge.net alias. We do -not- have the translated email addresses and thus the only information we are using is that which is displayed on the project home on SF.

Re:Seems a bit paranoid

[mukund]

Hi Chris

I did receive the email on my sourceforge.net address. My problem was not with which email address I received the mail at. I don't see why I have to be contacted for a Google service, when my subscription is with Sourceforge.net.

Don't take this the wrong way. I have used Google services for a very long time, but I think this is a bad precedent. Picking up an email address in an automated way from a website and mailing me about your services, when I haven't asked for it is as good as what a spammer would do. And the email suggested you had a table of projects, which made me assume Sourceforge shared this with you. If Sourceforge.net didn't and you can attest that I'll edit out that part of my article (I would not want to blame Sourceforge for something that they didn't do).

To the parent poster: This may seem paranoid.. some other poster suggested the same to the other Canonical-Debian issue too (on the other blog). When something is not right, it simply needs to be questioned. That's all.

Kind regards,
Mukund

Re:Seems a bit paranoid

[rossturk]

Mukund:

We provided Google with a list of registered project names on SourceForge.net to allow future integration between the open-source repositories with minimized namespace conflicts.

The email you saw, if I am not mistaken, was generated when someone tried to create a project at Google with the same name as a SF.net project you belong to.

Unless I am very mistaken about Google's intentions (and I don't think I am), your email address was not picked in an automated way. It was a direct result of an action that was relevent to you, specifically. That may or may not make it seem any better to you, but I don't find it particularly nefarious. Rather, I think it's good that Google and SourceForge are working together to protect your interests..

Ross Turk
SourceForge.net

Re:

[rossturk]

There are projects on SourceForge.net that are in a holding, pending, or otherwise non-public state. We wanted to make sure that the namespace was also protected for projects that are not viewable.

Besides, this way we get greater data integrity. There's no great way to screen-scrape the entire project list. The Software Map only gets projects that have categorized themselves, and there's no "show all projects" feature since it would surely cause a PHP timeout. ;)

Ross

Re:

[Bob Uhl]

I'm pretty certain that sf.net email addresses/project associations are public.

NoScript Extension

[rdwald]

Saved by NoScript [noscript.net] again. If you're not using it, you really should; it can block exploits before anyone knows they exist! (Since they may require JavaScript, and this would block them. My statement is strictly true.)

Re:

[ShakaZ]

I agree that NoScript is a must have and would by default block this tracking method... However let's imagine it's integrated in a website for which you have enabled javascripts, then you're f@cked... and from my personal experience it looks like everyday there are more sites which you can't use correctly whith scripts disabled

Re:

[rdwald]

A whitelist is strictly better than a blacklist in this context. Out of the box, NoScript will block Yahoo, MySpace, and any number of other sites which shouldn't get JavaScript. In fact, it'll only allow JS on sites you explicitly allow. How is that worse than a blacklist? The only problem with a whitelist is that you need to change settings to make stuff work (for your bank, or whatever), but I feel more comfortable only needing to change settings when I know there's a problem, rather than when I don't.

Re:

[zippthorne]

erm.. but with a blacklist, you'd have to disallow just about every site you visit as opposed to the current whitelist version which allows for the very few sites that need it. Further, there's the UI issue: how do you impliment a blacklist that blocks javascript from malicious or just sloppy sites before you've visited the site and told it to block it?

Re:

[x2A]

"However let's imagine it's integrated in a website for which you have enabled javascripts, then you're f@cked"

Only if you frequent websites that are trying to f@ck you. If you are, perhaps you should look at your own browsing habits.

Re:

[rapidweather]

I am trying it now using Mozilla Firefox version 2.0b2 running in my knoppix remaster (see screenshots, below).

Here is my brief description for those who have not tried it:
The extension shows a bar at the bottom of the browser when one goes to a website, showing the status of the blocker. Then, if it is something like etrade.com, and you want to work with it, you can easily allow it. One can close the bar when on a page, and the NoScript icon remains at the bottom right of the browser window. If you click o

Re:

[Fulkkari]

Well, uh. Blocking JavaScript will only block this particular implementation of tracking, but it won't fix the problem. And please stop sending this Firefox propaganda here. It is not informative, as pretty much everyone here are already aware of the extension mentioned. Why are these comments are modded up?

Serious question

[Tibor the Hun]

How often does an average Slash reader close his Firefox window?

(I ask because I leave my Deer Park and Safari windows opened for months.)

Re:

[WilliamSChips]

Very rarely. Usually when installing an extension.

Re:Serious question

[Feyr]

a couple of days, then it usually crash/get so slow it's unuseable and i have to restart it

Re:

[mini me]

I close all of the windows often, but leave the application running all the time.

Re:

[cheater512]

Whenever the power fails. Thats very rarely.

Re:

[mackyrae]

Not usually more than a few hours--overnight at the most. I'm always turning it off when going to classes or at least disconnecting the internet and "sleep"ing it.

Re:

[Fred_A]

Almost never, Firefox closes when I log out which mostly only happens when I decide to play a game and have to reboot. I rarely had memory/performance issues with it.

I don't close it...

[nebula169]

Firefox decides the appropriate time for that...which is usually at around 15 windows and 120 tabs for me

Re:

[treeves]

Don't know about average but I close ff every night, before unplugging from the network.
More often if too many tabs locks it up and forces me to.

In other news

[$RANDOMLUSER]

You can have total anonymity or marginal functionality. Since HTML alone offers almost nothing in the way of functionality (beyond rendering) you need something more (JavaScript, Java, Flash, ActiveX (arguably in ascending order of dangerousness)) to provide even rudimentary functionality. If I'm really so tinfoil-hat that I'm worried about my browser cache betraying what I'm up to, I probably need some medication and/or an air-gap between me and the Internet(s).

Re:

[ResidntGeek]

What? How is it paranoid if a method is demonstrated to allow you to be tracked through your cache? You think people won't use this? Do you think only people with tinfoil hats think advertising companies have been tracking people on the web for over a decade? I'm honestly confused, please explain yourself. By the way, if you clear your cache and cookies often, you CAN have both anonymity and functionality.

Re:

[$RANDOMLUSER]

I didn't say you were paranoid, you must have imagined that.

Re:

[ResidntGeek]

If I'm really so tinfoil-hat that I'm worried about my browser cache betraying what I'm up to, I probably need some medication and/or an air-gap between me and the Internet(s).

You're right, you didn't say paranoid, you said tinfoil-hat. And my imagination has been systematically sterilized by the American school system, so there's no danger of me imagining things.

Re:

[$RANDOMLUSER]

OK, I tease, and you come up with a cute ("systematically sterilized"/"no danger of imagining") answer.
Seriously. I live in a state (Illinois) where you have those radio transponder thingies for the toll roads. I can use them, and ponder that the owners (the state) of the system are tracking which (and when) gates I go through, or I can wait longer in the cash-only lines (ignoring the fact that they've got cameras on my license plates anyways), or I can imagine that "they" have "satellites" tracking my ev

Re:

[ResidntGeek]

Wait... I'm really tired, and I can't tell if I'm missing another joke, so forgive me if I am.

I used to live in Florida, and used the radio transponder thingie for toll roads. I know the owners were tracking me, because I could view all the gates I'd gone through in the past month. I think you're drawing the line between knowledgeable and paranoid a bit off the mark.

Re:

[x2A]

"Do you think only people with tinfoil hats think advertising companies have been tracking people on the web for over a decade?"

No, just that only people with tinfoil hats /care/ that advertising companies are tracking people. Not everyone has the level of self-shame where they feel the need to hide what they're doing.

Old news

[christo]

Move on folks, there's nothing to see here.

This was done last year, by these guys: Browser Recon @ Indiana University [indiana.edu]

Defenses against this, and other attacks have been created and deployed through two firefox extensions
put out by Stanford University: Safe History [safehistory.com] and Safe Cache [safecache.com]

This stuff ain't new.

Re:

[ExcalHM]

Yeah... it's pretty old news... although I know very few who this actually works for.

Re:Old news

[The MAZZTer]

Wow that's even scarier than this one in the story. Yours only needs CSS.

It stems from the whole idea of marking links "visited". CSS attributes can be applied to visited links to set them apart from unvisited ones. The page in your example uses CSS to tell the browser to request a page from the server if a link is visited. This page, when loaded, knows that the load means you visited the website in the link.

The worst thing is that this is a perfectly legitimate use of CSS by current w3 standards. A preventive measure for browser vendors may be to not allow any external resources to be used in :visited CSS.

Re:

[jZnat]

Oh my, I never thought of tracking like that. Ouch...

Re:

[TheLink]

There was an even older published idea that involved caching of images and timing stuff - I can't find the link at the moment - but it did get mention on a fairly mainstream tech site I think.

But anyway, I'm not sure why this is such a big deal - this is pretty old and obvious stuff. In general terms if the browser has stuff cached it will behave differently from a browser that doesn't have stuff cached.

Just a bit of thinking and you can come up with many ways to distinguish between the different browsers t

I was reminded of the CSS history "hack"

[QuantumFTL]

I saw this article [asp.net] on Digg a while back, using an ingenous JavaScript that would look at the *rendering* of a link to determine if you'd been there or not (and possibly upload this information to the remote server). That's kinda scary...

The IE "Clear Cache" Option...

[xxxJonBoyxxx]

Thought I'd mention that the parallel IE option seems to be under the "Tools | Internet Options..." dialog, "Advanced" tab, "Security" tree: "Empty Temporary Internet Files folder when browser is closed" (unchecked by default)

The IE "Security" and "Privacy" tab also contains some options that let you handle cookies and Javascripts different ways for different sites; this is why IE exploits that get around the dividers between different classes of sites are noteworthy.

bookmarks

[FudRucker]

take a look at Firefox' or Mozilla's or Seamonkey's Bookmarks in a plain text editor, it keeps dates about visiting web sites that could be used to track users (that is) if website's servers can access it to look at it. seens like such an unnecessary feature, if i can find a way to shut off the record keeping within bookmarks i would re-write my bookmarks to keep only the name and URL...

Things are not so Simple :)

[alexmipego]

This is my own site, but I've been done this for a while and this slashdot story is the ideal to post it. (I don't want to be suffering a slashdot effect on my server.) This is how you can get some sites the user has visited. Post with some details: http://www.alexandre-gomes.com/ [alexandre-gomes.com] Demo: http://www.alexandre-gomes.com/privacy2.html [alexandre-gomes.com]

Opera's "delete private data" fixes this

[whitehatlurker]

The author just didn't use the right browser.

Re:

[x2A]

If you wanna track your users, then what's important is what browser they use, not what you use yourself, and very few of them use opera.

simple solution

[oohshiny]

Use separate browsers, accounts, and/or machines for different purposes. I wouldn't dream of using my regular browser for on-line banking, for example.

Re:

[PodBayDoor]

I've used this technique too to maintain multiple Google identities, among others. See http://colm-smyth.blogspot.com/2006/09/web-privacy -how-to-get-it-how-it-can-be.html [blogspot.com] for a summary of the best ideas (and Firefox extensions) I've found for enhancing web privacy.

how about this?

[La Fourmi Nihiliste]

since i do html/actionscript/dHTML stuff, i have my browser cache size set to 0. this would technicaly prevent the id to be cached, no? ant

Blocking Cache detection

[OneArmedMan]

These two firefox extensions can help block some of those style attacks

http://www.safecache.com/ [safecache.com]
and
http://www.safehistory.com/ [safehistory.com]

They do this by segmenting your cache and history so that each page only has access to each individual history.

this page has more info about the method they use,
http://crypto.stanford.edu/sameorigin/ [stanford.edu]
and this is a *PDF* on the subject

http://crypto.stanford.edu/sameorigin/sameorigin.p df [stanford.edu] **PDF WARNING!**

From whom are you hiding?

[TheStonepedo]

Most people that clear history and caches are doing so to prevent snooping done using the location bar and history toolbars (or analogues) of their browser. You don't want your boss/family to see exactly which non-work-related/porn site you were viewing. While tracking a user may be good for data mining purposes, it's not necessarily a horrible thing for day to day use. I don't like the thought that just about anybody knows my browsing habits, but I don't find it invasive unless those tracking me are going to confront me about it. Let data miners collect their statistics; most folks' machines will not clear their history or cookies or cache. My irregular or perverse browsing habits are but a drop in the statistical pond.

Re:

[baadger]

> My irregular or perverse browsing habits are but a drop in the statistical pond.

I bet that's what AOL Searcher #4417749 [nytimes.com] or #927 [consumerist.com] thought...

Re:

[x2A]

You've just posted links to pages that contain information about people, collected through such means... this makes you better how exactly?

Re:

[baadger]

"better"? What are you referring to exactly?

My only point was you're just a statistic until someone broadly analyses those statistics, singles you out (for whatever reason) and then decides to analyse your records specifically. At this point you cease to become a drop in the statistical pond.

Re:

[ArsenneLupin]

My irregular or perverse browsing habits are but a drop in the statistical pond.

Watch out though. If these habits get into the hands of banner ad marketing firms, you might be astonished what kind of ads will show up at the pages you visit, even during mundane browsing.

Can be pretty embarrassing when looking up some coding technique or whatever together with a colleague, and suddenly "interesting" ads pop up, due to your browsing habits the night before...

Also, better not use the same amazon account for

Disable Javascript from other sites?

[jopet]

Couldn't this easily be prevented if the browser had an option to only allow Javascript from the original site? I think a similar option for cookies exists and having it for Javascript would be quite useful and prevent other unwanted things.

This would help (Firefox users)

[Wartburg]

Stealther [mozilla.org] is a Firefox extension which temporarily blocks history, cookies as well as referrer header.

non-consensual http user tracking using caches

[PHAEDRU5]

On a related note:

http://sourcefrog.net/projects/meantime/ [sourcefrog.net]

tracking users

[dbahsee]

is it even possible to use the internet on a network and not be tracked, are there any tools or ways to not be seen by a network administrator ???

Re:

[dvmrgn]

Exactly. When you are using my machine I reserve the right to track you. There are lots of database driven sites where every page is unique and tracked. I work on one where the server logs are loaded directly to the database and there is an interface that "follows" a visitor through the site 15 to 30 seconds behind. To correlate the data longterm to identify individual users from the pool of visitors would be trivial. Not worth it in our minds, but I am sure others are doing it.

Re:

[gettingbraver]

Wouldn't suprise me.