http://lucb1e.com/rp/cookielesscookies/
Cookieless cookies
There is another obscure way of tracking users without using cookies or even Javascript. It has already been used by numerous websites but few people know of it. This page explains how it works and how to protect yourself.This tracking method works without needing to use:
- Cookies
- Javascript
- LocalStorage/SessionStorage/GlobalStorage
- Flash, Java or other plugins
- Your IP address or user agent string
- Any methods employed by Panopticlick
Even when you disabled cookies entirely, have Javascript turned off and use a VPN service, this technique will still be able to track you.
Demonstration
As you read this, you have already been tagged. Sorry. The good news is that I don't link your session id to any personally identifiable information. Here is everything I store about you right now:Go ahead, type something and store it. Then close your browser and open this page again. Is it still there?
Check your cookies, is anything there? Nope, it's all in a fake image checksum that almost noone is aware of. Saw that eye on the right top of the page? That's our tracker.
So how does this work?
This is a general overview:
The ETag shown in the image is a sort of checksum. When the image changes, the checksum changes. So when the browser has the image and knows the checksum, it can send it to the webserver for verification. The webserver then checks whether the image has changed. If it hasn't, the image does not need to be retransmitted and lots of data is saved.
Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser an unique ETag, and when they connect again it can look it up in its database.
Technical stuff (and bugs) specifically about this demo
To demonstrate how this works without having to use Javascript, I had to find a piece of information that's relatively unique to you besides this ETag. The image is loaded after the page is loaded, but only the image contains the ETag. How can I display up to date info on the page? Turns out I can't really do that without dynamically updating the page, which requires javascript, which I wanted to avoid to show that it can be done without.
This chicken and egg problem introduces a few bugs:
- All information you see was from your previous pageload. Press F5 to see updated data.
- When you visit a page where you don't have an ETag (like incognito mode), your session will be emptied. Again, this is only visible when you reload the page.
I did not see a simple solution to these issues. Sure some things can be done, but nothing that other websites would use, and I wanted to keep the code as simple and as close to reality as possible.
Note that these bugs normally don't exist when you really want to track someone because then you don't intend to show users that they are being tracked.
Source code
What's a project without source code? Oh right, Microsoft Windows.
https://github.com/lucb1e/cookielesscookies
What can we do to stop it?
One thing I would strongly recommend you to do anytime you visit a page where you want a little more security, is opening a private navigation window and using https exclusively. Doing this single-handedly eliminates attacks like BREACH (the latest https hack), disables any and all tracking cookies that you might have, and also eliminates cache tracking issues like I'm demonstrating on this page. I use this private navigation mode when I do online banking. In Firefox (and I think MSIE too) it's Ctrl+Shift+P, in Chrome it's Ctrl+Shift+N.Besides that, it depends on your level of paranoia.
I currently have no straightforward answer since cache tracking is virtually undetectable, but also because caching itself is useful and saves people (including you) time and money. Website admins will consume less bandwidth (and if you think about it, in the end users are the ones that will have to pay the bill), your pages will load faster, and especially on mobile devices it makes a big difference if you don't have an unlimited 4G plan. It's even worse when you have a high-latency or low-bandwidth connection because you live in a rural area.
If you're very paranoid, it's best to just disable caching altogether. This will stop any such tracking from happening, but I personally don't believe it's worth the downsides.
The Firefox add-on Self-Destructing Cookies has the ability to empty your cache when you're not using your browser for a while. This might be an okay alternative to disabling caching; you can only be tracked during your visit, and they can already do that anyway by following which pages were visited by which IP address, so that's no big deal. Any later visits will appear as from a different user, assuming all other tracking methods have already been prevented.
I'm not aware of any add-on that periodically removes your cache (e.g. once per 72 hours), but there might be. This would be another good alternative for 99% of the users because it has a relatively low performance impact while still limiting the tracking capabilities.
Update: I've heard the Firefox add-on SecretAgent also does ETag overwriting to prevent this kind of tracking method. You can whitelist websites to re-enable caching there while blocking tracking by other domains. It has been confirmed that this add-on stops the tracking. SecretAgent's website.
http://blog.jobbole.com/46266/
有另外一种比较隐蔽的用户追踪技术,不使用cookie或者Javascript。很多网站已经在用了,但知道的人不多。本文就来介绍一下这种技术是如何追踪用户,用户又该如何避免追踪。
这种技术不依赖于:
- Cookies
- Javascript
- LocalStorage/SessionStorage/GlobalStorage
- Flash, Java或插件
- 你的IP地址或者User Agent头
- Panopticlick
相反,它使用另外一种存储方式,而这种存储即使浏览器关闭仍然能够存在,那就是浏览器缓存。 即使你完全禁用了cookie和Javascript,甚至使用VPN服务,这种技术仍然能够跟踪到你。
示例
到这个链接(http://lucb1e.com/rp/cookielesscookies/ )上提交一些数据,然后关闭浏览器,然后再打开,看看数据是不是仍然在那里?
看一下你的Cookie里面的有没有东西?没有的吧,这些都在我们几乎没有察觉到的一个假的图片校验。看一下上面那个眼睛,哈哈,那是我们的追踪者。
它如何工作?
下图是一个大致描述
图像中的ETag是一种图像校验方式,当图像发生变化的时候,ETag也会随之发生变化。因此,浏览器会拿着图片和ETag去服务器进行校验,让服务器来应答这张图片是否发生改变,如果没有的话,这张图片就直接从浏览器缓存中命中返回,无需再去服务器重新拉取图片了。
细心的读者可能已经大概知道这个是如何可以实现追踪的:浏览器把之前的ETag发回到服务器就OK了。不过,通过这个ETag貌似能产生好多好多Cookie,不是吗?于是,服务器可以给每个浏览器一个唯一的ETag,再次收到这个ETag的时候,就能知道是你了。
Demo中的一些技术细节和缺陷
Demo为了能够不借助于Javascript,我不得不找出一些信息对你来说是唯一的,除了那个ETag。图片是在页面加载后加载的,不过只有图片里面有ETag。我是如何将时间信息显示出来呢? 我确实做不用Javascript动态更新数据,而这Demo就是要证明不用依赖Javascript。
一些小bug:
- 所有你看到的信息都是上一次的。需要按F5才能刷出最新的。
- 当你访问页面的时候不携带ETag (比如隐身模式),会话就会被清空。 或者说,你刷新页面的时候,数据就会消失。
我没有看到这种技术的比较简单的解决方案。当然有些东西可以做一下,可能其他网站不会用,不过我就是想让代码简单实用就行。
请注意,当你确实想去追踪某个人,你又不打算告诉用户他们正在被追踪,你这些bug是不存在的!
源代码
哪个程序没有源代码? 噢,好像是微软的Windows。
https://github.com/lucb1e/cookielesscookies
如何避免追踪?
如果你想更安全一些, 我强烈建议你开启隐身模式,使用HTTPS。只要这样开一下,就能防止BREACH (最新的https攻击),禁止了cookie跟踪,也消除本文讲到的缓存跟踪的问题。用网银的时候,我会使用隐身模式。在Firefox(IE应该也是)按Ctrl + Shift + P,在Chrome中按Ctrl + Shift + N。
除此之外,要看你对于隐私安全的洁癖程度了。
目前,我没有简单完美的办法,因为缓存跟踪几乎是无法察觉的,但同时缓存本身很有用,能够节省时间和金钱。网站将消耗更少的带宽(你仔细想想,到底是谁会为这些流量买单),你的网页加载速度更快,尤其是在移动设备上,将会有很大的区别,如果你没有一个无限流量的套餐的话,如果你在网速很慢的地方,缓存的效果就更加明显了。
听了这些,如果你还是不放心,那么完全禁用缓存吧。没有了存储性状态或者信息,任何追踪都不会发生,就是每次都要重新加载,速度会慢一些,并且我个人并不认为值得这样做。
Firefox的插件Self-Destructing Cookies有这样的功能:当你一段时间不使用浏览器,它就会清空你的缓存。这个插件的定期清空缓存可能是一个不错的选择,只有在访问会话期间会被追踪,不过反正他们也能够记录下哪个IP访问了哪个页面,所以这是没有什么大不了的。不过之后的访问由于缓存被清空(假设跟踪是基于缓存),看起来都是一个新的用户,追踪将无法继续。
我不知道任何其他能够定期清除缓存的插件(例如,每72小时一次),但应该是有的。这将是一个很好的方法,这对于99%的用户都是有用的,因为这个并不会使性能下降太大,同时还限制了追踪。
更新:我听说Firefox的插件SecretAgent也有ETag的覆盖,以防止这种类型的追踪。你可以对于有些站点设置白名单重置缓存,以达到防止追踪的目的。这个已经确认能够防止追踪。SecretAgent 的网站。
892
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
