
Tor NoScript visit tracker - Syrup-tan
https://bitbucket.org/ElijahKaytor/noscript-tracker/src/master
======
jakobegger
What else, besides using Tor and turning off JavaScript, does a user have to
do so that a website operator finally gets that they don't want to be tracked?

~~~
korm
But this can't track individual users, it just provides general usage
statistics, like visitor retention.

I'd be interested in a viable example of this being used to identify users.

~~~
Leon
That can help with fingerprinting. Any entropy escaping from a user's session
is useful.

~~~
korm
This can be used to make a user's fingerprint stand out based on their
browsing patterns. However, it is very fragile in practice. The tracker would
need both a rare fingerprint, as well as a rare browsing pattern in order to
identify a user.

This is pretty hard, considering the Tor Browser does a good job at having a
common fingerprint at its highest security setting (JavaScript disabled,
which is what this tracker is for).

------
hackuser
> NoScript Tracker is a basic tracker that makes use of iframes and the
> Refresh HTTP header to measure how long users spend on web pages.

> It is ideal for getting basic usage statistics on the Tor network, where
> JavaScript is not an option for most users.

NoScript can block iframes; will that disable this tracker?

Also, does the Tor Browser, which includes NoScript, default to blocking
iframes?

~~~
alphapapa
NoScript->Options->Embeddings->Additional restrictions for untrusted
sites->Forbid <IFRAME>

Just turned that option on, myself. I might have had it on years ago--can't
remember for sure--but now that I know it's being abused, I'll definitely
leave it on. IFRAMEs are generally poor practice, anyway.

~~~
jakobdabo
Also, pay attention to these settings in about:config page:

accessibility.blockautorefresh

noscript.forbidBGRefresh

noscript.forbidMetaRefresh

Additionally, you can cherry-pick options (or just use it all) from this
repository at
[https://github.com/pyllyukko/user.js](https://github.com/pyllyukko/user.js)
for more privacy.

~~~
alphapapa
Thanks! I'll look into those.
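
The iframe-plus-Refresh pattern discussed in this subthread, seen from the auditing side, as an added example that is not part of the thread or of the NoScript Tracker project: it scans captured responses for iframes whose own response schedules another request via a Refresh header or meta refresh. The function names, hosts and paths are hypothetical, and the sample capture is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

class FrameScan(HTMLParser):
    """Collect <iframe src> and <meta http-equiv="refresh"> values from HTML."""
    def __init__(self):
        super().__init__()
        self.iframes, self.meta_refresh = [], []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh.append(a.get("content", ""))

def parse_refresh(value):
    """Parse 'N; url=target' into (seconds, target or None); None if malformed."""
    m = re.match(r"\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]*)['\"]?)?\s*$",
                 value, re.I)
    return (int(m.group(1)), (m.group(2) or "").strip() or None) if m else None

def find_refresh_frames(responses):
    """responses maps URL -> (headers, body). Report every iframe whose own
    response schedules a further request through Refresh (header or meta tag)."""
    findings = []
    for page_url, (_, body) in responses.items():
        page = FrameScan()
        page.feed(body)
        for src in page.iframes:
            frame_url = urljoin(page_url, src)
            if frame_url not in responses:
                continue  # frame response was not captured
            headers, frame_body = responses[frame_url]
            frame = FrameScan()
            frame.feed(frame_body)
            values = [("header", v) for k, v in headers.items() if k.lower() == "refresh"]
            values += [("meta", v) for v in frame.meta_refresh]
            for origin, value in values:
                parsed = parse_refresh(value)
                if parsed:  # a Refresh with no target reloads the frame itself
                    findings.append((page_url, frame_url, parsed[0],
                                     urljoin(frame_url, parsed[1] or ""), origin))
    return findings

# Constructed sample capture; hosts and paths are made up for this example.
SAMPLE = {
    "http://site.test/article": ({}, '<p>Text</p><iframe src="/t/start?id=1"></iframe>'),
    "http://site.test/t/start?id=1": ({"Refresh": "10; url=/t/ping?id=1&n=1"}, ""),
}
```

Each finding is a tuple of embedding page, frame URL, delay in seconds, next URL and where the refresh came from ("header" or "meta").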

------
achairapart
I will not be surprised at all if something like this is soon used to
circumvent adblockers, replacing classic JavaScript-based analytics on the
"bright" side of the web.

~~~
kaugesaar
AdBlockers will still block iframes and already do. Those I've seen block
the full request based on a list of known domains. Many 3rd-party tracking
cookies are often placed with the help of iframes or an img-pixel.

With Google Analytics you have the option to actually do all the tracking
server-side so AdBlockers shouldn't be an issue tracking-wise.

------
buro9
Before Microsoft gave us the XMLHttpRequest, and before IFRAMEs were
everywhere, this is exactly how, and with FRAMESETs and target="" one could
track session length, reload other parts of a page after some given time,
allow forms to interact with complex flows and various other things.

The "virtually invisible frame loading in the background" trick is going to be
around for the long term and seems destined to be re-learned many times over.

------
somebody1
Why wouldn't you open a web socket?

~~~
korm
Because you can't use WebSockets in the browser without JavaScript.

