
Massive new study lifts the lid on top websites’ tracking secrets - aethertap
https://nakedsecurity.sophos.com/2016/08/03/massive-new-study-lifts-the-lid-on-top-websites-tracking-secrets/
======
gregw134
I worked on designing tracking scripts for six months (fortunately they aren't
in production). Flash cookies aren't a very useful tracking mechanism anymore,
mainly because Google and other browsers now clear Flash cookies when you
clear your regular cookies. Fingerprinting was very difficult to pull off in
practice: even with canvas fingerprinting, font enumeration, plugin
enumeration, etc. etc. most mobile phones are indistinguishable, and even when
you find devices with unique fingerprints (usually because of the unique set
of plugins installed) it's difficult to be certain the new device you've seen
is the same as the old device unless they are coming from the same IP address.

Now, the one mechanism that was very effective was ETag tracking. When you
request a picture or other asset from a website, the website can send you an
etag id which is supposed to signify the picture's version. When the client
revisits the page, the client sends back the etag to confirm the version
cached is the same as the version on the server. The security leak is that the
etag protocol allows arbitrary text to be set as an etag, so to set an etag
cookie all you have to do is place a 1x1 pixel on each page with a random
GUID, and when the user revisits the page the browser will resend the tracking
etag in its request for the 1x1 tracking pixel. This works for browsers with
cookies disabled, and will remain when cookies are cleared. The only way to
clear it is to clear all browsing history entirely, including cached images.
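
Added example (not part of the comment above, and not code from the study or the article): a Python check that an auditor could run over captured traffic to spot the ETag identifiers described there. It flags resources whose body is identical for two fresh browser profiles while the ETag differs, then confirms the value comes back in `If-None-Match`. Profile labels, hostnames and header values are constructed.

```python
import hashlib
from collections import defaultdict

def normalize_etag(value):
    """Drop the weak-validator prefix (W/) and the surrounding quotes."""
    value = value.strip()
    if value.startswith("W/"):
        value = value[2:]
    return value.strip('"')

def per_client_etags(responses):
    """URLs whose body is identical for every profile while the ETag differs:
    the ETag is then not a version marker and can act as an identifier."""
    seen = defaultdict(lambda: {"etags": {}, "bodies": set()})
    for profile, url, etag, body in responses:
        seen[url]["etags"][profile] = normalize_etag(etag)
        seen[url]["bodies"].add(hashlib.sha256(body).hexdigest())
    return {url: e["etags"] for url, e in seen.items()
            if len(e["bodies"]) == 1 and len(set(e["etags"].values())) > 1}

def echoed_on_revisit(flagged, revisits):
    """Requests where the browser returned its per-profile ETag in If-None-Match."""
    hits = []
    for profile, url, headers in revisits:
        sent = normalize_etag(headers.get("If-None-Match", ""))
        if sent and sent == flagged.get(url, {}).get(profile):
            hits.append((profile, url, sent))
    return hits

# Constructed capture: two fresh browser profiles (A, B) load the same pages.
PIXEL = b"GIF89a\x01\x00\x01\x00"  # stand-in bytes for a 1x1 image
LOGO = b"\x89PNG stand-in logo bytes"
RESPONSES = [  # (profile, url, ETag response header, body)
    ("A", "https://tracker.example/p.gif", '"3f2b8c1e-9a4d-4e7b-b1c2-5d6e7f8a9b0c"', PIXEL),
    ("B", "https://tracker.example/p.gif", '"a81d4fae-7dec-41d0-a765-00a0c91e6bf6"', PIXEL),
    ("A", "https://cdn.example/logo.png", 'W/"5d41402abc4b"', LOGO),
    ("B", "https://cdn.example/logo.png", '"5d41402abc4b"', LOGO),
    ("A", "https://news.example/feed.json", '"v41"', b'{"items": 41}'),
    ("B", "https://news.example/feed.json", '"v42"', b'{"items": 42}'),
]
REVISITS = [  # (profile, url, request headers) after cookies were cleared
    ("A", "https://tracker.example/p.gif",
     {"If-None-Match": '"3f2b8c1e-9a4d-4e7b-b1c2-5d6e7f8a9b0c"'}),
    ("A", "https://cdn.example/logo.png", {"If-None-Match": '"5d41402abc4b"'}),
]

if __name__ == "__main__":
    flagged = per_client_etags(RESPONSES)
    for hit in echoed_on_revisit(flagged, REVISITS):
        print("per-client ETag echoed:", hit)
```

Servers that derive ETags from inode or modification time can also return different values from different backends, so treat a hit as a lead and check whether the value stays fixed for one profile across visits.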

~~~
whamlastxmas
Is there any hope for this getting fixed in major browsers? Seems like if you
want privacy now you also have to disable any caching, which sucks.

~~~
gregw134
It looks like Chrome now defaults to clearing your cache when you clear
history, which is good news.

------
keeringplastik
REI knows how to close the deal:

I was shopping a while back for a new tent. Wondered if I should wait for a
20% off single item coupon event like they do a couple times a year. Googled
"when is the next rei 20% coupon?". I got the expected results: probably
around labor day.

Lo and behold, a couple days after this I received an email from REI with a
25% off single item offer code.

I don't know if I should be frightened or not, but I got a new tent!

~~~
awjr
Standard procedure I try and do on most sites if I can wait a week or two. 1)
Add items to basket 2) Checkout until they have at least my email saved. 3)
Wait up to a week. 4) Purchase applying discount code that was emailed to me
usually with a "Hey you didn't finalise your purchase".

I was working for a sex toy company in the UK and remember one of the
developers running a mail shot process with a bug that accidentally resent the
"abandoned baskets" email for all abandoned baskets for the last 4 years or so
with a 20% off voucher. Busiest unexpected sales spike in the history of the
company :)

~~~
elorant
Sounds like a SaaS waiting to happen.

~~~
teej
Search "abandoned cart promotion" and you'll find plenty of them.

------
drdaeman
Is there any tool that tries to prevent fingerprinting by unifying browsers'
behavior into one single promoted "common" one? Well, completely preventing is
probably impossible, but at least lower the number of unique properties.

E.g. a software-only... err... shim (or what should I call it?) for canvas and
audio APIs, and only allow the fast native one to trusted whitelisted parties.
And a uniform list of fonts and plugins, regardless of what's actually
installed.

Of course, I know about NoScript. It can't be mass-used as a "just install
this and you're good" strategy, thus doesn't help much - the fingerprints
would still remain quite unique. Yet, if something is less obtrusive - just
slow at times (and then it asks "hey, this site does something fancy with
canvas, maybe allow it to speed up at the cost of your privacy?") may work.

~~~
tunap
Blender, Firefox plug-in, sends generic user-agent characteristics to mitigate
some fingerprinting techniques. "Blend into the crowd":

[https://addons.mozilla.org/en-US/firefox/addon/blender-1/](https://addons.mozilla.org/en-US/firefox/addon/blender-1/)

~~~
ljk
one of the reviews

    
    
      Out of date 2/5 stars
    
      Language spoofing no longer works (assuming it ever worked). Chosen user-agent, etc is pretty out of date. Should choose the same ones as the Tor Browser Bundle or something
    

how accurate is this? is this extension still worth it?

~~~
tunap
Perhaps, somewhat...? It does claim to additionally spoof fonts, OS and
browser metrics. It has _not_ been updated since April and that came after a
long maintenance drought preceding it. In the past it did well on the various
browser fingerprint detection sites. Today, I am _unique_ with the only
difference between Blender enabled and disabled on Panopticlick[1] is the OS &
Browser are indeed spoofed in the results and too many fonts to audit... w/
AB+ disabled, NS disabled(all/globally).

[1] [https://panopticlick.eff.org/](https://panopticlick.eff.org/)

------
dang
I seem to recall that this study had a major discussion on HN not too long
ago. Anybody have a link?

~~~
teh_klev
This one perhaps?

[https://news.ycombinator.com/item?id=11729438](https://news.ycombinator.com/item?id=11729438)

~~~
dang
That's the one. Thanks!

(I suppose it doesn't make sense to swap the above URL out at this point.)

