Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Massive new study lifts the lid on top websites’ tracking secrets (sophos.com)
73 points by aethertap on Aug 3, 2016 | hide | past | favorite | 25 comments


I worked on designing tracking scripts for six months (fortunately they aren't in production). Flash cookies aren't a very useful tracking mechanism anymore, mainly because Google and other browsers now clear Flash cookies when you clear your regular cookies. Fingerprinting was very difficult to pull off in practice: even with canvas fingerprinting, font enumeration, plugin enumeration, etc. etc. most mobile phones are indistinguishable, and even when you find devices with unique fingerprints (usually because of the unique set of plugins installed) it's difficult to be certain the new device you've seen is the same as the old device unless they are coming from the same ip address.

Now, the one mechanism that was very effective was ETag tracking. When you request a picture or other asset from a website, the website can send you an etag id which is supposed to signify the picture's version. When the client revisits the page, the client sends back the etag to confirm the version cached is the same as the version on the server. The security leak is that the etag protocol allows arbitrary text to be set as an etag, so to set an etag cookie all you have to do is place a 1x1 pixel on each page with a random GUID, and when the user revisits the page the browser will resend the tracking etag in its request for the 1x1 tracking pixel. This works for browsers with cookies disabled, and will remain when cookies are cleared. The only way to clear it is to clear all browsing history entirely, including cached images.


Is there any hope for this getting fixed in major browsers? Seems like if you want privacy now you also have to disable any caching, which sucks.


It looks like Chrome now defaults to clearing your cache when you clear history, which is good news.


REI knows how to close the deal:

I was shopping a while back for a new tent. Wondered if I should wait for a 20% off single item coupon event like they do a couple times a year. Googled "when is the next rei 20% coupon?". I got the expected results: probably around labor day.

Lo and behold, a couple days after this I received an email from REI with a 25% off single item offer code.

I don't know of I should be frightened or not, but I got a new tent!


Standard procedure I try and do on most sites if I can wait a week or two. 1) Add items to basket 2) Checkout until they have at least my email saved. 3) Wait up to a week. 4) Purchase applying discount code that was emailed to me usually with a "Hey you didn't finalise your purchase".

I was working for a sex toy company in the UK and remember one of the developers running a mail shot process with a bug that accidentally resent the "abandoned baskets" email for all abandoned baskets for the last 4 years or so with a 20% off voucher. Busiest unexpected sales spike in the history of the company :)


Sounds like a SaaS waiting to happen.


Search "abandoned cart promotion" and you'll find plenty of them.


If we were back in 2012. Today is more like a day for a SaaS company like that to close.


fascinating--i would have bet that sex toys have a fairly high price inelasticity (> 20% anyway) and are purchased impulsively.


The company, Lovehoney, have a 1 year return policy, no questions asked. So people are encouraged to find the one toy that "fits" them perfectly. They do get high return rates but they get very loyal customers.

Pretty awesome company tbh.


This is a standard eCommerce tactic.

We watch how much time you spend on a page, if you mess with options, etc.

If you seem to have any interest in a product we want to unload, we send you a coupon.

We have literally hundreds of SKUs we do this for at any given time to clear warehouse space for newer stuff.


Amusingly, the tactic resembles in-person haggling in China (and many other places). Salesman offers price, you walk away, they run after you offering a lower price.


Where do you think we got the idea? ;)


That makes sense. I was indeed doing some hovering and dithering over tents.

What I found curious however, is the fact that I have never ordered anything from REI on my phone, nor logged on to any REI website (no cart, no account). All REI purchases go through my wife's account for the dividend.

How does casual browsing connect with an email address, excepting the Google search?

Sometimes I wonder if the Web has already passed some basic level of sentience.

You guys will let me know when that happens, right?


If there wasn't any chance of there being a code would you have bought the tent anyway?


Is there any tool that tries to prevent fingerprinting by unifying browsers' behavior into one single promoted "common" one? Well, completely preventing is probably impossible, but at least lower the number of unique properties.

E.g. a software-only... err... shim (or how should I call it?) for canvas and audio APIs, and only allow fast native one to a trusted whitelisted parties. And an uniform list of fonts and plugins, despite of what's actually installed.

Of course, I know about NoScript. It can't be mass-used as a "just install this and you're good" strategy, thus doesn't help much - the fingerprints would still remain quite unique. Yet, if something is less obtrusive - just slow at times (and then it asks "hey, this site does something fancy with canvas, maybe allow it to speed up at the cost of your privacy?") may work.


Actually, most of the newer techniques depend on server-provided code executed in the client, and those results posted back to the server. Therefore, disabling Javascript and plugins prevents most of them, as it prevents automatic postback, but also the access to APIs that allows that information be collected in the first place.

There are ones that'll keep working without Javascript or plugins, like anything coming across in HTTP headers (user-agent, accept, Etag) or on the lower layers (IP address, ciphersuites). Chromium maintains a good Wiki of tracking techniques and possible mitigations [1], Firefox also [2].

Predictably, ones in the lower layers are more difficult and/or impossible to mitigate from a browser; the ones relating to the precise use of HTTP can be mitigated at the cost of breaking automatic HTTP content-negotiation (including mimetypes and language), and caching/state-control semantics.

[1] http://www.chromium.org/Home/chromium-security/client-identi...

[2] https://wiki.mozilla.org/Fingerprinting


Blender, firefox plug-in, sends generic user-agent characteristics to mitigate some fingerprinting techniques. "Blend into the crowd":

https://addons.mozilla.org/en-US/firefox/addon/blender-1/


one of the reviews

  Out of date 2/5 stars

  Language spoofing no longer works (assuming it ever worked). Chosen user-agent, etc is pretty out of date. Should choose the same ones as the Tor Browser Bundle or something
how accurate is this? is this extension still worth it?


Perhaps, somewhat...? It does claim to additionally spoof fonts, OS and browser metrics. It has not been updated since April and that came after a long maintenance drought preceding it. In the past it did well on the various browser fingerprint detection sites. Today, I am unique with the only difference between Blender enabled and disabled on Panopticlick[1] is the OS & Browser are indeed spoofed in the results and too many fonts to audit... w/ AB+ disabled, NS disabled(all/globally).

[1] https://panopticlick.eff.org/


Why not a browser that turns off all that crap? Don't send a list of fonts, if I don't have the one you try to use, it should default back to one of the standard ones. Don't report anything about canvas setup, audio, etc. Let them translate silence.


Tor Browser does a lot of that.


I seem to recall that this study had a major discussion on HN not too long ago. Anybody have a link?



That's the one. Thanks!

(I suppose it doesn't make sense to swap the above URL out at this point.)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: