evercookie
evercookie copied to clipboard
samyk
Evercookie doesn't work with Private Browsing mode
Hi everybody,
I've realized that last browser versions of the main browsers (IE, Firefox, Chrome, Safari) avoid evercookie.
Is there any way to make evercookie work even if user uses private mode?
Thanks,
FMN
@fidelmartin: By design, Private Browsing Mode is intended to defeat things like evercookie. If evercookie circumvents private browsing mode, browser developers treat it as a bug and adjust accordingly.
In fact, that's by design too. Evercookie wasn't the first thing to do what it does, but it was the first one that was announced publicly so browser manufacturers would improve their privacy controls.
@ssokolow: I agree with your comment and I think is important to keep web privacy safe. However undesirable people uses web privacy to attack others. We have been using evercookie to protect against click fraud attacks (our competence click our Adwords campaings) but evercookie doesn't work nowadays to protect from those attacks.
We are thinking to implement something like Panopticlick. I know it is not 100% accurate but I think it's better than nothing. If you have any other recommendation I will appreciate it so much.
@fidelmartin: Sorry. I understand your point of view, but all my experience is more in using things like NoScript and careful tuning of my browser headers to limit Panopticlick's utility as much as possible. (Also, as I remember, the Firefox guys adjusted their user agent strings about a year ago so their Gecko build dates would be less variable, providing less uniqueness for Panopticlick to latch onto)
As for Adwords and clickfraud, that's one reason I consider pay-per-click fundamentally flawed and prefer pay-per-day offerings like Project Wonderful. It's more resistant to that problem.
A possible fix I found is to user browser fingerprint in conjunction with evercookie.
1) You open Chrome and you get a evercookie saved (let's say with value AAA). 2) And then open Chrome in Incognito mode and get a new value for the evercookie (let's say BBB). And you have the problem.
But... The browser fingerprint is the same for both Incognito and non-Incognito... So my fix is to store server-side the pair "evercookie value"+"browser fingerprint".
3) In the Incognito mode, if a pair with the same browser fingerprint is found on the serve, the evercookie value is replaced with whatever is stored there on the server.
Looks like more incentive for browser manufacturers to simplify their headers further.
Firefox is already making decent progress on that:
- They've simplified their User-Agent string in recent versions, as has Internet Explorer.
- The most reliable way to fingerprint a machine is to use plugins like Flash, Java, and Silverlight to grab things like the Ethernet MAC address or the list of installed fonts... and the Firefox guys are already in the process of integrating plugin "click to play" into Firefox itself as a way to protect against 0-day exploits and limit memory consumption.
I actually fine-tuned my headers using Panopticlick as my test platform so that they're as generic as a Linux user's headers can get. (Though I bet a Windows user would get even more generalism)
I use a flash to get list of installed fonts. However doesn't work in iPads/ipods/MAC.
I agree that the best is to get MAC address but with Flash and Silverlight is not possible. With Java applets I think is possible but I think the browser advice user that an applet want to access system. If you know a way to get MAC address without advicing user I would appreciate it.
@fidelmartin As far as I know, it's not possible. (If it were, I'd be conflicted about telling people before Firefox gains its built-in plugin whitelisting to help protect against it)
@zxqfox I don't think the browser exposes any kind of indication that it's in Private Browsing mode, but I could be wrong.
I think I remember hearing that it tells the Flash plugin when it's in private mode, but I don't know if the plugin exposes that information to running applets.
What would the point of detecting private browsing mode be anyway? A browser can behave roughly the same way without it enabled.
For example, my Firefox is set to flush cache and cookies and so on whether or not it's in private mode unless the site is on a whitelist. (I carefully went through evercookie technique-by-technique, hardening my browser's non-private mode against it)
No reason to store anything. And no reason to count that user in Vote rating data, for example.
@zxqfox Bad idea. There are a lot of people who (like one of my friends) run with Private Browsing on permanently or (like me) use it as a simple, intuitive way to visit a site they don't trust (eg. one that integrates with Google or Facebook for login) and then flush all data that could be used to track them.
In other words, there are a lot of people who use Private Browsing and/or Incognito as a way sandbox and forcefully-expire cookies from certain sites.
I hear it's becoming more common as more people become aware of how not all cookie managers clear Flash cookies but current Flash plugins respect private/incognito settings.
There is no anonymous really. Google knows who you are even in private mode. https://panopticlick.eff.org/ Even in private or any mode.
@zxqfox
- There are many people who don't know that. Hence, telling me won't make a difference in how bad an idea it is to make the site behave differently based on the presence or absence of private browsing mode. (Users will find it confusing if they don't recognize what's going on and creepy if they do.)
- I'm aware of Panopticlick. I've also installed NoScript and tuned my
User-AgentandAcceptheaders so Panopticlick gets very little unique info. (Most of the info it gets requires JS to collect, User-Agent is set to the current Windows Firefox default via an extension, and Accept is adjusted by editing my list of preferred languages to match the default for the American English release of Firefox.)
I have implemented Panopticlick idea but just considering only the information that almost not change, system fonts and browser plugins. I think the results are good enoug.
I have read something about other tracking cookies implemented by Facebook and Google, however I didn't get enough information to know how they implement them. Does anybody read/know about those cookies?
@zxqfox just a thought... you can detect private browsing for browsers that support LocalStorage. At least this works for Safari. Because localStorage has a capacity of 0 in private mode.
First, determine if the browser supports localStorage. Then try to store something.
if('localStorage' in window) { try { localStorage.test = 1; } catch (e) { // most likely private mode } }
That's pretty cool @taylorcode! Would be nice to have a routine that confidently detected private/incognito modes, may play with that
See https://gist.github.com/cou929/7973956 and https://jsfiddle.net/Lgpzvqta/
@fidelmartin You can look at my fingerprinting project for some more ideas: https://github.com/gulkily/browserfp
this page is a demo. http://lucb1e.com/rp/cookielesscookies/ it tracks users by ETag. I have tested this on lastest chrome, it works through private and non-private browsing modes
Just clear the cache of browser then ETag will "pass way"
On 10/20/2017 2:11 AM, Zihan Zheng wrote:
this page is a demo. http://lucb1e.com/rp/cookielesscookies/ it tracks users by ETag. I have tested this on lastest chrome, it works through private and non-private browsing modes
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/samyk/evercookie/issues/19#issuecomment-338007930, or mute the thread https://github.com/notifications/unsubscribe-auth/AARckAL1UHyy55t92phSn5NHQnIyZ5dWks5st57ogaJpZM4AEhqu.
@thaiwhere I know that i can clear the cache. What I want to say is evercookie cannot track user between private and non-private modes, but cookielesscookie can do that.