This Time Self-Hosted
dark mode light mode Search

More on browser fingerprinting, and Analytics

A few days ago I pointed out how it’s possible to use some of the Chrome extensions (and likely just as many of the Firefox ones) to gather extra entropy in addition to the one that Panopticlick already knows about. But this is not the only source of identification that Panopticlick is not considering, and that can be used to track users.

I originally intended to write a full proof of concept for it, but since I’m currently in Mountain View, my time is pretty limited, so I’ll limit myself to a description of it. Panopticlick factors in the Accept header for the page that the browser sends with the page’s request, but there is one thing that it does not check for, as it’s a bit more complex to do: the Accept header for images. Indeed, different browsers support different image formats, as I’ve found before and even browsers that support, for instance, WebP such as Opera and Chrome will have widely different Accept headers.

What does it mean? Well, if you were trying to replace, let’s say, your Chrome user agent with a Firefox one, you’d now have a very unique combination of a Firefox user agent accepting WebP images. Your hope of hiding by muddling the waters just made you stand up much more easily. The same goes if you were trying to disable WebP requests to make your images’ Accept more alike Firefox’s: now you’ll have a given version of Chrome that does not support WebP — the likeliness of being unique is even bigger.

So why am I talking this much about browser fingerprinting later? Well, you may or may not have noticed but both my blog and Autotools Mythbuster are now using Google Analytics. The reason for that is that, after my doubts on whether to keep running the blog or not, I want to know exactly how useful my blog is to people, and how many people end up reading it at given time. I was originally a bit unsure on whether this was going to be a problem for my readers, but seeing how easily it is to track people stealthily, tracking people explicitly shouldn’t be considered a problem — thus why I’m going to laugh at your expense if you’ll start complaining about this being a “web bug”.

Comments 1
  1. Hi, I just read about another tracking technique using the browser cache here: http://www.heise.de/securit…Unfortunately it’s in German, but I’ll try to summarise it:Cacheable Objects carry an Etag to identify them on later visits. If the webserver sends every client, who doesn’t send an Etag together with an request for an image, an unique Etag, the the webserver can identify a returning client, because when the client returns he includes his own etag in the request.Just wanted to point you to that, because you seem quite interested in such stuff.Greetings Christian

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.