First practical in-the-wild implementation of browser fingerprinting for marketing purposes

joepie91 Member, Patron Provider
edited December 2012 in General

http://42floors.com/blog/youre-not-anonymous-i-know-your-name-email-and-company/

Sumit Suman recently visited a site, did not sign up for anything, did not connect via social media, but got a personal email from the site the next day.

Here’s how they did it.

I’ve learned that there is a “website intelligence” network that tracks form submissions across their customer network. So, if a visitor fills out a form on Site A with their name and email, Site B knows their name and email too as soon as they land on the site.

For example, if [a visitor] went to XYZ.com and filled out a web form and then [the visitor] later visited 42floors.com, [42Floors] would be able to identify [the visitor] by name/email as well as company details even though [the visitor] never filled out a web form on [42Floors.com].

Remember, that thing that everyone always thought would never happen? There you go.

And no, this has nothing to do with cookies or IP tracking. This has to do with browser fingerprinting.

Comments

  • And then there will arise plugins that will change text size or resolution just a little bit to defeat these techniques and make you anonymous

  • joepie91 Member, Patron Provider

    @darknessends said: And then there will arise plugins that will change text size or resolution just a little bit to defeat these techniques and make you anonymous

    The problem is that that can interfere with proper functioning of many sites that rely on this information.

  • @joepie91 said: Remember, that thing that everyone always thought would never happen? There you go.

    Quis custodiet ipsos custodes?

    Time to get off the internetz:

    [image]

  • @joepie91 said: Remember, that thing that everyone always thought would never happen? There you go.

    Reminded me of GLaDOS

  • This has long been used. Just not known out in the wild.

    There was a proof of concept with the stats and odds of your browser fingerprint matching others.

    Remember looking at both Opera and Firefox under Linux and it was like a 1 in 20 million chance that two people shared the same setup. These weren't very aged/used installs either.

    Wondering how much putting Squid in the middle can help. Know it's a semi decent shield for lots of stuff, plus can fake the browser type in there with one line of config.

  • joepie91 Member, Patron Provider

    @pubcrawler said: There was a proof of concept with the stats and odds of your browser fingerprint matching others.

    Yes, that's Panopticlick from the EFF.

    @pubcrawler said: Wondering how much putting Squid in the middle can help. Know it's a semi decent shield for lots of stuff, plus can fake the browser type in there with one line of config.

    It can fake the user-agent; it can't fake the rest of the information about your browser that can be gathered via for example Javascript.

  • Yep, good info @joepie91!

    I don't see why a browser should ever be giving up any info. Folks designed the browsers to be insecure like this, not by accident.

    Solution is to completely block all this info and disallow sites from accessing any of it. How to accomplish that, well, ummm yeah, anyone?

  • joepie91 Member, Patron Provider

    @pubcrawler said: I don't see why a browser should ever be giving up any info.

    The info that is provided is actually necessary for proper functioning of a lot of things. The list of fonts will be critical for a web-based document editor. The list of plugins will be important for something that has multiple fallbacks (for example, for file uploads). The screen resolution is absolutely critical for a lot of web applications that have to resize things based on this, or even switch to an entirely different layout entirely. And so on, and so on... as a web developer myself, I can't really see anything in the list of information for which no legitimate purpose exists.

    @pubcrawler said: Solution is to completely block all this info and disallow sites from accessing any of it.

    This will break half the web.

  • A quick experiment with the Panopticlick tool is scary, go try it folks if you haven't:
    https://panopticlick.eff.org

    Now the big way to cut down on this is to:
    1. Disable Javascript and plugins. Gets rid of two big piles of data that are most identifiable.

    2. Fake the browser UserAgent info. This is the most common user agent at this point supposedly:
      Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11

    Running Opera on Linux has this as a useragent:
    Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.11

    The tool there says 1 in 29376 browsers have that user agent.

    Changing the Opera user agent to the Mozilla one above gets us:
    1 in 920 browsers have that user agent

    Quite a big difference.

    Remaining highly identifiable pieces left are:
    HTTP_ACCEPT Headers
    Screen Size and Color Depth

    Now even with this approach we get this scary reality:
    Your browser fingerprint appears to be unique among the 2,585,132 tested so far.

    What we all need are browser plugins to muck this data and publish to the remote websites the same unified BS response to these peeks and pokes of browser :)
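
To put numbers on two points made above (a proxy such as Squid changes only what travels in request headers, and swapping the User-Agent moves it from 1 in 29376 to 1 in 920), here is an added example, not part of any post in this thread, that converts Panopticlick-style "1 in N" rates into bits of identifying information and recomputes the total after a header rewrite. The profile structure, the function names and every rate other than the two User-Agent figures and the sample size are constructed for illustration, and attributes are assumed independent.

```javascript
// Added example, not from the thread. The two User-Agent rates and the sample
// size are the figures quoted in the post; all other rates are CONSTRUCTED.
const SAMPLE_SIZE = 2585132;
const UA_OPERA_LINUX = 29376; // "1 in 29376 browsers have that user agent"
const UA_COMMON_CHROME = 920; // "1 in 920 browsers have that user agent"

// Surprisal in bits of a value shared by 1 in n browsers.
const bits = (oneInN) => Math.log2(oneInN);

// `via` records how a site learns the value: request header or JavaScript.
const operaOnLinux = {
  userAgent: { oneIn: UA_OPERA_LINUX, via: 'header' },
  httpAccept: { oneIn: 60, via: 'header' }, // constructed
  screen: { oneIn: 30, via: 'script' }, // constructed
  plugins: { oneIn: 30000, via: 'script' }, // constructed
  fonts: { oneIn: 15000, via: 'script' }, // constructed
};

// Total bits over the chosen channels, treating attributes as independent
// (an assumption; correlated attributes make the real total lower).
function identifyingBits(profile, channels = ['header', 'script']) {
  return Object.values(profile)
    .filter((attr) => channels.includes(attr.via))
    .reduce((sum, attr) => sum + bits(attr.oneIn), 0);
}

// A header-rewriting proxy can change header values only; overrides aimed at
// script-visible attributes are ignored because the proxy never sees them.
function viaProxy(profile, overrides) {
  return Object.fromEntries(Object.entries(profile).map(([name, attr]) =>
    [name, attr.via === 'header' && name in overrides
      ? { ...attr, oneIn: overrides[name] } : attr]));
}

// Summary: total bits, whether that exceeds what is needed to single out one
// browser in the sample, and attributes ranked by how identifying they are.
function report(profile) {
  const total = identifyingBits(profile);
  const ranked = Object.entries(profile)
    .sort(([, a], [, b]) => b.oneIn - a.oneIn).map(([name]) => name);
  return { total, uniqueLikely: total > Math.log2(SAMPLE_SIZE), ranked };
}

const proxiedProfile = viaProxy(operaOnLinux, { userAgent: UA_COMMON_CHROME });
const direct = report(operaOnLinux);
const proxied = report(proxiedProfile);
console.log(direct.total.toFixed(1), proxied.total.toFixed(1), proxied.ranked);
```

With these constructed rates the User-Agent swap removes about 5 bits, while the script-visible attributes are untouched and still carry more than the roughly 21.3 bits needed to single out one browser among 2,585,132.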

  • @joepie91,

    I thought CSS was supposed to deal with the screen scale size :) ?

    The upload example thing for plugin and fallback, I say screw it. Keep things universal and basic and asking for that failure I think.

    BTW: I routinely turn Javascript off. The web works so much faster that way and security issues go to probably nearly ZERO :)

  • joepie91 Member, Patron Provider

    @pubcrawler said: I thought CSS was supposed to deal with the screen scale size :) ?

    No, not exclusively. CSS can do layout, but not much else. If you have to, for example, write some kind of animation in Javascript, you will sometimes have to take into account screen resolution as well. And that's just one possible example. The more complex a web application becomes, the bigger the chance that this kind of thing is necessary.

    @pubcrawler said: The upload example thing for plugin and fallback, I say screw it. Keep things universal and basic and asking for that failure I think.

    That doesn't work for the people that expect more from their browser than just serving plaintext webpages.

    @pubcrawler said: BTW: I routinely turn Javascript off. The web works so much faster that way and security issues go to probably nearly ZERO :)

    Yes, but it breaks half the web.

    The problem here isn't that the technology exists, it's that the technology can be used for these purposes.

  • Problem with javascript and plugins is they are idiotic.

    I have to murder Flash when I let it run on a multiple times a day basis. It's total crapware. CPU burning up with it doing nothing.

    All the javascript stuff is mostly kind of useless to me.

    I wonder how sites are "handicap" accessible with all this bloatware development? I suspect most aren't compliant or redirect to another site they maintain otherwise.

    I use the web for data, text. All the fluff, it's just insane. If I wanted that crap, including video, I'd go use my television.

    Hate to say it, but aside from the brighter folks who do read text, the rest are getting away from browsers and computers. It's all specialized devices like phones, TVs, etc. So all the javascript and plugin stuff is bound to get smashed even more and less important.

    Just glad book makers don't use the same development logic to make books that unfold on you, won't let you close them, give you intestinal distress, have text that changes at their will, etc. :)

  • I find it quite disturbing. And I don't really think I'd want to buy something from a company that emails me out of the blue.
