[Switch] "cookie" technology without Cookie

There is another concealed User tracking technology that does not use cookies or JavaScript. Many websites are already in use, but few people know it. This article describes how this technology tracks users and how users can avoid tracing.

This technology is independent:

• Cookies
• Javascript
• Localstorage/sessionstorage/globalstorage
• Flash, Java, or plug-in
• Your IP address or user agent Header
• Panopticlick

On the contrary, it uses another storage method, which can still exist even if the browser is closed, that is, browser cache. Even if you completely disable cookies and JavaScript, or even use VPN services, this technology can still trace you.

Example

Submit some data to this link (http://lucb1e.com/rp/cookielesscookies/), close the browser, and open again to see if the data is still there?

Check whether there is anything in your cookie? None. These are all in a fake image verification that we barely notice. Look at the above eyes. Haha, that's our tracker.

How does it work?

Is a rough description

 

The etag in the image is an image verification method. When the image changes, the etag also changes. Therefore, the browser will take the image and etag to the server for verification, so that the server can answer whether the image has changed. If not, the image will be hit and returned directly from the browser cache, you do not need to pull images again on the server.

Careful readers may already know how this can be traced: the browser can send the etag back to the server. However, this etag seems to produce many cookies, isn't it? Therefore, the server can give each browser a unique etag. When you receive the etag again, you will be able to know it is you.

Some technical details and defects in the demo

Demo in order to be able to use JavaScript, I have to find some information that is unique to you, except the etag. Images are loaded after the page is loaded, but only etag is contained in the image. How do I display the time information? I do not need JavaScript to dynamically update data, and this demo is to prove that JavaScript is not required.

Some minor bugs:

All the information you see is the last one. You need to press F5 to refresh the latest one.
When you access the page without carrying etag (such as the stealth mode), the session will be cleared. Or, when you refresh the page, the data disappears.
I didn't see a simple solution for this technology. Of course, some things can be done, and other websites may not be used, but I just want to make the code simple and practical.

Please note that when you really want to track a person, you don't want to tell the user that they are being tracked. Your bugs do not exist!

Source code

Which program has no source code? Oh, it seems to be Microsoft's Windows.

Https://github.com/lucb1e/cookielesscookies

How to avoid tracing?

If you want to be safer, I strongly recommend that you enable the stealth mode and Use https. If this option is enabled, breach (the latest HTTPS attack) is prevented, Cookie tracking is disabled, and cache tracking mentioned in this article is also eliminated. I will use the stealth mode when using online banking. In Firefox (ie should also be), press Ctrl + Shift + P, and press Ctrl + Shift + N in chrome.

In addition, it depends on your cleanliness of privacy and security.

At present, I don't have a simple and perfect solution, because cache tracking is almost imperceptible, but cache itself is useful at the same time, saving time and money. Websites will consume less bandwidth (you think about who will pay for the traffic), and your webpage loading speed is faster, especially on mobile devices, there will be a big difference. If you do not have an unlimited traffic package, if you are slow in the network, the effect of slow storage will become more obvious.

After hearing this, if you are not at ease, disable the cache completely. Without the storage status or information, any tracing will not happen, that is, it will be reloaded every time, the speed will be slower, and I personally do not think it is worthwhile to do so.

Firefox plug-in self-destructing cookies have the following features: When you do not use a browser for a while, it will clear your cache. Regularly clearing the cache of this plug-in may be a good choice, and it will only be traced during the Access session, but they can also record which IP Address has accessed which page, so this is no big deal. However, since the cache is cleared (assuming that the trail is based on the cache), it seems that the trail is a new user and the trail cannot continue.

I don't know any other plug-ins that can regularly clear the cache (for example, once every 72 hours), but they should be there. This will be a good method, which is useful for 99% of users, because this will not cause performance degradation too much, but also limit tracking.

Update:I have heard that the Firefox plug-in secretagent also has the etag overwrite to prevent this type of tracing. You can set a whitelist to reset the cache for some sites to prevent tracking. This has been confirmed to prevent tracking. Secretagent website.

Address: http://lucb1e.com/rp/cookielesscookies/