Mass Surveillance by Eavesdropping on Web Cookies

Interesting research:

Abstract: We investigate the ability of a passive network observer to leverage third-party HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which emits a unique pseudonymous identifier, then the adversary can link visits to those pages from the same user (browser instance) even if the user’s IP address varies. Using simulated browsing profiles, we cluster network traffic by transitively linking shared unique cookies and estimate that for typical users over 90% of web sites with embedded trackers are located in a single connected component. Furthermore, almost half of the most popular web pages will leak a logged-in user’s real-world identity to an eavesdropper in unencrypted traffic. Together, these provide a novel method to link an identified individual to a large fraction of her entire web history. We discuss the privacy consequences of this attack and suggest mitigation strategies.

Blog post.

Posted on April 4, 2014 at 8:25 AM • 29 Comments

Comments

Steven PlemonsApril 4, 2014 9:22 AM

@Bruce
If two web pages embed the same tracker which emits a unique pseudonymous identifier,

Makes me think of the Google Global User ID and their advertizement network.

wiredogApril 4, 2014 9:51 AM

Isn't this how web advertising works? By tracking an individual and aggregating their web history?

Steven PlemonsApril 4, 2014 10:07 AM

This is also why companies like Google need such huge server farms. Instead of taking the relevant advert from the contents of the page that the user happens to be viewing, they collect profiles on individuals and store that information until kingom come.

AnuraApril 4, 2014 11:23 AM

I always disable third party cookies, and rarely find a need to make an exception. Of course, my home IP address is practically static, so when I'm not using Tor, I don't really gain much.

WebcitizenApril 4, 2014 1:10 PM

That's were a mighty firefox addon comes really handy.

Self-Destructing-Cookies

The best thing of all, cookies aren't completely off, they just get 'destroyed', when they're not needed anymore. Enjoy!

name.withheld.for.obviousApril 4, 2014 1:23 PM

It's not about cookies. GUID like etags are embedded in XML and some image tags are embedded inline (your browser has to process the stream). The use of server-side etagging techniques are also a great way to get around client side privacy and protection filters. The aggregator strategy is to find a way to tag you, period. This behavior is dishonest and unethical. The legal redress required to remove the Internet toilet paper from your shoes must be brought to the attention of legal bodies world wide.

got.SSN.salt?April 4, 2014 2:07 PM

I'm just sittin here, waiting for Bruce's take on Experian. Anybody have a good website to lay bets on which massive institution/megacorp gets knocked over next?

CarpeApril 4, 2014 2:17 PM

This is why too many little widgets and javascript drive me nuts and are so insidious. how many blog pages do you see that use the facebook/twitter/other social media widgets (as opposed to just a link to the profile or other more reasonable alternative)?

I'm increasingly convinced the Stallman method of browsing the web is the way to go.

"For personal reasons, I do not browse the web from my computer. (I also have not net connection much of the time.) To look at page I send mail to a demon which runs wget and mails the page back to me. It is very efficient use of my time, but it is slow in real time." -RMS

VladApril 4, 2014 5:24 PM

This is hardly novel. Here in Russia we have a company buying DPI data from ISPs, analyzing it, and selling to the advertisers. They use - guess what - various widespead cookies (Google Analytics, for instance) to identify users.

yesmeApril 4, 2014 5:40 PM

@Carpe

The problem with "the web", and I don't say the internet, but http, html, js, css, flash, silverlight, xml, webdav, all the "secure" things, webgl, and probably a dozen more things, is that these things all require libraries.

Just look at OpenSSL or GnuTLS. You can't secure "the web". And a web browser has all these libraries, and more.

I think the approach of RMS is right. With wget you get exactly what you need, altough probably not as efficient.

That's why I sometime ago suggested to transform "the web" as a filesystem. Altough I know this is never gonna happen, it makes sense. You can use your ordinary command line tools and some editors. I trust these way more than whatever browser, or whatever web server. It is plain impossible to secure Apache or IIS, or Ngnix. It's just too much.

Impossibly StupidApril 4, 2014 5:50 PM

@Anura

You might be surprised how different your definition of what a 3rd party is compared to what a browser's definition might be. Safari, for example, always shows a ton of sites I never visited in its cookie list any time I check.

AnuraApril 4, 2014 7:17 PM

@Impossibly Stupid

It still blocks the majority of websites. I also set cookies to session only by default, so the cookies only last as long as my browser is open. One of the main things you will notice is that a lot of links will be redirected through a third party so that they can track you.

ZebedeeApril 4, 2014 8:20 PM

I use the OpenDNS Umbrella service. It tracks all outgoing connections, and I periodically go through the log and add most of them to the blacklist. Works for iDevices too, so all the apps that have advertizing no longer show ads. All those Like buttons - gone. Ads - gone. It takes some effort to get the commonly encountered tracking sites in the blacklist, but once it's populated for the sites and apps you commonly use it's something you can mostly ignore. I've been using it for a year and am very happy. Just wish they'd support Android (long promised, not delivered yet).

AnuraApril 4, 2014 8:23 PM

Just checked, and the current cookies stored are for memory-alpha.com, Amazon, a couple of song lyrics sites, and google. Haven't done much since I last opened my browser, apparently. So yeah, the block third party cookies + allow for session only does a significantly better job than the default (accept ALL the cookies!)

Bob S.April 4, 2014 8:41 PM

Just as ubiquitous encryption is needed I think a sytem of sprinkling salt throughout all of our internet communication is needed also.

If I search for running shoes, maybe in the background my browser would search for swim flippers and trips to the Caribbean. Etc. The various cookies, beacons and trackers could busily collect, track and collate it all.

In short, we need to create a lot more garbage to feed the beast.Tons of it.

(Soon enough a year will have passed since the first revelations and our government has done absolutely nothing constructive to repair any of it. Indeed it seems a classic betrayal is in the works via congressional white wash.)

Mr SmithApril 5, 2014 9:08 AM

@Bob S.

There is the Firefox addon "TrackMeNot", or you could write your own script (using something like iMacro, or a terminal-based browser like Lynx). In practice, it is very difficult to fool Google into thinking that your bot-generated traffic is genuine human browsing (that is, after all, how they make their money). You are better off accessing a range of alternative search engines through an anonymization layer.

My favorite idea for feeding the beast was a cookie exchange system (I've forgotten its name). People from different parts of the world made their cookies available to each other, thus messing up the servers' ability to tag individuals. Unsurprisingly, the site was closed down and the infrastructure quietly removed within weeks. Someone should bring it back.

You think tracking cookies is bad? Wait til project Loon is up and running.

JacobApril 5, 2014 10:20 AM

@Mr Smith
cookie exchange system is a very bad idea. Cookies, in addition to being trackers, also contain login credentials and forums / web mail / commercial sites user names. You don't want these to be shared.

Mr SmithApril 5, 2014 11:52 AM

@ Jacob
That depends on which cookies, of course. I would not send you my online bank cookies, but I would gladly share my doubleclick and 2o7 cookies with you.

YammaApril 5, 2014 12:11 PM

Can't cookies be designed in a way that there are ephemeral cookies? Such that the sending and receiving ends know the underlying unique identifier but the string of text transferred across the internet frequently changes?

Alv.April 5, 2014 12:30 PM

We're probably flogging a dead horse. Google claims they plan to ditch cookies in favor of AdID. In my view, this probably means they have developed a more efficient way of tagging individual users (if I had to guess, this could well be a solution involving browser fingerprinting and html5 local storage).

Impossibly StupidApril 5, 2014 3:19 PM

@Yamma

Technically, sure, there are all sorts of things that could be done to make your browsing more pleasant, secure, and respectful of your privacy. All you have to do is find a company and/or government that respects your rights with more interest than they lust after power or profits. It seems to be only begrudgingly that you're allowed to use extensions like AdBlock or things like self-signed certificates at all. In a better world, browsers would have built-in, highly-promoted support for things that improve the user's web experience.

RoyApril 5, 2014 5:08 PM

Macromedia Flash stores its 'stealth cookies', which are shared local objects (identified by the extension '.sol'), on my machine at their base directory:

~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/

When I need Flash to run, I open the permissions to that directory.

Their (nearly) unique identifier will be a directory name in 8 alphanumeric characters, being the uppercase alphabet, except 'I' and 'O', and the decimal numerals, except '1' and '0'. This gives 2^40 possible names.

When I'm done with a Flash run, I empty their base directory and close the permissions.

AnuraApril 5, 2014 5:25 PM

Both NoScript and AdBlock with Firefox will prevent flash from running unless you want them to. I run both of them.

Nick PApril 5, 2014 6:01 PM

@ Roy

The BetterPrivacy add-on can get rid of LSO's automatically.

@ All

People interested in enumerating (or defeating) the various types of cookies should look at Evercookie. The list of techniques it uses is quite educational.

XxxriteApril 7, 2014 6:46 PM

Fundamentally everyone needs cookies. How else would a stateless connection work in tandem with a state machine that is any authentication regime? Sharing,cross domain, cookies is going to open up a world of hurt, and really wget? That bars every commercial site.

BOMay 15, 2014 2:12 PM

Bob S. actually there was an adblocker from Australia that would throw out fake searches. And it would, on the fastest setting, throw off something like 60 a minute or you could do one an hour. It is called Admuncher but I tried it recently and it doesn't have the feature, or it is buried somewhere in the app now.

I used it for a while a few years ago and I don't know if it did anything useful, the fake searches were just random ones grabbed from the web, but I do know at least one profile site has me related to dozens of people I never heard of with my last name. And I'm the last in my line of male descendents from JP going all the way back to the late 1700s. I'm certain of the last name because my cousin just did a genealogy book that you can purchase on the web and he was a researcher for an AG's office out West and is retired and is one meticulous researcher. I had to suffer the indignity of reading about one of my ancestors who owned a slave mother and two children and left each to one of three different children of his , and the children were of tender years. He didn't miss a damn thing no matter how embarrassing.

But hey, I did get one cool thing from him, but no out of his book. I have a black relative. And I'm from the South and live up North and never go down there without rubbing it into one redneck's sorry ass racist belief system. Since I practiced law down there, that makes it doubly powerful when I hear somebody use the N word and can grind down there ass for calling one of my relatives a bad name.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.