New Ways to Track Internet Browsing

Interesting research on web tracking: "Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies":

Abstract: Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although protected by the Same Origin Policy, popular browsers include cookies in all requests, even when these are cross-site. Unfortunately, these third-party cookies enable both cross-site attacks and third-party tracking. As a response to these nefarious consequences, various countermeasures have been developed in the form of browser extensions or even protection mechanisms that are built directly into the browser.

In this paper, we evaluate the effectiveness of these defense mechanisms by leveraging a framework that automatically evaluates the enforcement of the policies imposed to third-party requests. By applying our framework, which generates a comprehensive set of test cases covering various web mechanisms, we identify several flaws in the policy implementations of the 7 browsers and 46 browser extensions that were evaluated. We find that even built-in protection mechanisms can be circumvented by multiple novel techniques we discover. Based on these results, we argue that our proposed framework is a much-needed tool to detect bypasses and evaluate solutions to the exposed leaks. Finally, we analyze the origin of the identified bypass techniques, and find that these are due to a variety of implementation, configuration and design flaws.

The researchers discovered many new tracking techniques that work despite all existing anonymous browsing tools. These have not yet been seen in the wild, but that will change soon.

Three news articles. BoingBoing post.

Posted on August 17, 2018 at 5:26 AM • 16 Comments
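
As an added illustration of the kind of check the abstract describes (not code from the paper or from the original post), the Python below scores, per web mechanism, whether a third-party cookie policy was enforced, using requests logged by a test server. The host tracker.example, the cookie name tp_id, the m and ctx query parameters and the sample requests are all constructed assumptions and do not represent any browser's results.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

COOKIE_NAME = "tp_id"  # hypothetical identifier cookie set on a first-party visit

# Constructed requests as a test server on tracker.example (hypothetical) might log
# them. m = mechanism that triggered the request; ctx = "first" for the top-level
# control visit, "third" for requests triggered from a page on another site.
CAPTURED = [
    "GET /probe?m=control&ctx=first HTTP/1.1\r\nHost: tracker.example\r\nCookie: tp_id=abc123\r\n\r\n",
    "GET /probe?m=img&ctx=third HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    "GET /probe?m=script&ctx=third HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    "GET /probe?m=iframe&ctx=third HTTP/1.1\r\nHost: tracker.example\r\nCookie: theme=dark; tp_id=abc123\r\n\r\n",
]


def parse_request(raw):
    """Return (mechanism, context, identifier_cookie_present) for one raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    query = parse_qs(urlsplit(target).query)
    cookies = SimpleCookie(headers.get("cookie", ""))
    return query.get("m", ["?"])[0], query.get("ctx", ["?"])[0], COOKIE_NAME in cookies


def evaluate(captured, mechanisms):
    """Classify each mechanism as cookie-sent, cookie-stripped or no-request."""
    control_ok, seen = False, {}
    for raw in captured:
        mech, ctx, has_cookie = parse_request(raw)
        if ctx == "first":
            control_ok = control_ok or has_cookie
        elif ctx == "third":
            seen[mech] = seen.get(mech, False) or has_cookie
    if not control_ok:
        # Without a cookie on the control visit, "stripped" results prove nothing.
        raise ValueError("control request carried no identifier cookie")
    return {
        m: "no-request" if m not in seen
        else "cookie-sent" if seen[m] else "cookie-stripped"
        for m in mechanisms
    }


if __name__ == "__main__":
    for mech, verdict in evaluate(CAPTURED, ["img", "script", "iframe", "fetch"]).items():
        print(f"{mech:8} {verdict}")
```

A "no-request" verdict means the request never reached the server, which is a different outcome from a request that arrived with the cookie removed, so the two are reported separately.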

Comments

K.S. August 17, 2018 8:50 AM

I am shocked, shocked that browser industry that is either directly controlled or funded by data aggregators are lousy at preventing pervasive tracking. This is like expecting locks given away for free by a representative of Den of Thieves to be effective at resisting its membership.

Brandon August 17, 2018 8:58 AM

In response to K.S. I might actually trust the den of thieves more since they don't want competition. They'll give themselves access but intentionally try to keep others out. And once they take your goods, the damage is done.

In contrast Google wants your information precisely so they can sell it to other people to your continued detriment.

justinacolmena August 17, 2018 10:48 AM

@@ K.S.

browser industry that is either directly controlled or funded by data aggregators are lousy at preventing pervasive tracking

Not at all surprising.

@@ RealFakeNews

When are the browser devs going to be held accountable??

It's their bosses, to whom they are beholden for that five-figure paycheck which is reported as six figures on Monster.com and reduced to four figures by the time they pay their taxes and bills in the high-rent district and their kids need braces for their teeth.

Sed Contra August 17, 2018 12:07 PM

And notice also how they use the term “cookie”, ordinarily signifying something of pleasant interest, to designate their nefarious token. A tech age parody of the wicked hags in all fairytales. Perhaps more general awareness and action to constrain these toxic purveyors would result if a new designation, truer to type, such as “burning poisoned chain”, were to be adopted in lieu of “cookie”.

Jes’ sayin’

echo August 17, 2018 12:40 PM

It's interesting how something so on the surface simple is loaded with so many agendas and overreach and greed. You can tell by the hole in the doughnut shape of things. Not what is said or claimed but what is missing or glossed over. It gives lying a certain topology.

POLAR August 17, 2018 1:41 PM

@Sed Cookies, Ice Cream Sandwich, Jelly Bean, Nougat, Oreo...

https://en.wikipedia.org/wiki/Android_version_history

Android Inc. was founded in Palo Alto, California, in October 2003 by Andy Rubin, Rich Miner, Nick Sears, and Chris White.[14][15] Rubin described the Android project as "tremendous potential in developing smarter mobile devices that are more aware of its owner's location and preferences"

It's harmless, right..?

zobmie August 17, 2018 4:34 PM

Given passive TCP stack fingerprinting + a bunch of other data such as the originating IP address / packet arrival time jitter and all sorts of strange stuff you'd observe if you started doing that I'd expect you could quite easily track browsers without cookies. I'd expect that big companies that have links embedded in almost all pages would have the capability and by now it would be likely that several of them would have realised. Think panopticlick on steroids. Just sayin.

PeaceHead August 18, 2018 1:22 PM

As an implied caveat, I think multiple, nearly redundant security techniques may ultimately come closer to blocking the problems.
Although they tested 40some browser extensions, it implies that they did not test compound configurations (which of course would be very labor-intensive and could take a very long time).

Probably, by combining the best techniques of software choices/configurations/other data management techniques, an attackable surface can be reduced further than what was tested for.

However, for the so-called "average user", possibly many of them don't have the time nor education nor resources to implement a more thorough setup--thus the article still has utility.

Note: It is also worth remembering that a few acute special vulnerabilities and social circumstances undermine almost every security technique imaginable for digital media.

65535 August 18, 2018 11:56 PM

I noticed that tomsguide indicated that:

“The best performer overall was the Firefox-based Tor browser.”-tomsguide

https://www.tomsguide.com/us/ad-tracking-block-fail,news-27819.html

So I showed this to a friend of mine who disagreed. He downloaded the latest version of the Tor browser bundle and scanned it with virustotal. One engine said it was spy ware - Antiy AV. Yet, when scanned a day later the tor browser came up clean by Antiy which is odd or was a false positive. I am assuming the Tor bundle can be used as a regular firefox browser when needed or have both firefox 61 and Tor on the same box.

Is Tor browser better than say firefox quantum? Is Tor safe to use over the firefox 61 with say a combination of Adblock and UMatrix or some other combination? How about privacy badger?

What combination of ad blockers is recommended for firefox? Browser experts care to take a guess?

Hmm August 19, 2018 5:10 PM

Tor browser performed best "as a default bundle" as tested out of the installer, if you just take each a la carte. Most people probably do that - Firefox installed, "most" probably don't even look at the config page or fiddle with 3rd party cookie settings, let's be real. But that's not necessarily the optimal config that can be achieved on any of these browsers with various configs/addons. So it's potentially misleading to do a la carte comparisons as if representative of all real world environments.

No single product by itself does the job, I think we can say that pseudo-definitively.

Exactly which combination is best is unknown until tested for, every update, add-on combo, each config.
Then you would need to constantly be testing all these environments with real attacks.
New attacks all the time... do the tests you use get updated sufficiently? Maybe.

Hmm August 19, 2018 5:33 PM

It begs the question, what's the security/usability threshold you're aiming for?

I have 7~ security add-ons overlapping at any one time in 3 browsers. They take an extra 1 second to open give or take - a dealbreaker by itself? Everyone has different value criteria.

Are you willing to break beacons and deal with ungraceful tracked-content pages? Is a few seconds to minutes of trial/error to get down to the minimum footprint functionality for each individual site you want to access content on while avoiding trackers, is that too much work to even do ongoing? Are you just going to log in and leave FB open 24/7 anyway? What is "best" is defined per use case really.

65535 August 21, 2018 12:35 AM

@ Hmm and others

“I have 7~ security add-ons overlapping at any one time in 3 browsers. They take an extra 1 second to open give or take - a dealbreaker by itself? Everyone has different value criteria. Are you willing to break beacons and deal with ungraceful tracked-content pages? Is a few seconds to minutes of trial/error to get down to the minimum footprint functionality for each individual site you want to access content on while avoiding trackers…”-Hmm

I hear what you are saying.

In this case it would be for business clients who are already fairly locked down with at most two browsers [say the unused IE or Edge and Firefox/Tor]. No social sites are allowed in most of the clients I service. Only business sites or government sites with secure portals, email via Proton or gmail and gmail is discouraged. What little searches are allowed are usually over Startpage, and very infrequently over google [Although I thought startpage was a masked google search].

Because of the few sites visited compared to say a home user these workstation and station operators are trained for fairly strict usage already.

Yes, the exact combination of uBlockOrigin or Umatrix, noscript, HTTPS everywhere, privacy badger and other addons with their various combinations would be tricky but not impossible.

I will say that Firefox is fairly good with aboutConfig options but it does have a lot of Chrome components and server side communications that could leak quite a bit. Thus, I asked about the Tor bundle which is supposedly hardened. As for latency I really don’t think that is much of a problem in the long run.


Hmm August 21, 2018 3:37 PM

"Yes, the exact combination of uBlockOrigin or Umatrix, noscript, HTTPS everywhere, privacy badger and other addons with their various combinations would be tricky but not impossible."

I'd be interested in such a comprehensive, recursive, well-run testing regime like that.
I think there's a big public interest in that - who is actually doing this? Anyone?
Cross-browser/platform, cross-extension, cross-config comprehensive regression testing?

Since wishing for unicorns can we make it free to the public, not proprietary/subscription?

-begins holding breath-
-end-

If there was a constant source of such information people could make better platform choices.
Those seeming few of us who care anyway, no doubt the extreme minority of web users.
We need to change that. More information, more informed users -> better solutions mainstreamed.

Foxy August 24, 2018 8:10 PM

Firefox has an excellent built-in feature surprisingly missing from the discussion: Containers. Give it a shot. It works well at isolating and - most importantly - is extremely user friendly and easy to use.
