Monday, October 8, 2012

Browser cookies

Nowadays, many people have heard about browser cookies, but experience shows that many people do not understand what they can be used. Worse, concentration on cookies means that most people do not realize that there are many other ways to be tracked.

Basic webbrowsing

The basic setup to get a web page is that a browser talks to a webserver, requesting a specific address, and gets back the document. For typical web pages the document returned is a HTML document.

A HTML document consists of text with markup elements, called tags, these are delimited with < >.

Now the same game with cookies:
The point here is that http without cookies contains no concept of a session, each and every page is delivered separately and the webserver cannot be sure if it's coming from the same user.

Now HTML usually does not contain media objects, say images, these are linked and the browser retrieves them in a separate http requests. Javascript code can also be loaded from a seperate URL.
That the usual way that adnetworks (or tracking services, basically all the bad guys disliking your privacy) operate:

Notice that I've added the Cookie that previous visit to has created. Combine this with the fact normally browsers tell the webserver from which page the http request originated from (goes by the name of Referer tag), and, if it only has enough partner sites can easily enough track your behaviour in the webbrowser.

But cookies is not really the whole story

Cookies are basically meant for tracking users, kind of linking together separate http requests, which as such can be also very useful, actually tracking an user session is critical to most websites that go beyond simple static ones.

But there is more to this, because beside cookies that by design give your browser an unique id, there are a number of ways to "brand" you with an unique id:
  1. Flash and other plugins contain code that allows to store local data.
  2. HTML5 introduced localstorage.
  3. The browser cache can be used to store a little bit of unique javascript.
  4. Some more current research suggests that browser capabilities plus your PC's address can create a fingerprint like value that is highly unique.
This list btw is by no means complete, it's just what a 15 seconds brainstorming session has produced.

So how can one avoid be tracked?

Well, for Desktop browsing, I'd recommend the following addons: Ghostery, Adblock+, NoScript (sorted by usage pain).

These addons btw (or ones with similar functionality) are available for Firefox/Chrome.

Ghostery (despite being itself sponsored by a tracking company) is a simple way to disable most if not all tracking constructs in use nowadays. It should be usable even by the most computer averse users, and requires no user interaction after being installed and configured.

Adblock+ blocks ads/tracking urls, and provides a way more relaxed web experience. As ads are often used as vectors for malware, consider it security software. It needs almost no interaction with the user, and any average user should be able to handle it.

NoScript protects from a number of issues, and allows a way of browsing where dynamic (Javascript, Flash, ...) elements are disabled by default, and one has to manually enable these for a given site. (It's not as bad, because it remembers your preferences) This involves a certain level of user interaction, because on visiting a site for the first time the user has to tell the browser which sites he considers safe.

Last but not least, if you want to separate accesses, so that they get not tracked together with your main identity, consider using a different browser and/or a different local user (which gives a clean slate when it comes to tracking state) on your PC.

What about mobiles?

Well, the situation is way worse for mobiles, because most of the browsers do not support addons/protective measures. Plus you've got apps that can get all kind of data about your device and you (serials, contacts, location, ...). All of these are listed during installation, but just because the app has a valid reason for some permissions does not mean that it does "less valid" stuff with them.

If you've rooted your phone, you can use AdAway to block a good part of tracking/ad networks from being accessible from your device. You can use DroidWall to enable/disable Wifi/mobile data access for any given app. You can use special apps to remove permissions for installed apps. All of these suggestions require a rooted device, and can interfere with the correct operation of Apps.

One thing mentioned above, using separate browsers for different use cases works on mobiles too. (Probably does not apply to iDevices, as Apple allows only it's own browser engine, so "different" browsers are more like skins there. Basic test: login to a site, say with a browser and access it with the second browser. If you are still logged in, you are probably very trackable. If not, it might work.)


Post a Comment

Subscribe to Post Comments [Atom]

<< Home