Can Tracking Cookies break Anonymity?

Discussion in 'privacy problems' started by Cutting_Edgetech, May 8, 2012.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Can a tracking cookie be engineered to record all IP addresses used by a particular user when visiting a website, and then pass that information back to that website each time a user visits the website again? If this is possible then one's anonymity could be broken if a user had visited the website before while using their ISP's connection without their VPN connected. I would think it is, and maybe already in use by bad tracking cookies.
  2. Rmus

    Rmus Exploit Analyst

    Don't modern browsers provide for disabling tracking cookies? (Opera does)

    Wouldn't using a dynamic IP address negate any tracking?


    ----
    rich
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Yes, not allowing tracking cookies would work, but many sites will not work if you disable tracking cookies. I don't believe using a dynamic IP address would negate this type of attack since it would have a record of all IP addresses used by a particular user. The only way to prevent breaking anonymity would be to never visit the website employing this type of surveillance with your regular ISP connection or always delete all tracking cookies when completing your browser session.
  4. Rmus

    Rmus Exploit Analyst

    Can you list a few?

    Yes, but an IP address could be assigned to different people at different times. How could a site correlate a particular IP address visit with user A or user B?


    ----
    rich
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I had tried setting my browser settings to "do not allow cookies" several years ago, and I came across many sites that would not allow me to use their site without tracking cookies enabled. I will have to set my browser settings back to "do not allow tracking cookies", and get back with you on this question.

    Yes, I agree, but IP addresses for users that have Broadband internet do not often change. My broadband IP address from my Cable provider was the same for 2 years before it ever changed, and I was not paying for a static IP address.
  6. Rmus

    Rmus Exploit Analyst

    I've often been required to set a session cookie, but never have been asked for a tracking cookie.

    Very interesting!


    ----
    rich
  7. vasa1

    vasa1 Registered Member

    I'm not sure that that generalization holds.
  8. Nebulus

    Nebulus Registered Member

    I don't think this is really needed, because if the site stores a unique ID inside a cookie and you connect from different IPs to the site, they will have a list of IP-ID pairs in their logs. This way they can make a list of the IPs you connected from without the need of storing the IP inside the cookie.
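
The server-side correlation described in the post above, as an added example that is not part of the original thread. The log format, cookie name `uid` and addresses (documentation ranges) are constructed; read 203.0.113.7 as an ISP address and 198.51.100.22 as a VPN exit.

```python
from collections import defaultdict

# Constructed access-log lines (not from any real site): "time ip cookie path".
# uid is the random ID the site stored in a first-party cookie; "-" means no cookie was sent.
SAMPLE_LOG = """\
2012-05-01T10:00 203.0.113.7 uid=a1f3 /index
2012-05-03T21:15 198.51.100.22 uid=a1f3 /forum
2012-05-04T09:30 198.51.100.22 uid=9c0e /forum
2012-05-05T18:02 192.0.2.50 uid=77b2 /index
2012-05-06T08:45 198.51.100.22 - /index
"""

def parse(log_text):
    """Yield (timestamp, ip, uid_or_None) for each non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, cookie, _path = line.split()
        uid = cookie.split("=", 1)[1] if cookie.startswith("uid=") else None
        yield ts, ip, uid

def ips_per_cookie(log_text):
    """Map each cookie ID to the distinct IPs it was seen from, in order of first use."""
    seen = defaultdict(list)
    for _ts, ip, uid in parse(log_text):
        if uid is not None and ip not in seen[uid]:
            seen[uid].append(ip)
    return dict(seen)

def linked_addresses(log_text):
    """Cookie IDs that tie two or more source addresses to one browser."""
    return {uid: ips for uid, ips in ips_per_cookie(log_text).items() if len(ips) > 1}

if __name__ == "__main__":
    for uid, ips in linked_addresses(SAMPLE_LOG).items():
        print(f"cookie {uid} links: {', '.join(ips)}")
```

The cookie kept across both connections (a1f3) ties the two addresses together; the visit made after the cookie was deleted (9c0e) and the cookieless visit are not tied to the earlier address by this method.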
  9. phkhgh

    phkhgh Registered Member

    1st, the meaning of "tracking cookie" may be a bit off, in this case. Basic difference in cookies - "normal" ones that ID you on THEIR site & possibly record activity on their site - not across domains. Sure, if you store & use the same (login) cookie repeatedly, they know it's "you" logging in. What they know depends on what you gave them (if you registered).

    It's true that IP address MAY not change for long periods, even w/ dynamic IP service, if your router stays powered up & you never manually force it to get a new address. In that sense, a site where you keep the same unique cookie & login from the same or different IP address, knows it's the same cookie / same (or diff) IP from n time period ago. I'm sure they could correlate the IP addresses used by the same unique cookie (like if you travel, but keep the same cookie).

    True TRACKING cookies are able to follow you across domains. Depending on the type cookie, it can report your IP address, all URLs you visited & other useful info to help them deliver targeted ads.
  10. inka

    inka Registered Member

    The "type" of cookie?
    A cookie object is just a container.
    How about let's say "depending on the details stored in the cookie"...
    and consider whether the cookie is set by a 3rd party
    and/or the details of its contents are surreptitiously shared across domains
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I'm not sure I'm following you. The engineered tracking cookie would be the means for them to obtain the log. Could you specify what you mean?
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    phkhgh, this is what I have been saying. Tracking cookies can be engineered to break one's anonymity. The way around this of course would be to delete all tracking cookies at the end of one's browser session.
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I may have been confused between the difference of a session cookie, and a tracking cookie at the time. It's been several years since I tried surfing with cookies disabled. I just tried disabling cookies within Firefox Browser, but I could not even use Wilders Website. I guess I need to find a plugin that identifies malicious tracking cookies, and allows harmless session cookies in order to find out which sites exhibit malicious behavior. I also have disabled 3rd party tracking cookies. I have no use for them.
  14. Rmus

    Rmus Exploit Analyst

    OK, that makes sense. Some examples:

    I store a permanent session cookie at Amazon.com because it's useful when checking out, for example. And, upon connecting to the site, I'm presented with lists of music and books based on what I've purchased before. I've often found useful items this way. This is no different, by the way, than a library card at the local library, where your reading history is stored in its data base.

    On the other hand, I do not store a session cookie at some other regularly visited sites, so that upon connecting and wanting to purchase, the site does not know me and I'm required to set a session cookie. Following the transaction, Opera is configured to auto-delete the cookie for that site, and it's back to a clean slate at that site.

    opera_cookies.jpg


    Neither do I!


    ----
    rich
  15. Warlockz

    Warlockz Registered Member

    My advice is never use the same Browser for Anon and Non-anon regardless!
  16. phkhgh

    phkhgh Registered Member

    - inka - "type of cookie" - a matter of semantics.
    "Normal" cookies - 1st or 3rd party, that users have some control over allowing them or not & easy method of deleting them (permanently). Stored in known locations.

    In many cases, 3rd party cookies (as allowed by a browser's settings) are tracking cookies because the data is being sent to a, well, 3rd party - say google (or any # of such companies), that then use the data to present ads, do research. The data isn't just used by the site currently being visited.

    Evercookies (the worst tracking cookies, so far) - that are secretly set, regardless of browser cookie settings;
    hidden in many places - up to 12 - 15;
    can't be easily deleted;
    If one location is missed, can regenerate itself to all original stored locations;
    Data for cookie can even be stored in RGB format;
    Can track users over entire web; transmit IP addresses, URLs & other data. Violate all browser cookie & privacy rules.

    - Cutting_Edgetech - if one waits till end of session to del "tracking" cookies, they've already gotten a good bit of data, possibly including sites & pages / ads / images you've visited. My preference is not allow 3rd party cookies in 1st place. I can't remember breaking a site because of not allowing 3rd party cookies.

    - Rmus - I'm wondering about "permanent session cookie."
    Session cookies are deleted at end of session (browser shutdown). "Allowed" or permanent cookies are saved between sessions. At least in Firefox.

    One reason I've never saved cookies between sessions is for the reason of what happened a while back w/ websites being able to access users' entire browsing history. If something goes wrong (& it always does) & a site / tracker / hacker figures out how to read cookies that store "more personal type" info, I don't want it there.

    What's that? That could never happen? Why do all browsers constantly issue patches to fix new "holes" that hackers have or potentially could have, used which were previously NEVER dreamed of being a security risk? If one is sure of the data stored in cookies & wouldn't mind if it got stolen, then don't worry about deleting (1st party) cookies.
  17. Rmus

    Rmus Exploit Analyst

    An old terminology. "Allowed" or "Permanent" is more exact.


    Thanks for the clarification.

    Opera no longer uses such terminology. Either

    --> you accept no cookies

    --> you accept (store) all cookies made by the site

    --> you accept (store) cookies only for a particular site (normal, permanent, not 3rd party across domains)

    And, there is the provision to delete all new cookies.


    ----
    rich
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    This is a family member's PC, but I have configured their Firefox browser the same as mine. Here is a screen shot of the privacy configurations I use. I try to keep their PC infection free. As a matter of fact I just rolled their PC back to factory image, installed all security patch updates, and made them a backup image. I also installed some good Security Software on their machine. I would not have even used their machine to log into my Wilders account without doing so.

    Attached Files:

  19. inka

    inka Registered Member

    To me, dancing with cookie settings seems like a "win the battle, but lose the war" strategy.

    How is a "set-cookie" directive initiated?
    (as a result of your browser contacting the unwanted 3rd party site)

    So, what do you accomplish by simply blocking the "set-cookie" request?
    Not much. With every page click, your browser STILL requests the 3rd party web resource object(s), URLs for which are embedded into the 1st party webpage -- thereby telegraphing your location (referring URL) to the 3rd parties!

    Here's your pixel image. Can I set a cookie?
    No.
    Here's your pixel image again
    (because I place a no-cache directive in the response header so that your browser will re-request it each time you move to a different page).
    Can I set a cookie?
    No.

    Dance, dance...
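
An audit of the exchange described in the post above, added here as an example that is not part of the original thread. The capture is constructed, and the hosts `tracker.example` and `shop.example`, the cookie name `uid` and the user agent are hypothetical.

```python
# Constructed capture (not real traffic): two requests a cookie-blocking browser sends
# to a hypothetical third-party host, each followed by that host's response headers.
CAPTURE = """\
GET /pixel.gif HTTP/1.1
Host: tracker.example
Referer: http://shop.example/cart
User-Agent: ExampleBrowser/1.0

HTTP/1.1 200 OK
Set-Cookie: uid=a1f3; Path=/
Cache-Control: no-cache

GET /pixel.gif HTTP/1.1
Host: tracker.example
Referer: http://shop.example/checkout
User-Agent: ExampleBrowser/1.0

HTTP/1.1 200 OK
Set-Cookie: uid=b772; Path=/
Cache-Control: no-cache
"""

def parse_messages(capture):
    """Split the capture into (start_line, headers) tuples, one per HTTP message."""
    messages = []
    for block in capture.strip().split("\n\n"):
        start, *header_lines = block.splitlines()
        headers = {}
        for line in header_lines:
            name, value = line.split(": ", 1)
            headers[name.lower()] = value  # header names are case-insensitive
        messages.append((start, headers))
    return messages

def audit(capture):
    """For each request/response pair, report what the third party still learned."""
    msgs = parse_messages(capture)
    report = []
    for (_req_line, req), (_status, resp) in zip(msgs[0::2], msgs[1::2]):
        report.append({
            "cookie_sent": "cookie" in req,            # False: the browser discarded Set-Cookie
            "cookie_offered": "set-cookie" in resp,    # the server asks again on every response
            "page_disclosed": req.get("referer"),      # first-party page that embedded the pixel
            "refetch_forced": "no-cache" in resp.get("cache-control", ""),
        })
    return report
```

Neither request carries a `Cookie` header, yet each one discloses the referring page, and the `no-cache` response keeps the browser re-requesting the pixel.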
  20. tlu

    tlu Registered Member

    Exactly. That's the recommended settings: Make session cookies your default and block 3rd party cookies. BTW: That takes also care of DOM Storage (unless you've disabled it completely which can break some sites, though) as the permissions for DOM Storage are tied to the ones for cookies (at least in Firefox).
  21. mirimir

    mirimir Registered Member

    Indeed. Better yet, never use the same computer for anonymous and non-anonymous activities. If it matters, never share storage devices or LAN subnet. There are too many unknowns, and maybe even more unknown unknowns ;) You may have no clue what you're dancing with.
  22. Tong

    Tong Registered Member

    Just untick this box in your browser settings:

    Attached Files:

  23. tuatara

    tuatara Registered Member

    Just for the record, if you switch the browser but use the same ip
    you have got the same kind of problem.
    If you visit 2 websites with a same ip which are both using Google Analytics,
    Google can relate these visits with your Google profile.
  24. tlu

    tlu Registered Member

    I think, nobody said that blocking (tracking) cookies is enough to guarantee your privacy. There are a lot of other things to consider which have been discussed in other threads here.
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    This thread was discussing the danger of tracking cookies when using an anonymous VPN provider. My theory was that tracking cookies could possibly reveal identifiable information about someone revealing their ISP IP address if they had surfed the same site using their ISP connection without their VPN service. The tracking cookie could record all IPs used from a particular machine or IP address when visiting a site. The site would have a record then of all particular IPs used by a user. It doesn't really make much sense to visit sites using an Anonymous VPN service if you are going to revisit them later with your ISP IP address. It defeats the purpose with anonymity.