Web tracking based on non-conventional cookies
Topic: Web security and privacy.
Analysis of the main cookie-based web tracking methods, principally Evercookies and ETags. Analysis of the corresponding behaviour of the major web browsers and concrete countermeasures to prevent tracking.
2. Web tracking is the activity of gathering information on a web site's users, such as browsing history, so that behavioural records are stored.
There are many different reasons behind this: web analytics, service enhancement, tailored advertising campaigns, spying on individuals, etc.
2Alberto Ragonese
3. Cookies are small pieces of data originally introduced to make HTTP stateful. Today they are used both for session handling and for tracking purposes.
A cookie is composed of the two mandatory fields name and value and a set of optional attributes storing information such as the cookie's domain, expiration date, path and other flags.
4. Evercookie is a special kind of cookie created by Samy Kamkar [1].
It is able to create several zombie cookies, storing them in different storage mechanisms including:
Standard HTTP cookies
Local Shared Objects (Flash cookies)
Silverlight Isolated Storage
Storing cookies in web history
Storing cookies in HTTP ETags
Storing cookies in the web cache
HTML5 storage
5. The idea is that upon data deletion, an evercookie can discover the zombie cookies left behind and regenerate all the others.
This kind of cookie is designed to achieve persistence.
How can it be implemented?
1) First check all available and supported storage mechanisms
2) If this is the first run, initialise each storage with a zombie cookie
3) If this is not the first execution, each cookie needs to be refreshed; the best candidate (the surviving value) needs to be figured out
4) Reset the cookie everywhere
6. Used for tracking Tor users when they were not using Tor, based on the observation that some cookies survive Tor use [2].
RUAG case: they were very useful for marking the different fingerprinted devices [3].
Tracking visitors on merchandising web sites.
7. An ETag is a form of persistent state stored in the browser that a server can access in order to implement cache-like behaviour.
In practice, it is an optional HTTP header field, mainly used to support web caching.
A common method for ETag generation uses a collision-resistant hash function.
8. The server sends the resource along with the corresponding ETag value.
On the client side this value is stored and, upon an identical subsequent request for the same URL, the client sends the previous ETag value in the "If-None-Match" field.
The server compares the received value with the current one:
A match means that the resource has not changed, and the server responds with HTTP 304 Not Modified (the client-side cache is used)
If the match fails, a full response is sent, including the up-to-date ETag
9. The ETag value is a unique string, so it can be used for tracking a user's browsing activity.
Every time a request for a specific resource is issued, the ETag value is compared by the server, which returns an HTTP 304 message in any case.
The user visits different pages and forwards the request each time; in this way the server can easily track them.
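The two exchanges described on slides 8 and 9 side by side, as an added simulation that is not part of the original slides: a server whose ETag is a hash of the body (so 304 really means "unchanged") next to one that hands out a per-visitor identifier as the ETag and answers 304 to every conditional request. Class and method names are this example's own.

```python
import hashlib
from collections import defaultdict

def content_etag(body: bytes) -> str:
    """Legitimate ETag: a hash of the resource bytes, so every client holding
    the same version presents the same validator."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]

class CachingServer:
    """Normal validation: 304 only when the client's If-None-Match equals the
    ETag of the current body; otherwise a full 200 with the fresh ETag."""
    def __init__(self, body: bytes):
        self.body = body

    def get(self, if_none_match=None):
        etag = content_etag(self.body)
        if if_none_match == etag:
            return 304, etag, b""
        return 200, etag, self.body

class TrackingServer:
    """ETag abuse as on slide 9: the first request gets a per-visitor
    identifier as ETag; every conditional request is answered 304 whatever
    its value, so the identifier is never replaced and visits are counted."""
    def __init__(self, body: bytes):
        self.body = body
        self.issued = 0
        self.visits = defaultdict(int)   # identifier -> repeat visits

    def get(self, if_none_match=None):
        if if_none_match is None:
            self.issued += 1
            return 200, '"uid-%04d"' % self.issued, self.body
        self.visits[if_none_match] += 1
        return 304, if_none_match, b""

class Client:
    """Browser cache for one URL: keeps the last ETag and sends it back."""
    def __init__(self):
        self.etag = None
        self.body = None

    def fetch(self, server):
        status, etag, body = server.get(self.etag)
        if status == 200:
            self.etag, self.body = etag, body
        return status
```

With the tracking server the client keeps answering 304 even after the body changes, which is the stale-resource symptom slide 19 uses as a tell.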
10. A merchandising site that wants to track users in order to learn their interests, or that may try to raise the price of the goods.
The user loads the tracking pixel on the affiliate page.
The banner redirects to the merchant's landing page, where the same pixel is requested again.
The ‘‘Buy Now’’ button redirects to the confirmation page.
11. Browser war: the main actors are Google Chrome and Mozilla Firefox.
12. Google Chrome: the most used web browser.
It comes with Incognito mode and a default tool for cookie management.
‘‘Clear browsing data’’ works very well against evercookies, tested on Samy Kamkar's site [1].
13. The same ‘‘Clear browsing data’’ also works well against ETag tracking.
14. Mozilla Firefox: an open, multiplatform web browser owned by the Mozilla Foundation.
Like Chrome it comes with several default tools, e.g. Lightbeam for a graphical representation of the contacted sites.
Cookie panel at Preferences > Privacy > History tab, where there is “remove single cookie”.
The Firefox function “Clear Recent History” seems to work well against ETag tracking and evercookies, as Chrome's does.
15. General deletion procedure:
1) Delete Silverlight Isolated Storage at http://www.silverlight.net/
2) Delete Flash Local Shared Objects in the "Website Storage Settings" panel
3) Clear Recent History, selecting 'Everything'
4) Additional minor prevention measures can also be taken
General prevention:
1) Define policies for web storages (LSO, Silverlight)
2) Do not store data from web sites
3) Disable JS and use proper add-ons
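An added audit that is not part of the original slides, covering the respawn idea of slide 5 and the deletion procedure of slide 15: given a snapshot of every storage mechanism the deck lists, it finds identifiers replicated across mechanisms and reports which storages would still hold the identifier after a given set has been cleared. The snapshot, its keys and the identifier value are constructed for the example.

```python
from collections import defaultdict

# Constructed snapshot of one browser profile, keyed by the storage mechanisms
# the slides list; the identifier value a1b2c3 is made up for this example.
SNAPSHOT = {
    "http_cookie":    {"uid": "a1b2c3"},
    "flash_lso":      {"evercookie_uid": "a1b2c3"},
    "silverlight":    {"uid": "a1b2c3"},
    "etag":           {"/pixel.gif": '"a1b2c3"'},
    "web_cache":      {"/cache.png": "a1b2c3"},
    "localstorage":   {"theme": "dark", "evercookie_uid": "a1b2c3"},
    "sessionstorage": {},
}

def normalise(value: str) -> str:
    """ETags are quoted on the wire; compare the bare token."""
    return value.strip('"')

def replicated_ids(snapshot, min_mechanisms=3):
    """Values present in at least min_mechanisms independent storages: the
    signature of a zombie cookie replicated for respawning (slide 5)."""
    where = defaultdict(set)
    for mechanism, entries in snapshot.items():
        for value in entries.values():
            where[normalise(value)].add(mechanism)
    return {v: sorted(m) for v, m in where.items() if len(m) >= min_mechanisms}

def survivors(snapshot, cleared):
    """Storages that still hold a replicated id after clearing `cleared`.
    One survivor is enough for the evercookie to regenerate all the others,
    so the deletion procedure of slide 15 is only effective when this is empty."""
    return {v: [m for m in mechs if m not in cleared]
            for v, mechs in replicated_ids(snapshot).items()}
```

Clearing only HTTP cookies and HTML5 storage leaves the Flash, Silverlight, ETag and cache copies, which is exactly why the deck's procedure also clears the Silverlight and Flash stores.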
16. Several add-ons can be adopted to be more secure against tracking mechanisms:
BetterPrivacy
NoScript
Ghostery
Lightbeam
Disconnect
Blur
17. Nowadays, a large number of tracking systems are adopted by the majority of sites; it is enough to analyse the source code of Repubblica.it.
A more striking example is a well-known American subscription video-on-demand service.
Hulu.com stores a lot of cookie data in multiple storages, including Flash LSO, Local Storage and the web cache.
18. In past years the Hulu web site was accused of tracking users by means of the ETag tracking technique, and of using it also for HTTP and HTML5 cookie respawning.
Strange behaviours are still present, like a GET request for a 1x1 pixel image that has not changed in 8 years.
Moreover, very often a GET request for a JS file, namely load_player_h2o_v4.js, is issued.
This request is sent with an ETag value, and the response is always the same: HTTP 304 Not Modified.
19. Each time a request is sent to the server and the resource is never updated, there is no apparent reason for sending the request; it would be better to take it from the cache directly.
This scenario is very compatible with an ETag tracking attempt.
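The heuristic of slides 18 and 19 turned into detection logic, as an added example that is not part of the original slides: over proxy-style log lines it flags resources where different clients were handed different ETags and every conditional request came back 304, while a resource with a content-derived ETag (same value for everyone, refreshed by a 200 when it changes) is left alone. The log format and its lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy-log lines (not captured traffic): client, method, path,
# If-None-Match sent by the client ("-" if none), status, ETag in the response.
SAMPLE_LOG = """\
c1 GET /i/pixel.gif - 200 "uid-0001"
c2 GET /i/pixel.gif - 200 "uid-0002"
c1 GET /i/pixel.gif "uid-0001" 304 "uid-0001"
c2 GET /i/pixel.gif "uid-0002" 304 "uid-0002"
c1 GET /i/pixel.gif "uid-0001" 304 "uid-0001"
c1 GET /css/site.css - 200 "3f9a0c"
c2 GET /css/site.css - 200 "3f9a0c"
c1 GET /css/site.css "3f9a0c" 304 "3f9a0c"
c2 GET /css/site.css "3f9a0c" 200 "77be12"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$')

def parse(log):
    """Yield (client, url, if_none_match, status, etag) per well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            client, _, url, inm, status, etag = m.groups()
            yield client, url, inm, int(status), etag

def suspicious_etags(log, min_clients=2):
    """Flag URLs where distinct clients received distinct ETags for the same
    resource and every conditional request was answered 304: validators that
    differ per visitor and are never replaced behave as identifiers."""
    first_etag = defaultdict(dict)   # url -> client -> ETag of first full response
    cond_status = defaultdict(list)  # url -> statuses of conditional requests
    for client, url, inm, status, etag in parse(log):
        if inm == "-" and status == 200:
            first_etag[url].setdefault(client, etag)
        elif inm != "-":
            cond_status[url].append(status)
    flagged = {}
    for url, per_client in first_etag.items():
        if len(per_client) < min_clients or not cond_status[url]:
            continue
        all_distinct = len(set(per_client.values())) == len(per_client)
        always_304 = all(s == 304 for s in cond_status[url])
        if all_distinct and always_304:
            flagged[url] = sorted(per_client.values())
    return flagged
```

On real traffic the same rule needs a long observation window, since a rarely changing file with a legitimate hash ETag also produces a run of 304s; the per-client difference is the stronger signal.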
20. Acquiring certainty about the use of these particular tracking mechanisms is very difficult.
The reported cases seem to respect the posed requirements.
Many countermeasures can be adopted, for example Incognito mode, not saving cookies, add-ons, often clearing browsing data, etc.
Being aware of these techniques will make the tracker's life harder.
21. [1] Samy Kamkar, Evercookie, url: http://samy.pl/evercookie/
[2] Cookie leakage, url: https://en.wikipedia.org/w/index.php?title=File:Tor_Stinks.pdf&page=7
[3] APT case RUAG, url: https://www.melani.admin.ch/dam/melani/it/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf
[4] Cookieless cookies, url: https://lucb1e.com/rp/cookielesscookies/
[5] Tracking Users on the World Wide Web, url: http://kiosk.nada.kth.se/utbildning/grukth/exjobb/rapportlistor/2011/rapporter11/wramner_henrik_11041.pdf
[6] Web Tracking, url: http://www.snet.tu-berlin.de/fileadmin/fg220/courses/SS11/snet-project/web-tracking_schmuecker.pdf
22. [7] Cleaning up after cookies, version 1.0, url: https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/isec_cleaning_up_after_cookies.pdf
[8] Snowden at SXSW: We need better encryption to save us from the surveillance state, url: http://www.computerworld.com/article/2475978/encryption/snowden-at-sxsw--we-need-better-encryption-to-save-us-from-the-surveillance-state.html
[9] Third-Party Web Tracking: Policy and Technology, url: https://jonathanmayer.org/papers_data/trackingsurvey12.pdf
[10] Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning, url: https://iapp.org/media/pdf/knowledge_center/Flash_Cookies_and_Privacy_II.pdf