The document discusses various methods used for tracking user privacy violations, including cookies, cookieless cookies, IP tracking, WebRTC, and fingerprinting. It highlights the tools and techniques used by developers to exploit these tracking methods and offers suggestions on how they can be defeated, such as using incognito mode or a VPN. The author emphasizes the implications of these tracking methods and the need for users to protect their privacy.

1. How to violate
user’s privacy

2. Ran Bar-Zik
Developer at Verizon
Media
Journalist at Haaertz
Contact me at:
Twitter: @barzik
internet-israel.com
2

3. Legal information
▪ The Israeli Law
▪ GDPR
3

4. Why we learn it
▪ We are evil
▪ We want to protect ourselves and others
▪ We want cheap prices
4

5. Setting the stage
We track on website only, assuming that domain is
under my control.
5

6. For example
Facebook, your friendly social network
6

7. 7

8. This is how we are being
tracked on global scale
8

9. Track method 1:
Cookies
LAAAMMMMEEEE
1.

10. 1. Sent in every request.
2. Persistent.
3. Easy to detect :(
4. Easy to delete :(
10

11. Enters the forever
cookie
ALSO LAAAMMMEEEE
11

12. 12

13. RESPAWNThe HOLY GRAIL
13

14. 14

15. 15
Remember: No good deed goes unpunished

16. Track method 2:
Cookieless
cookies
No cookie no cry
2.

17. Etag cookie

18. 18

19. LET’S EXPLOIT
IT
19

20. How it works
1. Server sends the session value with etag.
2. User from now on send along If-None-Match.
3. No cookie and still `If-None-Match` header? Tsk tsk tsk
respawn commenced!
20

21. How it can be defeated?
1. Disable all cache by dev tools.
2. Use incognito.
21

22. HSTS cookie

26. How it can be defeated?
1. Use incognito.
26

27. DNS cookies

29. See which request is being sent to DNS server and
then measure it. http://dnscookie.com/

30. How it can be defeated?
1. VPNTOR
2. Clear DNS cache
30

31. Track method 3:
IP
LAAAMMMMEEEE
3.

32. How it can be defeated?
1. VPNTOR
32

33. Track method 4:
WebRTC
4.

34. ifconfig | grep "inet " | grep -v 127.0.0.1
WebRTC exposes
Internal IP
1. ifconfig | grep "inet " | grep -v 127.0.0.1
2. https://ip.voidsec.com/
34

35. How it can be defeated?
1. VPNTOR + Disable WebRTC
35

36. Track method 5:
Fingerprinting
5.
https://amiunique.org/fp

40. How it is being
used
Gather the info Create hash Implement it
40

41. How it can be defeated?
1. No current way
41

42. Track method 6:
Social Fingerprinting
6.
https://robinlinus.github.io/socialmedia-leak/

44. How it can be defeated?
1. Use incognito
44

45. Track method 7:
Password tracking
7.
https://senglehardt.com/demo/no_boundaries/loginmanager/index.html

50. How it can be defeated?
1. No actual way, sorry guys.
50

51. Remember
Only one breach is needed
51

52. Ran Bar-Zik : @barzik
▪ Follow me on Twitter, FB, Telegram
▪ My website: internet-israel.com
▪ Also at Haaretz
52