Weird New Tricks Allow User Tracking in Firefox and Chrome
When you visit a website, chances are that you are being tracked. Most of this tracking is related to online advertising: advertising networks attempt to assign each user a unique identifier and display targeted advertisements based on that user's browsing history. In theory, advertising targeted to the websites a user has previously visited has a greater chance of converting them into customers.
Technology which tracks user behavior online is lucrative for marketers and in demand by law enforcement. This leaves companies like Microsoft, Apple, and Google, as well as the makers of popular web browsers, in a tug of war between protecting user privacy and accommodating advertisers and government officials. Browser extensions such as Ghostery, AdBlock, HTTPS Everywhere and Privacy Badger, which block ads and circumvent current tracking methods, are gaining widespread popularity, and browsers such as Tor have been successful at providing a high degree of anonymity online. This has created a race for the next discovery or workaround that will enable or enhance current user tracking methods.
Security researcher Yan Zhu has found two new ways of tracking website visitors outside of the current standard methodology. In her talk at the ToorCon information security conference this week, entitled Weird New Tricks for Browser Fingerprinting, she demonstrated how websites can use HTTP Strict Transport Security (HSTS), a standard web security mechanism, to extract a list of a user's previously visited websites. In her own words it is an attack “that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history.” She has developed a proof-of-concept site that demonstrates her findings for Chrome and Firefox users.
Zhu also described a way that websites could 'fingerprint' Google Chrome users with a unique identifier even after they have deleted their cookies. By exploiting HTTP public key pinning, another security mechanism, a site can issue a security certificate to a user's browser containing unique text, which the site can then read back on subsequent visits as a tracking identifier. The security pin is not deleted alongside cookies and other standard browser history, so it remains attached to the user's browser.
In addition to targeted advertising, websites and marketers also track users to collect and study analytics data, attempting to turn their knowledge of online behavior into informed decision-making. As more websites institute paywalls, tracking is also becoming relevant to controlling access to gated content, and since the revelations by Edward Snowden the topic has been a focal point in debates regarding government surveillance. Zhu's research has exposed two potential methods for tracking users and serves as a reminder of the conflict between the right to privacy and the demand for tracking users.