11

How are websites able to uniquely track my computer?

I'm aware of: Cookies/Tracking, Super Cookies(HTML5 Cache), IP, Referrer, UA etc

I have been experimenting with Private Proxies and VPNs, but I heard (from an un-credible source) even with a VPN that some websites Trace your router's Mac Address and therefore identify your computer.

Now if I wipe my computer and install a new OS, browser etc and even get a new IP are websites still able to identify my machine? Like a unique Hardware ID or something?

I have also heard Javascript is able to get your MAC address. and therefore be able to figure out if you're running a Virtual Machine or an actual Physical machine.

And I figured that using Chrome will make it even easier for Google to identify that I'm using the same computer right?

Why am I asking all this:

  1. I'm interested in how big sites like Google and Facebook do it and if they do it
  2. I feel like Google is tracking people's every move - but I guess I'm just paranoid.
schroeder
  • 123,438
  • 55
  • 284
  • 319
Alpaca Guy
  • 111
  • 1
  • 3
  • There are a LOT of questions here, and many have already been answered on this site. Can you do some searching here, then come back and narrow down your question? – schroeder Dec 04 '15 at 01:08
  • Searching for `browser fingerprint` will produce helpful questions such as [Browser fingerprints, theory or reality?](https://security.stackexchange.com/questions/96098/browser-fingerprints-theory-or-reality). – Neil Smithline Dec 04 '15 at 01:12
  • Lets cut my question down to - Will wiping my computer be effective against websites knowing who I am if I get a new IP and leave no traces other than using the same physical machine – Alpaca Guy Dec 04 '15 at 02:16

1 Answers1

12

Will hiding behind proxies protect you?

Using a browser-based VPN plugin can betray you if you have Flash, Java, or even other plugins installed. Anything that can get read/write access to your file system will betray your presence.

There has also been a recently-discovered exploit that affected users of private internet access, a VPN provider.

It's also not that difficult to track you online, even if you're behind a bunch of proxies. Why?

  1. Browser-fingerprinting
    • This essentially allows anyone with access to a browser-fingerprint database to track your surfing habits, if you have Javascript, Java, and/or Flash enabled, or aren't using a plugin to randomize your values on page load. Even with a plugin that randomizes these values, Flash and Java will betray you, and Javascript can do so as well, but not to the extent of what Java and Flash can do.
  2. Surfing with Javascript Enabled
    • Javascript is notoriously exploited, and there are always new vulnerabilities popping up. Anything that can execute remote code on your system is dangerous. D
  3. Surfing with Flash Enabled
  4. Become a victim of Java exploits, or even legitimate Java programs.
    • There are multiple tricks to reveal your network interface / computer hardware information. Unique serial numbers on devices are a thing, and this is one of the ways Microsoft attempted to thwart piracy, only to affect legitimate users the most.
  5. Signing into services/accounts that you normally use, while surfing anonymously.
    • For example, keeping iCloud, Steam, Skype, or something else running, or even having Windows check for updates! These leave a huge crumb-trail.
  6. Using browser plugins with read/write access.
  7. Analyzing connection logs for recent activity. Metadata owns you.
    • User A connected to Proxy A at X time.
    • Proxy A connected to Proxy B close to X time at Y time.
    • Proxy B connected to Proxy C close to Y time at Z time.
  8. Your VPN disconnected you at an inopportune time, and you reestablished connection to normal services under your real IP.
  9. You are the only person in your neighborhood connected to TOR at that time.
  10. SSH Fingerprinting. It appears that if you're using a mac and your SSH connection reveals your serial number, you can be tracked this way. My theory on Device ID correlation can be better explained here, but I believe this is a perfect example of it in action.

Browser plugins in general will only re-route traffic to and from the browser's requests. That's it. If you're playing a browser-based game, then sure, I don't see why not.

Desktop games will not be redirected unless the browser plugin does some weird tomfoolery that manages to install an application on your desktop which does this.


Your concerns

some websites Trace your router's Mac Address and therefore identify your computer.

You can spoof your MAC address quite easily. If websites are getting your mac address, it's because you have either Java or Flash enabled. Javascript cannot do this without using an exploit.

Now if I wipe my computer and install a new OS, browser etc and even get a new IP are websites still able to identify my machine? Like a unique Hardware ID or something?

Yes, Flash can enumerate your device information, and easily help track you this way.

I have also heard Javascript is able to get your MAC address. and therefore be able to figure out if you're running a Virtual Machine or an actual Physical machine.

Not unless there's a drive-by download exploit. Javascript can't get this information on it's own.

Finding out whether or not you're using a Virtual Machine is also something Javascript cannot do, unless you're using a non-standard resolution. Then it will likely detect it as a potential Virtual Machine. Let's say for example you resize your VM. It will most likely show up in your browser as a really funky resolution that isn't used normally - at all.

And I figured that using Chrome will make it even easier for Google to identify that I'm using the same computer right?

Of course. Google Chrome Incognito used to phone home. I am unsure if it still does, but I don't trust Chrome.


So how can I avoid being tracked?

You can't 100% avoid it (exploits come and go) without going to absolutely extreme lengths, but you can make it a lot more difficult.

  1. VPN that kills the Host OS connection if disconnected.
  2. Virtual Machine (Guest OS that is not Windows) with a web browser (tor is good, but slow) which doesn't have Java or Flash installed, nor Javascript enabled.
  3. No plugins, except essential privacy plugins.
    • You'd probably have to disable images for good measure. From time to time, image libraries are exploited.
    • For better results, use a VPN inside the VM, which is already VPN'd through your main system.

And this may not help much at all. Why? Because when you connect to Windows Update with a legitimate copy of windows, they know about your unique key / account, and Microsoft logs every single IP address for that particular key / account. This means you'll be associated with the first VPN connection, even if you're hiding behind multiple proxies and VMs.

But how does that help track? Every little breadcrumb counts, and anything that associates you with anything online can easily help the right people find you.

But what about Linux? Most distros phone home as part of an update process. Qubes is one of the few operating systems that I know of which won't do this.

There are so many different and creative ways to be tracked. Bottom line is, if someone really, really wants to find out what you're doing, there are so many different tools to do so.


So is there no way to remain anonymous online?

Take off your tinfoil hat. Reliably blocking yourself from advertisers is one thing, and not too difficult. 100% Blocking yourself from everyone and everything is only possible if the computer is powered off and unplugged.

If you're online, then eventually an exploit will get you. And if you're going to such lengths to protect your privacy, you'll attract the attention of those infinitely your greater.

Assuming direct control

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91
  • Wow thanks a lot for that, I will take some time to read into it in detail - there's some stuff that I haven't heard of before. Again thanks a lot!! – Alpaca Guy Dec 04 '15 at 05:45
  • I wish I could upvote this answer twice. Thanks for such elaborate answer! –  Aug 19 '18 at 09:14