5

Suppose I use a proxy and a different virtual machine each time I visit a particular website, will a website still be able to detect my MAC address and/or uniquely identify me? Assume that the website owner does privacy violations like inserting cookies etc.

Adi
  • 10
    Unless the website is running some application on your machine (Java applet, Flash, plugin, addon..) it cannot find out your MAC address anyway. Proxied or not, TORed or not, Virtual Machine or not. There are tons of other ways to get close to uniquely identifying you (IP, User Agent, Browser fingerprint, sticky cookies, ..) – Adi May 28 '13 at 19:11
  • @Adnan why did you edit back the MAC address thing? – heinrich5991 May 28 '13 at 21:46
  • @heinrich5991 Check my comment under Xander's answer. – Adi May 28 '13 at 21:47

4 Answers

15

The question in the original title of your post ("Can a website still detect my real MAC address even if I use different virtual machine each time I visit the website?") is different than the question in the body of your post.

To the question in the original title: No, a website should never be able to "detect" your MAC address, under any circumstances. The MAC address only identifies your NIC on the local network segment, it isn't passed upstream to a website that you're accessing via intermediate routers.

To the question in the post body: The website may be able to uniquely identify you, and it may not. There are certainly ways to try and fingerprint a repeat user (cookies, flash cookies, browser profiling, IP address logging, etc.) that allow for various levels of confidence. As Rory mentioned, using the same base VM potentially leaves you vulnerable to browser fingerprinting, but eliminates the threat from cookies.

However, to be relatively confident in your privacy, I don't know that I'd bother with the "new VM every visit" and focus on more traditional privacy-protecting measures such as turning off your browser plugins, using your chosen browser's private browsing mode, and most importantly, using Tor.

Xander
  • I edited the title, which will require an edit of your post. – schroeder May 28 '13 at 19:27
  • 6
    @schroeder If it were possible to downvote an edit, I'd have downvoted yours. Instead of removing the OP's misconception from the title, you should have reflected it in the body of the question. This way the OP or any other person having the same misconception would learn from answers like this one. – Adi May 28 '13 at 21:42
  • @Adnan I was working under the impression that the MAC address was not the main thrust of the question, but rather the ability to uniquely identify. All responses were pouncing on the MAC, and not a deeper discussion of anonymity options. I wasn't removing a misconception, I was clarifying the question to the community. – schroeder May 29 '13 at 14:26
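The point in the answer above that a MAC address stays on the local segment, as an added Python example (not code from any poster): every router puts the IP packet into a new Ethernet header, so the server only ever sees its last-hop router's MAC. All addresses are constructed, and NAT or a proxy, which would also replace the source IP, is not modelled.

```python
import struct

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def checksum(hdr):
    # RFC 1071 one's-complement sum over the 16-bit words of the IPv4 header
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b"<tcp segment>"):
    addrs = [bytes(map(int, a.split("."))) for a in (src_ip, dst_ip)]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, 6, 0, *addrs)             # TTL 64, protocol 6 (TCP)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + hdr + payload

def route(frame, out_mac, next_hop_mac):
    # Forwarding: the IP addresses are kept, the Ethernet header is replaced.
    hdr = bytearray(frame[14:34])
    hdr[8] -= 1                                     # decrement TTL
    hdr[10:12] = b"\x00\x00"                        # zero, then recompute checksum
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return mac(next_hop_mac) + mac(out_mac) + frame[12:14] + bytes(hdr) + frame[34:]

def parse(frame):
    hdr = frame[14:34]
    return {"src_mac": frame[6:12].hex(":"),
            "dst_mac": frame[0:6].hex(":"),
            "src_ip": ".".join(map(str, hdr[12:16])),
            "ttl": hdr[8],
            "checksum_ok": checksum(hdr) == 0}

# Constructed addresses: locally administered MACs, documentation IP ranges.
CLIENT_MAC, GATEWAY_LAN_MAC = "02:00:00:00:00:01", "02:00:00:00:00:fe"
GATEWAY_WAN_MAC, ROUTER2_IN_MAC = "02:00:00:00:01:01", "02:00:00:00:02:01"
ROUTER2_OUT_MAC, SERVER_MAC = "02:00:00:00:03:01", "02:00:00:00:03:02"
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.20"

def as_seen_by_server():
    frame = build_frame(CLIENT_MAC, GATEWAY_LAN_MAC, CLIENT_IP, SERVER_IP)
    frame = route(frame, GATEWAY_WAN_MAC, ROUTER2_IN_MAC)   # home gateway
    frame = route(frame, ROUTER2_OUT_MAC, SERVER_MAC)       # last-hop router
    return parse(frame)

if __name__ == "__main__":
    print(as_seen_by_server())
```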
7

MAC addresses are not usually available outside of your local network so that won't be an issue.

If you use a different VM it could be possible to fingerprint you if you're just cloning the same base machine repeatedly (e.g. panopticlick), however if you use different base machines, then the only likely way to identify you (assuming you don't authenticate as the same user of course!) would be source IP address, which is an unreliable mechanism as many users may come through the same proxy server.

Rory McCune
2

Using a different VM means you're using a different computer, so theoretically you're a different person. If they DO identify you as the same individual, they are potentially doing so incorrectly -- or at least would be incorrectly assuming OTHER unique users are actually the same person.

The way they would almost certainly be doing such grouping is by IP address. Multiple VMs probably share the same public IP address, much the same as multiple independent computers on your same private network share the same publicly visible IP address.

Site owners may assume that all visitors from a single IP are actually the same user; they'd do so incorrectly, but in your case they would correctly coalesce your multiple identities into a single user.

And while users sharing a single IP may be unique, they are also typically related in some way, which is why many site owners will link such users anyway. For example, if you get banned from posting new questions on Stack Overflow, that ban applies to all users who share your same IP.

Note that while you said you are using a proxy, if you're using the same proxy every time, you're still the same person. Also, proxies can be detected.

tylerl
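The linking signals discussed in the two answers above (cookies, a fingerprint shared by clones of one base image, and the source IP), as an added Python example that is not from any poster. The visits, header values and proxy addresses are constructed, and the fingerprint uses request headers only, a simplification of what tools like Panopticlick collect.

```python
import hashlib
from collections import defaultdict

FP_HEADERS = ("User-Agent", "Accept", "Accept-Language", "Accept-Encoding")

def fingerprint(headers):
    # Hash of header values that are identical across clones of one image.
    material = "\n".join(headers.get(h, "") for h in FP_HEADERS)
    return hashlib.sha256(material.encode()).hexdigest()[:12]

def link_visits(visits):
    """Per signal, the groups of visit ids a site would treat as one user."""
    groups = {s: defaultdict(list) for s in ("cookie", "fingerprint", "ip")}
    for v in visits:
        if v["cookie"]:                  # a fresh VM arrives with no cookie
            groups["cookie"][v["cookie"]].append(v["id"])
        groups["fingerprint"][fingerprint(v["headers"])].append(v["id"])
        groups["ip"][v["ip"]].append(v["id"])
    return {s: sorted(ids for ids in g.values() if len(ids) > 1)
            for s, g in groups.items()}

# Constructed header sets: two base VM images and one unrelated user.
BASE_X = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0",
          "Accept": "text/html,application/xhtml+xml",
          "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}
BASE_Y = dict(BASE_X, **{"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0",
                         "Accept-Language": "en-GB,en;q=0.7"})
OTHER = dict(BASE_X, **{"User-Agent": "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.15"})

# Constructed visits: v1, v2, v5 are fresh clones of image X; v3 uses image Y;
# v4 is a different person behind the same proxy as v1-v3.
VISITS = [
    {"id": "v1", "ip": "203.0.113.5",  "cookie": None, "headers": BASE_X},
    {"id": "v2", "ip": "203.0.113.5",  "cookie": None, "headers": BASE_X},
    {"id": "v3", "ip": "203.0.113.5",  "cookie": None, "headers": BASE_Y},
    {"id": "v4", "ip": "203.0.113.5",  "cookie": None, "headers": OTHER},
    {"id": "v5", "ip": "203.0.113.77", "cookie": None, "headers": BASE_X},
]

if __name__ == "__main__":
    for signal, linked in link_visits(VISITS).items():
        print(signal, linked)
```

Cookies link nothing because every clone starts clean, the fingerprint links the three image-X visits even across proxies, and the IP grouping also pulls in the unrelated user v4.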
1

I believe that a website could identify your MAC address by using the STUN/TURN protocol via WebRTC, see: "Christian Frichot - Hooked Browser Meshed-Networks with WebRTC and BeEF - DEF CON 23 Conference." The video is available on the DEF CON website or YouTube, and alludes to some scary security implications in WebRTC.

Reed Jones