The website dropmail.me is able to successfully reidentify me (and offer my last used temp mail addresses via "Restore access") despite doing the following:
- Delete all my browser's history which includes cache, cookies, website settings, download history, search history, browser history and active logins. Basically everything that can be deleted through the Firefox menu. I'm using Firefox 52 ESR.
- Use a VPN (that according to their claims is safe against IPv6 and DNS leaking) that I have not used when I previously visited this website.
- Using uBlock Origin and uMatrix
Additional information:
- My "identity" must somehow be bound to my current browser profile. When I use a different browser or a new browser profile, the website doesn't reidentify me as the same person. Actually, it is sufficient to use the Firefox addon Priv8 and create a new sandbox to be identified as a different person. This might indicate that there is some kind of storage for websites that can't be accessed or deleted through Firefox. (It's not Flash cookies, the website doesn't use Flash!)
- (Update) Other browsers are not affected. Microsoft Edge, after deleting browser history, doesn't allow reidentification. This is a Firefox-only issue!
My questions are:
- How on earth are they able to reidentify me? Since their only motivation to reidentify me is to offer access to previously used mail addresses, I don't think they use any "dark" techniques like fingerprinting, but of course it can't be ruled out.
- How can I protect from this kind of "super-tracking" used by this website?
Use incognito mode when you visit. Chrome and IE have it, I'm sure Firefox does too. – Appleoddity – 2017-09-16T15:44:06.840
Do you log in at any point? – LPChip – 2017-09-16T15:47:36.763
@Appleoddity: Yes, incognito mode helps, but as far as I understand this just prevents websites from storing or reading browser history etc. So when I delete everything this should have the same effect but it doesn't. Maybe a bug in Firefox? – manuel – 2017-09-16T15:49:03.530
@LPChip: No. I don't – manuel – 2017-09-16T15:49:30.810
I strongly suspect the evil that is evercookie – Prime – 2017-09-16T20:40:35.853
@Prime, in this very case it's not. Manuel is right: "Since their only motivation to reidentify me is to offer access to previously used mail addresses, I don't think they use any "dark" techniques" and peeking in the code you'll see they're simply using standard web technology. Firefox is to blame here, in this specific case. – Arjan – 2017-09-17T08:15:09.767
With permanent ever-cookies! – Chloe – 2017-09-18T03:02:27.617
If you use a whitelist-only cookie policy (i.e. blocking them by default) then sites can't use IndexedDB, also preventing such tracking – the8472 – 2017-09-18T21:29:10.613
Even clearing everything still won't protect against fingerprinting – o11c – 2017-09-19T05:35:06.963
@o11c True, but you cannot use fingerprinting to uniquely identify "new" users, only to re-identify returning users – cat – 2017-09-20T00:24:10.647
Even if you reinstall your entire browser, you may still be identifiable by your installed fonts, plugins, even your connected monitor! There's really very little you can do to avoid that sort of profiling. – KlaymenDK – 2017-09-20T20:00:54.990
@cat: If they see a fingerprint they haven't seen before, it's likely to be a new one. btw https://amiunique.org is one of the many sites to figure out a bit on how unique you are yourself... – PlasmaHH – 2017-09-21T08:25:46.633
I would try deleting cookies: based on what you are saying about incognito mode helping that would be the most likely culprit. Incognito mode stops the persisting of cookies, amongst other things :) – GMasucci – 2017-09-22T08:04:37.643
@GMasucci: Did you also read the question and have you noticed that there is already an accepted answer? – manuel – 2017-09-23T10:36:02.370
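Added example, not part of the original question or any comment: a check for the situation described above, where a site is still recognised after "clear history". It lists the origins that still have IndexedDB data in a Firefox profile. The on-disk layout (`<profile>/storage/<repository>/<origin>/idb`) and the `+` encoding of origin directory names are assumptions based on how Firefox lays out its profile, not something stated on this page.

```python
from pathlib import Path

# Repositories kept under <profile>/storage/ (assumed layout, see lead-in).
REPOSITORIES = ("default", "permanent", "temporary")


def decode_origin(dirname: str) -> str:
    """Turn a storage directory name such as 'https+++example.test' into an origin."""
    base = dirname.split("^", 1)[0]      # drop origin attributes, e.g. ^userContextId=1
    scheme, sep, rest = base.partition("+++")
    if not sep:
        return base                       # non-URL entries such as 'chrome'
    host, _, port = rest.partition("+")   # ':' before the port is stored as '+'
    return f"{scheme}://{host}" + (f":{port}" if port else "")


def leftover_site_storage(profile: Path):
    """Return [(origin, repository, bytes)] for each origin that still has an idb/ folder."""
    found = []
    for repo in REPOSITORIES:
        root = profile / "storage" / repo
        if not root.is_dir():
            continue
        for origin_dir in sorted(root.iterdir()):
            idb = origin_dir / "idb"
            if not idb.is_dir():
                continue
            size = sum(f.stat().st_size for f in idb.rglob("*") if f.is_file())
            found.append((decode_origin(origin_dir.name), repo, size))
    return found


if __name__ == "__main__":
    import sys
    # Pass the profile directory as the first argument; defaults to the current directory.
    profile_dir = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for origin, repo, size in leftover_site_storage(profile_dir):
        print(f"{origin}\t{repo}\t{size} bytes")
```

Run it with Firefox closed, once before and once after clearing history: an origin that appears in both runs has storage the clear operation did not touch.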