The website dropmail.me is able to successfully reidentify me (and offer my last used temp mail addresses via "Restore access") despite doing the following:
- Delete all my browser's history which includes cache, cookies, website settings, download history, search history, browser history and active logins. Basically everything that can be deleted through the Firefox menu. I'm using Firefox 52 ESR.
- Use a VPN (that according to their claims is safe against IPv6 and DNS leaking) that I have not used when I previously visited this website.
- Using uBlock Origin and uMatrix
Additional information:
- My "identity" must somehow be bound to my current browser profile. When I use a different browser or a new browser profile, the website doesn't reidentify me as the same person. Actually, it is sufficient to use the Firefox addon Priv8 and create a new sandbox to be identified as a different person. This might indicate that there is some kind of storage for websites that can't be accessed or deleted through Firefox. (It's not Flash cookies, the website doesn't use Flash!)
- (Update) Other browsers are not affected. Microsoft Edge, after deleting browser history, doesn't allow reidentification. This is a Firefox-only issue!
My questions are:
- How on earth are they able to reidentify me? Since their only motivation to reidentify me is to offer access to previously used mail addresses, I don't think they use any "dark" techniques like fingerprinting, but of course it can't be ruled out.
- How can I protect myself from this kind of "super-tracking" used by this website?
Use incognito mode when you visit. Chrome and IE have it, I'm sure Firefox does too. – Appleoddity – 7 years ago
Do you log in at any point? – LPChip – 7 years ago
@Appleoddity: Yes, incognito mode helps, but as far as I understand this just prevents websites from storing or reading browser history etc. So when I delete everything this should have the same effect but it doesn't. Maybe a bug in Firefox? – manuel – 7 years ago
@LPChip: No. I don't – manuel – 7 years ago
I strongly suspect the evil that is evercookie – Prime – 7 years ago
@Prime, in this very case it's not. Manuel is right: "Since their only motivation to reidentify me is to offer access to previously used mail addresses, I don't think they use any "dark" techniques" and peeking in the code you'll see they're simply using standard web technology. Firefox is to blame here, in this specific case. – Arjan – 7 years ago
With permanent ever-cookies! – Chloe – 7 years ago
If you use a whitelist-only cookie policy (i.e. blocking them by default) then sites can't use indexedb, also preventing such tracking – the8472 – 7 years ago
Even clearing everything still won't protect against fingerprinting – o11c – 7 years ago
@o11c True, but you cannot use fingerprinting to uniquely identify "new" users, only to re-identify returning users – cat – 7 years ago
Even if you reinstall your entire browser, you may still be identifiable by your installed fonts, plugins, even your connected monitor! There's really very little you can do to avoid that sort of profiling. – KlaymenDK – 7 years ago
@cat: If they see a fingerprint they haven't seen before, it's likely to be a new one. btw https://amiunique.org is one of the many sites to figure out a bit on how unique you are yourself... – PlasmaHH – 7 years ago
I would try deleting cookies: based on what you are saying about incognito mode helping that would be the most likely culprit. Incognito mode stops the persisting of cookies, amongst other things :) – GMasucci – 7 years ago
@GMasucci: Did you also read the question and have you noticed that there is already an accepted answer? – manuel – 7 years ago
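The comments above point to IndexedDB as storage a site can use alongside cookies. The following is an added example, not code from the thread or from the site discussed: a canary test for checking which origin-scoped stores your own browser's "clear history" actually empties. The names `KEY`, `plantCanary` and `findSurvivors` are made up for this sketch, and `win` is assumed to be the page's `window`.

```javascript
// Added example. KEY is a hypothetical marker name; `win` is normally `window`.
const KEY = "clear_canary";

// Step 1: write the same random marker into each store, then note the id down.
function plantCanary(win, id) {
  win.document.cookie = `${KEY}=${id}; max-age=31536000; path=/`;
  win.localStorage.setItem(KEY, id);
  // An empty database named after the marker is enough: only its
  // existence is checked later.
  win.indexedDB.open(`${KEY}_${id}`);
  return id;
}

// Step 2: after clearing browser data and reloading the page,
// report which stores still hold the marker.
async function findSurvivors(win, id) {
  const found = [];
  const cookies = win.document.cookie.split(";").map(c => c.trim());
  if (cookies.includes(`${KEY}=${id}`)) found.push("cookie");
  if (win.localStorage.getItem(KEY) === id) found.push("localStorage");

  // IDBFactory.databases() is missing in older browsers, so report
  // "cannot enumerate" instead of silently treating that as empty.
  const idb = win.indexedDB;
  if (idb && typeof idb.databases === "function") {
    const names = (await idb.databases()).map(db => db.name);
    if (names.includes(`${KEY}_${id}`)) found.push("indexedDB");
  } else {
    found.push("indexedDB: cannot enumerate in this browser");
  }
  return found;
}
```

In the console: `plantCanary(window, crypto.randomUUID())`, clear the browser data, reload, then `findSurvivors(window, "<the id>").then(console.log)`. An empty array means the clear removed all three markers.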