Can a website see/know my MAC address even if I use a VPN?

I have searched other results and read many of them but I could not get an enough information.

My question is that can a website see my MAC address or can they have an information about that I'm the same person under these conditions:

I am using a VPN and I use two IPs: first one is normal one, the second one is the VPN's IP.
I use two browsers to hide behind browser fingerprinting. I use both browsers with Incognito Mode. I always use one for normal IP, one for the VPN IP.
I do not know that if the website uses cookies or not. But can they collect an enough information to prove that these two identities belong to same person?

Is there any other way for them to see that I am the same person? I use different IPs, different browsers and I use both browsers in incognito mode. I even changed one of browsers language to only English. So even if they collect my info from browser, they will see two browsers using different languages.

(Addition after edit): So I have changed my IP and browser information and the website can not reach this information anymore to prove that I am the same person using two accounts. Then let's come to the title: Can they see my MAC address? Because I think that it is the last way that they can identify me and my main question is that. I wrote the information above to mention that I changed IPs and I have some precautions to avoid browser fingerprinting (btw my VPN provider already has a service about blocking it). I wrote them because I read similar advices in some related questions but my question is that can they see my MAC address (or anything else that can make me detected) despite all these precautions.

And lastly,

Is there an extra way to be anonymized that I can do? For example, can my system clock or anything else give an information?

Thanks in advance.

ilhan

Posted 2014-08-24T20:06:40.910

Reputation: 101

I guess you just confused things when you say MAC address every now and then, as you mainly talk about IP addresses. I’ve taken the liberty to edit the post accordingly. – Daniel B – 2014-08-24T20:12:18.310

No Daniel, my question is about MAC address actually. The things I mentioned in my question details are because of that I already changed the IP and then there will not be a problem about using same IP. This title is wrong now because my question is about MAC address. I already said that my IPs are different in two different browsers. The thing I wanna know is that if they can see my MAC address or not despite all these things I do. So I will be glad if the title is changed back to MAC address because my main question is that. – ilhan – 2014-08-24T21:33:50.023

@ilhan: It really doesn't matter much if they can see your MAC address because you MAC address is meaningless outside of your local network. It gets stripped out of the network packet by your router (replaced by your router's MAC address so that your ISP's router know which router to send the packet to). – slebetman – 2014-08-25T04:17:22.287

@ilhan: What you should be worried about is your public IP address (not the IP address of your local machine but your router's external IP address, not the 127.0.0.1 address). That address is assigned by your ISP and you can't set it to something else without breaking your internet connection. The real worry is that for billing purposes your ISP keep track of what address is assigned to who at what time. This is what people who use VPN want to circimvent. – slebetman – 2014-08-25T04:20:18.463

@FYI - the worry is mostly about preventing the government from looking at what you do but there have also been cases where criminals (and 4chan) have hacked ISP's databases so they can use that information to unmask your home address from your public IP address. – slebetman – 2014-08-25T04:22:02.177

Answers

The only web sites that can access MAC addresses, are sites that have you download a software component to interface with them, which allow the site to circumvent the usual rules. So you technically have to give permission first by doing that. ActiveX & WMI (Windows Interface via Windows Management Instrumentation) for Internet Explorer and Java are methods used that could pass on a MAC address. ActiveX requires WMI is installed for this to work.

Here is a script using WMI that reads MAC addresses: http://www.qualitycodes.com/tutorial.php?articleid=19&title=MAC-Address-Using-WMI-on-Internet-Explorer [NOTE: this link is now dead, but the script previously hosted at that location did the job for WMI enabled Windows-based computers so still needed as information for this question.]

Here is a question with code to do this in Java on StackOverflow: https://stackoverflow.com/questions/10962072/get-mac-address-in-java-using-gethardwareaddress-non-deterministic

As mentioned in the comment below by Hennes, MAC addresses are internal only. Web servers do not generally pass on that information... just the IP addresses, and even then- users often only show the IP address of their location. If you are going to a web site for example, in a coffee shop, the IP shown is that of the coffee shop, not a user on the network.

Regarding IP addresses-- JavaScript can use WebRTC (these examples for newer versions of Chrome and Firefox) now to show internal IP addresses as explained in this article: https://hacking.ventures/local-ip-discovery-with-html5-webrtc-security-and-privacy-risk/ See live working examples here: http://net.ipcalf.com/ and one that attepts to detect all ip addresses in your local range here: https://dl.dropboxusercontent.com/u/1878671/enumhosts.html This is not to be confused with MAC address data. If your JavaScript is turned off this will not work of course.

Since it was mentioned in the question, JavaScript reads the time from the clock on your system. When you post from one page to another in a form, it could post the time from javascript, giving away the time zone you are in. Applications that use real-time like online bid applications do that. If that is different than the time the server sees that would be a 'flag' so to speak. The solution is to kill JavaScript or change your clock time. By itself it doesn't give much out though. Not everyone has their clock set properly but most have them auto-sync with real timeservers especially mobiles.

In the comments below, specializt mentioned that WMI can be disabled. So can ActiveX, JavaScript, and Java which can simply be uninstalled.

The cookies by themselves get server time, not the time from the web browser. If you want client-side time, the JavaScript method I mentioned above is a way to do it.

If you are looking at a site, and two web browsers come up from the same ip (which yours would if you did not use proxies)-- it would not be necessary to check a cookie to know they came from the same location. The IP log tells them that. They cannot know it was from the same computer in the 'lab', but it may be guessed because they are in the same time slot in the web log. That may not help - one person or a person with an accomplice... it could be seen in that light.

Proxies would resolve the server log IP problem of course. Both browsers using a different proxy location like you mentioned is great.

Jeff Clayton

Posted 2014-08-24T20:06:40.910

Reputation: 918

Firstly, thanks for your answers Jeff and Hennes. They are the bests I saw so far.

@Hennes, I heard that the MAC of computer cant go out of router, but still the router's MAC address information is going to the ISP and then to the website etc. sure? I mean, they can not see my computer's MAC but still they can identify me by seeing the same MAC of the same router I think, am I wrong?

In addition to all, what ways can a website reach to prove that two accounts belong to the same person else than IP, browser information (language, screen res etc.) and MAC? Am I anonymized and safe? – ilhan – 2014-08-24T21:57:40.890

Most welcome, I have installed wi-fi routers at more than one coffee shop, hence the example ;) – Jeff Clayton – 2014-08-24T21:58:46.540

Web sites can't see your MAC without you installing more software as I mentioned. The machine directly behind the router generally has its MAC address cloned by the router, but still not readable by the web server showing you a web site. – Jeff Clayton – 2014-08-24T22:03:31.280

You are technically safe in a crowd so to speak. If you go to a public wi-fi, with a large number of people using that location's shared ip, then someone would have to be actively looking for you, while you are there, in order to find you. If you have a dedicated ip, then you are registered with your ISP. Someone would have to contact your ISP and ask them for your credentials based on the ip that visited their web site. – Jeff Clayton – 2014-08-24T22:11:05.753

True, unless one is using IPv6 and has not configured privacy addressing. See (my) How to avoid exposing my MAC address when using IPv6?

– Arjan – 2015-10-18T12:26:08.377

Websites can't see your MAC address at all, so you don't need to use a VPN.

Alex Dumitru

Posted 2014-08-24T20:06:40.910

Reputation: 203

I know services that can ban by MAC, so I wouldn't be so sure – Tetsujin – 2014-08-24T20:35:16.197

Thanks for answer Alex. But I know some websites that can detect multi accounts with different IPs. That's why I asked that if there are another ways for them to detect me. – ilhan – 2014-08-24T21:30:56.213

If so, they're using some method other than your MAC address. – duskwuff -inactive- – 2014-08-24T23:06:55.847

@Tetsujin: You're probably thinking of your home router. The router gets your MAC address from its network card because that is its job. On (almost) any OS you can run command line tools to then match the MAC address to an IP address. That is what you router displays to you on its web page. The MAC address never leaves your local network. Your router's job is to translate between "public" IP address and your local IP address then your MAC address to figure out where to send the packet to. – slebetman – 2014-08-25T04:14:55.943

@ilhan: What do you mean detect multi accounts? You mean two different PCs in your home gets detected as the same user? – slebetman – 2014-08-25T04:24:19.247

He is probably talking about online games like World of Warcraft and such. These games have access to hardware information and may therefore report back statistics to the servers. For example, if it is against the rules to have multiple accounts, the server could raise a flag based on the MAC address of your computer, since this number is (probably) universally unique. The MAC address check is more reliable than an IP check, since proxies are easily accessible. – sleblanc – 2014-08-25T06:07:11.433

@sebleblanc - that's the kind of thing I meant, yes – Tetsujin – 2014-08-25T06:22:30.140

3@Tetsujin: That's not a website, though, it's a game running directly on your computer. Web servers can't see your MAC address, but software installed and running on your computer definitely can. – Ben Voigt – 2014-08-25T06:23:15.537

True, unless one is using IPv6 and has not configured privacy addressing. See (my) How to avoid exposing my MAC address when using IPv6?

– Arjan – 2015-10-18T12:23:55.057

Very true, IPv6 is a different animal altogether. – Jeff Clayton – 2015-10-19T03:33:03.623

The others have already answered you main technical questions and my comment to some of them answer your doubts about MAC address. So I'll just concentrate on this:

And lastly,

Is there an extra way to be anonymized that I can do? For example, can my system clock or anything else give an information?

Yes, there is one more thing that can trip you up: your personality. What you're trying to do is called sockpuppeting. You may have noticed that some sites like Stackoverflow and Reddit have moderators. They're the last-line defence against sock puppets. And in my personal experience is that they base their detection primarily on "hunch".

Once they have a hunch that something is fishy they'll usually dig your posting history and find phrases or political views or mispellings or any pattern that's consistent. That is how sock puppet detection is done once you get past auto-detectors like referrer detection or IP address detection or username similarity detection (it's amazing how some people insist on using discoverable patterns when choosing usernames) etc.

Against another human it's quite hard to avoid detection unless your second account does not do anything at all that's related to your first account. Then again, that generally defeats the purpose of sock puppets.

slebetman

Posted 2014-08-24T20:06:40.910

Reputation: 547

Excellent description. Years ago a person I knew on the net found a web site of mine with a different name because it SEEMED like my regular site. It was rather impressive that he could do this. – Jeff Clayton – 2014-08-25T19:45:41.037

A client's MAC address is used by the layer 2 protocol, eg ethernet, to uniquely identify each node on the local network. It is most likely that the web site that you are reaching is NOT on your local area network and hence will not see your MAC address.

For sake of illustration lets say you have a PC on a LAN and you want to access a web site, eg google.com. First thing you need to do is find the best route to google.com. This will be via a router. most likely some sort of broadband router. If you are on ethernet, your networking systems places an ethernet frame round chunks of data in your request. In each frame there will be a to MAC address and a from MAC address. The to MAC address is the MAC address of your router and the from MAC address is your PC MAC.

The router, when it receives the frame will strip off the frame and reframe it for the next leg of the journey. I don't know much about ADSL framing but there will still be a frame used - some sort of dsl type frame. This time the to MAC address will be the MAC of the next node on the route to google.com. The from MAC will be the MAC of the broadband side of your router.

So you see, google.com will never see your PC's MAC address. It sees your IP address, sure, but not your MAC.

user619818

Posted 2014-08-24T20:06:40.910

Reputation: 306

I think it's fairly obvious that software running within your computer can provide virtually any information needed to break your annonymity. So, it may be software accidentally installed. If it has access to the network later and the software layer, it can probably talk to itself to establish a connection through both networks and give your identity up. I believe that running two virtual machines is a slightly stronger method, although not perfect. There's very little chance of software within a virtual machine speaking to another virtual machine if you set it up right, however, of course software within the virtual machine may broadcast the MAC address to something that can be matched up. At the end of the day they may still match similar usernames, or other patterns, and there is little you can do about that.

Gavin

Posted 2014-08-24T20:06:40.910

Reputation: 21

It depends on the web site you are accessing and what special scripts run on their servers.

For example:

When you connect to a wifi hotspot, you will first be directed to a login web page where you have to enter your credentials to be given farther access to the Internet. If you check the address bar of that login page, you will discover your MAC address in there and most likely the MAC address of the router you are connecting to. You don't need to have installed any special software on your computer. A script, which is downloaded by the browser from the server where the login web page is located, does that. That is, the script reads the information about your network adapter and creates the complex string placed in the browser address bar.

After you login, the information about your MAC address sent by your computer and your credentials (user id and password) are placed in a database by the wifi hotspot provider. From that moment, on every time you connect to that wifi network (regardless of the physical hotpsot), your MAC address will be checked against the database. If the credentials are still current and valid you will be given access to the Internet, without the need of another login.

Your MAC address and/or your credentials can be farther used by the wifi hotspot provider to monitor and limit your access to the network based on length of access, time of access, amount of data transferred, type of data accessed, etc.

To answer the original question, a web site can read your MAC address, but they need to have special scripts on their servers and force your browser to download them.

user20001

Posted 2014-08-24T20:06:40.910

Reputation: 1