There’s not really much you can do about web tracking, so you might as well figure out how you can take advantage of it.

This was the theme of Web Tracking for You, a session at the tenth Black Hat security conference in Las Vegas presented by Gregory Fleischer.

Tracker Jackers

Web tracking, in the context of keeping track of user behavior on websites, has come under a great deal of scrutiny in recent months, with laws attempting to regulate the process being enacted in several locations around the world, including the U.S. and the U.K. But the technologies associated with the practice can also be used by web developers to help them track down unscrupulous web visitors, said Fleischer, a Senior Security Consultant in the Application Security practice at Overland Park, Kan.-based FishNet Security who spoke at the conference.

Fleischer’s web-tracking techniques included:

  • passive and active fingerprinting
  • persistence of tracking identifiers
  • unmasking techniques

Fingerprinting

The goal of fingerprinting is to calculate a unique fingerprint for a user based on characteristics such as those of the browser and operating system in use, as well as what plugins are being used. This can be passive (just collecting information) or active, where information is actively gathered from the browser using technologies such as JavaScript or CSS. Active technologies offer the ability of being more difficult for the user to fake or hide, because it uses feature set detection, rather than just being based on what is reported by the browser user agent, he said.

In addition, user-identifying information can be gathered from a variety of other Internet and web technologies, including html5, the browser cache, plugin dependent storage, Adobe Flash, Microsoft Silverlight, Oracle Sun Java and Adobe Acrobat, Fleischer said.

Fleischer went on to describe ways of defeating techniques that users might employ in an attempt to obscure their true location, such as network proxies and virtual private network (VPN) tunnels. These primarily work through forcing a direct connection using any available mechanism, and then, perhaps, correlating it with additional geographic IP information, he said. For example, some plugins can be made to “leak” information, or might support a direct method of communication that bypasses the proxy, he said.

Most aggressive are methods of injectable content that could be seen as violating user privacy, such as software that captures text changes or monitors clicks, Fleischer said. These should be used sparingly because they can appear overly malicious, he cautioned.

Tracking Via Web Browsers

While some more advanced web browsers offer additional opportunities for tracking, the effectiveness of this range of techniques is limited by the variety of implementations and lack of consistently supported feature sets, Fleischer said.

Fleischer went on to describe several more recent privacy protection techniques implanted by browser vendors that are intended to improve user privacy, as well as comply with the various laws being implemented nationwide to help improve user privacy through legislation. However, many of the implementations are flawed in ways that may be challenging to address without breaking users’ expectations of how the web works, he said.

In particular, Fleischer went on to make fun of the recently implemented “Do Not Track” feature in some browsers, due to its lack of teeth. “It’s the biggest practical joke laid on anyone,” he said. Do Not Track (DNT), an optional browser HTTP request header, is an “Opt‐in” signal to third parties not to track user information, which he derisively referred to as “Don’t Track Me, Bro.” Defeating it is as simple as doing nothing -- or pointing and laughing -- or, at most, using protocols that aren’t based on HTTP, such as FTP or binary sockets. That is, if the technical restrictions in the Do Not Track specification are ever implemented, he said.

Moreover, Fleischer demonstrated that a variety of techniques actually still collect tracking information about a user, even after privacy protections are turned on. Safari was a particularly egregious offender in terms of the amount of information it continued to collect even when it was ostensibly turned off. “I don’t want to say it’s fake, but it doesn’t seem real,” he said.

Tracking Server

Fleischer went on to release the alpha version of an open source tool, Tracking Server, his first pass at a tool that is intended to perform a number of these tests, including injecting web tracking code using a transparent network proxy to embed HTML code onto a website. He noted, though, that many features are currently missing, hinting that he intended to update the tool as time went on or, since it was written in Python, that others could update it as well.

One could point out that the tool could also be used by unscrupulous website developers as a means of capturing data from their web visitors, and indeed Fleischer made reference to that, saying he was likely to have people asking him, “Why do you hate privacy? Why do you hate freedom?” afterwards. On the other hand, he noted, while he does get that sort of question now, it tends to be balanced out by requests of him to help them identify people visiting their website.