Tor NoScript visit tracker

bitbucket.org

44 points by Syrup-tan 10 years ago · 23 comments

jakobegger 10 years ago

What else, besides using Tor and turning off JavaScript, does a user have to do so that a website operator finally gets that they don't want to be tracked?

  • emodendroket 10 years ago

    You could use the Stallman method and download pages with wget to read.

  • ironsides 10 years ago

    Stop using repeat-offending websites.

    • hackuser 10 years ago

      Very few users can detect that they are being tracked, so they can't avoid it. The tracking methods are designed to be undetectable; web beacons are invisible pixels; sites don't tell users: we track this info and share it with these people; even privacy policies usually are ambiguous, and they are too long and complex to read for every site someone visits.

    • foobiekr 10 years ago

      Because sites can be hacked or changed at any time, the ability of users to avoid offenders is basically zero.

  • nickik 10 years ago

    Also use this EFF Privacy Badger: https://www.eff.org/de/node/73969

  • korm 10 years ago

    But this can't track individual users, it just provides general usage statistics, like visitor retention.

    I'd be interested in a viable example of this being used to identify users.

    • Leon 10 years ago

      That can help with fingerprinting. Any entropy escaping from a user's session is useful.

      • korm 10 years ago

        This can be used to make a user's fingerprint stand out based on their browsing patterns. However, it is very fragile in practice. The tracker would need both a rare fingerprint, as well as a rare browsing pattern in order to identify a user.

        This is pretty hard, considering the Tor Browser does a good job at having a common fingerprint at its highest security setting (JavaScript disabled, which is what this tracker is for).

    • Syrup-tan (OP) 10 years ago

      I'm unsure why this is downvoted.

      I think he is saying that users can't be tracked between page-loads using this method, or you risk sending multiple users the same token (which is true, at least with this implementation).

      The time they spend on the website, latency, etc. can all be used to add to a fingerprint, but there isn't something magic that makes this accurate, especially without JavaScript.

      Edit: please don't mind me ghostposting kthx

    • mordocai 10 years ago

      I may be missing something, but it seems to me that this technique (if not this particular implementation) could be used to easily track individual users.

hackuser 10 years ago

> NoScript Tracker is a basic tracker that makes use of iframes and the Refresh HTTP header to measure how long users spend on web pages.

> It is ideal for getting basic usage statistics on the Tor network, where JavaScript is not an option for most users.

NoScript can block iframes; will that disable this tracker?

Also, does the Tor Browser, which includes NoScript, default to blocking iframes?

  • MajesticHobo 10 years ago

    > Also, does the Tor Browser, which includes NoScript, default to blocking iframes?

    No. Tor Browser defaults to the lowest security level, allowing all scripts, media, iframes, etc.

  • alphapapa 10 years ago

    NoScript->Options->Embeddings->Additional restrictions for untrusted sites->Forbid <IFRAME>

    Just turned that option on, myself. I might have had it on years ago--can't remember for sure--but now that I know it's being abused, I'll definitely leave it on. IFRAMEs are generally poor practice, anyway.
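The pattern quoted at the top of this sub-thread (an iframe whose response carries a `Refresh` header) can be audited from recorded responses. The following is an added example, not code from the NoScript Tracker project or from any commenter; the page, URLs and headers are constructed, and the "hidden frame" heuristic is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))

def parse_refresh(value):
    """Split a Refresh value 'N; url=TARGET' into (seconds, target or None)."""
    m = re.match(r"\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+?)['\"]?\s*)?$",
                 value, re.I)
    return (int(m.group(1)), m.group(2)) if m else None

def looks_hidden(attrs):
    """Heuristic (assumption): 0/1-pixel, 'hidden', or CSS-hidden frames."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return (tiny or "hidden" in attrs
            or "display:none" in style or "visibility:hidden" in style)

def audit(page_url, page_html, responses):
    """Report iframes whose recorded response asks the browser to re-request."""
    finder = IframeFinder()
    finder.feed(page_html)
    findings = []
    for attrs in finder.frames:
        src = urljoin(page_url, attrs.get("src") or "")
        headers = {k.lower(): v for k, v in responses.get(src, {}).items()}
        refresh = parse_refresh(headers.get("refresh", ""))
        if refresh is None:
            continue  # frame does not reload itself; not this pattern
        delay, target = refresh
        findings.append({"frame": src, "delay": delay, "hidden": looks_hidden(attrs),
                         "next": urljoin(src, target) if target else src})
    return findings

# Constructed sample: one page plus the headers recorded for each frame URL.
PAGE_URL = "http://example.test/article"
PAGE = ('<p>text</p><iframe src="/beacon?seq=0" width="1" height="1"></iframe>'
        '<iframe src="/video"></iframe>')
RESPONSES = {"http://example.test/beacon?seq=0": {"Refresh": "5; url=/beacon?seq=1"},
             "http://example.test/video": {"Content-Type": "text/html"}}

if __name__ == "__main__":
    for finding in audit(PAGE_URL, PAGE, RESPONSES):
        print(finding)
```
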

achairapart 10 years ago

I will not be surprised at all if something like this is soon used to circumvent adblockers, replacing classic JavaScript-based analytics on the "bright" side of the web.

  • kaugesaar 10 years ago

    AdBlockers will still block iframes and already do. Those I've seen block the full request based on a list of known domains. Many 3rd-party tracking cookies are often placed with the help of iframes or an img pixel.

    With Google Analytics you have the option to actually do all the tracking server-side so AdBlockers shouldn't be an issue tracking-wise.

buro9 10 years ago

Before Microsoft gave us the XMLHttpRequest, and before IFRAMEs were everywhere, this is exactly how, with FRAMESETs and target="", one could track session length, reload other parts of a page after some given time, allow forms to interact with complex flows and various other things.

The "virtually invisible frame loading in the background" trick is going to be around for the long term and seems destined to be re-learned many times over.

somebody1 10 years ago

Why wouldn't you open a web socket?

  • korm 10 years ago

    Because you can't use WebSockets in the browser without Javascript.
