
HowTo: Prevent Tracking via the Browser Cache     

Practically all of today’s browsers use an internal cache, which stores web objects temporarily so that repeated requests for them are served from the local cache, much faster than a full web access.   Well, there are some tricks that use your cache to track your movements around The Internets, even if you disable or clear cookies and LSO-cookies.

This form of tracking has dozens of different undetectable methodologies.   For example:

  • Storing random data in the Last-Modified header – Send an HTTP Response header to the user’s browser:
    Last-Modified: {UNIQUE_ID}
    The user’s browser will send back the {UNIQUE_ID} when it makes the same request later:
    If-Modified-Since: {UNIQUE_ID}
  • Using entity tags – Send this HTTP Response header to the user’s browser:
    ETag: "{UNIQUE_ID}"
    And when the browser calls for the same resource later, it will send the unique ID along with the request:
    If-None-Match: "{UNIQUE_ID}"
  • Embed codes in images and decode using JavaScript Canvas – Encode a {UNIQUE_ID} in an image format, like GIF or JPG.   Then send that bugged image to the user’s browser, with cache headers far in the future, like this:
    Cache-Control: public, max-age=316320000
    Expires: Mon, 30 Nov 2020 00:00:00 GMT

    Subsequently read the image using JavaScript and canvas in the browser, and decode the {UNIQUE_ID} from it.
  • Long cached CSS referring to a unique no-cache resource – Send the user’s browser some dynamically generated CSS with a long cache time, like this:
    #element { background-image:url('/webbug.php?{UNIQUE_ID}') }
    So when the CSS subsequently requests /webbug.php?{UNIQUE_ID}, make sure that it returns HTTP Response headers which specify not to cache.
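
One way to check a site for the first two techniques above is to fetch the same URLs from two clean browser profiles and compare the validators each profile was handed. This is an added example, not code from the original post; the URL paths and header values are constructed sample data.

```python
from email.utils import parsedate_to_datetime

# Constructed sample data: same URLs fetched from two clean browser profiles.
DATE = "Tue, 03 Mar 2020 10:00:00 GMT"
SESSION_A = {
    "/logo.gif": {"Last-Modified": "a91f3c07d2e44b18", "ETag": '"static-v3"'},
    "/app.js": {"Last-Modified": DATE, "ETag": '"5f1c9e2ab7"'},
    "/site.css": {"last-modified": DATE, "etag": '"css-17"'},
}
SESSION_B = {
    "/logo.gif": {"Last-Modified": "0be77d41c6a9f523", "ETag": '"static-v3"'},
    "/app.js": {"Last-Modified": DATE, "ETag": '"c03d77e1f4"'},
    "/site.css": {"Last-Modified": DATE, "ETag": '"css-17"'},
}


def is_http_date(value):
    """True if value parses as an HTTP date, which Last-Modified must be."""
    try:
        parsedate_to_datetime(value)
        return True
    except (TypeError, ValueError):
        return False


def audit(first, second):
    """Map each URL seen in both sessions to a list of suspicious findings."""
    findings = {}
    for url in sorted(first.keys() & second.keys()):
        # Header names are case-insensitive, so normalise before comparing.
        a = {k.lower(): v for k, v in first[url].items()}
        b = {k.lower(): v for k, v in second[url].items()}
        notes = []
        for name in ("last-modified", "etag"):
            va, vb = a.get(name), b.get(name)
            if name == "last-modified" and not all(
                is_http_date(v) for v in (va, vb) if v is not None
            ):
                notes.append("last-modified is not an HTTP date")
            # An unchanged resource should validate identically for everyone.
            if va is not None and vb is not None and va != vb:
                notes.append(name + " differs between clean sessions")
        if notes:
            findings[url] = notes
    return findings


if __name__ == "__main__":
    for url, notes in audit(SESSION_A, SESSION_B).items():
        print(url, "->", "; ".join(notes))
```

A differing ETag can also mean the content changed between the two fetches or that differently configured backends answered, so treat a finding as a lead to investigate.
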
~~   Remedies   ~~

    You can prevent this sort of tracking across browser restarts by configuring your browser to clear the disk cache on exit.   Firefox and Tor Browser don’t have such a setting, but you can prevent websites from storing data on your system:
    hamburger|Preferences|AdvancedOptions|Network and check “Tell me when a website asks to store data.”

    But preventing cross-site tracking within a browser session is important as well.   Without doing this your various online accounts can all be linked together, with no warning signs.   You could go so far as to completely disable your browser cache, and you probably wouldn’t notice a reduction in speed or usability, even with content-heavy sites like Facebook.   Completely disabling the browser cache may sound scary, but give it a go.   In Firefox, go to about:config and search for:
    browser.cache.disk.enable and
    browser.cache.memory.enable
    … and double-click each to set them to ‘false’.

    Of course this isn’t a total solution to the problem;   people on slow networks need caching, and web servers and networks would experience a drastic increase in load if everyone made these settings at once.   But as you’re reading this, it may be a solution for you.

    You may also like to prevent any proxies from caching data on your behalf, so you can install the Modify Headers Firefox addon, and configure it to send the following two headers with every request:

    Pragma: no-cache, no-store
    Cache-Control: no-cache, no-store

    Hopefully your proxies will obey…

    I run the Tor Browser almost exclusively, which has updates every couple of weeks.   So each month when I do an apt-get dist-upgrade, I also upgrade my Tor Browser Bundle.   And on each client machine in my LAN I export my Tor Browser bookmarks, erase the ~/.mozilla-tor directory, put in place the new one from the TBB (tor-browser_en-US/Data/Browser) to ~/.mozilla-tor, and then import my bookmarks.   So I start fresh each month.   (My excuse is I was well-indoctrinated in security early on, from my job in the Air Force.)
