Identifying users when they have JS and cookies disabled

Name: Anonymous 2018-06-18 2:02

Some web users disable cookies and JS because of things like tracking or deanonymization. But how about this:

Tracking by performance of cross-site requests.
1x1 transparent PNGs. But they are big files, with a lot of padding. You can easily make an image file bigger by opening it in a text editor and adding random meaningless text after the official EOF. Then save it.

So you can make a pretty big image even when it's a 1x1 transparent/invisible image, not noticeable by the person browsing the site.

Now let's say you had 100+ of these different padding image files, each hosted on a different server in a different location, but with the same domain name (because some people use browser add-ons to track or block cross-site requests). These images can also be updated by the server too, so that there is a difference when the user hits refresh, and it will reload the images because their cache is outdated.

With all these images, you can get the performance information with backend metrics shit. Latency, speed, jitter, packet loss (depending on the transport protocol), and so on. Because the servers the images are hosted on will be in different parts of the world, you can be sure that most people will have very different results. Someone in the US will load the images faster if they're on US servers. Less latency and packet loss too. Someone who lives in China will load images from China faster. Some client-side stuff also affects performance, but that would be the same across multiple visits.

It's not just about location, it's about having a set of identifiers that can be used to consider that particular user to be unique. It doesn't matter if they're using Tor or a VPN, or if they block cookies or javascript. You can still log the performance of these hidden blank images. The more images there are, and in different places, the more accurate it will be, because the odds of someone having the same performance for 100+ of these things is really low. Sort of like cell tower triangulation, if you're familiar with that. I think some of the Snowden leak documents mentioned that shit. Stingrays too. But that's a little off-topic.

Of course, each time, there could be an anomaly for performance (something being way slower than usual), but that's why the server makes changes to the post-EOF padding, in order to make the user's browser reload it. So it will happen again and again. Then, you can use Bayesian stats or some shit to come up with confidence intervals. So then your tracking software would be like "83% confidence +-5% rDev that this is user 234234234234" or something. Or maybe some neural network/deep learning shit.

The only way to mitigate this would be to block images entirely, or to randomize your network speed.

This method isn't perfect, but this is assuming you don't have more traditional methods of tracking available, so it wouldn't be a first resort. Really though, you might want to just do canvas rendering performance if JS is enabled.

Name: Anonymous 2018-06-18 2:04

> Tracking by performance of cross-site requests.
Shit, I forgot to edit that part. I changed it elsewhere.
Here's what that sentence should be:
Tracking by performance of loading images from different servers in different places.
I guess you could use cross-site requests for that, since I think it's more straightforward to have a 1:1 mapping of a server to a domain name than it is to do microservices or some shit for multiple servers for a single domain/subdomain (probably possible but I don't do much container orchestration/microservices shit at the moment), but the kind of people who block cookies and javascript might also block cross-site requests, so it'd be better to have them all on the same domain name.

Name: Anonymous 2018-06-18 3:10

umatrix lets you block images or css by domain and has default options to block 3rd party images and css. Thread neutralized.

Name: Anonymous 2018-06-18 6:15

Tor is the solution.

Name: Anonymous 2018-06-18 10:01

>>3
Wouldn't be third party if it's on the same domain name. You know a single website can correspond to multiple servers, right? You think all of Google is hosted on a single server? No, but just going to google.com takes you to many different servers.

>>4
Tor is not a magic bullet to all security and privacy concerns

Name: Anonymous 2018-06-18 10:41

onion routing makes everyone equally slow

there are more creative ways. like convincing users to send some data like a username password combo or some bitcoins. for a state actor that would be more than enough to go off.

Name: Anonymous 2018-06-18 13:08

>>5
If websites ever start doing this, our browsers can start muddying the data they collect by introducing noise.

Name: Anonymous 2018-06-19 1:54

>>7

If by noise you mean randomizing network speed and latency, then sure. Honestly, that kind of stuff doesn't really matter too much for web browsing. It's not like gaming or something.

It's just like how, when you make an incorrect login attempt on a website, if it's well done, it will have a semi-random sleep/pause before giving you the response that your login info is invalid. That's because, if you didn't get the random delay, you could figure out how much of the password was right based on how long it takes to respond. More correct characters makes the server take longer to process it.

Performance is unique to your machine. It's a kind of fingerprint worth looking into. We focus on exploit mitigation, ASLR, kernel security, IDS/IPS, data exfiltration, etc. but how many people are doing research into performance-based deanonymization/data inference?
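The noise mitigation raised in >>1, >>7 and >>8 can be checked with a small simulation, added here as an example and not written by any poster in the thread: it measures how often a nearest-neighbour match over per-server load times picks the right user, with and without client-side jitter, and when the measurements are averaged over repeated page loads. The population size, latency range, jitter values and the matching rule are all constructed assumptions.

```python
import random

N_USERS, N_SERVERS = 50, 20   # constructed population, not from the thread
NATURAL_JITTER_MS = 5.0       # assumed per-request network noise (std dev)

def observe(baseline, jitter_ms, visits, rng):
    """Mean per-server load time over `visits` page loads.
    The client adds a uniform(0, jitter_ms) delay to every request."""
    means = []
    for base in baseline:
        total = sum(base + rng.gauss(0, NATURAL_JITTER_MS) + rng.uniform(0, jitter_ms)
                    for _ in range(visits))
        means.append(total / visits)
    return means

def reidentification_rate(jitter_ms, visits, seed=1):
    """Fraction of simulated users matched to their own stored profile."""
    rng = random.Random(seed)
    # Each simulated user has a stable latency (ms) to each image server.
    users = [[rng.uniform(20, 300) for _ in range(N_SERVERS)]
             for _ in range(N_USERS)]
    profiles = [observe(u, jitter_ms, visits, rng) for u in users]
    hits = 0
    for uid, u in enumerate(users):
        probe = observe(u, jitter_ms, visits, rng)
        # Squared Euclidean distance from this probe to every stored profile.
        dists = [sum((p - q) ** 2 for p, q in zip(probe, prof))
                 for prof in profiles]
        hits += dists.index(min(dists)) == uid
    return hits / N_USERS

if __name__ == "__main__":
    for jitter, visits in [(0, 1), (1000, 1), (1000, 200)]:
        rate = reidentification_rate(jitter, visits)
        print(f"jitter={jitter}ms visits={visits}: {rate:.0%} re-identified")
```

In this model jitter only helps when it is large compared with the spread between users, and its protection shrinks as the number of averaged page loads grows, so a browser-side defence would also need to limit how often the same resources are re-fetched.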

Name: Anonymous 2018-06-19 1:55

Actually, you know what? I'm going to look up research papers on this. I'm still in university so I get to access all the premium research databases that plebs can't see. It's included in my tuition.

Name: Anonymous 2018-06-19 11:52

>>9
Are you a boomer? I can get any paper now thanks to russian hackers. For free.

Name: Anonymous 2018-06-19 12:27

boom my dubs

Name: Anonymous 2018-06-19 15:57

>>10

You can get malware even from PDFs. You really trust Boris not to trojanize those papers he's offering you for free?

Name: Anonymous 2018-06-19 21:22

>>12
LMAO I'm not using M$ Winblow$ lol no virus here

Name: Anonymous 2018-06-19 21:36

>>13
Where do you think the term ``rootkit'' came from, genius? It certainly wasn't Windows. ``root'' isn't the name of privileged accounts on Windows.

Low quality bait.

Name: Anonymous 2018-06-20 21:04

> The only way to mitigate this would be to block images entirely, or to randomize your network speed.
I remember reading something similar on the old /frog/ IRC. There was a nutjob who said he sent out his messages with random delays because people could identify him by his typing speed or something equally as tinfoily. What >>1-san proposes is not that far-fetched.

Name: Anonymous 2018-06-21 0:03

That depends on the field, >>10-san.

Name: Anonymous 2018-06-21 3:48

>>14
I'm guessing it's a misspelling of ``pootkit'' because they stink if you're pwned by one or ``mootkit'' after the inventor of trolling.

Name: Anonymous 2018-06-21 4:13

>>17
moot didn't invent trolling
it was a thing even back in the days of usenet and dial-in BBSes, though it was usually called ``flaming''

Name: Anonymous 2018-06-21 11:06

>>18
flaming = saying ``you're gay`` 2008
trolling = saying ``your gay`` in 2016

Name: Anonymous 2018-06-21 11:58

>>19
/prague/: saying ``your're are an anus`` in 2018

Name: Anonymous 2018-06-21 14:27

>>20
calling out the anus is not trolling
that was the only way to stop his spamming

Name: Anonymous 2018-06-21 17:57

My'm am are an anus needs're are a hacking

Name: Anonymous 2018-06-21 19:54

>>22 Ok now this is's getting out of hand

Name: Anonymous 2018-06-21 19:59

whomst'd've'ly'yaint'nt'ed'ies's'y'es

Name: Anonymous 2018-06-22 1:27

Diddlydoo dily diddly hoobily gibb8ly gobbily jibbily jabbillydoo

Name: Anonymous 2018-06-22 6:20

>>23
your're are an anus

Name: Anonymous 2018-06-22 8:30

>>26
who's is an anus ?
You're are'st an anus

Name: Anonymous 2018-06-23 12:01

>>22
I love this board.

Name: Anonymous 2018-06-24 0:09

>>28
I love your post! I read it five times! Keep posting!

Name: Anonymous 2018-06-24 18:32

So a solution to >>1's problem is to either stop the browser from refreshing those images to not load in 1x1 images or to not load in completely transparent images.

Another way to identify users is through other data the browser sends like say useragents.

Name: Anonymous 2018-06-24 18:45

>>30
> like say useragents.

Very easy to spoof. There are currently many browser add-ons that let you do that. Or you can use curl or wget or something and specify what you want your browser agent to be (I think).

But the image thing? Much harder to stop.

Name: Anonymous 2018-06-24 20:10

>>15 that isn't farfetched either. Text fingerprinting is a thing, y'know?

Name: Anonymous 2018-06-25 1:12

<---- Identify my dubs

Name: Anonymous 2018-06-25 7:04

The solution to stop tracking:
* disable cookies
* disable js
* disable images
* uninstall browser
* turn computer off
