-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathbrowser-tracking.html
99 lines (84 loc) · 5.3 KB
/
browser-tracking.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
<!DOCTYPE html>
<html lang=en>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="referrer" content="no-referrer">
<meta name="color-scheme" content="light dark">
<link rel="stylesheet" type="text/css" href="/styles.css">
<script src="/theme.js"></script>
<script type="module" src="/button.js"></script>
<title>Browser Tracking | Madaidan's Insecurities</title>
</head>
<body>
<button class="theme-toggle">🌓</button>
<h1>Browser Tracking</h1>
<p class="date"><em><time datetime="2022-03-11">Last edited: March 11th, 2022</time></em></p>
<p>
Many common methods of preventing browser tracking are ineffective. This article goes over misguided ways in
which people attempt to improve their privacy when browsing the web.
</p>
<h2 id="tracker-blockers"><a href="#tracker-blockers">Tracker Blockers</a></h2>
<p>
Blocking a few tracker domains does not actually prevent tracking. You cannot make a list of every single
tracker domain and block them all since there are far too many. <a
href="https://www.ranum.com/security/computer_security/editorials/dumb/">Enumerating badness does not work</a>. <br>
<br>
Even if you did magically create a blacklist of every single tracker domain ever, the website does not need to
connect to a third party domain to run tracking code. For example, blocking Google Analytics does not prevent the
website from simply running their own first party tracking code or even <a
href="https://gist.github.com/paivaric/211ca15afd48c5686226f5f747539e8b">hosting third party tracking code from a
first party domain</a>. <br>
<br>
The website can then share this information to the people that made the trackers you've blocked, so everyone
gets the exact same information they would have gotten in the first place. <br>
<br>
Blocking trackers can only remove some low hanging fruit and is not a proper approach to systemically improving
privacy. This is the reason why <a href="https://2019.www.torproject.org/projects/torbrowser/design/#philosophy">
the Tor Browser does not include any tracker blockers</a>.
</p>
<h2 id="configuring-the-browser"><a href="#configuring-the-browser">Configuring / "Hardening" the Browser</a></h2>
<p>
You cannot configure your browser to prevent tracking either. Everyone will configure their browser differently,
so when you change a bunch of about:config settings, such as <code>privacy.resistFingerprinting</code>, and pile
on browser extensions like Privacy Badger, you're making yourself stand out and are effectively <em>reducing</em>
privacy. <br>
<br>
Additionally, just disabling JavaScript, while preventing large vectors for fingerprinting, does not prevent
fingerprinting entirely. Fingerprinting can be done with only CSS and HTML. One example is <a
href="https://matt.traudt.xyz/posts/2016-09-04-how-css-alone-can-help-track-you/">using @media rules to figure out your
browser resolution</a>. <br>
<br>
You also cannot substantially improve security by configuring the browser. Changing a few settings will not
fix deep architectural security issues. You can at <em>most</em> reduce some attack surface by disabling things,
but most people don't do this to an extent where it actually matters.
</p>
<h2 id="fingerprint-testing-websites"><a href="#fingerprint-testing-websites">Fingerprint Testing Websites</a></h2>
<p>
Fingerprint testing websites, such as <a href="https://coveryourtracks.eff.org/">Cover Your Tracks</a>, <a
href="https://matt.traudt.xyz/posts/2019-01-19-about-to-use-tor/#testing-your-fingerprint">cannot</a>
<a href="https://blog.torproject.org/effs-panopticlick-and-torbutton">reliably</a> <a
href="https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections#why-does-panopticlickefforg-or-some-other-site-say-that-i-am-fingerprintable">
test</a> your fingerprint. <br>
<br>
These websites determine the uniqueness of your fingerprint based off of their own userbase, which will miss out on the
majority of real users, thereby providing inaccurate statistics and is not a viable way of determining how well you fair
off against fingerprinting in the real world. <br>
<br>
These websites also don't test for much. Do these websites fingerprint you by <a
href="https://twitter.com/davywtf/status/1124146339259002881">where your cursor is
on the screen</a>? By your <a href="https://trac.torproject.org/projects/tor/ticket/31324">clock skew</a>?
By the <a href="https://lists.torproject.org/pipermail/tor-dev/2019-August/013989.html">performance of
your device</a>? etc.
</p>
<h2 id="conclusion"><a href="#conclusion">Conclusion</a></h2>
<p>
The only real approach to preventing browser tracking/fingerprinting is by using a browser that is designed
to prevent this by default and the users do not change it. The most effective browser that does this is the
<a href="https://www.torproject.org/">Tor Browser</a>. However, the Tor Browser's <a
href="https://2019.www.torproject.org/projects/torbrowser/design/">fingerprinting protections</a> aren't
perfect, and its security <a href="firefox-chromium.html">is quite weak</a>.
</p>
<a class="back" href="/index.html">Go back</a>
</body>
</html>