Tracking Users Via the Browser Cache

From the department of old things I didn’t know about comes the following bit:

Tracking Users Via the Browser Cache. Original story: meantime: non-consensual http user tracking using caches. Also covered here: Clearing cookies is not enough to save your privacy. And it was already posted on slashdot (so please don’t post it again :)).

As you might know, I personally believe that gaining 100% privacy and anonymity on the ‘net is almost impossible, and if you take every possible step to achieve it, you end up with a web that lacks much of the functionality that makes it so attractive. In the end everybody must decide for themselves, but most people probably have better things to do than run around in a tin-foil hat. Now that I’ve got this off my chest, let’s see the technical details of this new method:

Whenever an object (web page, image, etc.) is downloaded from the web server, additional headers are returned which tell the browser (and any proxy that may sit in between) how long the given object should be cached (caching is essential and improves page loading speed substantially, so no, turning it off is not the solution). The idea is to give the browser an object (and again, this can even be an HTML page, so turning off scripts, images and the like won’t make you bulletproof) with a header that tells the browser the object must be revalidated on every request. Revalidation is the process where the browser asks the web server: “I have the version of this object that was produced on date X, do you have a newer one?”, and the web server answers either “no” or with the new version. If the server handed each new visitor a different date X, that date comes back with every revalidation, so the server can tell exactly when this particular client last loaded a page from it.

This is just another possibility for tracking users on web pages (you can read about others on my blog). Possible defenses would be: (a) turn off caching (and live with very low performance), (b) some finer-grained caching control (which to my knowledge doesn’t exist in any browser), or (c) embrace the truth: as long as they have something that you want, they can demand the price.
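To make the revalidation exchange above concrete, here is a small simulation I am adding to the post (it is not code from the original article). The "server" and "browser" are plain Python objects exchanging header dicts, with no network traffic; the timestamps are constructed values. It shows three things: why a Last-Modified value that is unique per visitor comes back to the origin on every revalidation, a check that flags such per-client validators (the same static object should carry the same validator for everyone), and the finer-grained caching policy mentioned as defense (b), here modelled as "don't store an object that can only be used after a round-trip to the origin". The class and function names are my own.

```python
"""HTTP cache revalidation as a per-client identifier: an offline simulation.

Added example, not from the original post. No network traffic: the
"server" and "browser" below are plain Python objects exchanging header
dicts, which is enough to show why a per-visitor Last-Modified value comes
back to the server on every revalidation, how to spot such validators,
and what a finer-grained browser caching policy changes.
"""
from dataclasses import dataclass
from email.utils import formatdate
import itertools


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes = b""


class TrackingServer:
    """Serves one object. A first-time visitor gets a Last-Modified value no
    one else has, plus a Cache-Control telling the browser to revalidate on
    every use; later If-Modified-Since headers carry that value back."""

    def __init__(self):
        # Last-Modified value handed out -> times it was seen again
        self.seen = {}
        # constructed clock: each new visitor gets the next second
        self._clock = itertools.count(1_000_000_000)

    def handle(self, request_headers, now):
        ims = request_headers.get("If-Modified-Since")
        if ims is None or ims not in self.seen:
            stamp = formatdate(next(self._clock), usegmt=True)
            self.seen[stamp] = [now]
            return Response(
                200,
                {"Last-Modified": stamp,
                 "Cache-Control": "max-age=0, must-revalidate"},
                b"<html>same page for everyone</html>",
            )
        # Revalidation: the stamp identifies the returning client.
        self.seen[ims].append(now)
        return Response(304, {"Last-Modified": ims})


class BrowserCache:
    """Minimal cache. With store_revalidate_only=False it applies the
    finer-grained policy: an object that is usable only after a round-trip
    to the origin is not stored, so no If-Modified-Since is ever sent."""

    def __init__(self, store_revalidate_only=True):
        self.store = {}
        self.store_revalidate_only = store_revalidate_only

    def fetch(self, url, server, now):
        headers = {}
        if url in self.store:
            headers["If-Modified-Since"] = self.store[url].headers["Last-Modified"]
        resp = server.handle(headers, now)
        if resp.status == 304:
            return self.store[url]            # not modified: reuse cached copy
        cc = resp.headers.get("Cache-Control", "")
        if "must-revalidate" in cc and not self.store_revalidate_only:
            return resp                       # policy: use once, do not cache
        self.store[url] = resp
        return resp


def validator_is_per_client(make_server):
    """Fetch the same URL from two fresh caches. A genuinely static object
    carries one Last-Modified for everyone; differing values mean the
    validator encodes the visitor rather than the object."""
    server = make_server()
    a = BrowserCache().fetch("/", server, now=0)
    b = BrowserCache().fetch("/", server, now=1)
    return a.headers["Last-Modified"] != b.headers["Last-Modified"]


def visits_seen(store_revalidate_only):
    """Return what the server learns about one browser that loads the page
    three times under the given caching policy."""
    server = TrackingServer()
    browser = BrowserCache(store_revalidate_only)
    for t in (100, 200, 300):
        browser.fetch("/", server, now=t)
    return server.seen


if __name__ == "__main__":
    print("default cache:", visits_seen(True))   # one stamp, three visit times
    print("no-store policy:", visits_seen(False))  # three unrelated stamps
    print("per-client validator:", validator_is_per_client(TrackingServer))
```

With the default policy the server ends up with a single Last-Modified value and the full list of visit times for that browser; with the stricter policy it sees three unrelated first-time fetches and cannot link them. The `validator_is_per_client` check is the kind of test a privacy-conscious proxy or browser extension could run against a resource: two anonymous fetches of the same static object should not yield different validators.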

On the upside: it seems that currently this is not suitable for cross-domain user tracking without some additional machinery (like JavaScript; then again, if you have JavaScript enabled, all kinds of other techniques can be used).

