Tor NoScript visit tracker (opens in new tab)

(bitbucket.org)

44 pointsSyrup-tan10y ago21 comments

21 comments

What else, besides using Tor, and turning off Javascript, does a user have to do that a website operator finally gets they don't want to be tracked?

emodendroket10y ago

You could use the Stallman method and download pages with wget to read.

ironsides10y ago

stop using repeat offending website

hackuser10y ago

Very few users can detect that they are being tracked, so they can't avoid it. The tracking methods are designed to be undetectable; web beacons are invisible pixels; sites don't tell users: we track this info and share it with these people; even privacy policies usually are ambiguous, and they are too long and complex to read for every site someone visits.

foobiekr10y ago

because sites can be hacked or changed at any time, the ability of users to avoid offenders is basically zero.

nickik10y ago

Also use this EFF Privacy Badger: https://www.eff.org/de/node/73969

korm10y ago

But this can't track individual users, it just provides general usage statistics, like visitor retention.

I'd be interested in a viable example of this being used to identify users.

Leon10y ago

That can help with fingerprinting. Any entropy escaping from a users session is useful.

1 more reply

Syrup-tanOP10y ago

I'm unsure why this is downvoted.

I think he is saying that users can't be tracked between page-loads using this method, or your risk sending multiple users the same token. (which is true, at least with this implementation)

The time they spend on the website, latency, etc can all be used to add to a fingerprint, but there isn't something magic that makes this accurate, especially without JavaScript.

Edit: please don't mind me ghostposting kthx

mordocai10y ago

I may be missing something, but it seems to me that this technique(if not this particular implementation) could be used to easily track individual users.

hackuser10y ago

> NoScript Tracker is a basic tracker that makes use of iframes and the Refresh HTTP header to measure how long users spend on web pages.

> It is ideal for getting basic usage statistics on the Tor network, where JavaScript is not an option for most users.

NoScript can block iframes; will that disable this tracker?

Also, does the Tor Browser, which includes NoScript, default to blocking iframes?

MajesticHobo10y ago

> Also, does the Tor Browser, which includes NoScript, default to blocking iframes?

No. Tor Browser defaults to the lowest security level, allowing all scripts, media, iframes, etc.

alphapapa10y ago

NoScript->Options->Embeddings->Additional restrictions for untrusted sites->Forbid <IFRAME>

Just turned that option on, myself. I might have had it on years ago--can't remember for sure--but now that I know it's being abused, I'll definitely leave it on. IFRAMEs are generally poor practice, anyway.

jakobdabo10y ago

Also, pay attention to these settings in about:config page:

accessibility.blockautorefresh

noscript.forbidBGRefresh

noscript.forbidMetaRefresh

Additionally, you can cherry-pick options (or just use it all) from this repository at https://github.com/pyllyukko/user.js for more privacy.

1 more reply

achairapart10y ago

I will not be surprised at all if something like this will be soon used to circumvent adblockers replacing classic javascript based analytics on the "bright" side of the web.

kaugesaar10y ago

AdBlockers will still block iframes and already does. Those I've seen blocks the full request based on a list of known domains. Many 3rd-party tracking cookies is often placed with help of iframes or a img-pixel.

With Google Analytics you have the option to actually do all the tracking server-side so AdBlockers shouldn't be an issue tracking-wise.

buro910y ago

Before Microsoft gave us the XMLHttpRequest, and before IFRAMEs were everywhere, this is exactly how, and with FRAMESETs and target="" one could track session length, reload other parts of a page after some given time, allow forms to interact with complex flows and various other things.

The "virtually invisible frame loading in the background" trick is going to be around for a long-term and seems destined to be re-learned many times over.

somebody110y ago

Why wouldn't you open a web socket

korm10y ago

Because you can't use WebSockets in the browser without Javascript.

j / k navigate · click thread line to collapse

21 comments

jakobegger10y ago

What else, besides using Tor, and turning off Javascript, does a user have to do that a website operator finally gets they don't want to be tracked?

emodendroket10y ago

You could use the Stallman method and download pages with wget to read.

ironsides10y ago

stop using repeat offending website

hackuser10y ago

foobiekr10y ago

because sites can be hacked or changed at any time, the ability of users to avoid offenders is basically zero.

nickik10y ago

Also use this EFF Privacy Badger: https://www.eff.org/de/node/73969

korm10y ago

But this can't track individual users, it just provides general usage statistics, like visitor retention.

I'd be interested in a viable example of this being used to identify users.

Leon10y ago

That can help with fingerprinting. Any entropy escaping from a users session is useful.

1 more reply

Syrup-tanOP10y ago

I'm unsure why this is downvoted.

I think he is saying that users can't be tracked between page-loads using this method, or your risk sending multiple users the same token. (which is true, at least with this implementation)

The time they spend on the website, latency, etc can all be used to add to a fingerprint, but there isn't something magic that makes this accurate, especially without JavaScript.

Edit: please don't mind me ghostposting kthx

mordocai10y ago

I may be missing something, but it seems to me that this technique(if not this particular implementation) could be used to easily track individual users.

hackuser10y ago

> NoScript Tracker is a basic tracker that makes use of iframes and the Refresh HTTP header to measure how long users spend on web pages.

> It is ideal for getting basic usage statistics on the Tor network, where JavaScript is not an option for most users.

NoScript can block iframes; will that disable this tracker?

Also, does the Tor Browser, which includes NoScript, default to blocking iframes?

MajesticHobo10y ago

> Also, does the Tor Browser, which includes NoScript, default to blocking iframes?

No. Tor Browser defaults to the lowest security level, allowing all scripts, media, iframes, etc.

alphapapa10y ago

NoScript->Options->Embeddings->Additional restrictions for untrusted sites->Forbid <IFRAME>

jakobdabo10y ago

Also, pay attention to these settings in about:config page:

accessibility.blockautorefresh

noscript.forbidBGRefresh

noscript.forbidMetaRefresh

Additionally, you can cherry-pick options (or just use it all) from this repository at https://github.com/pyllyukko/user.js for more privacy.

1 more reply

achairapart10y ago

I will not be surprised at all if something like this will be soon used to circumvent adblockers replacing classic javascript based analytics on the "bright" side of the web.

kaugesaar10y ago

With Google Analytics you have the option to actually do all the tracking server-side so AdBlockers shouldn't be an issue tracking-wise.

buro910y ago

The "virtually invisible frame loading in the background" trick is going to be around for a long-term and seems destined to be re-learned many times over.

somebody110y ago

Why wouldn't you open a web socket

korm10y ago

Because you can't use WebSockets in the browser without Javascript.

j / k navigate · click thread line to collapse