Anonymous on the Internet - Forget it!

By Bas Zurburg at 4. March 2010 16:00 in internet, security

Privacy on the web

 

It is a hot topic for many people, including politicians. Well just forget it, depending who wants to find out, you can't browse anonymously on the internet!

 

  • Some people want to surf anonymously over the web, for whatever reason. 
  • Others are just annoyed by Google's interest in their behavior on the net.
  • Or are worried about general Data Mining practices of certain companies, institutes and governments.
  • Anyway a lot of people are concerned about their privacy on the Internet.

 

 

IP

 

 

Personally I don't mind too much... yet, but I do think that it is NOT just normal or morally acceptable that my Internet behavior is preserved, analysed and commercially used by third companies I didn't give my consent for doing so.

The topic is interesting enough for some more study on the subject.

 

 

How to identify website visitors on the web?

  1. IP address. The IP address is a unique number and the main purpose is to ensure that the requested web content is delivered back to you. Most people today have a fixed IP address.
  2. Cookies. A cookie is a small file that a website can store on the visitors computer. The cookie is returned with any request to the corresponding website by the same visitor. A cookie contains usually specific information about the visitor and can also contain a unique number, e.g. your session id.
  3. Login details. When you log in to a site, you identify yourself. (In order not to have to log in for every page on the same website, the site will set a cookie after a successful login.
  4. Request information. If you request data from a Web server, you send a 'request', the request that you send contains the address you want to visit, your IP address and some other details such as your browser, your host, cookies for that site and other data.
  5. Details of your browser and operating system. Please continue reading...

 

This is nothing special and well known. These items normally provide a good "browsing" experience.

  • Your IP address is a unique number that ensures that the requested web content is delivered to you.
  • A cookie tracks data while visiting a site. HTTP (the protocol used browsing the Web) is stateless. That means that every web page in itself is not aware of the previous or next page. Therefore, certain data is "saved" in cookies (Your browser saves these cookies on your hard drive). Think of your session data so you don't need to log in on every page.
  • On some sites it is useful to log in, e.g. your bank site or your social network site (eg facebook) where your entire profile is stored.

 

Point four: The information you send with your request is useful and often necessary. It helps to return the web content in the correct format. This data is also often used to collect statistics on website visits

 

 

Details of your browser and operating system

The fifth point (details of your browser and operating system) is known too, but I was surprised by the many details and the diversity of the data that can be retrieved. This diversity makes it also possible to identify unique visitors.

 

The main item to uniquely identify a visitor is the ip address, but it could possible that you're surfing from behind a proxy (With a proxy several people use the same IP address and therefore can not uniquely identified by their IP address).

 

The Panopticlick site makes impressively clear that with Javascript much more details of the visitor can be discovered, making the visitor (almost) unique. The Panopticlick site has collected many unique broswer fingerprints (anonymous of course). The additional collected browser data include the fonts installed in your browser browsers and the installed plugins.

 

panopticlick logo
panopticlick

 

Be surprised and try it yourself.

 

 

My Results

I've tried it with different browsers and settings:

  • I started with a normal configuration that I use on a day to day basis to surf the Web. It has Javascript enabled. With all browsers (IE8, Chrome, Firefox and Opera) I had an unique fingerprint among the collected test data (about 710,000 until now).
  • Then I tried some other things (only with FireFox). I turned of off JavaScript, but to my surprise it gave the same result: still unique. - Perhaps I use a very special version of FF?
  • Next I performed the test behind an anonymous proxy with Javascript enabled. Now is it better, only 1 per 237,075 have the same fingerprint.
  • With Javascript turned off I am finally pretty anonymous: "only one in 9,118 browsers have the same fingerprint as yours. using 13.15 bits of identifying information". In the latter case, not all visits can lead to 1 and the same visitor.

 

 

Conclusion

It is best to use an anonymous proxy if you want to be anonymous on the internet. (Wow, that conclusion is really a surprise!)

But make sure you disable Cookies and JavaScript, otherwise you can be identified by your browser fingerprint.

 

This fingerprint could be compared by another site when you are not surfing in stealth mode - Bingo

 

Be aware that some proxy servers log your visits. This data can be retrieved by Government organisations, or can be sold or stolen.

 

 

Related links:

A couple of weeks ago a new Firefox plugin was released to make it more difficult for Google to identify individual web users http://www.googlesharing.net/.

 

I could list a large number of interesting links on this subject, but these are the main links as used for this article:

blog comments powered by Disqus

Latest tweets