Tracking Users Browser Activity Without Javascript
HTML-код
- Опубликовано: 4 авг 2024
- Link to the full security paper
arxiv.org/pdf/2103.04952v1.pdf
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
Etherum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC
USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB
Subscribe to my RUclips channel goo.gl/9U10Wz
and be sure to click that notification bell so you know when new videos are released. - Наука
Two hardest things in computer science: *Cache* invalidation and naming this exploit
@@____-gy5mq wtf
@@____-gy5mq Only at miller grove
@@____-gy5mq .
@@____-gy5mq LMAOOOO
ONLY AT MILLER GROVE
I'm done with the internet. I now send thumb drives with text documents on them in order to communicate with the outside world.
going to MITM your flash drive and put loli hentai on it
@@schizophrenicgaming365 here's my thumb drive and here's a copy if you lose the first one
Ah, so you use freenet then?
Hate to tell you about “bad usb” but Ive played with cheap usb firmware and they are crazy easy to modify and turn malicious or include invisible sectors (partitions you cant see/modify in linux or windows without playing with the firmware again). seriously give it a go with any phsion based usb, theyre extremely common and chances are (atleast p≈3/4)* your “namebrand” flash drive uses one of their controllers. no seriously it is pretty fun screwing around with their firmware but I’d use the chinese software from phison on an air gaped machine or a nested VM.
the asterisk was because I was obviously pulling that number out of my bum.. just incase my hyperbole wasn’t obvious enough.
Every time I watch a Mental Outlaw video I want to install Gentoo
Yes, I did it
Gentoo is a great distribution for giving the computer's owner total control, but they have to work for it.
Oh no! 😳
Just create a browser extension that randomly clears your cache, at random times.
Could that work? Sounds good but i wouldnt know
can you respond to this comment with a link to downloading that extension
I actually thought of randomizing different factors on security so even you are tracked you get a completely different unique internet fingerprint automatically so it’s more convenient. Thanks for the idea stranger.
What if the extension uses JS?
yeah just drop random stuff, browser wont crash :O
Here's a topic for you. Surviving the internet without JS.
I’d love to see that
Make it one level higher - surviving without JS nor CSS! We just saw that CSS can be used for tracking too
He already did a video about gopher
@@csolisr why stop there take it to the ultimate level, 0's and 1's
@@csolisrhow about surviving without JS CSS Cookies and Images since they can track you to
As these hardware based attacks become more common, progress toward the technological singularity will get slower and slower. Sorry, Elon
hardware cringe attacks
I really wanted to leave social media and mainstream services, but the rest of the world is on this fucked up reality and I'm poor and lonely enough to lose my only way of communicating with people.
They're not worthy of you.
@@StellaEFZ Dude, they're the only people I know
Oof.
which services are you on?
I purged all my socials except for Discord. Best decision of my life.
GNUtube
Cache Rules Everything Around Me.
I have to disagree about the convenience of fingerprinting in order to offer particular versions of sites or software downloads. The reason is that the user is not aware of what decisions are silently being made for them, and there is often no convenient way to override these decisions. The most annoying example is the number of websites which decide that because my IP address is in a particular country, I want content delivered in the language of that country. Some sites will even redirect me away from the domain I actually want to visit and force me to a localised version I can't read.
I agree to it. I once tried to download the Windows ISO on a Windows machine but Microsoft kept directing me to their installer tool to make an USB. I just wanted the ISO. I had to change my User Agent to bypass that. It was annoying.
I kinda experience the same thing where some sites give me their sites in their local language and I rly hate it as I can't read that language. also googling directing me local content when I am not looking for local content
thank you for this as always. i share your videos with all of my friends
the more I watch alphanerd the more likely is for the algorithm to decide that I'm not a viable user and deport me
Thank you for putting the Sauce in the description.
doesn't tor browser disable caching so these are not an issue there?
om nom nom no cookies
Thank you! It helped me about understanding the basics of op amps
We live in a dystopian technocracy
...why do you have Artoria eating a fish? She looks like she’s nomming on a fish...
@@liesdamnlies3372 that’s the real story here
The internet was a mistake
bottom website
You wish we lived in a technocracy, as technocracy might insinuate that our leaders are borderline competent, which they very much arent. No, we are just dystopian.
Regarding price discrimination, I heard many years ago that certain sites would charge more for Apple users. Not the same, or even nearly as effective as expensive video cards, but similar.
I love the thumbnail! It’s simple
@Mental Outlaw, wondering if this would detect the host OS/processor/RAM or the guest OS details (if the link was browsed through a VM)
Is it safe to browse the regular web with tor? I mean, if I'm using tor browser in the "safest" security level, is it still possible to be fingerprinted or even to get my real ip address leaked while browsing non-onion sites? Should i then always prioritize onion v3 addresses if i do not want to be tracked at all?
i think another good idea is to have browsers dedicated for certain things like if you need to use a google account for something have a browser for only your google account that way it makes it harder for cross site tracking
Great video. It would be cool if you actively performed how it works on screen
Have you misunderstood the article in the description? It's not really about tracking. It's about side channel attacks on browsers that are more akin to something like Spectre/Meltdown. It can be used for extracting cryptographic keys in memory for example, in addition to the obvious fingerprinting uses you mention. It's far more serious than just "tracking".
Hi, thank you for your videos, I have been watching your videos for awhile. Although I'm not good with Linux or have much knowledge about security, I have been slowly learning each day. I have been using hardened Firefox for several months now, and it has been very difficult to deal with. I need to access several websites for my job and sometimes, web pages break due to disabling Javascript or other tracking features. What advice would you have for the daily user to keep big brother from collecting data while also having some site functionality?
Use a separate browser for those sites. Your company already knows your info so just use brave or regular firefox with ublock origin.
"If you are gonna track me, at least don't use java"
*JavaScript
Just grab a fingerprint randomization (including canvas, hardware, etc) extension. Should be used in tandem with no-log VPN provider. You can even fork from Brave and build yourself if you use un-Googled chromium.
No log vpn's essentially don't exist unless you've built your own or have a RAT botnet at your disposal because of kyc laws
@@egg5474 to my knowledge Mullvad doesn't require any personal information, and ExpressVPN is more or less proven since Turkish authorities seized a server a few years back after an assassination and weren't able to do anything with it. If you really want you can rent a VPS in bitcoin and install wireguard on it pretty easily, although you'll have to make sure your bitcoin can't be traced back to you.
Man, you're so cool, love your videos, especially about crypto. Can you make a video about chainlink going into detail?
super interesting thanks for the video
Is there even a patch for this? Or is this just the kind of problems that can't be solved due to the browsera's structure?
Only patience can use gnu-icecat
So if you disable or clean cache this is mitigated. Would it also help if the browser sandboxes the cache ?
These cache-based side-channel attacks work in the w3m browser?
I just disable html and js in my browser. I have not had any tracking issues so far.
Do you also communicate with web browsers through hand made http requests?
@@tammemmaaref3544 I used to. I use speech to text now
Tracking without JS: cookies.
this
Websites: "You have a RTX 3070. You for sure are rich". Me: "I ate instant ramen during a year to earn for my card".
The "Web Developer" addon for Firefox allows you to disable all CSS styles.
My website wouldn't work for mobile without it detecting that the user is on phone and adding/modifying some stuff so it's usable on phones. Fingerprinting is just another tool. Then again, you said that in the video, I just felt like sharing that for some dopamine
doesn't the user agent do that?
Maybe I'm deaf then
I wonder if running tabs in different container processes mitigates this
Firefox has a container feature, I wonder if that would be useful against this?
Could you do a video on brave search?
So what exactly can be done with this attack? What's the end game?
Can you talk and get the word out about nvidia releasing an un-gimped rtx 3060 driver?
never call a thing un-something “unsinkable” or “unhackable”. Well i guess in the Nvidia’s case they messed up and released the driver themselves so it wasnt technically hacked. Fck you Nvidia
soon we will need to cripple our browsers using some sort of pseudo-rng based algo so every time it opens performance differs from previous browsing sessions
What is a website but information someone might want to know? I personally don't care how crappy it looks as long as I can get the data I want.
Maybe there is a setting or add-on that either segregates cache or limits cache usage by one site to a certain percentage?
Yes.
Firefox does this already :-)
Can you upload the transcript to your phlog so I can read it with Lynx? It really suits my workflow better. Thx 😘
youtube itself generates and provides the transcripts
It's possible to track using favicons too. Check it out if you have not already
I wonder what DuckDuckGo and Opera’s browsers “block trackers” do. How do they determine this, and is it good at it?
Mainly because those are the browsers I use.
Why tf are you using opera lol, I thought they were defunct when nokia's went the way of the dodo
Yeah uninstall opera right now. I used to use opera as my daily driver around 2013-2016 but now it’s been exposed as a total security risk scam
@@Toyking10 ok but how does the DuckDuckGo browser block trackers?
@@KnuxMaster368 no idea I just know Opera is not safe. If I had to guess, I’d guess duck duck go first sends a do not track request then it blocks third party cookies (such as google trackers)
Everytime the cli browsing looks less like a joke
It’s cool and resource efficient
Man you know a lot of things. Thansk to educate me
I use package managers I don’t download applications from the browser
Perhaps an extension that limits cache usage by domain?
Use iptables to rate limit port 53 (DNS)?
Fight fire with fire and make a script that constantly fills the cache with nonsense?
Use TempleOS?
You can set the browser cache small, or disable the cache completely. But That results in more web traffic.
Average social media consoomer vs average privacy enjoyer
First
Video starts at 5:23
i imagine closing the browser for every new page you open would work...?
Mozilla has now cache fragmentation ;)
Web browsers are bloat.
so true
Just turn off cache support on about: config and you're good to go
Welcome to favicon tracking ✨✨✨
(Favicon tracking is even possible with only one webpage)
Let's be honest, disabling Javascript is not a practical, ideal solution to online privacy. A lot of the web benefits from having some sort of scripting. You don't want to reload the page for every interaction. Spoofing of identifiable info would be a lot more interesting imo.
does disabling disk cache protect from this or are pages still cached in memory?
Visiting one site at a time should mitigate this assuming you’re not visiting bad actors consecutively
icecat vs librewolf?
...which is why we should use gopher
so, it isn't JUST THE JS after all? Again I say it now, as I've said it before: your browser is the endpoint to the net, so IT is responsible for most of the data leakage. If one uses a sophisticated VM with any proxy (VPN/Onion p2p networks) then it's as secure, as it could be. Anything but that isn't worth be called secure browsing at all. But do we really need that lvl of privacy? Some of us do, but most of the web users are pretty fine sticking to the good old plain chrome/ffox/opera and whatever browser one'd like.
Show forceful browsing vulnerability next, my friend showed it to me it was amazing how stupid tthe legacy was designed on his teams new project.
"ERROR" I tried to post the truth, LOL.
My post was straight up blocked by RUclips. They aren't even pretending to be unbiased, LOL.
STAB BLACK HATS.
Well yeah they do this constantly if they disagree with you
Mental outlaw talks about price discrimination.
Steam: ok. Say nothing. You will do just fine.
What about just start using a VMs
Hope someone makes a tampermonkey script to search for those massive strings and block them.
Tracking a browser without JS is easy, it is the only one that access the web without JS.
Umatrix could block these attacks, because it can completely block connections to servers
So the Toxy Onion Router isn't secure after all😶
TOR is a VPN designed to account for not being able to trust VPN relays. Useful for obfuscating the source of network traffic. It can do little to protect your connection beyond the outlet node.
I've been using noscript for ages on firefox
at some point everyone is gonna virtualize their hardware
when i go to a download page i wanna see links for all platforms and their respective offline installer
this is getting out of hand...
This tracking technique is called *Fingerprinting.*
There are anti-tracking plugins that relay false & random information to the sites, to try to avoid this kind of tracking (I don't know how effective it is (@Mental Outlaw, hint hint)).
You can *search for: "Fingerprint Defender"* to find those plugins.
*Firefox:* addons.mozilla.org/sv-SE/firefox/search/?q=Fingerprint%20Defender
*Chrome:* chrome.google.com/webstore/search/Fingerprint%20Defender?hl=en&_category=extensions
For algo
Aight imma block htmll and css too
3:12 don’t give them ideas
Instructions unclear, madonna is now crying and won't leave
At least you have a way to fight back in the web. But in the Apps (Apple store, Play store) you don't have any control over the application. :|
You may install apps not from Google Store ;-)
Even more risky@@igorthelight , because at least Google Store has devs checking for malicious code in the apps.
@@wakematta True.
But this is a "take your poison" situation:
* Google Play programs that spies on you
OR
* Alternatives but you have to check them with your antivirus
Hi
GIVE.ME.YOUR.DATAAAAAAH!!!!! *hiss*
This is interesting but I feel like it is a highly degenerate system. I cant imagine this method could ever work outside of highly specific situations
Can you make an application in VB to track down a users IP? (Must have a GUI)
go away
@@user-mx4vd4ow2e it is a movie reference
Fifth
Reading from your cache is nothing like spectre or meltdown. WTF are you talking about?
Just stop using internet
toropov
fucking hell not only was RMS right, he wasn't being schizo enough about being tracked
I go to obobaobababa base bye.
Good luck lol my browser has 330 different tabs opened
doesn't matter it's not like a person manage this data.. it's an AI
haha, hacking with HTML is true afterall
VPNs are in fact useful, they aren't glorified proxies, that said TOR is as useless cause of Javascript and hardware level Spyware. The best way to stay private is to blend in, turtling up only makes agencies interested
True
Google: New tracker method found! It runs without JavaScript, so we will put it in every service we own!
People will be kicking themselves in few weeks if they miss the opportunity to buy and invest in bitcoin
Investing in crypto is the only big chance of making money
For real crypto is profitable
Crypto is the new gold .
I wanted to trade Crypto but got confused by the fluctuations in price
@@cryptocapitalventure7586 That won't bother you if you trade with a professional like Mr William Ava
will we ever be free from this shit?