pull down to refresh

supercookie: ⚠️ Browser fingerprinting via favicon - jonasstrehlegithub.com/jonasstrehle/supercookie/
438 sats \ 12 comments \ @Scoresby 16 Nov devs

Is this as bad as it sounds?

Supercookie uses favicons to assign a unique identifier to website visitors.
Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user.

The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the operating system, using a VPN or installing AdBlockers. 🍿 Live demo.
write
preview
related posts
123 sats \ 5 replies \ @optimism 17 Nov

This repo was created 4 years ago. Questions:

  1. Why does it pop up now?
  2. What makes us think that this has been ignored by privacy focused implementations like Brave or Safari in Lockdown Mode?
reply
100 sats \ 4 replies \ @Scoresby OP 17 Nov

Good point about the age of the repo. I found out about it because Alex Lewin mentioned it. I'm not sure what brought it across his radar.

Seems like consensus here is that it requires so many redirects that it's not particularly practical.

reply
102 sats \ 3 replies \ @optimism 17 Nov
Alex Lewin

Is that a browser security researcher?

Seems like consensus here is that it requires so many redirects that it's not particularly practical.

To me it's more that this is easy to fix within a few days, let alone 4 years. I can go test it out though... but I fear I'd waste my time.

reply
100 sats \ 2 replies \ @Scoresby OP 17 Nov

It's probably a waste of time.

Alex Lewin is a lightning developer, who I believe works on fedi.

reply
102 sats \ 1 reply \ @optimism 17 Nov

Alright. I'll try it out at some point, just so we know whether they should be listened to.

reply
0 sats \ 0 replies \ @Scoresby OP 17 Nov

I believe he came to a similar conclusion as others here (just after I posted it here):

source

reply
173 sats \ 3 replies \ @k00b 16 Nov

The attack requires floor(log2(id))+1 redirects where id is a numerical identifier.

They have a chart here which expresses the feasibility in terms of how many seconds it takes to perform the redirects required for generating ids in ranges of a certain size.

If someone were to use this attack at scale, they would probably pair it with some other kind of browser fingerprinting, because this is basically another, expensive but precise, method of fingerprinting.

If your browser redirects you more than a few times when you visit a website, I don't know what would make you stay/return.

reply
50 sats \ 2 replies \ @WeAreAllSatoshi 17 Nov

Don’t browsers stop redirecting after a certain number? I think there’s literally an error code in chromium for too many redirects

reply
50 sats \ 1 reply \ @k00b 17 Nov

Their demo manages to do 36 of them. Perhaps the limit only applies to server side redirects

reply
0 sats \ 0 replies \ @WeAreAllSatoshi 17 Nov

Oh yea, probably so.

reply
102 sats \ 0 replies \ @adlai 17 Nov

fonts are worse

reply
0 sats \ 0 replies \ @SimpleStacker 17 Nov

It's cute but doesn't seem very practical. It also only lets them identify that a browser visited their site previously. I don't think it lets them track any of your internet activity outside that website even if they've identified your browser

reply