Any way to disable "favicons"/"supercookies"?

Walter Dnes
Astronaut
Posts: 633
Joined: 2015-07-30, 20:29
Location: Vaughan, ON, Canada

Any way to disable "favicons"/"supercookies"?

Post by Walter Dnes » 2021-02-11, 11:08

This appears to apply to all OSes, so I'm posting here. According to https://gizmodo.com/favicons-could-be-t ... 1846229089 "Favicons Could Be the Supercookie That Tracks You Everywhere".
German software designer Jonas Strehle has published a proof of concept on GitHub that he says demonstrates a method in which the favicon’s cache can be used to store a unique identifier for a user that is readable "in the browser’s incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers."
The answer would seem to be an option to not load favicons in the first place, and another option to flush them at will. Any comments?
There's a right way
There's a wrong way
And then there's my way

fatboy
Lunatic
Posts: 301
Joined: 2017-12-19, 08:03

Re: Any way to disable "favicons"/"supercookies"?

Post by fatboy » 2021-02-11, 11:14

Oops. I also posted about this haha
Systemd Free - MX Linux & Artix Linux

gepus
Astronaut
Posts: 564
Joined: 2017-12-14, 12:59

Re: Any way to disable "favicons"/"supercookies"?

Post by gepus » 2021-02-11, 13:30

browser.chrome.site_icons set to false

Moonchild
Pale Moon guru
Posts: 29328
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Any way to disable "favicons"/"supercookies"?

Post by Moonchild » 2021-02-11, 14:27

So when the browser requests a web page, if the favicon is not in the local F-cache, another request for the favicon is made. If the icon already exists in the F-Cache, no further request is sent.

By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client.

When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.
You know, this just isn't true, and unreliable even if it worked.
Think about this: By measuring requests for favicons you will cause the browser to request these icons. So the page reload will show an "all visited" status because favicons have been requested and stored in the browsing cache.
So this works ONLY ONCE, and then you'd be in a status of "all visited". So reconstructing the identifier on a new visit/a visit elsewhere based on "what has been visited of the sites tested" will not work, and as such you can't correlate one visit to another or track anyone on the web.
In addition, the tracker attempting this would be relying on volatile cache entries that can be purged at any time from one site to the next.

So, before you cripple your browsing experience by switching off favicons, use your brain. :ugeek:
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

edzieba
Newbie
Posts: 3
Joined: 2021-02-24, 14:10

Re: Any way to disable "favicons"/"supercookies"?

Post by edzieba » 2021-02-24, 14:29

Paper is now out: https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf

The attack works. The injected fingerprint can persist for more than one session: the server detects the first page load - with generic favicon - as requesting page contents but not the favicon, and for that session will return all subsequent favicon requests as a 404. From there, you bombard the browser with subdomain redirects, each requesting a different 'fingerprint' favicon, and see which result in the browser requesting a favicon and which do not. The 404s mean the browser does not modify the favicon cache fingerprint (no new entries, no removed entries). However, even if the fingerprint only persisted for one session, that is sufficient to bypass 'incognito mode' and match a previous session with the new one (and allow egregious behaviour like inflating flight and hotel booking prices for destinations you've previously browsed, something that switching to incognito mode is usually proof against without need to go full Tor + Tails).

Mainline Firefox has a bug that is also a solution to the attack: it caches the favicon, but regardless of a cache entry it requests a favicon every time anyway! Problem solved, data leak eliminated without losing the pretty little pictures, at the cost of an unnoticeable increase in bandwidth usage. More elegant solutions are possible to save a few bits, but seem frankly unnecessary.
In addition flushing the favicon cache can be added to the clear-cookies-and-so-on sequence, as could having Incognito mode ignore any existing favicon cache entries, but if the former mitigation is in place those become more belt-and-braces options than necessities.
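As an added illustration (not code from the paper, the PoC, Firefox or Pale Moon), the following toy model plays out the write/read exchange described in this thread against an idealised favicon cache and checks which of the mitigations mentioned here (disabling site icons via the pref, or requesting the icon on every load regardless of the cache, as edzieba reports Firefox does) leave the tracker unable to read an identifier back. Hostnames, the `favicons`/`always_fetch` flags and the 8-bit identifier are constructed for the model.

```python
ID_BITS = 8
# Constructed hostnames: the tracker maps one identifier bit to each subdomain.
SUBDOMAINS = [f"bit{i}.tracker.example" for i in range(ID_BITS)]


class Browser:
    """Idealised browser. favicons=False models browser.chrome.site_icons=false;
    always_fetch=True models requesting the icon on every load even when cached."""

    def __init__(self, favicons=True, always_fetch=False):
        self.cache = set()            # hosts whose favicon is currently cached
        self.favicons = favicons
        self.always_fetch = always_fetch

    def visit(self, host, server):
        if not self.favicons:
            return                    # page loads, the icon is never requested
        if self.always_fetch or host not in self.cache:
            if server.favicon_request(host) == 200:
                self.cache.add(host)  # a 404 answer leaves the cache untouched


class Tracker:
    """Server side of the exchange: a 'write' pass serves icons for 1-bits,
    a 'read' pass answers every icon request with 404 and records who asked."""

    def __init__(self):
        self.mode, self.ident, self.requested = "read", 0, set()

    def favicon_request(self, host):
        self.requested.add(host)
        bit = (self.ident >> SUBDOMAINS.index(host)) & 1
        return 200 if self.mode == "write" and bit else 404

    def write_id(self, browser, ident):
        self.mode, self.ident = "write", ident
        for host in SUBDOMAINS:
            browser.visit(host, self)

    def read_id(self, browser):
        self.mode, self.requested = "read", set()
        for host in SUBDOMAINS:
            browser.visit(host, self)
        # A host whose icon was NOT requested must already be cached: a 1-bit.
        return sum(1 << i for i, h in enumerate(SUBDOMAINS) if h not in self.requested)


def leaks_identifier(**browser_opts):
    """True if the tracker reads back two different identifiers it wrote."""
    results = []
    for ident in (0x5A, 0xA5):
        browser, tracker = Browser(**browser_opts), Tracker()
        tracker.write_id(browser, ident)
        results.append(tracker.read_id(browser) == ident)
    return all(results)
```

With default caching the read pass recovers the written value and can be repeated, since the 404 answers change nothing; with either mitigation every browser yields the same constant (all requested, or nothing requested), so no identifier survives. A fresh private window in this model is simply a `Browser()` with an empty cache, which reads as 0.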

Moonchild
Pale Moon guru
Posts: 29328
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Any way to disable "favicons"/"supercookies"?

Post by Moonchild » 2021-02-24, 15:38

Not sure why you're posting this here. Your post obviously talks about Chrome (we don't have "incognito mode", for example); did you just copypasta?

Also you're clearly ignoring what I wrote above.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

edzieba
Newbie
Posts: 3
Joined: 2021-02-24, 14:10

Re: Any way to disable "favicons"/"supercookies"?

Post by edzieba » 2021-02-25, 21:00

Moonchild wrote:
2021-02-24, 15:38
Not sure why you're posting this here. Your post obviously talks about Chrome (we don't have "incognito mode", for example) did you just copypasta?
'Private' mode, 'InPrivate' mode, 'Incognito' mode, whatever you want to call the particular flavour of "window opens without access to previous session data" mode. What you want to brand it is not particularly relevant to its functioning.
Also you're clearly ignoring what I wrote above.
As are you. I explained directly - as well as linking the paper that details it further - why the attack does indeed work, and why your claim:
By measuring requests for favicons you will cause the browser to request these icons. So the page reload will show an "all visited" status because favicons have been requested and stored in the browsing cache.
is incorrect. The attack does not work that way.

It's all detailed in the linked paper if you do not wish to read my post. Or you can skip that too, and look through the code of an independently implemented proof-of-concept. Or you can also try that PoC here. I tested with Palemoon, and it successfully wrote and read a persistent ID. While that PoC brute-forces the reading and writing of the ID with very obvious redirects, it could in theory be implemented by serving unique URLs to the user and allowing them to unknowingly navigate themselves down the selection tree during normal browsing.

Moonchild
Pale Moon guru
Posts: 29328
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Any way to disable "favicons"/"supercookies"?

Post by Moonchild » 2021-02-25, 22:35

All nice and good if you have full control over the specific server requests for favicons, but my point is that for the normal web you don't, not for a sampling of existing websites. This means that "writing" to the favicon cache would never be under your control.

Unless I completely miss the premise behind this kind of "supercookie" to fingerprint users based on websites they have visited, and it is actually something that requires a user to visit a tracking server first to set this up THEN have that server's code be deployed on countless other sites also visited by the user to "follow them around"; which is, frankly, very unlikely.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

New Tobin Paradigm
Knows the dark side
Posts: 8963
Joined: 2012-10-09, 19:37
Location: Seriphia Galaxy

Re: Any way to disable "favicons"/"supercookies"?

Post by New Tobin Paradigm » 2021-02-25, 23:30

If people are so concerned about favicons being some sort of issue... Why not just flip browser.chrome.favicons and browser.chrome.site_icons, then grab your collection of foil hats (which actually conduct signals, not block them) and move on believing whatever nonsense gets media attention.
As a young boy, I dreamed of being a baseball.
But tonight I say, we must move forward, not backward; upward, not forward; and always twirling, twirling, twirling towards freedom!


Moonchild
Pale Moon guru
Posts: 29328
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Any way to disable "favicons"/"supercookies"?

Post by Moonchild » 2021-02-25, 23:44

As far as I can tell the demo fails to persistently fingerprint Pale Moon, anyway.
  1. Ran the demo, got E2 95 14 21 C9 95
  2. Went to permissions, demo.supercookie.me
  3. Clicked "forget about this site"
  4. Ran the demo, got 62 70 01 A3 87 90
  5. Opened a private browsing window
  6. Ran the demo, got 78 A7 58 B3 B0 40
And since we still have a status bar, a shit ton of rapid fire redirects will also be painfully visible to the user...
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

moonbat
Moon Magic practitioner
Posts: 2785
Joined: 2015-12-09, 15:45

Re: Any way to disable "favicons"/"supercookies"?

Post by moonbat » 2021-02-26, 00:07

Off-topic:
Moonchild wrote:
2021-02-25, 23:44
And since we still have a status bar, a shit ton of rapid fire redirects will also be painfully visible to the user...
For those who haven't decided to Australis-ify their UI by removing it ;)
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 20.1 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
Advanced URL Builder(fork)|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

Moonchild
Pale Moon guru
Posts: 29328
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Any way to disable "favicons"/"supercookies"?

Post by Moonchild » 2021-02-26, 00:08

Off-topic:
moonbat wrote:
2021-02-26, 00:07
For those who haven't decided to Australis-ify their UI by removing it ;)
PEBCAK
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

edzieba
Newbie
Posts: 3
Joined: 2021-02-24, 14:10

Re: Any way to disable "favicons"/"supercookies"?

Post by edzieba » 2021-02-26, 10:33

Moonchild wrote:
2021-02-25, 22:35
All nice and good if you have full control over the specific server requests for favicons, but my point is that for the normal web you don't, not for a sampling of existing websites. This means that "writing" to the favicon cache would never be under your control.

Unless I completely miss the premise behind this kind of "supercookie" to fingerprint users based on websites they have visited
The goal is to add a fingerprint using a website you control (e.g. UnscrupulousAirLineTicketSeller.com), and be able to subsequently read that fingerprint back either by:
- The same website you control (confirming the same user has visited your site regardless of whether they are using Private/Incognito/etc. or have cleared browsing data)
- A different website you control
- A third party website that is using the same favicon fingerprinting service

'Visibility of rapid fire redirects' is purely a red herring: If instead of rapid forced redirects normal page-to-page user triggered browsing is used, the same fingerprint reading and writing can still occur.

If Palemoon is already resistant, great. Best to make sure it stays that way by design rather than by accident (as mainline Firefox was).

Moonchild
Pale Moon guru
Posts: 29328
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Any way to disable "favicons"/"supercookies"?

Post by Moonchild » 2021-02-26, 11:09

So the goal is to identify a user on websites directly controlled by the malicious actor -- that's not tracking, and doesn't need to use something as elaborate as this (if you control the websites it's as simple as using e.g. an invisible pixel strategy to track/recognise a returning user, or even something server-side only that is completely transparent).
edzieba wrote:
2021-02-26, 10:33
If instead of rapid forced redirects normal page-to-page user triggered browsing is used, the same fingerprint reading and writing can still occur.
That's not very realistic of a tactic either. Your granularity will then be variable (=unreliable) and directly dependent on the bounce rate for the site. When was the last time you browsed 16 pages in a row on a new website you're visiting?

As already pointed out there are much more reliable ways to identify and track users on the public web, and if you're really that concerned that this will be used in practice, then you have to only flip a preference to disable favicons altogether. I don't see any point in further discussing this.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
