What server-side evidence can be used to conclusively identify a computer?

ZippyDan

Platinum Member
Sep 28, 2001
2,141
1
81
From a forensic point of view, is there any kind of data that most server-side web applications (I'm thinking gmail, hotmail/outlook.com, Facebook, iCloud, etc.) would routinely store that could conclusively identify a specific computer? An IP address will only identify a connection, but not a computer.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,049
182
116
Some networks can track MAC addresses too, I believe. Correct me if I'm wrong.
 

Red Squirrel

No Lifer
May 24, 2003
67,986
12,403
126
www.anyf.ca
Some networks can track MAC addresses too, I believe. Correct me if I'm wrong.

MAC only works between networks, so they'd only get the MAC of the router it's connected to.

Cookies can somewhat be used, then there are "super cookies"; those are kinda scary, as they are not that obvious to clear. Basically uses Flash and stuff. I think if you have Flash disabled by default you're safe from those.

Then there's browser user agent, with all the variations of OSes, browsers, versions, etc. that fingerprint ends up being quite unique. I really think the browser makers need to get together and come up with a standard so that less info is shown. They would have to all collectively do it; if one person does it, then they just made an even more unique fingerprint for themselves. IP address range can also be used in combination with other info.

If you see an entry from same IP range and same browser user agent, chances are half decent it's the same person.

Then there's all the stuff Facebook and Google do, I won't pretend to understand it but they are pretty good at being able to ID individuals quite accurately even between different computers. I've searched for stuff at home, and get to work and see ads on Facebook for what I searched for at home. I think they use non human audible audio to communicate with your phone, so if your phone is near your computer it basically tracks what you do online too. Just a guess.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
Any electronic emitter can be "fingerprinted."
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
Then there's browser user agent, with all the variations of OSes, browsers, versions, etc. that fingerprint ends up being quite unique.

On its own the user agent isn't very useful but when it's combined with other forms of available data is when it can be useful. A unique fingerprint will often come from seeing a user agent, which on its own may be used across a number of different clients, combined with other specifics such as Flash versions, available plugins, among a number of other things which a site can get from your browser.

I really think the browser makers need to get together and come up with a standard so that less info is shown.

Well if you're just using the latest stable version of a browser that's pretty much guaranteed to be the least unique. There are ways to override the user agent in most browsers but in doing so you could wind up giving yourself an even more unique fingerprint since as you've also said it's a combination of many things.

There are even ways which servers can determine if you're connecting to it through a VPN[1].

[1] http://witch.valdikss.org.ru
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
ZippyDan, you might want to remove your Skype. I can use a Skype resolver and grab your IP and I see your mug.
 

sn8ke

Member
Sep 19, 2004
102
1
76
Works in crappy Chrome to set the uid, but my other browsers with their privacy/security addons it would not even set the uid.
That's an old proof of concept type thing as I recall, but it's surely evolved since and companies have their own proprietary forms of them which are surely far more advanced. It's how governments have tracked TOR users in the past.
Well if you're just using the latest stable version of a browser that's pretty much guaranteed to be the least unique. There are ways to override the user agent in most browsers but in doing so you could wind up giving yourself an even more unique fingerprint since as you've also said it's a combination of many things.

There are even ways which servers can determine if you're connecting to it through a VPN[1].

[1] http://witch.valdikss.org.ru
Very interesting link, thanks. It detects stuff from me that others have not, even without js. Gonna look more into it.

Related & handy web app to detect how unique you are online: https://panopticlick.com
 

ZippyDan

Platinum Member
Sep 28, 2001
2,141
1
81
Then there's browser user agent, with all the variations of OSes, browsers, versions, etc. that fingerprint ends up being quite unique. I really think the browser makers need to get together and come up with a standard so that less info is shown. They would have to all collectively do it; if one person does it, then they just made an even more unique fingerprint for themselves. IP address range can also be used in combination with other info.

If you see an entry from same IP range and same browser user agent, chances are half decent it's the same person.

Then there's all the stuff Facebook and Google do, I won't pretend to understand it but they are pretty good at being able to ID individuals quite accurately even between different computers. I've searched for stuff at home, and get to work and see ads on Facebook for what I searched for at home. I think they use non human audible audio to communicate with your phone, so if your phone is near your computer it basically tracks what you do online too. Just a guess.

But since Chrome auto-updates, it doesn't seem to me that that fingerprint would remain unique for long?
 

bononos

Diamond Member
Aug 21, 2011
3,894
162
106
But since Chrome auto-updates, it doesn't seem to me that that fingerprint would remain unique for long?
I would think that browser fingerprinting would take updates into account by assuming version numbers would increase.

The newer fingerprinting methods work through WebGL (like HTML5 canvas) and AudioContext APIs.
 

lxskllr

No Lifer
Nov 30, 2004
57,713
7,955
126
Conclusively? Nothing. Others have given examples of sometimes strong *evidence* of a specific computer, but they all can be faked in some form or another. The only conclusive way is to monitor the traffic from both ends.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
Very interesting link, thanks. It detects stuff from me that others have not, even without js. Gonna look more into it.

I don't think it uses JavaScript. It uses stuff like MTU/MSS sizes and TCP connection properties to figure it out. Different ciphers in OpenVPN have different values which can end up being a fingerprint in itself.
 

Red Squirrel

No Lifer
May 24, 2003
67,986
12,403
126
www.anyf.ca
Actually that's another thing, how can VPN even be detected? As far as the remote computer is concerned it should just be seeing a regular connection coming from the VPN server, but as a plain old normal unencrypted connection. But seems that's not the case. When I'm at work I often VPN into my home network as I may access stuff there or what not, and I was looking at this security site and it said it could detect openvpn. Seems kind of alarming that browsers are sending out way more info than they should.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I actually tried this in plain Chrome as well and still couldn't detect OpenVPN. So I'm thinking the creators of my VPN did something to prevent that leak. Not sure. I do know they are pretty up and up on this stuff when I wrote to them asking if they had port forwarding on because if so that right there will leak your real IP.
 

bononos

Diamond Member
Aug 21, 2011
3,894
162
106
Actually that's another thing, how can VPN even be detected? As far as the remote computer is concerned it should just be seeing a regular connection coming from the VPN server, but as a plain old normal unencrypted connection. But seems that's not the case. When I'm at work I often VPN into my home network as I may access stuff there or what not, and I was looking at this security site and it said it could detect openvpn. Seems kind of alarming that browsers are sending out way more info than they should.

I don't think it's a problem with the browser. The security website probably looked up your IP against a list of known OpenVPN nodes. That's the same way websites detect Tor users.
 

bononos

Diamond Member
Aug 21, 2011
3,894
162
106
I actually tried this in plain Chrome as well and still couldn't detect OpenVPN. So I'm thinking the creators of my VPN did something to prevent that leak. Not sure. I do know they are pretty up and up on this stuff when I wrote to them asking if they had port forwarding on because if so that right there will leak your real IP.

You use chrome? For someone who seems to be careful about privacy, why not use a chromium browser - epic, slimjet, vivaldi, opera? All 4 have a decent privacy policy I think, especially epic.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
I actually tried this in plain Chrome as well and still couldn't detect OpenVPN. So I'm thinking the creators of my VPN did something to prevent that leak. Not sure. I do know they are pretty up and up on this stuff when I wrote to them asking if they had port forwarding on because if so that right there will leak your real IP.

It's highly dependent on VPN settings so if things such as MTU or mss-fix are changed then this might affect detection. It's not meant to be perfect. Which browser you use shouldn't matter.

I don't think it's a problem with the browser. The security website probably looked up your IP against a list of known OpenVPN nodes. That's the same way websites detect Tor users.

No it doesn't. It uses TCP fingerprinting such as MTU size to figure out OpenVPN settings. Common configurations stand out. Which browser you use should have no effect.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
You use chrome? For someone who seems to be careful about privacy, why not use a chromium browser - epic, slimjet, vivaldi, opera? All 4 have a decent privacy policy I think, especially epic.


No, I don't use Chrome as my main browser. But it's installed for when my addons screw up a badly coded website so much I have to use something plain vanilla. Even then I try Cyberfox first. And if that doesn't work usually Chrome will. I find it completely stupid that websites sniff the user agent and render pages better in certain browsers. In fact, the Facebook ad manager only works in Chrome.
 

Red Squirrel

No Lifer
May 24, 2003
67,986
12,403
126
www.anyf.ca
I don't think it's a problem with the browser. The security website probably looked up your IP against a list of known OpenVPN nodes. That's the same way websites detect Tor users.

But how would it know my network is a VPN node? It's not like it's public or something. In fact the Open VPN is on a non default IP range and only accessible from my work IP. So even if they do a port scan it would not detect it. Seems to me the browser, or some other part of the communication must be sending out some kind of data indicating there is a VPN server. That is kinda alarming, it's information on my network that I rather not get out, because, what else is leaking?
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
But how would it know my network is a VPN node? It's not like it's public or something. In fact the Open VPN is on a non default IP range and only accessible from my work IP. So even if they do a port scan it would not detect it. Seems to me the browser, or some other part of the communication must be sending out some kind of data indicating there is a VPN server. That is kinda alarming, it's information on my network that I rather not get out, because, what else is leaking?

I think TheRyuu described it in post #21.

I found the article that goes with the test site[1]. From the article:
Because of this unique MSS values, we can determine not only if the user is connected via OpenVPN , but also used connection protocol (IPv4, IPv6), transport protocol (UDP, TCP), cipher, MAC and compression as they affect MSS.

And for avoiding this kind of detection:
If you don’t want to be identified, you can disable mssfix, just set it to zero on both server and client. With mssfix 0 your MSS would be 1460 which corresponds to MTU 1500 for IPv4 connection, and you’ll get fragmentation which leads to lower connection speed and higher latency. It may be better to disable OpenVPN mssfix and use more generic MSS values, like 1400 or 1380 (should be modulo 2 or better 10) as this values are often used for cellular connections.

As for Tor:
WITCH? also detects Tor Browser users because Tor exit nodes are usually running on Linux or FreeBSD and Tor Browser has Windows User-Agent on all platforms.

[1] https://medium.com/@ValdikSS/detect...rs-on-the-server-side-1bcc59742413#.uztapvlei
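
The server-side consistency check that the quoted article describes, sketched as an added example (not part of the thread and not the WITCH? tool's code): it reads the MSS option from a TCP SYN header and compares the TCP stack's apparent OS with the User-Agent. The function names, the TTL thresholds (common initial TTLs of 64 and 128) and the sample SYN headers are assumptions constructed for illustration.

```python
import struct

def parse_mss(tcp_header: bytes):
    """Return the MSS option (kind 2) from a raw TCP header, or None."""
    if len(tcp_header) < 20:
        return None
    hdr_len = (tcp_header[12] >> 4) * 4          # data offset field, in bytes
    if hdr_len < 20 or hdr_len > len(tcp_header):
        return None
    opts, i = tcp_header[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # end of option list
            break
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts): # malformed option, stop parsing
            return None
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def assess(tcp_header, ttl, user_agent, ipv6=False):
    """Heuristic findings only: every signal used here can be changed by the client."""
    findings = []
    mss = parse_mss(tcp_header)
    if mss is not None:
        mtu = mss + (60 if ipv6 else 40)         # IP header + TCP header
        if mtu < 1500:
            findings.append(f"mss={mss} implies MTU {mtu} < 1500: tunnel, PPPoE or cellular link possible")
    # Assumed thresholds: initial TTL 64 (Linux/BSD) vs 128 (Windows), minus hops.
    stack = "unix-like" if ttl <= 64 else "windows" if ttl <= 128 else "other"
    if "Windows" in user_agent and stack == "unix-like":
        findings.append("User-Agent claims Windows but TTL suggests a unix-like TCP stack")
    return findings

def build_syn(mss):
    """Constructed sample: a 24-byte TCP SYN header carrying only an MSS option."""
    fixed = struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return fixed + struct.pack("!BBH", 2, 4, mss)
```

A finding here is supporting evidence at most: an MSS of 1460 with a matching TTL says nothing either way, and a client can set both values to whatever it likes.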
 