Grepular

Preventing Web Tracking via the Browser Cache

Written 13 years ago by Mike Cardwell

If your web browser uses a cache (it almost certainly does), it is possible to track you cross-site and across browser restarts, even if you disable or clear cookies and LSO-cookies. This is not something with a simple fix. There is no single method for doing this; it is a technique that can be implemented in dozens of different undetectable ways. A few examples:

1.) Using entity tags

Send the following HTTP Response header to a browser:

ETag: "**UNIQUE_ID**"

When the browser “fetches” the same resource later, it will send the unique ID along with the request:

If-None-Match: "**UNIQUE_ID**"

2.) Storing arbitrary data in the Last-Modified header

If you send an HTTP response header as follows:

Last-Modified: **UNIQUE_ID**

The browser will send back the UNIQUE_ID when you make the same request later on:

If-Modified-Since: **UNIQUE_ID**

3.) Long cache CSS referring to a unique no-cache resource

Send the browser some dynamically generated CSS with a long cache time like this:

#element { background-image:url('/tracker.php?**UNIQUE_ID**') }

When the browser applies the CSS and requests /tracker.php?UNIQUE_ID, make sure the response carries HTTP headers that tell it not to cache.

4.) Embedding codes in images and decoding them using JavaScript Canvas

Encode UNIQUE_ID in an image format such as GIF or JPEG. Send that image to the browser with cache headers far in the future, e.g.:

Cache-Control: public, max-age=315360000
Expires: Fri, 31 Dec 2021 00:00:00 GMT

Then read the image using JavaScript and canvas in the browser, and decode the UNIQUE_ID from it.

To prevent this sort of tracking across browser restarts, you can simply configure your browser to clear the disk cache on exit.

Preventing cross-site tracking within a single browser session is important too though. Otherwise, your various online accounts can end up being linked together without your knowledge. I’ve completely disabled my browser cache in response to this problem, and I haven’t yet experienced a noticeable reduction in speed/usability, even when using content-heavy sites like Facebook. Outright disabling the browser cache sounds scary and may not be for you depending on your network performance, but don’t dismiss the idea without giving it a try first. Under Firefox, I disabled both my disk and in-memory cache by visiting about:config in the address bar, searching for the configuration items, “browser.cache.disk.enable” and “browser.cache.memory.enable”, and toggling them both to “false”.

I am well aware that this isn’t a global solution to the problem. Many people on slow networks need caching, and many web servers and networks would experience a drastic increase in load if everyone switched overnight. If you’re reading this, it may be a solution for you though.

I also wanted to prevent any proxies from caching data on my behalf, so I installed the Modify Headers Firefox addon, and configured it to send the following two headers with every request:

Pragma: no-cache, no-store
Cache-Control: no-cache, no-store
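An added example, not code from the original post: a check for the validator abuse described in techniques 1 and 2, plus a request filter that stops a cached validator from being echoed back. The function names and sample headers are constructed for illustration; the `{name, value}` header shape is assumed to match what a header-rewriting browser extension receives.

```javascript
// Added example. Function names and sample headers are constructed for illustration.
const HTTP_DATE = /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d{2}:\d{2}:\d{2} GMT$/;

// Header names are case-insensitive, so index them in lower case.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// respA and respB: response headers for the SAME URL, fetched by two clean
// profiles with empty caches. Findings are leads, not proof: load-balanced
// servers can legitimately emit different ETags for one resource.
function auditValidators(respA, respB) {
  const a = normalise(respA), b = normalise(respB);
  const findings = [];
  for (const h of ['etag', 'last-modified']) {
    if (a[h] !== undefined && b[h] !== undefined && a[h] !== b[h]) {
      findings.push(h + ' differs between clean profiles');
    }
  }
  // A Last-Modified value that is not a date cannot be a real timestamp.
  if ([a, b].some(r => r['last-modified'] !== undefined && !HTTP_DATE.test(r['last-modified']))) {
    findings.push('last-modified is not an HTTP-date');
  }
  return findings;
}

// Mitigation for techniques 1 and 2 only: drop the request headers that echo
// a stored validator back. Input is an array of {name, value} objects.
function stripConditionalHeaders(requestHeaders) {
  const echoed = new Set(['if-none-match', 'if-modified-since']);
  return requestHeaders.filter(h => !echoed.has(h.name.toLowerCase()));
}

// Constructed sample data.
const PROFILE_A = { 'ETag': '"a91f03c2"', 'Last-Modified': 'a91f03c2' };
const PROFILE_B = { 'ETag': '"5be7d410"', 'Last-Modified': '5be7d410' };
const STATIC_OK = { 'ETag': '"v42"', 'Last-Modified': 'Fri, 31 Dec 2021 00:00:00 GMT' };
const OUTGOING = [
  { name: 'Accept', value: 'text/css' },
  { name: 'If-None-Match', value: '"a91f03c2"' },
  { name: 'If-Modified-Since', value: 'a91f03c2' },
];
console.log(auditValidators(PROFILE_A, PROFILE_B));
console.log(auditValidators(STATIC_OK, STATIC_OK));
console.log(stripConditionalHeaders(OUTGOING));
```

A tracker can also hide an ID inside a well-formed date, so the cross-profile comparison is the stronger of the two checks; neither function addresses techniques 3 and 4.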
