There are many ways to track users across the web, but they all behave differently to cope with privacy limitations, a security researcher said Wednesday at the Black Hat conference in Las Vegas.
Organizations and online services have many reasons to track the habits of web users, and many techniques can be employed to collect that data, Gregory Fleischer, a senior security consultant at FishNet Security, told the crowd.
The reasons range from tracking users for metrics and analytics to fine-tuning the systems that deliver advertisements to those users.
During his presentation, Fleischer discussed various injection techniques for web tracking. He interspersed his descriptions with actual demonstrations. At the conclusion of the session, Fleischer released an open source tracking server that implemented the techniques covered in the talk.
Just as there are different reasons, there are different methods for tracking. Passive tracking means the data is captured as the user navigates a site, and the information is grouped into broad user categories. The information collected and sent can easily be faked or obscured, as the data consists of a user agent string and request headers, Fleischer said.
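The following added example (not code from Fleischer's talk or his tracking server) shows why header-only data yields broad categories rather than identities, and why it is trivially faked. The header set, client names and header values are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Headers a server receives on every request without running any script.
# This particular set is an assumption made for the example.
PASSIVE_HEADERS = ("user-agent", "accept-language", "accept-encoding")

def passive_fingerprint(headers):
    """Hash the passive header values into a short category id."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    material = "\n".join(f"{h}={norm.get(h, '')}" for h in PASSIVE_HEADERS)
    return hashlib.sha256(material.encode()).hexdigest()[:12]

def bucket_clients(requests):
    """Group client labels by the fingerprint of the headers they sent."""
    buckets = defaultdict(set)
    for client, headers in requests:
        buckets[passive_fingerprint(headers)].add(client)
    return dict(buckets)

def distinguishable(requests):
    """Clients alone in their bucket, i.e. singled out by headers alone."""
    return sorted(
        client
        for members in bucket_clients(requests).values()
        if len(members) == 1
        for client in members
    )

# Constructed sample traffic: two users on a stock browser build, one with
# a different language preference.
STOCK = {"User-Agent": "ExampleBrowser/1.0", "Accept-Language": "en-US",
         "Accept-Encoding": "gzip"}
SAMPLE = [
    ("alice", STOCK),
    ("bob", {"user-agent": "ExampleBrowser/1.0", "accept-language": "en-US",
             "accept-encoding": "gzip"}),
    ("carol", dict(STOCK, **{"Accept-Language": "de-DE"})),
]

# A user who overrides one header lands in a different category.
SPOOFED = dict(STOCK, **{"User-Agent": "OtherBrowser/9.9"})

if __name__ == "__main__":
    print(bucket_clients(SAMPLE))
    print("singled out:", distinguishable(SAMPLE))
    print("spoof changes id:",
          passive_fingerprint(SPOOFED) != passive_fingerprint(STOCK))
```

Users with a common configuration collapse into one bucket, so the fewer unusual header values a browser sends, the less a passive observer learns.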
Active tracking, meanwhile, gathers information from the browser using a variety of JavaScript and CSS tricks, Fleischer said. It is harder for users to fake the data being collected or to hide from this kind of tracking because it relies on direct interaction with the site. Data collected includes navigation information, screen resolution, time of interaction, plug-ins, fonts installed on the system and browser extensions in use.
Browser cookies are the most basic form of web tracking, and can be used in first-party and third-party tracking. However, they are severely limited by the private browsing mode in most major browsers.
Plug-in-dependent methods such as those seen in Adobe Acrobat/Reader, Flash, and Java use their own storage, offer flexibility and are an improvement over traditional web browser methods, Fleischer said. However, their abilities vary across browsers, and some are still not integrated with private browsing.
There are some things that need to be kept in mind for tracking, such as allowing users to opt in, and determining how long the data collected is stored, Fleischer said. The goal of tracking is to install a persistent identifier that can be used to correlate user activity.