11

Assume I am a regular user of website A that forbids multiple accounts. I assume it can identify me with cookies and IP. So if I use a VPN, then open a private tab in my browser, can it still identify me ? The cookies sent to the website will have nothing to do with the old cookies right ? So is this as efficient as using another computer with another connection ?

eee
  • 119
  • 1
  • 3
  • 2
    Depending on who you're trying to defend against, have a look at the demo for HSTS super-cookies. It's a bit of a dilemma since fixing it involves a trade-off between security and privacy. – tangrs Oct 19 '15 at 11:13
  • 1
    What sort of bad design is forbidding multiple accounts from the same IP? Have they never heard of NAT? – Xophmeister Oct 19 '15 at 13:32
  • @Xophmeister The OP didn't say they are forbidding multiple accounts from the same IP, just that they forbid multiple accounts. – Jon Bentley Oct 19 '15 at 16:06
  • Also, webRTC STUN attacks can identify http://www.html5rocks.com/en/tutorials/webrtc/infrastructure/ – hd. Oct 19 '15 at 16:15
  • 2
    You might be better off with social engineering - "This isn't eee, this is eee's roommate fff!" - of course, you would also have to use the profiles in a way that was consistent with this story. Always having fff log in one way, and eee log in another way. If you stop at a coffee shop every day, send eee a note from fff saying "dude don't forget julie's coming over tonight, so don't come home bro" etc. – corsiKa Oct 19 '15 at 17:59
  • 3
    @corsiKa That might not help much if eee and fff make the same spelling mistakes in their respective online rants :) – Hagen von Eitzen Oct 19 '15 at 18:07
  • @HagenvonEitzen Presumably we socially engineer the Golden Gate, not the Tacoma Narrows... – corsiKa Oct 19 '15 at 19:03
  • If the browser in private mode is running in the same OS, I'd say no. All private mode does is start with a fresh session. That's useful for quickly testing something but not much else. It's technically not private and the browser vendors say as much. However, if you bury that in a virtual machine and carefully focus on creating a new personality being aware that we each have habits as well as being aware of how TCP, UDP, and IP operates under the hood (i.e. read the IETF specs), then you have a much better chance of remaining disconnected identity-wise. – CubicleSoft Oct 20 '15 at 14:26
  • A lot of popular sites use SMS messaging for account setup these days either directly or by requiring sign in with a provider that does. SMS verification severely limits anonymity. So no matter what web browser you set up in private mode, you could still find yourself going through an account sign up process that requires your phone to be used. If you want to test the waters, I'd start with just private mode. If it works, then that's that. Most site owners won't get overkill about the issue as long as you are behaving yourself. – CubicleSoft Oct 20 '15 at 14:35

8 Answers8

21

You can not be sure for that without testing because such websites combine more than one technique to identify their users. For example if you use the same computer with a reliable VPN, you still may be identified if the website in question relies for example on browser fingerprinting and/or operating system fingerprinting identification techniques.

Some websites can identify you even if you use Tor browser, VPN ... etc (after suspicion of bad behaviors a user may perform) as they analyze the way how you write.

  • 1
    Don't forget the latest dilemma in browser security, HSTS tracking. – tangrs Oct 19 '15 at 11:09
  • 3
    It is quite fun to visit https://panopticlick.eff.org - Surprisingly, Chrome's private window had different fingerprint than normal window. Sadly, only real difference was access mode to fonts - so I guess for real algorithm I would be traceable all right. – Mołot Oct 19 '15 at 14:04
  • 3
    Another new form of tracking is tracking and measuring how you type, no browser, vpn or proxy can change that! – matt. Oct 19 '15 at 15:20
  • 4
    @enki.dev A browser could add jitter to your keystroke timings, or slow them to a uniform rate (or one of a few uniform rates to handle different typing speeds). Also how is it measured - scripts run locally? This is assuming it's typing timings, as analysis of language used requires a fairly large data set. – Chris H Oct 19 '15 at 15:53
  • 2
    @ChrisH Correct. There are browser extensions available that just do that. If you're interested in underlying technology, check out http://behaviosec.com/technology/ - So, yes, my original comment would be incorrect. – matt. Oct 19 '15 at 16:09
  • 1
    (after suspicion of bad behaviors a user may perform) they analyse the way how you write. No, Stack Exchange does not do that, and tools moderators have access to via Stack Exchange are... not cutting edge, by any means. Yes, there are a number of ways to id a person based on their writing styles, but Stack Exchange does not have such an interface for their moderators. – HopelessN00b Oct 19 '15 at 17:11
  • @HopelessN00b I dared to state that because I experienced it. Moderators do not have tools for that, they check it manually –  Oct 19 '15 at 17:13
  • @Begueradj I was a moderator on ServerFault. While I was, no one bothered us enough to check things like that out of band. – HopelessN00b Oct 19 '15 at 17:25
  • @ChrisH, wow, that seems like it could have great potential for evil use. Thanks for the heads up. – Mark Buffalo Oct 19 '15 at 19:49
  • Is not this how they identified the authors of the Federalist Papers an earlier offline version of StackExchange which primarily dealt with political as opposed to technical questions. – emory Oct 19 '15 at 23:34
5

"But I'm behind 7 proxies!" It doesn't matter.

Even if you change your IP address, you are still likely giving the website(s) your browser fingerprint. You'll need to use a tool like SecretAgent for Firefox, or write your own.

What you need to do is randomize / disable the following values before they're returned by Javascript:

  1. Screen Size and Color Depth (randomize)
  2. Browser Plugin Details (disable showing / randomize)
  3. System Fonts (disable showing / randomize)
  4. User Agent (maybe randomize)
  5. Cookies (disable)

If you are able to randomize / disable those, like SecretAgent does, it's not likely that you'll be identified by websites / tracking cookies through browser-fingerprinting.

Either that, or you need to disable Flash, Javascript, Java, etc. while browsing. Note that fiddling with the screen size values may break responsive websites, though I haven't tested this.

Mark Buffalo
  • 22,608
  • 8
  • 75
  • 91
3

By 1) using a VPN you are effectively connecting from another IP, and by 2) using a private tab in your browser (or an incognito window, or a different browser altogether) the cookies from your old connection won't be used. So yes, using both will thwart the basic way in which websites identify you.

Note that you might be able to visit the website with a different identity by using #2 alone; VPN might not be needed.

dr_
  • 5,198
  • 4
  • 21
  • 31
  • 1
    Also, be careful of any dropped connection to the VPN. For example in OpenVPN if your connection to VPN server dropped it would revert back to your normal connection which would expose your identity. – Paul Oct 19 '15 at 11:36
1

An incognito window combined with a reliable VPN should indeed hide any correlation between your 2 accounts.

Sevaara
  • 181
  • 2
  • 8
  • 2
    You need to explain how/why this is true. – schroeder Oct 19 '15 at 18:08
  • 1
    I disagree. Even if you change your IP address, you are still giving them your browser fingerprint. You'll need to use a tool like SecretAgent for Firefox, or write your own. – Mark Buffalo Oct 19 '15 at 19:17
  • I'm guessing this entirely depends on what kind of website we're discussing here. A lot of sites that made it against the rules to run multiple accounts would only monitor for duplicate IP addresses. A VPN (that doesn't spray your real IP everywhere) would bypass that immediately. Incognito windows with multiple browsers is an additional layer of protection. Just out of curiosity, do you know of any sites that try to match accounts based on browser fingerprints? – Sevaara Oct 23 '15 at 15:50
1

You should better use a different browser or at least a real different profile like Firefox offers (Profiles in Chrome share too much). Incognito mode is note enough since some information are shared with this mode and some information are even shared between different browsers.

For deep and extensive information about this topic see Technical analysis of client identification mechanisms.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
1

The best thing is to use a virtual machine with a different OS (Linux/Windows) or different versions (Win7/Win10), if you like a different browser in each (chrome/firefox) and the virtual machine has a firewall rule to only allow connections to the IP of your VPN-Server.

With a big or a second screen, you can run both in parallel and if you don't mix up the focus of the keyboard, you can even pretend to be both persons in chats. But I have seen too many people try and fail, mixing up the names or facts, so I would not recommend it.

If you type just little, try using google translate to one language, then bing translate back to yours, this should add enough differences to make you the foreign exchange student.

However, the general idea is "why would you want to cheat in a browser game?". You gain nothing of value and the impression of being good is tainted by the wisdom that you only achieved it by cheating. It doesn't matter what the rest of the gamers there think, you will know it's not true. You can always ask some of your real friends and invite them to play, way more fun this.

user89671
  • 11
  • 2
0

Your browser can be finger printed. Incognito mode will not protect your browsers finger print. Don't believe me go to the website https://panopticlick.eff.org/index.php?action=log&js=yes in incognito mode. Close your browser and open a new one and do it again. It's about the configuration of your browser being unique to your machine. Read their article https://panopticlick.eff.org/browser-uniqueness.pdf and you can learn more about this and how to hide/change your fingerprint.

David-
  • 434
  • 2
  • 8
-2

Please mark this down if this is no longer true and I will delete. But I have built a few apps that stored hostname that was passed via browser. Although this was supposed to be deprecated a long time ago, from the last time I looked, it still passed in all the major browsers.

blankip
  • 118
  • 1
  • 6
  • 1
    The hostname depends on the connection, not the browser. – A.L Oct 20 '15 at 09:55
  • @A.L - It is a variable stored in your browser. If you were on the same computer using different browsers I could identify you by it. Also your hostname does not depend on your connection. I wish I could double downvote your downvote.. – blankip Oct 20 '15 at 14:46
  • 1
    I didn't downvoted you (I don't have enough rep). Can you please provide an example? Hostname is not linked to the browser. Maybe you're thinking of the user agent? – A.L Oct 20 '15 at 14:49
  • No the hostname variable is captured by browser API. So I can get several things from your browser - your local IP address (and internet IP), your OS, your patches, and hostname. – blankip Oct 20 '15 at 15:05
  • How do you get this variable? And how do you get data about patches from a simple Internet request? That's crazy. – A.L Oct 20 '15 at 15:07
  • 1
    Looks like you are referring to the client's hostname. This was possible on really old versions of Netscape for example via Java: java.net.InetAddress.getLocalHostName(). Here is more modern ways to get the IP address: http://stackoverflow.com/questions/17414972/get-ip-address-with-javascript – Jonathan Cross Oct 20 '15 at 16:41