There are many ways to track users across the web, but they all behave differently to cope with privacy limitations, a security researcher said Wednesday at the Black Hat conference in Las Vegas.
Many reasons exist why organizations and online services may decide to track the habits of web users, and there are many techniques that can be employed to collect this, Gregory Fleischer, a senior security consultant at FishNet Security, told the crowd.
The reasons may range from needing to track users for metrics and analytics or to fine-tune the systems that deliver advertisements to the users.
During his presentation, Fleischer discussed various injection techniques for web tracking. He interspersed his descriptions with actual demonstrations. At the conclusion of the session, Fleischer released an open source tracking server that implemented the techniques covered in the talk.
Just as there are different reasons, there are different methods for tracking. Passive tracking means the data is captured as the user navigates a site, and the information is grouped into broad user categories. The information collected and sent can easily be faked or obscured, as the data consists of a user agent string and request headers, Fleischer said.
Browser cookies are the most basic form of web tracking, and can be used in first-party and third-party tracking. However, they are severely limited by the private browsing mode in most major browsers.
Plug-in-dependent methods such as what's seen in Adobe Acrobat/Reader, Flash, and Java use their own storage, offer flexibility and are an improvement over traditional web browser methods, Fleischer said. However, their abilities vary across browser, and some are still not integrated with private browsing.
There are some things that need to be kept in mind for tracking, such as allowing users to opt-in, and determining how long the data collected is stored, Fleischer said. The goal of tracking is to install a persistent identifier that can be used to correlate user activity.