jonasstrehle / supercookie Goto Github PK

I saw the documentation but didn't really get it how can you know if this is the first time for the user to enter the site so you car write some favicon to him and give him identifier or if he already have favicons and u will then give him 404 request on all favicons. so can you please tell in details how the script distinguish? Or maybe the first redirect is always test and if the user asked for favicon "a" then he is new and if not we start reading?

Hi,
brave browser and firefox, since 85+, are both not affected by supercookies.

https://habr.com/ru/company/itsumma/blog/542734/
There is Russian article about this repo. I am not the author, but I'd love to see it in README list.

Please make a video walk-through of this project.

I guess this happened by accident?
This lead to the situation that this repo is over 20MB huge.

Thus I guess you might want to add the directory to gitignore and remove the directory from history.

PS: I case this was added intentionally: why?

@jonasstrehle help me please.

I am useing node v15.12.0, but after install dependencies have next error. How can it be resolved?

mnt/d/Projects/Dev/supercookie/server$ node --experimental-json-modules main.js
node:internal/process/esm_loader:74
    internalBinding('errors').triggerUncaughtException(
                              ^

Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'express.js' imported from /mnt/d/Projects/Dev/supercookie/server/main.js
    at new NodeError (node:internal/errors:329:5)
    at packageResolve (node:internal/modules/esm/resolve:714:9)
    at moduleResolve (node:internal/modules/esm/resolve:755:18)
    at Loader.defaultResolve [as _resolve] (node:internal/modules/esm/resolve:869:11)
    at Loader.resolve (node:internal/modules/esm/loader:86:40)
    at Loader.getModuleJob (node:internal/modules/esm/loader:230:28)
    at ModuleWrap.<anonymous> (node:internal/modules/esm/module_job:57:40)
    at link (node:internal/modules/esm/module_job:56:36) {
  code: 'ERR_MODULE_NOT_FOUND'
}

Maan, I have a lot of extensions which protect my fingerprint and one for No fingerprint (that is same name for extension :-) ) .
Also, I have one extensions which makes websites think that I am using Android Browser and also ProtonVpn which hides my vpn. BTW, I am on LM 20.3, Cinnamon.
And I am using LibreWolf.
I am asking question to you, dear dev: it never ends - does that means that I have full real privacy?????

If you can track and identify user for good by using this approach, you are depriving our right to privacy.
You said that this is only for educational usage but once it is carried out, there is no way to revert.
You are helping big companies like Google by identifying users. And you are violating First Amendment to the United States Constitution.
So I suggest you remove this repo or develop an approach to against it

I got one ID through chrome, another one through Tor. Opera without VPN gave a third identifier, Mozilla also showed another. This nonsense does not work and also does not run on NodeJs))

I tried running your docker as per your documentation, unfortunately it doesn't work for me.
I get the following error message, but it's out of the question.
Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'express' imported from /home/node/app/main.js

This leads me to think I have the wrong node version. (I am no expert in JS environnement)

So would it be possible for you to update your docker-compose.yml with a specific node version ?

For example : image: "node:20.11"

Also it would be nice to know which docker version you're using and on which OS.

Last point in your documentation for docker you could add the creation of the network "main" that you use
docker network create main

(Thanks for the project, it's very interesting)

If I clear all history in the last 1 hour (see example below), I get a new identifier.

I'm using Chrome 88 on latest MacOS

Your solution is supposed to work without cookies enabled, but when I turn on the Block all cookies flag on Safari I am getting an endless redirect loop on demo.supercookie.me and on my local nodejs project.
It looks like you are highly reliant on cookies.

In your research have you explored the behavior when combined with ServiceWorkers? Possibly because it could remove the need for a server altogether by "spoofing" URLs under a specific prefix, but also because it can reduce round trip to the server by generating the response within the worker itself locally.

For me the function "Clear History..." and selecting "all history" in Safari 14.0.3 (Big Sur) clears the complete favicon cache in ~/Library/Safari/Favicon Cache/

With Safari on iOS on the other hand there appears to be no way to clear the cache short of factory resetting.

Or is that impossible to clear F-Cache on affected browsers?

As title says!

Google Chrome | 114.0.5735.248 (Official Build) (arm64)
-- | --
Revision | 6a4d58406feefcfe55d9fa6c53bf40ebc5453342-refs/branch-heads/5735_243@{#3}
OS | macOS Version 13.3.1 (a) (Build 22E772610a)
JavaScript | V8 11.4.183.27
User agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Command Line | /Applications/Google Chrome.app/Contents/MacOS/Google Chrome --flag-switches-begin --allow-insecure-localhost --flag-switches-end
Executable Path | /Applications/Google Chrome.app/Contents/MacOS/Google Chrome

I had the supercookie demonstration running; since its not coming to an end, my question: Is it still working? When should it come to an end? 1 Hour? 10 Hours?
The details of my test: "OSX" or mac Monterey 10.3
Browser Firefox Nightly 100.0a1 (2022-03-15) (64-bit)
In Safari Browser it runs endlessly. Should I expect the same for Firefox Nightly?

I'm getting two different identifiers when I'm using a "guest" profile on Chrome + Mac OS.

Click the stop button and the refresh button on the browser (left top corner) quickly when redirecting to next page, the process will continue but I get a new identifier.(Not every time but often.)

Loops on incognito, and once you do get the id its different that from that of a non incognito tab.

Can this solution bypass Safari's ITP?
Currently all browser storage from 1st party will only be available for 7days. This include cookies, local storage, etc.

Also how about firefox 'network partitioning'?
https://www.zdnet.com/article/firefox-to-ship-network-partitioning-as-a-new-anti-tracking-defense/

I can't reproduce my IDs with Firefox 85 (Linux). I don't know if it is related to this, they only mention cross-site supercookie protection.

Chromium 88 seems to be still vulnerable.
Tabs underlined in blue are part of the same container (Firefox extension), others (left to right) are vanilla Firefox, private Firefox and vanilla Chromium.

First try:

After restarting my browsers:

after 17/17 it somewhy restarts from 1/17