Newbie2Security: What Your Browser can Tell Sites About You

0

Here’s a great reader-submitted question, “I heard that if I connect to a site from a web browser, they can tell a lot about me.  Is that true? What can they see?”

It’s absolutely true, and your browser can tell a website or service a tremendous amount of information about you.  This can happen even if you haven’t specifically given the site, service, or app any privileges beyond just connecting to it in your browser.  That’s been the case for a very long time now – and this data doesn’t take a lot of technology or expertise for someone to see it and learn about you from it.  Let’s take a look at what your browser can be telling people about you.

Browsers transmit and receive a lot more data that is visible on your screen.  They also transmit what are known as browser headers – metadata (data about data) that identifies what your browser is capable of displaying, how much data it can accept, and a lot more details

When you connect to a website or service via a browser, the web server and your machine exchange a lot of information.  This is necessary since thousands if not millions of people visit a website, and not all fo them use the same web browser, Operating System (Windows, Mac, Linux, etc.), have the same fonts installed, have the same browser add-ons and extensions, etc.  So, in order to figure out what should be sent to your machine, the web server needs this metadata so it can send you the right information to display in your browser.

Most, but not all, of this data is sent in the browser headers.  Here’s what can be sent via headers during any connection to a web server:

 The IP address (a digital address assigned to your computer by your Internet Service Provider) so that the website knows who it is talking to.
The browser you are using (Internet Explorer, Firefox, Chrome, etc.) and what version of it you are running so that the website knows what your browser is capable of displaying
What fonts, add-ons, and extensions you have installed in your browser – also to help the website figure out what can be displayed.

That may no sound all that informative to a website, but it really is.  With the right tools, here’s what a website can find out based on that information:

 Your IP address can identify where you physically are at the moment.  While it’s not precise, IP geo-location is capable of finding your location within a couple hundred meters if not closer.  IP addresses can also identify what Internet Service Provider you use, if the connection is a cable modem, DSL, fiber, etc. and if you’re using something that can anonymize you (like a VPN or TOR networks).
Your browser type and version can identify what Operating System you use – Internet Explorer only runs on Windows and Safari typically runs on Mac, for example.
The combination of the above information combined with the add-ons, fonts, and other details can allow a website to “fingerprint” your machine to a high degree of accuracy.  This means that if you visit the site again – or go from site to site between websites that share information – these sites can track you and establish a pattern to your browsing history that cannot be removed by clearing your cache.

There are also small text files known as cookies that are placed on your computer/laptop/tablet/phone disk.  These cookies allow a specific site to recognize your device when you re-visit that site, and it’s how sites like FaceBook, Twitter, Amazon, etc. know you when you return to them later on.  Generally, cookies are harmless and only apply to a specific website you visit.  Others, known as “supercookies” are used by advertising networks to track you all around the Internet, however. By setting your browser’s “Do Not Track” settings you can eliminate most – but not all – of them.  Clearing your browsing history, cache, and cookies will get rid of them, though.

There are also tools for most major browsers that can help keep you more private while web surfing.  The Electonic Frontier Foundation (https://www.eff.org) has a tool called Privacy Badger that blocks most tracking cookies but can let you allow them on sites you do trust.  Ad Blockers can stop ad networks from landing supercookies on your machine.  They’re usually free, and well trusted tools like uBlock Origin are regularly checked for malware to make sure you’re not opening more security holes than you close.

So, as you can see, a browser can leak a lot of information about you and your devices.  Headers and cookies can tell a website a tremendous amount about who you are, where you are, and where you’ve been online.  Normally this isn’t a problem, as this information is fairly public and not considered Personally Identifiable Information like your name, phone number, social security number, etc. would be.  Just be aware that sites can see this information about you when you visit, and avoid even visiting sites that you don’t ever want to have this level of detail about you in the first place.