Comment by bastawhiz

5 years ago

This is a neat approach, but I'm not sure I'd expect it to be used in the wild. ~32 consecutive document redirects every time you want to fingerprint a browser would be slow: twelve (?) redirects on my (~fast) internet takes about ten seconds. On 3G, I could imagine this taking much longer.

You'd also likely need to do this at the (root) page level (i.e., it wouldn't work inside an iframe, since iframes don't have favicons), and it breaks the back button really hard. I'm not sure I can think of a practical situation where this could actually be used for tracking. Maybe if it was done in a popup?

> Maybe if it was done in a popup?

Funny you mention that, one of my friends was on a torrent site the other day and had a tiny popup that appeared to keep redirecting. I assumed it was redirecting through multiple pages to generate fake ad impressions, but this is another possibility.

The site says that 34 redirects take about 4 seconds.

The demo page is 1 redirect per second on purpose.

  • Yeah, the demo page is using a ±800ms timeout on purpose.

    I chose the threshold so that even with a bad internet connection, slow browser, etc. the favicon is requested without the redirect being faster than that.

    So it is definitely possible to reduce the timeout significantly but it is not useful for demonstration purposes... ~jonas

Potential workaround: redirect a more bearable amount of times (2-3) every time a user clicks a link on your website. An aggressive ad network could also do this across websites.

If the browser supports JS, maybe you can quickly generate a UUID based on the same pattern, load the favicon as a data URL and, with onload, check if it's in the cache. This would make it significantly faster.

  • Great idea, but favicons used in meta tags do not support the onload event! I've found a workaround for this, but it's only working in Chrome. ~jonas

I think you could also run this on an iframe embedded in a page.

  • What is your response to parent's comment that "it wouldn't work inside an iframe, since iframes don't have favicons"?

    • Browsers send requests for favicons for pages in iframes even though they are not showing them.