Ask HN: How do you tell if a site is tracking you?
So when I see something new like that, I tend to try to visit the website or search google to see what they're trying to get me to allow them to run on my browser. Besides, it could be a lastpass related CDN.
Going to their website gave a blank window, not too shocking. But the web search gave me this page:
https://cdn.lmiutil.com/lpassets/track-pageload-lp.v11.html?gaid=null
Seems to be another blank page, but if I view the source, it's sketchy. Excerpt:
<meta http-equiv="Content-Security-Policy" content="img-src https://adfarm.mediaplex.com https://bh.contextweb.com https://sy.eu.angsrvr.com https://rtb.gumgum.com https://partners.tremorhub.com... (long list of known trackers).
How would you go about proving one way or another what's going on here? Is this kind of things standard ad code for their actual website? Or are they tracking everywhere I use LastPass? It would be cool to find a tutorial of tools of the trade for tracing down the behavior of these complex interdependent systems. Or do the patterns and techniques used evolve too fast for anyone with only moderate expertise to figure out what they're doing?
2 comments
[ 2.9 ms ] story [ 12.5 ms ] thread1) Why not install Privacy Badger? ( https://www.eff.org/privacybadger ) It watches which sites javascript files are loaded from, and if you go to three domains and get the same script, and it seems to be sending back information, it'll flag it and block it.
2) There is the possibility of seeing everything going from your browser to a remote computer. There are two ways.
a) Use the developer tools. In many browsers, you can bring up dev tools (possibly by hitting F12), bring up the 'Network' tab, and hit the 'Preserve Log' button. Everything that goes between your browser and the internet is recorded. You could dive into every javascript file requested, see which data and URLs are requested, etc. In most browsers, you can save this data to a .har file for later analysis, but it will contain cookies, etc, and allow someone else to spoof you.
b) similarly, you could set up a proxy (Charles Proxy, Proxie.app, mitmproxy, etc), to proxy HTTP traffic, but you'd also need to go to extra effort to proxy HTTPS traffic. Then, with your browser (or OS) set up to use the proxy, you can obtain the same sort of data as in (a).
With this information, you could see which sites you are requesting data from, what the data is, and, I suppose, analyze the sources to find out what it is doing.
- cookies
- javascript
- authentication
then it is less likely to be tracking you. There are some clever tricks that do not require those three things, but that is getting into hypothetical and less practical territory.
If you are using NoScript / uBlock or uMatrix / Self destructing cookies or similar and not logging into any sites, then your odds of being tracked are fewer.
If you run a combination of BleachBit, CrapCleaner and BCWipe every time your browser closes, then your odds of being tracked are fewer.
If you have an application firewall that prevents applications from chatting with the internet without you explicitly initiating the communication, that also helps. They may contain user-identifiable strings and may share browser functions.
As for LastPass, I have always steered clear of sites like that. This may have changed, but for a long time, they required your vault decryption password to sync with their site. Unpopular opinion, I know.