Published implementation of the new Techniques for identifying a specific browser instance. The technique is based on the features of caching images Favicon , with which the site determines the icons displayed in bookmarks, tabs and other elements of the browser interface. The method is based on the peculiarities of Favicon processing in browsers, which allow using the Favicon cache as a storage area that was not originally intended for permanent storage of information (“Supercookies”).
Favicon images are stored by browsers in a separate cache that does not overlap with other caches , is common for all modes of operation and is not cleared by the standard tools for clearing the cache and browsing history. This feature allows you to use the identifier even when working in incognito mode and makes it difficult to delete. Identity using the proposed method is also not affected by the use of VPN and ad blocking add-ons.
The identification method is based on the fact that on the server side it is possible to determine whether the user opened the page by analyzing the information about the Favicon loading – if the browser did not request the Favicon image specified in the page parameters, then the page was loaded earlier and the image is shown from the cache. Since browsers allow you to set your own Favicon for each page, there is the ability to encode useful information through a sequential user forwarding to several unique pages.
The more redirects in the chain, the more identifiers can be determined (the number of identifiers is determined by the formula 2 ^ N, where N is the number of redirects). For example, 4 users can address two redirects, 3 – 8, 4 – 16, 10 – 1024, 24 – 16 million, 32 – 4 billion. The disadvantage of this method is large delays – the higher the accuracy, the longer it takes for redirects to open the page. 32 redirects allow generating IDs for all Internet users, but lead to a delay of about 6 seconds on the first login and 3 seconds on subsequent ones. For a million IDs, the delay is about 3 seconds on the first login and 1.5 seconds on subsequent ones.