What happens if a reputable site runs a tracking script?

[freakedman]

I am worried about being tracked by online gambling sites as I access more than one account from the same device.
Currently I use noscript to only allow necessary scripts run and ublock origin so that in case I allow a tracking script by mistake I would hope that the site this script is run by is on one of the blocked lists they have.

But what is stopping a site from running a tracking script from their own site rather than a third party one?

[barbaz]

But what is stopping a site from running a tracking script from their own site rather than a third party one?

Well, uBlock Origin to a certain extent because it's much more than just a domain filter. But beyond that, nothing really.

[barbaz]

Also, "reputable" site would become, er, much less reputable if it did that

[freakedman]

Amazing thank you for your response once again!

So a reputable site can allow a third party run a script through their site to track us (such as iesnare) and nobody blinks an eyelid but if they run the script through their own site people decide this is too much? Or is it quite problematic trying to run a tracking scipt from the same site and this is why most sites track us using a third party site?

And that’s good news about uBlock origin, so in summary it reads the scripts that sites try to run on us and if anything is trying to extract information that isn’t standard it will block it?

[barbaz]

Let's move this thread to Security, because it's not about NoScript.

So a reputable site can allow a third party run a script through their site to track us (such as iesnare) and nobody blinks an eyelid but if they run the script through their own site people decide this is too much?

That's a bit of an overstatement. Enough people realize the site is running a nasty tracker and some of them are going to speak out and bring the site's reputation down on places like WOT (and if the tracking is extreme enough the site will also get outright blocked in various blacklists, even more so if tracking is spyware).

But some 3rd party trackers don't even "present" as trackers - for example, in my opinion Facebook widgets are likely far more privacy-invasive than the likes of, say, Google Analytics.

There is no clear-cut answer to your question.

Or is it quite problematic trying to run a tracking scipt from the same site and this is why most sites track us using a third party site?

It's easier to track from a ready made 3rd party solution than host everything yourself (and sometimes site does host scripts itself, but most such cases it's still has to send the tracking info to the 3rd party site so you might see the 3rd party site in the NS script listing anyway).

There is yet another scenario though - viewtopic.php?f=7&t=20777
Don't know how to defend this in OS X.

And that’s good news about uBlock origin, so in summary it reads the scripts that sites try to run on us and if anything is trying to extract information that isn’t standard it will block it?

uBlock Origin is a URL filter / content blocker, it doesn't filter scripts based on contents.

[freakedman]

Thanks again.

So if the site I need to use decides to employ it's own tracking script or the scenario that we cannot defend against then it can run active content and obtain details of my hardware?

If so maybe it is impossible to remain anonymous? My solution is to try to appear as a different user every time I need to by:
- changing up my addons and plugins so that my fingerprint changes
- changing my ip address by resetting my router
- clearing my cookies (my browser can defend against the evercookie, not sure if there is a stronger test?).
- spoofing my MAC address

I also never use ipv6 as it can leak my real MAC address. Are there other ways my real mac address can be leaked when I am spoofing it?
And can a site obtain hardware details other than MAC address, that are impossible to defend against or spoof?

[barbaz]

the scenario that we cannot defend against

Actually we can defend against that. I just don't know how to do it on a Mac.

The basic idea is to use a local "DNS proxy" (something like dnsmasq) and configure it to return either 0.0.0.0 or NXDOMAIN for blacklisted sites. If you find a solution for this on OS X please post it here

So if the site I need to use decides to employ it's own tracking script or the scenario that we cannot defend against then it can run active content and obtain details of my hardware?

Right, assuming you've Allowed it in NoScript. Keep in mind that Allowing a site is trusting that site: FAQ 1.11
I would say, if the site you need to use decides to do that crap, maybe you don't need to use that site anymore.

If so maybe it is impossible to remain anonymous?

You can't remain completely anonymous on the Internet. No one can. All we can do is attempt to block out the entities we distrust.

If you're willing to sacrifice security for anonymity, there's Tor Browser...

My solution is to try to appear as a different user every time I need to by:
- changing up my addons and plugins so that my fingerprint changes
- changing my ip address by resetting my router
- clearing my cookies (my browser can defend against the evercookie, not sure if there is a stronger test?).
- spoofing my MAC address

That sounds pretty effective. I would recommend also changing your user-agent string and the like using an addon such as https://github.com/dillbyrne/random-agent-spoofer/.

I also never use ipv6 as it can leak my real MAC address. Are there other ways my real mac address can be leaked when I am spoofing it?

Sorry I don't know anything about MAC address spoofing. This is the first I've heard that it's possible, sounds like something I should look into. Thanks!

And can a site obtain hardware details other than MAC address, that are impossible to defend against or spoof?

I would think not unless it manages to installs spyware or uses a plugin, but not sure...

[freakedman]

I read the following study about spoofing my user agent
https://seclab.cs.ucsb.edu/media/upload ... ieless.pdf.

In summary, if you spoof your user agent there is always a way to tell you are spoofing it, and if they know you are spoofing something it will be a red flag.

I make money from these sites I "need" to use and
1. Don't want them finding out who I really am.
2. Don't want them to suspect I am not who I sign up as, and ask me to extensively prove it (which they can due to terms and conditions).

Seems like I am as protected as I can be right now, but any more advice please pass it on

[barbaz]

if you spoof your user agent there is always a way to tell you are spoofing it

This is not necessarily true. Spoofing user-agent strings for any of the latest few Firefox releases on any major supported OS will surely be undetectable if done right - if a site tries to probe to see that the user-agent string is valid, they'll just find Firefox, Firefox, Firefox, and Firefox, all the way down. (Verifying OS is not easy without plugins.)

I make money from these sites I "need" to use and
1. Don't want them finding out who I really am.
2. Don't want them to suspect I am not who I sign up as, and ask me to extensively prove it (which they can due to terms and conditions).

Locking thread. We're not here to help you violate TOS of a site, especially if doing so is illegal.

Leaving this thread visible for those who have legitimate reasons to try to protect their privacy on the Internet.