6

If you visited a website, of course they will know your IP address, right? But what about when you change your broadband connection?

Will they still know that it is still from the same source or person, because you are using that “same desktop computer” you used earlier?

Giacomo1968
  • 55,001
Selin Peck
  • 517
  • 1
    What do you mean by "change your broadband connection"? Do you mean change your ISP, or move, or what? – trysis Jun 01 '14 at 18:38
  • Yes correct, change ISP. – Selin Peck Jun 01 '14 at 19:22
  • Wow, I was not aware you could switch ISP's using a USB stick. Whenever I changed ISP's with a computer it was a matter of changing the network it was attached to. – trysis Jun 01 '14 at 19:55
  • You'll usually get a different IP address when you disconnect and reconnect to your ISP; handy for sites which limit what you can download (ie one download per hour). If you use TOR then your IP address can changes per page. –  Jun 01 '14 at 22:15
  • 2
    @SelinPeck, why did you delete your earlier comment about USB sticks? Also, why didn't you put it in the question in the first place? This was vital info & could have helped any answerers. As is, your question is very unclear as to whys, hows & whats, which is why I asked for verification. – trysis Jun 01 '14 at 22:44
  • @ trysis : Locally here, when you purchased two broadband connections which are both prepaid, you can interchange which you want to use when surfing online. Let's say, one have a USB stick which is purchased from Verizon and one from AT&T (just an example). Both have different IPs associated with each connection ofcourse. – Selin Peck Jun 02 '14 at 13:25

2 Answers2

10

An IP (version 4) address has the following problems if you are using it to track individual users:

  • Many users use an ISP that gives them a temporary DHCP-issued address which can change anytime.

  • Many users are behind a router that uses NAT to allow multiple users to appear to originate from the same IP address.

  • Some users may be using a proxy server to access your website due to a policy of their workplace, ISP, or government.

So, while a well-designed website will still do things like block on the IP level if abuse from a specific IP is detected, the website itself will use cookies to tell users apart.

If a server "sets" a cookie, what is supposed to happen afterward if the client "accepts" that cookie, is that the client sends those cookies back with each future HTTP request (in the HTTP headers).

So, all the server needs to do is "set" a single cookie that has a random value, and preferably is a nonce - a value that can only happen once. Then the client keeps sending it back and it can be used to identify the client.

So, this cookie will determine your session on the server (hence why it is called a session cookie) and will allow the website to connect incoming HTTP requests with a current login, determine if your login has timed out, etc.

An interesting yet not totally relevant thing: Some cross-site scripting attacks try to trick your browser into giving a different website such a session cookie and then using it to do things as if the attacker were logged in as you. A good website can mitigate this by invalidating the session cookie and maybe raising a security alert if it detects a sudden IP change.

LawrenceC
  • 73,957
  • Thanks for the answer. Does this work with emails too? When a certain person sends email using an anonymous email using Yahoo or Gmail (there will be an IP associated in the header of email), then changes his broadband connection, sends an email again using another anonymous email. Is there any way I could know if it is coming from that same person or computer? I hope you understand my explanation. – Selin Peck Jun 01 '14 at 15:46
  • @SelinPeck: assuming the sender uses the email provider's web interface to send both emails, the recipient of the two is unlikely to have any means to identify that they're from the same sender. Yahoo or Gmail might have enough information to do it though, especially if the user visted using the same browser both times. If the sender uses an email client installed on their machine, that might include recognizable email headers that give the sender at least grounds to suspect it's the same sender even though they can't be entirely sure. – Steve Jessop Jun 01 '14 at 18:08
9

It depends on the website, what techniques it uses, and how reliable those techniques are.

The "official" way to recognise a user when they change IP address (or when multiple users share an IP address) is by a cookie. That is, some information generated by the site, stored on the user's machine, and returned to the server each time the user requests a page from that site or a closely-related site. If the IP address changes but the cookie is the same, then the site will reckon that you're the same person. Of course, some sites "bind sessions" to an IP address, which means they'll make you log in again when they detect an IP address change, and perhaps give you a new cookie. Often that's a question of them making sure you're the same person. They already strongly suspected it, and were correct in their suspicion, they're just confirming to make it harder for someone to steal your cookie and hijack your login.

Now, you could choose to delete that cookie (for example perhaps you configured your browser to delete cookies when closed, and at the same time as changing broadband connection you rebooted your machine or at least restarted your browser). Then the site has a harder task identifying you, but there are tricks it can use. Generally it will not admit to you that it has identified you, because it's not using the "official" means, but it might try to identify you for example because:

  • it has trouble with abusive users, so it tries to match up unknown visitors to known abusers
  • it wants to track all users, and chooses not to restrict itself to the official agreed means of doing so

The main means to identify are as follows, each breaks down into many separate tricks and techniques:

  • data stored on your machine other than cookies (https://en.wikipedia.org/wiki/Zombie_cookie, https://en.wikipedia.org/wiki/Evercookie). Sometimes this is more or less legitimate, for example a flash app is likely to use flash cookies without any specific intent to avoid the restrictions of regular browser cookies. Sometimes it's an outright abuse of user privacy.
  • properties of your machine and browser that allow it to be uniquely identified (to a certain confidence) without storing anything at all, aka "fingerprinting": (https://panopticlick.eff.org/, https://en.wikipedia.org/wiki/Device_fingerprint). This is unlikely to happen incidentally: a site doing this knows that it's taking steps to try to identify you even if you don't want to be identified. So it's rare.
  • behaviour of the user (this is available in principle but rarely very practical. It can for example help detect automated web-scrapers that the site wants to block).
Steve Jessop
  • 525
  • 1
    @ Steve Jessop : So you are referring to the characteristics of the browser for Yahoo and Gmail to pinpoint if the sender is from the same source, right? Is it the most that Gmail and Yahoo could get into (browser level only, cookies, flash, sites visited, etc.etc.)? How about the characteristics of the source computer ie: operating system, version, files on hard disk, etc., those are not accessible by Google or Yahoo, am I right with my assumption Steve? – Selin Peck Jun 01 '14 at 19:23
  • @SelinPeck: the browser will usually tell the server something about the OS, look at "user-agent" on http://www.whatismybrowser.com/developers/what-http-headers-is-my-browser-sending. It won't let the site or its javascript read any old files it wants to, though (or if it does, that's a serious security flaw in the browser that should be fixed when discovered!) – Steve Jessop Jun 02 '14 at 08:10