Can a website see/know my MAC address even if I use a VPN? [duplicate]

Solution 1:

The only web sites that can access MAC addresses, are sites that have you download a software component to interface with them, which allow the site to circumvent the usual rules. So you technically have to give permission first by doing that. ActiveX & WMI (Windows Interface via Windows Management Instrumentation) for Internet Explorer and Java are methods used that could pass on a MAC address. ActiveX requires WMI is installed for this to work.

Here is a script using WMI that reads MAC addresses: http://www.qualitycodes.com/tutorial.php?articleid=19&title=MAC-Address-Using-WMI-on-Internet-Explorer [NOTE: this link is now dead, but the script previously hosted at that location did the job for WMI enabled Windows-based computers so still needed as information for this question.]

Here is a question with code to do this in Java on StackOverflow: https://stackoverflow.com/questions/10962072/get-mac-address-in-java-using-gethardwareaddress-non-deterministic

As mentioned in the comment below by Hennes, MAC addresses are internal only. Web servers do not generally pass on that information... just the IP addresses, and even then- users often only show the IP address of their location. If you are going to a web site for example, in a coffee shop, the IP shown is that of the coffee shop, not a user on the network.

Regarding IP addresses-- JavaScript can use WebRTC (these examples for newer versions of Chrome and Firefox) now to show internal IP addresses as explained in this article: https://hacking.ventures/local-ip-discovery-with-html5-webrtc-security-and-privacy-risk/ See live working examples here: http://net.ipcalf.com/ and one that attepts to detect all ip addresses in your local range here: https://dl.dropboxusercontent.com/u/1878671/enumhosts.html This is not to be confused with MAC address data. If your JavaScript is turned off this will not work of course.

Since it was mentioned in the question, JavaScript reads the time from the clock on your system. When you post from one page to another in a form, it could post the time from javascript, giving away the time zone you are in. Applications that use real-time like online bid applications do that. If that is different than the time the server sees that would be a 'flag' so to speak. The solution is to kill JavaScript or change your clock time. By itself it doesn't give much out though. Not everyone has their clock set properly but most have them auto-sync with real timeservers especially mobiles.

In the comments below, specializt mentioned that WMI can be disabled. So can ActiveX, JavaScript, and Java which can simply be uninstalled.

The cookies by themselves get server time, not the time from the web browser. If you want client-side time, the JavaScript method I mentioned above is a way to do it.

If you are looking at a site, and two web browsers come up from the same ip (which yours would if you did not use proxies)-- it would not be necessary to check a cookie to know they came from the same location. The IP log tells them that. They cannot know it was from the same computer in the 'lab', but it may be guessed because they are in the same time slot in the web log. That may not help - one person or a person with an accomplice... it could be seen in that light.

Proxies and VPNs would resolve the server log IP problem of course. Both browsers using a different proxy location like you mentioned is great.

Solution 2:

The others have already answered you main technical questions and my comment to some of them answer your doubts about MAC address. So I'll just concentrate on this:

And lastly,

Is there an extra way to be anonymized that I can do? For example, can my system clock or anything else give an information?

Yes, there is one more thing that can trip you up: your personality. What you're trying to do is called sockpuppeting. You may have noticed that some sites like Stackoverflow and Reddit have moderators. They're the last-line defence against sock puppets. And in my personal experience is that they base their detection primarily on "hunch".

Once they have a hunch that something is fishy they'll usually dig your posting history and find phrases or political views or mispellings or any pattern that's consistent. That is how sock puppet detection is done once you get past auto-detectors like referrer detection or IP address detection or username similarity detection (it's amazing how some people insist on using discoverable patterns when choosing usernames) etc.

Against another human it's quite hard to avoid detection unless your second account does not do anything at all that's related to your first account. Then again, that generally defeats the purpose of sock puppets.

Solution 3:

Websites can't see your MAC address at all, so you don't need to use a VPN.

Solution 4:

A client's MAC address is used by the layer 2 protocol, eg ethernet, to uniquely identify each node on the local network. It is most likely that the web site that you are reaching is NOT on your local area network and hence will not see your MAC address.

For sake of illustration lets say you have a PC on a LAN and you want to access a web site, eg google.com. First thing you need to do is find the best route to google.com. This will be via a router. most likely some sort of broadband router. If you are on ethernet, your networking systems places an ethernet frame round chunks of data in your request. In each frame there will be a to MAC address and a from MAC address. The to MAC address is the MAC address of your router and the from MAC address is your PC MAC.

The router, when it receives the frame will strip off the frame and reframe it for the next leg of the journey. I don't know much about ADSL framing but there will still be a frame used - some sort of dsl type frame. This time the to MAC address will be the MAC of the next node on the route to google.com. The from MAC will be the MAC of the broadband side of your router.

So you see, google.com will never see your PC's MAC address. It sees your IP address, sure, but not your MAC.