Very interesting, and evil: abusing the ETag mechanism for user tracking. (If a user requests some sort of unchanging resource without an etag, you give them a fresh one; and if they request a resource with an etag, you give it to them, with the supplied etag, and record the user.)
Even if Hulu turned off cookie respawning via etags, you can still track users this way, on the server side. I guess the tricky thing is to correlate the etag of the tracker resource with the rest of the requests that a user makes on a site.
> Even if Hulu turned off cookie respawning via etags, you can still track users this way, on the server side. I guess the tricky thing is to correlate the etag of the tracker resource with the rest of the requests that a user makes on a site.
The important distinction is that the ETag is literally no different than a cookie, when used this way. Turning off caching is the new turning off cookies.
> ...the tricky thing is to correlate the etag of the tracker resource with the rest of the requests that a user makes...
Not tricky though. Just put a 1-pixel Etagged gif on every page. It gets requested on each page. Or just associate (server-side or client-side) the user's session cookie with the Etag.
It is a lot older than evercookie. I remember porn affiliate scripts that were using ETag back in 01-02. It is a well known method, as is using Last-Modified.
Reminds me to write a firefox plugin to strip etags and "if-none-match" - pretty sure most pages can function just fine without them and use last-modified, etc instead. Kind of surprised to not find anything yet on addons.mozilla.org
That's a good point and this would not be practical in a regular browser session but if someone chooses private browsing, an extension could be sure to strip "last-modified" as well as "if-none-match".
Would hurt the server a little and reduce speed because there would not be any caching but still helps guarantee no tracking.
On a properly written server you could "fuzz" the date of "if-none-match". Then it would still work for caching, but would not uniquely identify you.
The trouble is that most servers are not written properly; the date is not parsed, rather it's string-compared with the file date.
For example if the server sends the timezone as EST vs +0400 the browser will send it back exactly as it gets it, when normally you would think that should not matter.
Last-modified is just as vulnerable as ETag is, since you can set any string as the modified date (it doesn't have to parse as a date) and the browser will replay it.
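The mechanism described in the first comment (mint a random validator on the first request, echo whatever the browser replays afterwards) and the strip-the-conditional-headers mitigation discussed just above, as an added example that is not part of this thread or of any real product. The server and browser classes, the `looks_like_tracking` heuristic and the `correlated_visits` counter are my own constructions; the header names in `CONDITIONAL_HEADERS` are the standard HTTP conditional request headers, which covers the Last-Modified replay (`If-Modified-Since`) as well as ETag (`If-None-Match`).

```python
import secrets
from dataclasses import dataclass, field

# Request headers a browser replays verbatim from an earlier response.
# Dropping them is the mitigation the thread proposes: no replay, no tracking,
# at the cost of losing conditional caching.
CONDITIONAL_HEADERS = frozenset({
    "If-None-Match", "If-Modified-Since", "If-Match",
    "If-Unmodified-Since", "If-Range",
})


@dataclass
class TrackingServer:
    """Hypothetical server that uses the ETag as a cookie substitute."""
    hits: dict = field(default_factory=dict)  # ETag value -> requests seen with it

    def handle(self, headers: dict) -> dict:
        # First visit: mint a random tag. Later visits: echo back whatever the
        # browser replays, so one client keeps one identifier indefinitely.
        tag = headers.get("If-None-Match") or f'"{secrets.token_hex(8)}"'
        self.hits[tag] = self.hits.get(tag, 0) + 1
        return {"ETag": tag, "Cache-Control": "max-age=31536000"}


@dataclass
class HonestServer:
    """Server whose validator derives from content: identical for every client."""
    etag: str = '"content-hash-placeholder"'  # constructed value, not a real hash

    def handle(self, headers: dict) -> dict:
        return {"ETag": self.etag, "Cache-Control": "max-age=31536000"}


class BrowserCache:
    """Minimal model of a browser cache: store the validator, replay it later."""

    def __init__(self, strip_conditionals: bool = False):
        self.stored = {}  # url -> last ETag received
        self.strip_conditionals = strip_conditionals

    def fetch(self, server, url: str) -> str:
        headers = {}
        if url in self.stored:
            headers["If-None-Match"] = self.stored[url]
        if self.strip_conditionals:
            # Privacy mode: never reveal what we already hold.
            headers = {k: v for k, v in headers.items() if k not in CONDITIONAL_HEADERS}
        resp = server.handle(headers)
        self.stored[url] = resp["ETag"]
        return resp["ETag"]


def looks_like_tracking(server, url: str = "/pixel.gif", probes: int = 3) -> bool:
    """Detection heuristic: fetch the same URL from several fresh caches.

    A content-derived validator is the same for everyone; a per-client
    identifier differs from one fresh client to the next."""
    tags = {BrowserCache().fetch(server, url) for _ in range(probes)}
    return len(tags) > 1


def correlated_visits(server: TrackingServer, strip: bool, visits: int = 3) -> int:
    """Largest number of one browser's page loads the server can link to a single tag."""
    browser = BrowserCache(strip_conditionals=strip)
    tags = [browser.fetch(server, "/pixel.gif") for _ in range(visits)]
    return max(server.hits[t] for t in tags)


if __name__ == "__main__":
    print("honest server flagged:", looks_like_tracking(HonestServer()))
    print("tracking server flagged:", looks_like_tracking(TrackingServer()))
    print("linked visits, normal cache:", correlated_visits(TrackingServer(), strip=False))
    print("linked visits, stripped headers:", correlated_visits(TrackingServer(), strip=True))
```

The detection check is the part worth keeping: a validator that differs between two fresh clients for an unchanged resource is an identifier, whatever the header is called. The stripping mode shows the trade-off raised in the thread: the tracker can no longer link visits, but every request is a full fetch.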
The writeup about the two extensions for firefox is wrong; those two were meant to block the trick where you can determine if a user has visited a specific site/page by looking at the link color/state.
I don't understand why this keeps getting press. It's nothing new, this method has been around for at least 4 years. Schneier should be well aware of it.
We created a PoC a while ago showing ETag + browser fingerprinting to replace cookies/client-side storage: http://www.adperium.com/tracking
It works in all major (desktop) browsers, but not in some mobile browsers.
I think the cookie debate (in the EU) is not in the best interest of users: with cookies, the user has full control of the data stored, can easily purge cookies, etc. With user-tagging technology moving server-side, this gets a lot more complicated.
What it really boils down to is this: you cannot have both caching and privacy.
For the cache to work your browser must reveal to the server what it has already downloaded, one way or another. And the browser cannot really tell which of the downloaded pieces of data were specially generated to track this particular user.
A possible workaround is to create an intermediate cache to share it with multiple other people, but this creates other privacy concerns.
I believe Google is doing this with its google voice product. We're unable to access our google voice accounts outside the USA, despite disabling flash, deleting all cookies, etc. The ironic thing is, of course, that this is when we need it the most, as we miss more calls being in a radically different time zone.
Well, I'm using different IPs than the "home" IP we used when we signed up. Any attempts to get into google voice for me, though, say that it is not allowed outside the USA.
Yep, so they just filter by whatever IP you are connecting from outside the US and that's it. Countless websites and services have been doing that for a looong time - just as evil but should not have anything to do with cookies because then you should be able to sign in just fine on a different machine and use voice.
What do you mean by this? I've always been able to send and receive texts through Google Voice in Canada, I can also call (only have it set up to call my gmail) using the web interface. What I've never managed to do is activate the app on my android phone to allow my send/receive texts there even if I couldn't do calls without a US phone number.
I sometimes run into a problem with Google that when I try to log out, I remain logged in. Even after deleting my cookies, I find myself logged in still. This may explain why.
Why wouldn't google want people to access their voicemail, texts, etc. and make web calls with their GV number all on the computer when they are outside of the country?
Hm, not sure what to tell you. Check the country you have specified in your account settings too, it has to match. All I can say is that I was able to create a "US Google Account" where my country said "United States of America", but was denied when I tried to access Google Voice. My Tor endpoint was in Russia. When I directed Firefox to use an HTTP proxy with a US endpoint, Google Voice fired right up and let me choose a phone number. Hope that info helps somehow.
They tried to make their cookies undeletable. Why would they do something like that? The fuss is that it's a bad, dishonest, skeezy thing to do. Kissmetrics has shown that they are not an honest company, they're a dishonest one that will disregard the privacy concerns of their users' visitors.
RyanGWU82 makes a good point though. People only whined about the "evercookie" method of tracking because of the potential for abuse (across multiple Web properties). Why on Earth would you care if someblog.com knows for sure that you've been to their site five times? I don't think the problem here is that you can be tracked using multiple methods that were not originally intended for use in tracking. I think the problem is that people always had a false sense of privacy (i.e., there was ignorance about what can and cannot be used to track your client).
You're accessing a remote server. There will always be a way for sites to track your visits. There is a necessity for those sites to track your visits. Don't care about their necessity to track you? Stop going to those sites.
See, I still don't understand how this is dishonest. They didn't try to make "undeletable cookies," they're not using cookies! I understand that to a layperson "cookie" means "anything that identifies me to a web site," but they're wrong, and what's dishonest about using an analytics mechanism that's not a cookie?
Even if -they- never aggregated the data, does that really mean that nobody aggregated the data? If the clients get raw data, couldn't they (privately) swap data with another client? I assume that if it can be done, it will be done.