Cookieless Web Tracking Using HTTP's ETag

An anonymous reader writes "There is a growing interest in who tracks us, and many folks are restricting the use of web cookies and Flash to cut down how advertisers (and others) can track them. Those things are fine as far as they go, but some sites are using the ETag header as an identifier: Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser an unique ETag, and when they connect again it can look it up in its database. Neither JavaScript, nor any other plugin, has to be enabled for this to work either, and changing your IP is useless as well. The only usable workaround seems to be clearing one's cache, or using private browsing with HTTPS on sites where you don't want to be tracked. The Firefox add-on SecretAgent also does ETag overwriting."

Secret Agent

[Jeremiah+Cornelius]

Here we come. :-)

Add this feature to a chaff-creating plugin, to crapflood servers with fake tags.

Re:Secret Agent

[kasperd]

Can SecretAgent detect tracking through ETags? Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?

The way I'd detect it would be with some extra background probes after a page has been loaded. The background probes start once the browser has finished loading and has become idle. Then the browser could open another connection and request the same resources again without sending any information, that could be tracked. If it receives a different ETag or different content this time around, it empties the cache for that domain and disables caching for that domain for a few hours.

Re:Secret Agent

[KiloByte]

Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?

ETags are only one of many methods to achieve caching. Getting rid of them shouldn't have a big effect on caching.

Other methods typically have privacy holes as well, but it's easier to deal with them, for example by rounding timestamps down to the last midnight. ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

Re:Secret Agent

Etags are the only viable method for caching information that doesn't have a clear expiration window when it is served. Many pieces of dynamically generated content can provide an etag to safely allow caching until some unknown future event requires an update. Simply slapping a 24-hour expiration header on will not achieve the same effect, and will break many services.

Plus even a lot of static content is served with short expiration times (if any) because content publishers want to be able to make changes at any time without constantly monkeying with the web server settings, and want to ensure that updates are atomic so users get a predictable experience rather than images from yesterday's new story with today's text.

If you're happy only caching according to expiration dates and making unqualified requests for everything else, go ahead. But don't pretend it won't have an impact on the amount of data you transfer or the speed of your browsing.

Re:Secret Agent

If you get a new etag with new content that's the normal and expected use of etags. They could be tracking, or they could simply have updated their content since you first loaded it.

If you get a new etag with the same content that's more likely to be tracking. At the very least it's a poorly configured etag generator, because it's making you re-fetch data you already have. But you do see this behavior sometimes from "innocent" sites that always provide an etag but don't base it on the actual content -- for example, a caching proxy that provides an etag for every document it receives in one chunk but doesn't actually cache all of those documents, and generates the etag based on the caching ID instead of the content itself. In any case, you probably wouldn't lose much disabling conditional GETs for such a site.

Re:Secret Agent

[Wrath0fb0b]

ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

I hate to break it to you, but the entire browser is nothing but a device for storing (and then parsing!) arbitrary attacker-provided strings. It's even got a perverse sort of link-chaining mechanism where, after receiving one such string, it will go out and fetch (and parse!) another one at the attacker's choice of address.

This is not a security vulnerability, it's the design of the system in which there was never a requirement to ensure that a client could visit a server multiple times without the server knowing (or inferring) that it was the same client. It's meaningless to say that a protocol is vulnerable because it doesn't meet a property that it was never designed for (any more than RSA is broken because it doesn't offer repudiation).

Now a client can always elect to send random e-tags, slowing himself down (most dynamic content is not time-cached) and adding to the bandwidth load on the server. I'm sure someone will cook up an extension that does this, and we'll be back to where we were before this non-story.

Re:Secret Agent

[kasperd]

If you get a new etag with new content that's the normal and expected use of etags. They could be tracking, or they could simply have updated their content since you first loaded it.

True, but since the secondary background probing would be started immediately after page loading has completed, there is only a very short period during which this could happen. So it would only happen in rare cases. The possibility that it could happen is why I would only disable caching for that site temporarily.

There can be dynamic content, which changes every time you access it. Such content shouldn't be send with an ETag in the first place. It is however an obvious candidate for use in tracking. It is easier to implement, if you don't have to worry about interaction with legitimate use.

Re:Secret Agent

[psydeshow]

ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

I hate to break it to you, but the entire browser is nothing but a device for storing (and then parsing!) arbitrary attacker-provided strings....

This is not a security vulnerability, it's the design of the system in which there was never a requirement to ensure that a client could visit a server multiple times without the server knowing (or inferring) that it was the same client.

Yep. Bingo.

Safest solution is to write your own "browser" in PHP or something and keep the request headers limited to just GET and Host:, and don't download any linked stylesheets, scripts, images, favicons, objects, or embeds. Have fun with that!

It *would* be nice if there was a paranoid mode in Firefox or Chrome that prevented cross-domain resources from being loaded. But that would break a bunch of sites, too, where some yokels bought the argument that speed is everything and spread their frontends over a bunch of different subdomains and third-party CDNs.

Re:Secret Agent

[allo]

Of course, you could use cache times and checking which images were loaded to store information as well. But one image has 1 bit of information, while one single e-tag (i.e. on one imagE) has many bits.

Firefox makes cache clearing difficult

Changes were made in the past few years to make it much more difficult to clear the cache frequently and easily.

You must jump through various menus and dropdowns. The team argued that this was progress, and it helped prevent inadvertant cache clearing. Their argument was very weak.

It forces me to hassle with yet another plugin to make my very frequent cache clearing quicker. But at least it is now an icon on the toolbar, with no prompting.

Re:Firefox makes cache clearing difficult

[Ambiguous+Puzuma]

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

Re:Firefox makes cache clearing difficult

[realityimpaired]

Lack of ability to clear the cache at all is why I stopped using Firefox on my tablet, actually... Still haven't found a browser that has as much privacy as I would like, but at least Dolphin lets me turn off cookies entirely and clear history/cache on exit.

Re:Firefox makes cache clearing difficult

[seyyah]

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

I also like the Ctrl+Alt+Del option. I've yet to see a website that can track me after that.

Re:Firefox makes cache clearing difficult

[ChrisMaple]

rm -r /<your_home_directory>/.mozilla/firefox/<some_peculiar_directory_name>/Cache/* in Linux.

Re:Firefox makes cache clearing difficult

"Settings > Clear private data", or always use private tabs.

Re:Firefox makes cache clearing difficult

[Mike+Frett]

Edit>Preferences>Privacy Tab> Check 'Clear History When Firefox Closes' and click Settings to select what to clear on Exit. How is that difficult? Note: This is for the Linux version, I dunno about Mac/Win.

Re:Firefox makes cache clearing difficult

Here, let me give it a try. Nope nothing yet that I c

<NO CARRIER>

Re:Firefox makes cache clearing difficult

[Agent+ME]

History -> Clear Recent History -> checkmark the cache box

How much easier do you want it?

Re:Firefox makes cache clearing difficult

[TheGratefulNet]

see 'prefbar' plugin for firefox. turn off animation, flash, cookies, clear-cache, etc. configurable. been using prefbar for years and my installs always include this plugin.

Re:Firefox makes cache clearing difficult

[fast+turtle]

fstab - mount the firefox cache directory on /tmp (ramdisk)

Re:Firefox makes cache clearing difficult

After reading TFA, I asked FF to clear my entire history on exit. Then I closed the browser and waited... and waited... and had lunch... twenty-five minutes went by and Firefox was *still* running in the background (this is Windows 7), so I brought up Task Manager and killed it. Big mistake. The next time I brought up Firefox it hung on open, and kept doing that even after rebooting.

I had to resort to firing up IE (!) so I could google the problem. What I found is that you have to fire up the DOS command prompt (as in C:\) and start up the Firefox profile manager and create a new user profile. Because you can't do that from the regular UI when it hangs at startup! Someone helpfully explained that the FF cache filesystem structure looked like it was designed by morons, and that sounds like the best current explanation. OK, I understand about growing pains for software projects, and not everything can be state of the art the first couple times around. Only, this is *FF 23* I'm running, in 2013, not FF 2 in 2003. If they are going to advertise this as Version 23, it had better be a hell of a lot better than a vintage 1985 DOS product.

Re:Firefox makes cache clearing difficult

[zippthorne]

If you're messing with fstab, why not just mount it to its own tmpfs?

Re:Firefox makes cache clearing difficult

Pressing Ctrl+Alt+Del on any Windows NT variant takes you to the lock screen ... are you still running Windows 3.11 or something?

Re:Firefox makes cache clearing difficult

Wooosh.

Re:Firefox makes cache clearing difficult

[psydeshow]

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

Cmd-Shift-Delete on a Mac.

Nice shortcut, thanks!

Re:Firefox makes cache clearing difficult

[allo]

The most annoying problem: Firefox caches redirects. You cannot easily clear the cache, and it will redirect you, even when the url does not redirect anymore.

Nothing new

[deanrock0]

Did they just invent ETag or what? This "feature" is known for a few years and there are existing implementation, including this one: http://samy.pl/evercookie/ from 2010.

Re:Nothing new

Did they just invent ETag or what? This "feature" is known for a few years and there are existing implementation, including this one: http://samy.pl/evercookie/ from 2010.

The wikipedia article on ETag links to a page from 2003 discussing ETag's usability for tracking.

Re:Nothing new

It isn't new. It's just a reminder the lengths at which marketers go to track you online (and by extension the NSA, since they can request those records at any time).

Re:Nothing new

[maxwell+demon]

One more reason to use RequestPolicy. A request that isn't even made cannot reveal any information.

Re:Nothing new

NSA can just request the ISPs to give away logs of every connection ever made, they don't need to track using cookies when they can just see who connected where. Not even stuff like Tor is safe against that (since they can just trace back the node chain with those logs).

Re:Nothing new

[behrooz0az]

I'm afraid tor is safe against that.because it's traffic crosses borders that NSA cannot. And you can manually adjust hop count if you're too paranoid(developers advise not to; because it only degrades performance).

Tracking $$$$

[Ed+The+Meek]

Tracking information is worth billions of dollars. With that much money on the line - we'll be tracked like escaped inmates - one way or another.

Re:Tracking $$$$

[hedwards]

Or we could actually have the legislature make doing so in any form without the expressed written permission of the person being tracked, illegal. Unfortunately, getting the conservatives to allow an up or down vote on that in the Senate is rather unlikely. Because ZOMG TEH BIG GUBMINT GUNNA HURTZ TEH BIZNISS.

Re: Tracking $$$$

[Ed+The+Meek]

Well, that sounds good in theory, but I doubt that any laws would be written in such a way as to actually cure the problem. Usually too many loopholes in the laws. Like the "established business relationship" in telemarketing laws. Oh, and there's always the NSA....

Re:Tracking $$$$

Ah, I hate to break it to you, but leftists have plenty of reasons to want to track us too.. It's hard to to grow a state bureaucracy and overstepping government without surveillance.

Re:Tracking $$$$

LOL Yeah, cause [sarcasm] gubmint does SUCH A BANGUP job with telemarketers, finance area, etc [/sarcasm]. Oh wait...

Re:Tracking $$$$

[hedwards]

You do realize that this is the result of the legislation being watered down to permit that behavior, right? Causing problems so that you can be antigovernment is not a strategy for better governance. It's a strategy to ensure that the government never functions well.

Re:Tracking $$$$

The economy is spiraling out of control, every TLA is spying illegally on hundreds of millions of americans, we have Obamacare which is spiking the costs of health insurance to unafforadable levels, and the problem with all of it according to you? We need MORE government.

You are a total tool.

Re:Tracking $$$$

[hedwards]

There are very few leftists in the US government. I know that you right wingers like to pretend like Obama is a leftist, but the fact of the matter is that he's a conservative, it's just that you folks have gone so far to the right, that you can't tell the difference between a moderate and a lefty.

Re:Tracking $$$$

"but leftists have plenty of reasons to want to track us too.." I hate to break it to YOU, but you're a paranoid moron.

Re:Tracking $$$$

Even if a law didn't have loopholes, it wouldn't matter because face it, tracking on the Internet is not a high priority for any police or regulatory body. Maybe the FTC would like handing out fines or letting people sue for easy damages, but that doesn't matter when most people don't care.

This is one of those cases where the technical solution is better. You can't trust everybody to follow the law on the Internet and let's not forget any law can only be enforced in it's jurisdiction.

Re:Tracking $$$$

[Moridineas]

I agree that beyond a few hot button primarily social issues (the issues that are at best paid lip service by the parties, but gets the blindeyed partisans really riled up--abortion, gay marriage, immigration, taxes, etc) there's little difference between the parties in overall philosophy. Neither pants wants a small--or even a smaller--government, they just want it big in different ways.

It's long been noted that despite their intense mutual loathing, many of the complaints of the Tea Party and Occupy are the same. Many of (Ron/Rand) Paul's and Dennis Kucinich's complaints are the same. One would never accuse Tea Party, Occupy, Pauls, or Kucinich of being moderates or on the same end of the spectrum, yet they share a lot in common.

However, your statement is patently silly. Beyond the implicitly nebulous nature of left/right (and of course you will trot out the tired "but in Europe Democrats/Republicans would be..." trope. Europe is only one, relatively small example of the spectrum of left/right politics worldwide), many--if not most--of Obama's plank platforms are not in the slightest rightwing. Maybe, just to toss this out there, it's just that the Democrats have gone so far left (and the big government Republicans have followed), that you can't tell the difference either!

Re:Tracking $$$$

oh, you're right of course.. I forgot that the 'real' leftists, ie lenin, stalin, hitler, pol pot, kim il sung, et al are the real leftists then? Trust me, today's USA 'liberal' is not that far away..

Re:Tracking $$$$

Uh no.. I'm not. I'm telling the truth. Most of that shit the neocons passed over the last decade couldn't have happened without democrat support. Power is power, buddy. I don't care what ideological boilerplate you slap on it. You need to get a clue. Both parties routinely shit on the constitution and what it represents.

Re:Tracking $$$$

[Concerned+Onlooker]

I guess the corollary is that todays USA "conservative" is not that far away from Franco or Mussolini. (By the way, Hitler was not a leftist).

Ease up on the hyperbole, eh?

Re:Tracking $$$$

oh, and one other thing.. extremism isn't necessarily wrong as it's just a measure of relative distance to popular opinion. Things like heliocentricity were once considered 'extreme' too, but it's still the truth, and that's all that matters. You're basically making an argument from consensus. Extreme or not, it is true that the USA democrats are moving further and further left as time goes on, becoming more and more like the socialist dictators of old.. None of the shit they've been pushing over the last 8 years would've flown, even as late as the mid 90s.. Americans have just gotten too jaded.. It's too bad, really, to watch this country spiral down into 3rd world, socially feral, entitlement zones like much of the rest of the world.

Wake up, there are other answers besides the old democrat/neocon battleground.

Re: Tracking $$$$

[grantspassalan]

Is there a law that states that browser makers, such as Microsoft, Apple and others MUST include all that extraneous information that their browsers send to Web servers without the user's permission? Why must there be *any* information sent to a Web server other than the actual request for data? Why must a Web server know any information at all about what kind of an OS, sites last visited or whether or not a user has visited a site before? If these companies that make browsers really cared about privacy, they would enable their users to select which, if any, of this data to send out on the Internet. Perhaps somebody might get rich making a browser that allows users to return off the sending of all that extra information.

Re:Tracking $$$$

1. yes, hitler was a socialist.. nazi = national socialist.
2. you are telling me that USA democrats are not true 'socialists' (no true scotsman fallacy), yet, the neocons are one step away from mussolini, and you want me to ease up? My hyperbole was a tongue-in-cheek response to his. I really dont care how far left Europe is.. Those countries have a very different sense of what liberty means..and they're welcome to it. I just wish they'd cut the smarmy "USA has no leftwing" routine. I don't want my country to be like western europe, as those cultures have become way too passive aggressive and feelings driven for my taste... of course, today, american culture is pretty far gone at this point anyway.
3. BOTH parties are becoming more extreme in their ideology as they push it harder and harder as the solutions for problems they caused in the first place. Just to be clear, I want them both gone.

Re:Tracking $$$$

hitler called himself a socialist that doesn't mean he actually was one

as usual with politicians: ignore the retoric and watch what they actually do

Re:Tracking $$$$

Interesting assumption, too bad there aren't any leftists in the US to begin with.

Re:Tracking $$$$

[the+eric+conspiracy]

Only in the US does Obama get called leftist. He is either centrist or moderate rightist.

http://www.theamericanconservative.com/dreher/the-conservative-obama/

Compare his policies to Ronald Reagan and you will find very little difference. For example both ran huge deficits in order to stimulate job growth.

http://www.thedailybeast.com/newsweek/2009/11/20/channeling-the-gipper.html

The fact of the matter is that the right wing of American politics has become really extreme over the past 10 years.

Re: Tracking $$$$

[maxwell+demon]

Why must a Web server know any information at all about what kind of an OS, sites last visited or whether or not a user has visited a site before?

You have a point about the OS and half a point about "site visited before" (but that's one thing I don't care about; if I visit a site I expect the site to know that), however the browser does not by default send a list of sites last visited. That's only revealed by tricks using features which were certainly not intended for that .

Re:Tracking $$$$

[hedwards]

In case anybody is wondering why I'm so mean to conservatives, this kind of dribble is precisely why.

Considering that the GOP Presidents spent $10tn of the national debt, mostly during good times, it's hilarious that you're singling out Obama for being a thief. What's more, the largest transfer of wealth in US history happened because the Federal Reserve decided that inflation is a good thing and then set the inflation rate higher than the interest rates. Basically adding more paper to ensure that the rate of inflation would be higher than the interbank loan rates.

Re:Tracking $$$$

[hedwards]

It's not silly. It is somewhat arbitrary which side you label as being left and which is right. However, the spectrum is the same no matter where you live in the world. In no part of the world is Hitler a moderate, nor Stalin for that matter.

Obama's policies are roughly in the middle between the two extremes in general. Sure on things like security, he's on the right, but for the most part, his policies are in the middle.

Re:Tracking $$$$

Go and try to deceive your wife, children, parents, relatives, and friends with that puke, but don't ever think that such a lie will ever have any effect upon a wise conservative. You are nothing more than a pathological liar and deceiver!

Re:Tracking $$$$

In case anybody is wondering why I'm so mean to conservatives,

No, you are mean because you think the purpose of the government is to punish people you don't like, not to do good things for the people. You get a thrill up your leg every time a tax increase is mentioned because for some reason you think it will apply to other people and not you. You get excited when you hear about new regulations because you think it will destroy companies you don't like and you don't give a crap about how many people will lose thier jobs when that happens, just as long as the three people at the top are "taught a lesson"

What you fail to see is government abuse hurts everyone, including you. You are just another moronic idiot voting for more opporession on yourself because you think being a good little DNC voter will make you immune to such things.

Re:Tracking $$$$

[Ixokai]

The thing is, you're wrong.

Very, very little of what Obama wants or has done is even close to what the progressives of the left actually want. Health care reform? He enacted the model proposed by the Republicans and devised by a right wing think-tank to create a market-based approach to near-universal healthcare: if you think the left is happy with Obamacare, you're not paying attention.

Its simply *better*, and so we will stick with it. What the left wanted was a single-payer really universal healthcare, but we compromised and were willing to go along with the ACA as long as we'd get a single-payer *option*. Then that got dropped, but most of the left decided to support the ACA anyways because really, it was better then what we have now.

Obama is a centrist; center-right in most issues, occasionally center-left. There is nothing even remotely radical about anything he's done, there's been no great pull to the left. The left has gone a bit farther left then we were a decade or so ago, but that's been in response to the monumental shift the right has gone.

There's a wholesale assault on reproductive and fundamental voting rights going on from the right these days, which is just stunning in that these are things that *only* the most extreme of the right's base want.

On civil rights, surveillance, foreign policy, environment, business regulation, ... and on and on, Obama is not at all in line with what the left wants. He's just not as bad as what the crazy people on the far right want.

Yes, there are some narrow places where the far left and the libertarian wing of the far right actually agree, and its weird when it happens: but those are on very specific and very narrow issues. The problem with that libertarian wing is then they fall flat on their face in when the social conservative bloc of the far right has to be dealt with in primaries, and suddenly small government meets bedroom and private health, and oops.

Re:Tracking $$$$

" Both parties routinely shit on the constitution and what it represents."

OP to which you replied, yes that's of course true. What have you done lately, warmonger? Democrats were sold out by their leadership on the wars. Republicans feel sold out when there ISN'T a war. Denying minority CITIZENS the right to vote, that's your next election strategy? Ask Colin Powell if you have the balls.

Re:Tracking $$$$

See: Argentina calling itself leftist, yet probably being the country with the most intrusive and massive surveillance in the entire world, making the NSA or China or everybody else look like complete pussies in the process, and having developed an entire culture around it to top it off, to ensure it can never be removed.

This will happen as long as individuals are given any sort of power. Even if temporarily.

Re:Tracking $$$$

It's not that they don't have some of the same complaints, its what they want to do about those complaints.

The Pauls, Teas and Repubs all want more corporate control over our lives and government so small the only thing it can regulate is a vagina all while the public still gets spied on, the water gets poisoned with industrial waste and the food supply is filled with every disease and genetic modification ever discovered by man and some we have yet to find all for a quick buck this quarter, the future be damned since they wont be prosecuted and even if they are they'll have their golden parachute to fall back on in Milan.

While the left wants companies and government out of our personal lives and instead want the government to force the companies to not the things that are not good for anyone else but the executives and their paid off personal politicians.

In the middle you have most of the democratic party led Obama, the spineless compromiser in chief.

Re:Tracking $$$$

Vermont and I think it was Colorado are already putting in for federal vouchers to build their own single payer system. Once a single state has single payer it will only take a few years for the insurance company dominoes to start falling around the country to kill off the health insurance leeches once and for all.

CAPTCHA = clinics

Re:Tracking $$$$

And Stalin called himself a communist, doesn't mean he actually was.

Re:Tracking $$$$

You should try and get a patent on the crack you are smoking, it is some seriously powerful stuff.

Re:Tracking $$$$

[dave420]

If we remove the ability for those people to track us, doesn't that mean that those Sagans of dollars need to be put back in to the industry in order for our current "internet experience" to remain as it is? I'm not saying where we're currently at is great or all, but if it is that large amount of money, we'll notice the difference if it leaves.

Re:Tracking $$$$

You should try and get a patent on the crack you are smoking, it is some seriously powerful stuff.

And you're right at the top of the mailing list, like always.

Oh yes, your request for a larger line of credit has been approved. We can't leave our best customer hanging!

Re:Tracking $$$$

lol
The wise never call themselves wise. Only fools claim to be wise.

Ahh, Progress

It's amazing how no one sees these issues during the development of these new 'features', or if they do no one listens to them about the pitfalls.

Progress, it's not just for the user experience. At least it's less painful than a dart with a tracking device attached.

Re:Ahh, Progress

People knew caching could be used to track people way back when it was created.
The thing is you can't realistically fix it, either. Fixing it would mean breaking a huge optimization feature and make costs rise for everyone.

It isn't some feature like javascript alert loops (which only got fixed a few years back where everyone agreed to add "ignore any other alerts" option on alert boxes if there are enough of them popping up. I think Chrome is 3 alerts), or creating window loops, or locking the keyboard out from accessing the system. (still an unfixed problem)
Development got much better when WHATWG came around.
All these new features being added have huge safeguards in them, such as requesting by default on things that could give out information such as geolocation, or the new mouse-window-locking feature and so on.
Some other things are also being fixed from the mess of the W3C age, even iframes getting some TLC since they were neglected for so long.
Nothing wrong with iframes, but the implementation is what was lacking, sandboxing, some basic security and that.
For example, being able to render a sandboxed iframe that flows with the document, that would have been a glorious feature. But XHR and element creation took over.

Caching is something that likely won't get any fix.
More than anything, there will likely be a push for better cache-clearing so you can clear on a per-site basis, or even per-item.
I'd be for the former, but the latter would empower people even more.
I guess we wait for the cache-clearing war in the coming year.
I can SO clear my cache better than you. I can flip bits with cosmic rays in my browser. Does your browser have that? Checkmate.
Also, asking to allow a site to cache content on the computer in question would become so annoying people would enable or disable outright since caching is used everywhere.
Talk about being between a supernova and a blackhole.

Secret Agent addon

The addon's homepage appears to be this:
https://www.dephormation.org.uk/?page=81

Just clear the cache...

[AliasMarlowe]

On all of our PCs, Opera and Firefox are set to clear their caches and delete all cookies etc. every time they exit.
Also, I occasionally clear all private data while browsing in Opera, including the cache, cookies, history, and so forth (passwords are never saved by the browser). Obviously, I have to log in again the next time I visit slashdot.

Re:Just clear the cache...

[aliquis]

delete all cookies etc. every time they exit.

I have to log in again the next time I visit slashdot.

Too much work. Well, except if I'd never quit the browser but then it wouldn't make any difference.

Re:Just clear the cache...

Keepass. You press a hotkey and are logged in. Wow, that was a lot of work.

Re:Just clear the cache...

[SGT+CAPSLOCK]

Security is a trade-off. It's always going to take more work to set up and maintain security for yourself than it would to, say, remain traceable and insecure.

If you're lazy, then you're certainly the best kind of target.

SecretAgent - Not Found Firefox 23.0.1

Sorry, but I couldn't find the add-on mentioned in the article. Tried a few different terms other than "SecretAgent" as well. Anyone have the equivalent for Firefox v23+
?

Thanks.

Re:SecretAgent - Not Found Firefox 23.0.1

https://www.dephormation.org.uk/?page=81

Old News is So Exciting!

Several big sites, including Hulu, were discovered using this technique back in 2011.

Slashdot probably reported on it then, but I doubt any of the editors understood what they were reading.

Another Job for RequestPolicy

[Jah-Wren+Ryel]

The RequestPolicy add-on should handle this too. RequestPolicy blocks cross-site references by default and lets you whitelist individual cases. If you don't even talk to the tracker websites then they can't track you.

If the main website you access tracks you via etags the risk is limited to tracking your actions on that website which you'd have problems avoiding anyway since they can track you via ip address or if you have an account on that website.

Re:Another Job for RequestPolicy

I use RequestPolicy, and it definitely isn't for most people. It increases the amount of effort needed to browse the web by a factor of ten.

Every other site I go to is actually served from about two dozen separate locations. CSS comes from one domain, images come from as many as 6 domains, javascript comes from as many as 3 domains, and it isn't unheard of to see twenty different sets of trackers and widgets getting bolted on, not including the addidional baggage that they bring.

It's fucking ridiculous.

Oddly enough, sites hosting their own tracking will make RequestPolicy fail miserably, since it only deals with cross site refs. Such sites are the exception, though.

Re:Another Job for RequestPolicy

[Jah-Wren+Ryel]

I find that about half the sites I go to don't require any whitelisting at all, another ~30% are good enough with white-listing only a couple of other sites (usually CDNs). But it does take a while to get the hang of guessing which are the required sites and which are just fluff and/or trackers.

Re:Another Job for RequestPolicy

[Idetuxs]

Luckily for us, most sites have petitions to domains like wetrackyou.com, adsadsandmore.com, doubleclick, exoclick, and so on. The CDNs are identifiable by the name too. And lots of petitions to googleapis, googleanalytics, googleajax (or something like that).

But yes, every time you go to a site never visited before it may be a struggle. That's something to think about when designing websites.

*Surprisingly way more cross site petitions to google domains than to facebook's. WAY more. It's actually really impressive, like if google owns the frickin internet.

Re:Another Job for RequestPolicy

[TCM]

Yeah, it must be immensely hard to have a domain foobar.org and just create a cdn.foobar.org subdomain. Instead, every hipster startup goes to register fbrcdn.org instead. It's as if noone understands DNS anymore - every purpose gets a new domain instead of having a good structure.

Re:Another Job for RequestPolicy

Considering the Google outage taking down 40% of the Internet the other day and the fact that most people are dumb enough to Google URLs instead of going to them directly Google does indeed technically own nearly all of the English speaking Internet and a large portion of the rest.

Re:Another Job for RequestPolicy

[allo]

hosting you own tracking isn't bad at all. You know what i'm doing at your site, anyway. Because you have the httpd-logs. But services like google analytics provide the page owner very limited information, but have themself detailed information where the user was, because many many sites are using it, and it can track the user across all these sites.

They just don't seem to get the message

[Somebody+Is+Using+My]

I always imagine the webserver as having an internal conversation that goes sort of like this...

Hey, a new visitor to the website? I wonder who he is?
Well, I'll just drop a cookie on there to keep track of him... and, hmm, it seems he's blocking cookies.
Oh well, let me just insert this bit of Javascript; that'll work just as well.
Dear oh dear, it seems Javascript isn't working.
No worries, I'll just insert a little 0-byte web-bug graphic and... wait? That's prevented as well?
Damn it, Flash-cookie! That'll get him! WHAT?!?!? Disabled as well?
E-Tag! That has to work, right?
ARGH!!!!!

Gee... I wonder if he's trying to tell me something like, oh I don't know, "I don't like being tracked".

Nah, who doesn't like being pushed, filed, stamped, indexed, briefed, debriefed, or numbered? I wonder if there's some other way I can use...

You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere. It just further antagonizes the very people they are trying to connect with. And then they wonder why they lose the respect and trust of their customers, resulting in an ever-more aggressive relationship between the two.

Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?

Re:They just don't seem to get the message

Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?

Well the advertising giant Google would cease to exist, for one....

Re:They just don't seem to get the message

[dotancohen]

You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways.

Which companies? You do realize that this is a browser feature, right? Mozilla et. al. introduced this into the browser, not some third-party. Go look up the Bugzilla page and commit for this feature for the guy's name and contact info.

Re:They just don't seem to get the message

[CRCulver]

Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising.

The global economy would be smaller and internet access would be less available worldwide. Once the model of advertising-supported services arose, people in the third world could have nice things like e-mail and entertainment in spite of their countries' lack of means or an infrastructure where individuals could pay for whatever they used themselves.

It's easy for someone in the West to say, "They should just bill you $20 a month for your usage of service x, and get rid of advertising", but try to be considerate of the rest of the world.

Re:They just don't seem to get the message

unintended consequences are not intended, you would think that was obvious.

Re:They just don't seem to get the message

[Ksevio]

Part of the issue is browsers/programs that portray cookies in a bad light. When malware scanners flag cookies as "harmful to your computer", people get nervous about all cookies and want them gone (then wonder why they have to keep logging in).

Re:They just don't seem to get the message

Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?

That day ended when Napster went viral, and an entire generation became manifesto'd with the idea that "Everyone's digital stuff should be free as in beer, for now on I only pay for devices and (some) services." The record industry managed to shut down Napster but not the manifesto.

Google encouraged that kind of thinking because it fit their business model perfectly. Businesses will find ways to make large profits for their shareholders.

Re:They just don't seem to get the message

[bbn]

E-Tag! That has to work, right?
ARGH!!!!!

Gee... I wonder if he's trying to tell me something like, oh I don't know, "I don't like being tracked".

By this point you are being tracked as the guy that blocked everything else. There is only going to be one of you.

Re:They just don't seem to get the message

[mcgrew]

Some of us don't like being stalked by the government or the corporations that own it.

Re:They just don't seem to get the message

[dotancohen]

unintended consequences are not intended, you would think that was obvious.

What do you suppose the intended consequences were, then? Keep in mind that cookies already exist, and did so when this feature was added.

Re:They just don't seem to get the message

[BenoitRen]

You do realize that this is a browser feature, right?

*WHOOSH*

Re:They just don't seem to get the message

Cookies make great sense on a website where I have an account and need to log in.
They are of no use to me on the other 99% of the web.

Re:They just don't seem to get the message

[mopower70]

You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere.

I'm honestly curious here. Advertising isn't going away. It's what keeps the Internet "free". So you're saying you'd rather have completely irrelevant advertising than stuff you may actually be interested in? When I'm in the market for any kind of product, I actively seek out sources of advertising to survey what's available. Being flooded with irrelevant information and advertisements (like happens on the radio and television) is personally unnecessary but financially necessary noise to provide the content I want. I'll take trackers any day over having to pay for every single site I visit.

Re:They just don't seem to get the message

[maxwell+demon]

What do you suppose the intended consequences were, then?

Less network traffic.

Re:They just don't seem to get the message

Yes, that's what I'm saying. I don't want these people to know what I want. They have proven that they will take advantage of that, and try to make me impulse-buy things when I'm at my most vulnerable to targeted ads.

Ads are not a good way to form a worthwhile opinion on what product is the best for you, the consumer. They're designed to drown out the competition and are practically worthless for making a judgement call, unless you happen to notice it's something you already wanted that has a special-offer.

Without competition, ads are no more relevant than they were without being targeted. I've seen no evidence of more competition with more targeted ads. I just get the same products over and over, from whomever can afford the most ads. It's not a healthy situation for commerce.

Plus, if it's something I'm going to buy, I'll buy it. I don't need an ad asking me to click on it while I'm doing other things. I'd rather the business model was revamped than the customer's privacy model.

If ads can sustain the web as-is, then I don't see a need to "upgrade" them. And if they can't, then it's just another reason to revamp the business model instead of desperately clinging to it.

Re:They just don't seem to get the message

The advertising is pointless for that rest of the world demographic. If it's worth $20 in advertising for your eyeballs, the companies that are advertise must expect you to spend more than that on their products or services.

Re:They just don't seem to get the message

[Jah-Wren+Ryel]

Once the model of advertising-supported services arose, people in the third world could have nice things like e-mail and entertainment in spite of their countries' lack of means or an infrastructure where individuals could pay for whatever they used themselves.

You know that is only true because advertising is imprecise, right? Those people have no money to buy crap anyway so advertising is completely wasted on them. If the advertising people could figure out a way to avoid paying for ads targeting people like that they would and that would quickly mean that the service providers would drop them too. Kind of like how streaming video sites use geo-location to block them now.

So it isn't really a benefit so much as an accident that may be corrected at any time. We would be better off coming up with another way to get the poor online instead.

Re:They just don't seem to get the message

"Advertising isn't going away. It's what keeps the Internet "free"."

Ad-infested internet is not 'free'. The internet started ad-free, and was much more free than at present.

The myth that the web needs advertising is only pushed by... you guessed it, advertisers. The web does not need ads, and would actually benefit greatly from the elimination of advertising.

Re:They just don't seem to get the message

[dltaylor]

Hardly; still isn't known to be using an anonymizer.

Re:They just don't seem to get the message

[Arrogant-Bastard]

You know, we had a "free" Internet long before the advertising filth showed up and began polluting it. They are expendable, although they would certainly like you to believe that they're not. "Oh noooes the free sites could go away with advertising!!"

Yes, they could. So what?

Newcomers (anyone who didn't have an address ending in .ARPA is new) are directed to study the history of the 'net. Those of adequate perception will quickly realize that it was flourishing WITHOUT the hordes of imbeciles, WITHOUT the masses of illiterates, WITHOUT the tracking and ads and spam. Our mistake was not crushing these out of existence with ruthless ferocity as soon as they appeared: every ignorant newbie should have been flamed to oblivion, every spammer's business destroyed. We were far too nice and far too tolerant, and thus...look at what we have now. But it didn't have to turn out that way. And it still doesn't. The situation is fixable.

Ads don't reach because I have those sites firewalled or null-routed. I don't care to look at them or have my extremely valuable time and resources wasted by them. Nor do I wish to be exposed to the malware and other attacks carried by an increasing number of them. I recommend this same approach to others: block them at your network perimeter: ALL of them. Yes, this will have consequences -- good consequences. It passes the "what if everyone did it? test because if that happened it would starve the ad networks of revenue and deprive of the resources they require to engage in ever-more-intrusive tracking and data collection on Internet users. Everyone won't do that, of course: but those who do will reap at least some of the benefits. Perhaps that will be enough. I certainly hope so.

Re:They just don't seem to get the message

[Ksevio]

And we're the ones that understand what we're doing when we disable cookies or tracking for certain sites.

Re:They just don't seem to get the message

I'm honestly curious here. Advertising isn't going away. It's what keeps the Internet "free".

Sorry, I have to call BS here. I've been on the Internet (USENET), since the early 90's. There was no advertising, spam was unheard of (for a couple more years anyway), and there was actual content worthy of reading (no there wasn't crap sites like Facebook, or Twittter that only exist to stroke people's egos by telling them how many "friends" they have). You are following the same failed logic that the cable companies use. When cable was first started, it was advertising free because you were already paying to receive it. Then, as the months went by the advertisers started sneaking the ads back in. Now we have to pay a monthly cable bill AND watch 23+ minutes of advertising every hour. This is not counting things like product placements.

I'm sure that if no advertising was allowed, the Internet would have become a place where actual content exists instead of the empty wasteland of crap sites similar to watching mindless "reality" shows on evening television.

Re:They just don't seem to get the message

Yes, I'd rather have completely irrelevant advertising that I filter anyway than having those slimy scumbags' hands in my pocket. Fuck you very much.

Too much ad-supported "information" is a perverted travesty where purpose and effect have become reversed. Too much bullshit is out there, not to help your fellow humans and living off ad dollars, but instead to reap in the ad cash and only make a profit off its visitors with trivial non-information.

The whole advertising business needs to be burned and every marketer shot in the head, twice, and buried along with the lawyers and politicians. They are not decent humans.

Re: They just don't seem to get the message

You know, we had a "free" Internet long before the advertising filth showed up and began polluting it. They are expendable, although they would certainly like you to believe that they're not. "Oh noooes the free sites could go away with advertising!!"

Too bad most of the people reading your post weren't even born in September '93.

Re:They just don't seem to get the message

Nah, I want no advertising, no tracking, nothing. It wouldn't be a bad thing if the internet got a downsize since there are tons and tons of sites regurgitating the same information needlessly.

There are exceedingly few good websites out there and most sites would survive just fine on subscriptions of $0.25/month or even lower. Hell at that rate they would likely make more money then they do with advertisers.

Re:They just don't seem to get the message

[dotancohen]

In what sense? As opposed to a cookie, how much less network traffic is sent? What percentage of the average page size does that represent?

Re:They just don't seem to get the message

[squiggleslash]

The ETag feature is supposed to help caching. That's why it was implemented. It's a unique ID associated with a particular version of a page, the browser sends a code saying "Send me X if the current version isn't $ETag, a copy of which I already have", and the server responds either to say the browser has an up-to-date version or sends the updated version.

Why not use timestamps or something like that, I pretend you ask? Well, because that's a less reliable method, as we've learned over many decades of trying to get that to work. Plus, I hate to mention it, but you can probably profile a user based upon a collection of timestamps if you try...

The network traffic saved is that saved by not sending new copies of every single image and static HTML page every time the user navigates around a website and sees common content. With today's image-heavy web design, I'd estimate it's at least 100k (this /comments.pl I'm-using-to-write-a-reply-to-you Slashdot page alone has over 200k of images, yet is only 11k of HTML), and up to a megabyte, per page, probably constituting more than 90% per click, averaged over pages you've been to, pages you haven't but that are part of a website you've already navigated some of, and pages on websites you've navigating for the first time.

So yeah, it's quite a substantial amount of bandwidth being saved.

Re:They just don't seem to get the message

[Hypotensive]

Time to break open the adverts for products to improve your privacy!

Re:They just don't seem to get the message

Internet is not free. Look at your monthly bill each month. Public TV is free, fine take all the add in your head. Internet is paid, please let me enjoy it as a paying customer. :)

Re:They just don't seem to get the message

[dotancohen]

All those images that you mention should have a long-term cache set on them.

In my limited experience writing web applications, I've have files that I would long-term cache (1 year, such as .png images) and no cache (actual dynamic pages). The site homepage I might set to cache for 1 hour or so. Also, the client client could set the "If-Modified-Since" header. This is a solved problem, with many solutions for different use cases. Also, the 'store data on the client' idea is also a solved problem with cookies. If a page needs a more dynamic cache than what is available, then use a cookie to set the version of each page that is had. I suppose that the etag is like a per-page cookie as opposed to a per-site cookie (only guessing) which might have some advantage if the dev is uncreative enough to use real cookies properly.

Panopticlick is another method

[danceswithtrees]

The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.

https://panopticlick.eff.org/

Re:Panopticlick is another method

Thanks! I reconfigured my browser a bit.

Re:Panopticlick is another method

I think I just "leaked" I use noscript or similar ;).

Re:Panopticlick is another method

The ETag method is a clever solution to keep the ammount of re-retrievals of unchanged data to a minimum.
It gets abused by certain people for cookieless tracking

There, fixed it for you. :-)

I've been wondering for quite some time (IIRC years, in which I've simply blocked all of them) why ETags has not been getting more publicity as another "store am unique ID on the users machine" method.

It looks like that both the security-hole researchers and browser-builders are not as clever as they want us to believe (or maybe something bad is going on ...)

Re:Panopticlick is another method

[flyingfsck]

You cannot win. If you don't respond with anything, then that still identifies you uniquely, since nobody else does that.

Re:Panopticlick is another method

[VortexCortex]

And With PRISM's power's combined, welcome to the Panopticon. -- Panopticlick's namesake. TADA: The world is now a giant prison.

Bentham himself described the Panopticon as "a new mode of obtaining power of mind over mind, in a quantity hitherto without example."

Indeed.

Re:Panopticlick is another method

I'm not responding with nothing. I'm responding with more general data.

Re:Panopticlick is another method

We just assumed that it was already long common knowledge that etags were used for tracking?

Re:Panopticlick is another method

where can I get info about what is the most popular "panoptical" data today?
I mean what is the the most used user agent string and all the rest, so I can set my browser to pretend to be the most used "general" setup.

I assume it is some english version of explorer or firefox (or chrome today?) on Windows XP, and I'm totally fine with that, I don't care a tiny bit about helping statistics about what browser is most "popular". the webservers around the world don't need to know I'm using firefox3.6.x on linux. What "marketshare" a browser or operatingsystem have, is data the world can do without (except right now then when I want to copy the most popular hehehe). There is also the rest with http_accept headers, plugins-list, and pretended screen size, timezone and that stuff I don't want to tell webservers either. what is the most used data?

(btw why at all do firefox tell websites this: "gecko-mediaplayer ; {a href=\"http://kdekorte.googlepages.com/gecko-mediaplayer\"}Gecko Media Player{/a} {br}{br}Video Player Plug-in for QuickTime, RealPlayer and Windows Media Player streams using {a href=\"http://mplayerhq.hu\"}MPlayer{/a};" a couple of times in plugin list?)

Re:Panopticlick is another method

It if of interest to note that the EFF PDF notes javascript/AJAX of being of major beneifit to their gathering of "unigue identifiers" in this little research project of theirs. These same things that Slashdot is basically broken without for some time now, those not logged in can not access the "Classic" view and therefore are limited to what they can read here after the posts get to a certain extent. So it comes down to "identify yourself" and choose the classic view, enable scripting and increase the number of identifiers possibe, or leave scripting off and not be able to read greater then xxx comments here. Wonder why that is? Wonder why they refuse to re-enable the "Classic" view for non-members? AC's "preferences"? Please, don't be so rudely absurd. What is wrong with just defaulting to "Classic" when scripting is disabled?

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Re:Panopticlick is another method

[nmb3000]

The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.

https://panopticlick.eff.org/

Yep. It's absurd, and unfortunately many "privacy-enhancing" tools (for example, anything that alters the user agent) can actually make a browser more unique rather than less-so.

NoScript is an exception, and one that works very well. I know it's parroted on Slashdot a lot, but if you care about privacy and security on the web there isn't a single better option. Using Panopticlick on my browser as an example:

Without NoScript: Your browser fingerprint appears to be unique among the 3,316,576 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 21.66 bits of identifying information.

With NoScript: Within our dataset of several million visitors, only one in 2,433 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 11.25 bits of identifying information.

Still not great, but a lot better than unique. It's quite unfortunate that the web evolved with the assumption that arbitrary code may be executed in the browser. If we had started out instead with an opt-in approach to Javascript, I think things would be quite a bit better now in terms of privacy and security than they currently are.

Re:Panopticlick is another method

[kermidge]

Well, I'm screwed. From panopticlick: "Your browser fingerprint appears to be unique among the 3,319,469 tested so far."
And later, "21.66 bits of identifying information". Turns out much of it comes from the fonts at 18.69, but the plugins kill it, with the full 21.66.

I like being an individual when I'm at home, so to speak, but when out and about on the 'Net I'd prefer being an anonymous face in the crowd. I have ghostery to prevent tracking via cookies and web bugs, but have no idea about these etag things, never heard of them before.

Ah, crap. It's getting to the point that David Brin's idea of "The Transparent Society" is looking better all the time. Even so, one wants to say, "You first."

Re:Panopticlick is another method

And the reason we have not made the same assumption for the easier-to-spot-and-manipulate "cookies" might than be ... what exactly ? :-)

Re:Panopticlick is another method

yes while I don't use cookies and don't know what "classic view" is, I totally agree with you that slashdot should allow me to see all posts without having to turn on javascript.

Even if they for some reason don't want to show all text directly, can't they provide a single link "show all posts" for people that don't want to use javascript?
so all of the discussion is shown with full text.

Re:Panopticlick is another method

[allo]

yes and no.

They are proud, they can extract that much information. Yes, this is bad. BUT, if you consider, that much of this information is unstable (think of installing a new font), the fingerprinting gets more complicated and you need some machine learning to extract the relevant data and/or match changed fingerprints, to correlate them to the same user. This is possible, but then a fingerprint is not an 100% unique thing, even when panopticlick believes it, because matching two slightly changed fingerprints lowers the chance of having the same user from 100% to 99% or something. And the more the fingerprint changes, the wore the result will be.

So, maybe the best option is, to randomize many of these values on browser start.

Unleash the Botnet

That sounds like old school good times.

I don't get it

let's assume 50 computers behind a NATed gateway.
they all have cookies and cache and javascript disabled.
they all visit the same website at the same time.
the website(server) thus sees 50 connections coming from one (the NATed) IP.
the website allows one to, say ..uhhmm, upload pictures.
so one client goes to website to the page where one would insert the image.jpg.
BUT the client forgot where the picture is on the local 1TB harddisk.
thus s/he spends 10 minutes looking for it.
what happens now is that the tcp/ip from local.port (>1024) to server port.80 times out. syn-ack-fin stuff.
the client in the mean time found the funny.cat picture. posts the image into the upload box (which is still open)
and clicks SUBMIT.
HOW in hell shoud the server now know WHICH of the 50 NATed clients (all coming from the same ip and
with timed out syn-ack-fin stuff) wants to upload the funny.cat picture?
seriously ... abit of tracking (or state keeping) is required, non?
FEAR! FEAR! and MEOR(sic) FEAR!
-
methinks this is another play to push fear into ETAGS and make javascript look good.
me? i'd rather have etags and no javascript for interactive (web2.0) websites thank you very much.
'cause with both disabled, forget interactivity.
the more interactive websites work WITHOUT javascript the better!
-
just delete the cookies and cache after each browser session?

Re:I don't get it

[maxwell+demon]

HOW in hell shoud the server now know WHICH of the 50 NATed clients (all coming from the same ip and
with timed out syn-ack-fin stuff) wants to upload the funny.cat picture?

Session cookies.

Re: I don't get it

Uploading cat pictures, or more generally uploading files, has been solved so many times and in so much better ways than through HTTP, it's just a shame that we're still trying to make this bizarre misapplication work, instead of educating users that you use an FTP client to upload a picture, and working on the inter-application communication to make it easy to launch your FTP app of choice from your web browser.

Re:I don't get it

[Phroggy]

No need to wait for a TCP connection to time out. As soon as the page has finished loading, all connections are closed. HTTP is a stateless protocol; just because you have a web page open in front of you doesn't mean there's any connection to the server right now.

If you're not using cookies, you can use query strings to track state. For every link on the page, you add a query string to the URL containing a session ID number, so when the user clicks any link, the session ID is passed in the query string. But that looks ugly, so you should just use cookies.

Re: I don't get it

[Phroggy]

FTP is a stupid protocol and needs to die. Please use something else (such as SFTP).

Re:I don't get it

Fortunately, IPv4 is no more, and NAT went away along it. Your IPv6 uniquely identify you again.

Re: I don't get it

[Zan+Lynx]

Except that on a LAN FTP is almost the only protocol I can rely on to get high speed data transfers. SFTP blocks at about 30 MB/s when FTP can easily get 90.

If the Linux distros would be reasonable and enable the "none" crypto on SSH it would be a good thing. If I explicitly ask for no crypto then why are they making it hard for me to get what I want?

Yes, I know I can recompile OpenSSH for "none" crypto but it is easier to set up FTP, or even use tar and netcat.

Gaming the trackers

Want to get back at the folks tracking? Blocking or changing the communications with thigns like Ghostery or SecretAgent is great. However, if there was software that connected to the tracking servers but never completed the TCP connection, thus leaving the tracker with a bunch of half open TCP connections, then one could effectively ddos the trackers. There are several other techniques along these lines that can be employed. What good is a tracking system that is clogged up with connections that never complete or fail in various unfriendly ways?

Captcha: capacity

Re:Gaming the trackers

[viperidaenz]

How do you know which URL is the tracking one? What if its that CDN one that delivers actual content your browser needs to render the page? Like some CSS or Javascript resource.

Re:Gaming the trackers

[xelah]

Umm.....so someone uses an ETag legitimately on their dynamic site, and you respond by DDoSing them? That's sort of the problem.....you have no idea if they're tracking you or not, and a great deal of wanted legitimate content will come with ETags.

Can't talk to trackers?

You're ok via custom hosts files courtesy:

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

(Details +benefits hosts files provide are in link above)

I.E.-> Hosts do FAR more w/ less (1 file) @ a FAR faster level (ring 0/rpl0) vs redundant browser addons that slow up already slower ring 3/rpl 3 browsers as a filter for the IP stack (coded in C & load w/ OS + 1st net request & 1st resolver queried w\ 45++ yrs.of optimization): Especially cached in RAM (w/ large hosts via kernelmode diskcache subsystem or w\ small ones via native faulty w\ larger hosts files dns OS cache service (usermode slower) - saves CPU & I/O (bonus)). Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious hosts-domains serving mal-content + block spam/phish links), reliability (vs. downed DNS http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 or vs. Kaminsky vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* "Less is more" = GOOD engineering, UNLIKE Request Policy http://yro.slashdot.org/comments.pl?sid=4127345&cid=44669753 OR Secret Agent https://dephormation.org.uk/?page=81 that changes user-agent dynamically - Except hosts do it with less + via faster levels from the IP stack itself w/ less parts + ANY BROWSER (& doesn't slow your browser down but speeds it up)

APK

P.S.=> Bottom-Line: "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

.... apk

Re:Can't talk to trackers?

[maxwell+demon]

OK, then please tell me how host files can at the same time stop third-party requests to a site (like embedded YouTube videos, or Facebook like buttons) and at the same time allow explicit access of the very same site (that is, when you explicitly go to Youtube or Facebook).

With RequestPolicy that's trivial (indeed, it's the default, you don't even need to know the third party site to be sure that it is blocked, let alone explicitly deny it).

Re:Can't talk to trackers?

[nmb3000]

I know, replying to APK about magical hosts files is pointless, but here we go anyway:

Can you answer these two questions:

How many domains and subdomains does Facebook operate?
Please make sure to include those added in the last 4 hours!

Can you enumerate every domain used to host advertising and/or malware on the planet?
Please make sure to account for dynamically changing and the infinite number of wildcard domains!

If you cannot give me exact answers, then your hosts file method is useless and obsolete. Please wake up and stop peddling your crap here.

Re:Can't talk to trackers?

Don't go down that path. APK feeds off intelligence, sucking it out of you and then it goes nowhere. He doesn't become smarter and you become dumber. It's a no-win situation.

can I set firefox to not send back etags at all?

is it impossible to set the web browser to never use etags?
(without clearing the cache but never store any etags it gets)

and if I have a picture in the cache, why would I want to send a request for that picture again? When I start my web browser I do want it to show all the hundred tabs from yesterday just as they where when I left them, not a changed version. When I open a new webpage I would like the newest version but I don't think it is much time saved by webserver generating the webpage, then calculate a checksum or whatever (I mean for pages not using etags for tracking...), and then compare it to the etag the webbrowser sent, and then if equal reply they are equal - instead if just sending the page it generated! it is just a html file, shouldn't be that many kb.

Panopticlick is another method-Squid knows.

People who used Squid already knew a lot of this.

ETag leaks between Incognito mode and regular mode

[ThatsMyNick]

It also seems to leak info between regular windows and incognito mode in chromium. I assume the cache is shared between the modes, and they need separate caches.

My browser passed the test

[Skapare]

My browser passed because of the way I start it. A whole new user/home environment is dynamically created every time I start a browser. I originally did this so that as I browse hundreds of sites, I don't end up with extreme memory waste. This was done back in an older version that was quite memory leaky. It would build up too much in-process memory as I visited sites, and eventually crash. So I ended up with multiple browsers running (separate processes). At first that might seem to have used even more memory. But that was at the OS level where I did have more, including swap space. But it was at least finite since when I left some website, its browser actually exited, rather than just unlink fragmented virtual pages. Today I just haven't changed it now more because of the tracking breakage it creates. I can still be tracked within a site like Slashdot. Slashdot know what articles I read and what articles I ignore. Slashdot know what I post. But I am logged in, so "duh". No, it's not perfect at all, as the Slashdot advertisers can see my repeat appearances, too. But at least they can't so easily figure out what other sites I visit, besides the IP address (which I plan to work on some day).

Re:can I set firefox to not send back etags at all

[maxwell+demon]

It's not the loading of the HTML file which is avoided with ETags, but the loading of the image. Basically, if the image today is still the same as the image last week, and the image from last week is still in the cache, then it makes sense not to load the image again.

Its nowhere near as good as a cookie

[viperidaenz]

You can't correlate access across multiple URLs, since every URL has a different ETag.

Re:Its nowhere near as good as a cookie

[wonkey_monkey]

So you just put the same image on each page.

Re:Its nowhere near as good as a cookie

[viperidaenz]

But then you need to rely on the Referer header to find out where the user came from. You still have no idea who they are unless the HTML URL gives away the identity of the user. All you can tell is anonymous user A went to pages X Y and Z.

Common "internet security" software packages blank out referer headers.
Browsers won't send the referer header if the HTML page came from an HTTPS location and the other resource is not HTTPS

Re:Its nowhere near as good as a cookie

[null+etc.]

But then you need to rely on the Referer header to find out where the user came from

There's this web technology called "query string parameters" that can be appended to any request for a resource on the web. A query string parameter containing a site identifier is more than enough to correlate with an etag identifier.

Re:Its nowhere near as good as a cookie

[viperidaenz]

But you need to deliver the query string in the HTML page on a different URL, and any change you make to the query string, results in the browser treating it as a different resource and will not send the ETag value. So when you append the 'site identifier' the browser treats it as a different URL. The same base URL with a different query string will not resend the same ETag.

Let me spell it out for you again: A URL includes the query string. If you change the query string, you've changed the URL.
The browser stores the ETag against the local cache entry, which is associated with the URL - including the query string.

All you will be able to tell is "Anonymous User A visited site X at Y" You can't track them through multiple URL's using solely the ETag.

The best thing that can be done is a website can associate a browser with their a users session after they have logged out and cleared their cookies (unless they clear their file cache too, or the files in their cache have been purged)

Re:Its nowhere near as good as a cookie

[wonkey_monkey]

The best thing that can be done is a website can associate a browser with their a users session after they have logged out and cleared their cookies

So, kind of (exactly) like a cookie, then? What am I missing?

Okay, the server can't immediately identify you if all you do is fetch index.html, for example*, but it's pretty trivial for a server to correlate the user who fetches index.html with the user who fetches an image in index.html milliseconds later. HTTP requests don't exist in total isolation by any means.

*assuming it's not tagged, itself

Using YOUR example?

I don't see YouTube ads. Hosts work for it apparently, & yet certainly do more than any 1 browser addon from faster levels of operations by many orders of magnitude (kernelmode vs usermode) by blocking out access to 3rd party cookies servers (like hosts do for ads). Proof's "in the pudding" results I get!

I.E.-> If the cookies are served up from diff. servers, like ads are, then there's your answer. YouTube, of all things you used, PROVES it for me so far - as I am a AVID user of YouTube!

Determining those servers = Easy with any WinPCap using tool (e.g. - WireShark &/or NetWork Latency Viewer -> http://www.nirsoft.net/utils/network_latency_view.html )

(Glad you chose that example in fact... Why? Well, I had a pal who couldn't understand WHY he saw ads on my connection, yet I didn't, on YouTube on the SAME video we both watched for a test! He uses IE10, I use Opera 12.16 (last "real" Opera)).

* By way of comparson - You're putting on more redundant layers that = unnecessary in browser addons (that for a fact also slowdown webbrowsers too).

APK

P.S.=> There ya go - It works for me, & perfectly on YouTube no less (the very example you used)! Yes, I have JavaScript active on YouTube too (Via Opera 12.16's "by site" preferences as an "exception site", rest have it, plugins, & frames/iframes blocked by default, globally - this is a "native" no addons necessary feature of Opera by the way - again: NO extra "moving parts" needed in addons that slow browsers down)... apk

Re:Using YOUR example?

[maxwell+demon]

I don't see YouTube ads.

I'm not speaking about ads served on YouTube (actually I didn't remember that those actually exist, having seen none for quite some time). I'm speaking about YouTube embedded videos on non-YouTube sites.

Hosts work for it apparently

I know for sure that those embedded videos, when they come from YouTube, are loaded directly from youtube.com (or one of the other common YouTube domains, like youtube.de). I know that because every one and then, I decide that I want to see the embedded video, and decide that it's worth more for me than the tiny bit of possible tracking that involves (since most accesses are blocked, I don't think that the little tracking data from the very few videos on third party sites I actually watch is too valuable anyway). BTW, that's another thing you cannot do with host files: Easy temporary enabling.

As far as ads on YouTube go, if they were served from the same server as YouTube itself, RequestPolicy wouldn't work either (but then, I've also got AdBlock Plus installed, as a second line of defense). It's not only ads which cause cross-site requests (and thus potential information leaks).

Proof's "in the pudding" results I get!

No, the proof of the pudding is in the eating. But since you were speaking about a whole different pudding than I did, your conclusion doesn't hold.

BTW, I notice the absence of an argument about Facebook (whose "like" buttons are the far more important tracking mechanism anyway).

And the slowdown by RequestPolicy is certainly not noticeable (and my computer is over seven years old; I wonder how old yours must be to notice the difference). Nor should it be; after all, it's just a comparison of short strings.

Re:can I set firefox to not send back etags at all

what websites changes the content of their images (instead of letting the web page point to a new image url) ?

I can't think of one case when an image would be updated...
"lets have our newspapers first image always be called img1.jpg regardless what todays top news article is about" nahhh... :-D

I think 'if I have an image in the cache - then don't download the image again' would be enough. No need need to check with the server if an image of some strange reason have changed. (unless the user press F5 to reload the page to always reload everything)

Not new, apparently

[wonkey_monkey]

http://en.wikipedia.org/wiki/HTTP_ETag

ETags can be used to track unique users,[2] as HTTP cookies are increasingly deleted by privacy-aware users. In July 2011, Ashkan Soltani and a team of researchers at UC Berkeley reported that a number of websites, including Hulu.com, were using ETags for tracking purposes.[3] Hulu and KISSmetrics have both ceased "respawning" as of 29 July 2011,[4] as KISSmetrics and over 20 of its clients are facing a class-action lawsuit over the use of "undeletable" tracking cookies partially involving the use of ETags.

Re:can I set firefox to not send back etags at all

When I open a new webpage I would like the newest version but I don't think it is much time saved by webserver generating the webpage, then calculate a checksum or whatever (I mean for pages not using etags for tracking...), and then compare it to the etag the webbrowser sent, and then if equal reply they are equal - instead if just sending the page it generated! it is just a html file, shouldn't be that many kb.

Well, first off, it's not "just an html file", because ETags also apply to the images. So once the html is downloaded, do you want it fetching multiple MB-scale images (in the case of, e.g. a photo gallery) from scratch even though you've got a cached copy? (No.) Do you want it using the cached images regardless of whether the images have been changed? (No.) So you need to use one of four schemes:

1. TTL-based. If the server knows when the new image will be modified, or knows some acceptable time that things can lag, it could state a TTL when you first download the image. Your browser keeps the TTL in cache with the image, and next time you load that image, if TTL has expired, you fetch a fresh copy; if not, use the cached copy. Done with Expires: or Cache-Control: maxage.

2. client-timestamp-based. The client provides a timestamp of when their cached image was retrieved, and makes a request using If-Modified-Since: header; the server makes the determination whether that version's the same or not, and responds appropriately.

3. server-timstamp-based. The server provides a Last-Modified: timestamp, the client uses this (instead of the last retrieval) when making the If-Modified-Since: request and the server determines if it's changed since then and responds appropriately.

4. server-tag-based. The server assigns a ETag: tag to the image, which is cached along with the image. When requesting a cached image, the client includes this tag in an If-None-Match: header, the web server compares the tag to the current version's tag, and responds appropriately.

From a functionality perspective, 1. is horrible for anything not updated on a strict schedule (e.g. at the top of each hour) -- you end up reloading a bunch of stuff that hasn't changed because the TTL has to be set short. 2. is almost perfect if you're honest, but not very good if the client lies for better privacy. 3. is similarly almost perfect. 4. is perfect, slightly edging out 2. or 3. in the practically-rare case where there's a change followed by a reversion, and your cache holds the old version (which now matches the current version again). 4. will correctly skip the download while 2. will reload needlessly. (Actually, 2. or 3. can work around this, at the expense of the server maintaining a log of checksums at every change, but this breaks things even further for the dishonest client.) Additionally, 4. removes the requirement for a coherent clock on the server, which might matter in embedded web servers.

From a privacy perspective, 1. is pretty good. 2. leaks information about when you last visited, but the client can lie (basically, reduce the granularity, rounding to the previous hour or day) to increase collisions. 3. is of course bad for privacy as the server can give you a false Last-Modified:, but if you trust the server to be honest, is good because because the granularity is automatically reduced as far as possible, but no further -- if the data goes unchanged for 3 months, the web server can only tell you accessed it in those three months, but if it's changed multiple times in 1 hour, you will only download it when you need a new version -- whereas the lying-client version of 2. will redownload it every time if it's been changed since the last rounded time. 4. is likewise bad for privacy, and should only be used with servers you trust not to use any user- or session-specific information in generating the tags (i.e. tag=f(content) only). If the tag depends solely on the content, though, it's better than 2. for the same reason and in the same way 3. is.

S

Re:can I set firefox to not send back etags at all

[maxwell+demon]

what websites changes the content of their images (instead of letting the web page point to a new image url) ?

Wikipedia, for a start (whenever you upload a new version of the image).

Also, the image may be dynamically generated from changing data, say stock charts, or captured from a web cam.

Vodafone injects the X-VF-ACR header

[wabrandsma]

Vodafone makes tracking of users possible which does not require access to the user's equipment. The HTTP request is enriched with a piece of identifying information. This involves an HTTP header called X-VF-ACR: 'Vodafone Anonymous Customer Recognition.'

See also: http://referaat.cs.utwente.nl/conference/16/paper/7306/using-browser-properties-for-fingerprinting-purposes.pdf (pdf)

Re:Vodafone injects the X-VF-ACR header

From RFC2616, section 7.1:

"Unrecognized header fields SHOULD be ignored by the recipient and MUST be forwarded by transparent proxies." (and let me assure you, any header starting with "X" is unrecognized)

So you would be well within expected behavior to install a browser extension that stripped that field. The problem is that most browsers retain unrecognized headers for just such purposes, even though that is an undefined area of the spec. Given Fielding's recent behavior, I wouldn't be surprised if this is not accidental.

Re:Vodafone injects the X-VF-ACR header

derp, of course if it's being injected into HTTP requests by your ISP there's pretty much nothing to be done...

So, browse with links, lynx, or what?

I have a haunting suspicion I'm going to move away from all modern, full media browsers at some point, and resort to text based modes, programs only. I'd like to think most tech. sites I visit are combat, but I won't hold my breathe.

How about...

[guruevi]

Simply not allowing 3rd party URL's on any website. Sure it might break some ancient things but you shouldn't really be including iframe's, cookies, JavaScript or anything else from a 3rd party domain anyway.

Re:can I set firefox to not send back etags at all

[WQSE]

is it impossible to set the web browser to never use etags?
(without clearing the cache but never store any etags it gets)

I'm using Modify Headers since Firefox 3.6 to filter and and modify ETag and some other headers. http://www.garethhunt.com/modifyheaders/
I realised it was used for tracking some years ago when I happen to notice some cached images carried the tag.

I don't think you can avoid storing the tag as it is image meta data.

Re:can I set firefox to not send back etags at all

2. is almost perfect if you're honest, but not very good if the client lies for better privacy.

As long as the lie only has consequences for that particular client, who cares?

WRONG: I meant those

In youtube's vidplayer before a video plays - & on any YouTube website pages also (in "normal adbanners").

I.E.-> I just don't see ads on YouTube @ all.

Only reason I know ads are there is my pal's pointing it out to me via HIS laptop on MY network connection. Again: It "blew my pal's mind" who uses IE 10, & Windows 7 64-bit as I do, & on the same network connection, mine, from my spot here - He DID see them (he used IE, & no custom hosts) - I, by comparison, don't (ever)...

Again: All I see is the video player frame, no ads (external to player OR in the player itself before the video plays) & the video playing immediately, + the YouTube "search" bar above it, & up/down right hand side, some links with preview photos to other videos... (that's it!).

---

In fact (to prove it's not Opera) - I tested in IE 11 64-bit, no addons @ all too - & NO ADS OF ANY KIND (in video OR youtube pages as normal adbanners) on YouTube just like Opera!

Guess what else:

Only thing doing ANY "filtering" here for ANY webbound app (since hosts cover all unlike browser addons) = A single large custom hosts file!

That's it, so... it must be my custom hosts file doing it.

---

On "FakeBook": I don't use it - & as I am about to say to WISEASS nmb3000 in my other reply here beneath my initial post you replied to (IF /. quits stalling my posts for an 2 hour++ @ a time as they're doing now & for the past 3++ hrs or so)? Imo @ least: "FakeBook's" for folks with insecurity issues imo - Got none of that here (so I don't use it!)

APK

P.S.=> So - Could or WOULD hosts cover "FakeBook" Ads also? Based on your example so far on YouTube, & the fact my 12 reputable & reliable sources from the security community (malwarebytes hpHosts = 1 such example) update me via my program + cover all else?? Hosts probably can (for 'fakebook' too), but again - I don't use it myself, can't comment directly on it, as I don't need or use 'fakebook'.

... apk

Re:WRONG: I meant those

[maxwell+demon]

You just proved that your reading comprehension is a complete failure. Here's a hint to you: If your answer contains the word "ad", it is most probably not a proper answer to my post.

Re:WRONG: I meant those

[Ash-Fox]

I have pointed this out numerous times to APK myself. Sadly, he doesn't get that either.

NY Times

[careysb]

OK, so how does the NY Times track me. I'm running Firefox on Win 7, I've cleared my cache, I've cleared my cookies, I've cleared the Flash cookies, no luck.

Re:ETag leaks between Incognito mode and regular m

[complete+loony]

Incognito modes have never been about being anonymous to the web sites you visit. It's all about leaving no trace on the local machine.

I'm OK with it as long as....

I'm perfectly fine with websites tracking my web behavior so long as...

- They don't use algorithms to find out exactly who I am
- They don't track detailed personalized information like e-mail, name, and phone numbers
- My habits aren't logged and/or monitored by the government
- Ads are delivered with better relevance to me as I can see ads being useful
- This information doesn't cross-over into the real-world somehow whether it's futuristic billboard ads or what
- My insurance providers don't get to find out what I do on my computer
- My work doesn't get that information either

I guess with those requirements, having my habits tracked seems kind of pointless. So I think websites should just focus on their core demographic audience and deliver ads based on that.

yet another one to clean for

Good to see my usual clearing procedures zap this little mechanism -- clearing/deleting certain cache directories.

Expect this will be fixed in next generation of browser upgrades (tracing the original source of the cached image taggy and forcing refresh if its along a sufficiently different URL path/source -- if its within the same net source already they can track you countles other ways)

Re:ETag leaks between Incognito mode and regular m

If the cache is being stored then it's leaving a trace on the local machine.

More on cookieless tracking

[DJ+Beret]

There are more sneaky ways than ETags to track you without cookies. Some of the more diabolic schemes involve sending you a specially crafted PNG file, then reading is pixel values using HTML5 canvas, or inserting invisible links into pages and then checking if they have the ":visited" pseudo-class. For more information, see the Wikipedia entry for Evercookie.

Anyway, most of these techniques can be mitigated by clearing your cache. I clear mine after each browsing session, so while I might get tracked for a few hours, I should appear as a different person the next time I come online.

md5sum and sha1sum not matching

[kill_-9]

Has anyone noticed that the xpi file downloaded from the Dephormation website does not agree with the values published on that website?

From my PC:
26-Aug-13 01:40 PM 497,689 SecretAgent.xpi

F:\downloads>sha1sum SecretAgent.xpi
294673877b38e6044248cfd51f91542886297090 SecretAgent.xpi

F:\downloads>md5sum SecretAgent.xpi
d60880a495465aa0df69c4bb3312799e *SecretAgent.xpi

From: https://www.dephormation.org.uk/?page=2 website:

Latest version 5.21 (released 2013-04-14).

Please follow the installation instructions below carefully. Protect your right to communication privacy, security, and integrity. Stop Phorm.

MD5 Checksum: 7458753a7f54aac38e56f802fa7eb731
SHA1 Checksum: 9f12928d15eccf92bd376638097d3451f2141f09

Comment removed

[account_deleted]

Comment removed based on user account deletion

I don't get ads in embedded video/youtube

Especially on YouTube OR embedded videos on other sites either that point elsewhere, typically!

* Besides: I've NO reason to lie - it'd be the WORST thing I could do in fact... & I know it, so I don't DO that.

APK

P.S.=> You can change conditions all you like & you did (since you FIRST stated 3rd party links like cookies, ads, video http://yro.slashdot.org/comments.pl?sid=4127345&cid=44670699 ), but I am telling it how it is here, & I even re-tested (IE 11 & Opera 12.16), etc. to make SURE it wasn't some Opera unique feature doing it! apk

Re:I don't get ads in embedded video/youtube

[maxwell+demon]

OK, then please tell me, when sequentially numbering the words in my post you linked, which numbers go to the words "cookies" and "ads". Because I cannot find either in the post.

I dusted you with 3 questions

On DNS (vs. hosts) - You ran from them -> http://news.slashdot.org/comments.pl?sid=3929071&cid=44181567 OR was it your lack of reading comprehension??

* Take your pick, either way, you failed.

This was EVEN BETTER http://linux.slashdot.org/comments.pl?sid=3110069&cid=41305947 and you had squat vs. it (I've got a dozen more where you did the same vs. myself, you "ne'er-do-well" troll)

APK

P.S.=> You're also a PROVEN "ne'er-do-well" troll in the art & science of computing whom I made YOU "EAT YOUR WORDS" on that regarding myself, here http://tech.slashdot.org/comments.pl?sid=3153677&cid=41553465

(That's my favorite - it proves you're nothing but the "ne'er-do-well" I called you in computing, and it proves I am ANYTHING BUT... I've done it, you never will!).

... apk

Re:I dusted you with 3 questions

[Ash-Fox]

Maxwell Demon, this is why there is little point replying to the guy, you can see through the numerous posts his reading comprehension is poor regardless.

LMAO - see Ash-Fox "Run, Forrest: RUN!!!"

"Rinse, Lather, & Repeat" troll (you failed) -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44675877

Care to tell us WHY you couldn't combat my points on:

---

A.) DNS vs. HOSTS

B.) On how much Windows is used in Fortune 100-500 companies + governments statewide??

C.) How about any software YOU have done that's commercially sold & successful as I have since the 90's to this very day?? NDA eh??? Bullshit

---

* Regarding yourself especially: I've got a dozen more of those types of proofs of your WEAK incompetence in the art & science of computing... & I am going to have a Field Day on you.

APK

P.S.=> Fact (you provided the lack of data to prove it after all in the link above): You haven't done squat in computing that did any good, that others noted in tech trade shows, books/magazines/newspapers in articles on computing, or commercially sold wares to YOUR name in code (I have done all of the above while the "trolling likes of you" were STILL IN DIAPERS)... and you know it, I know it, & anyone else READING know it (especially now), troll!

... apk

Comment removed

[account_deleted]

Comment removed based on user account deletion

Disprove my points on hosts

"your hosts file method is useless and obsolete. Please wake up and stop peddling your crap here." - by nmb3000 (741169) on Sunday August 25, 2013 @03:36PM (#44671255) Homepage

Summary of hosts usefulness you must disprove after your statement above:

Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious hosts-domains serving mal-content + block spam/phish links), reliability (vs. downed DNS or vs. Kaminsky vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* Go for it - I am going to take GREAT PLEASURE in seeing you FAIL, as well as seeing you pull a "Run, Forrest - RUN!!!" when you fail, in YOU evading a simple challenge put to you, troll!

APK

P.S.=> As far as "fakebook" goes - imo, it's for people with self-worth/esteem issues (mostly). I don't use it - I have no such "issues". Thus I can't comment on it DIRECTLY!

HOWEVER - on those "questions" of yours - I don't evade them, like you will vs. that challenge above?

I add as needed manually to my custom hosts file, OR, I get them added by 12 reputable & reliable sources in the security community (e.g. -. malwarebytes' hpHosts site) - blocking as needed, when/if they show up malicious exploits OR if they're ads. Simple... That's the ONLY time to do it anyhow (otherwise, it's hosts file bloat for no reason)... apk

Secret Agent

I've just tried the Secret Agent addon mentioned in the article. It seems to work, at least on the demo page.

So that's one to keep installed, then.

WHY would I block YouTube vids?

"OK, then please tell me how host files can at the same time stop third-party requests to a site (like embedded YouTube videos, or Facebook like buttons) and at the same time allow explicit access of the very same site (that is, when you explicitly go to Youtube or Facebook)." - by maxwell demon (590494) on Sunday August 25, 2013 @02:24PM (#44670699)

Answer that question in my subject-line!

CLUE: As I have REPEATEDLY TOLD YOU - I use YouTube, avidly in fact!

QUESTION:

So why should I block it @ all, either @ YouTube.com directly, OR, in linked videos on other sites that point to it WHEN I USE IT MYSELF A LOT?

---

On "Request Policy": Fine, use it IF that's what you use, I have no problem with that!

HOWEVER:

Everyone/anyone knows that browser addons slow up webbrowsers!

Yes - that's a known & proven fact!

(Especially if you "stack up a few" & load them concurrently & by the way? Well - hosts, by comparison? Don't!)

---

1.) Hosts also run in a far, Far, FAR faster ring of privelege (ring 0/rpl 0/kernelmode) than addons stacked on already SLOWER webbrowsers in usermode/ring 3/rpl 3

2.) Hosts load with the IP stack & OS itself in ring 0/kernelmode also, making your browser addons redundant (AND more "moving parts complexity" + room for breakdown!)

3.) Hosts also offer DIRECT CONTROL of their content via simple texteditor edits of hosts - does RequestPolicy?

---

* Lastly - I don't use "fakebook" (it's for people with self-esteem/self-worth issues imo, mostly) either!

APK

P.S.=> Again (because your point's STUPID imo & thusfar, experience vs. your b.s.) - I have NO reason to block YouTube @ all!

So why the HELL are you asking why I should?

... apk

Re:WHY would I block YouTube vids?

[maxwell+demon]

I don't care about whether you do or want to block YouTube videos on third party sites. But the point is that you claimed that host files are better than RequestPolicy. Which they are not because they simply offer different functionality. You cannot replace RequestPolicy with host file entries. And blocking embedded videos from third-party sites (and especially YouTube) is one thing I use RequestPolicy for.

And no, I do not want to completely block YouTube (if I would want that, then blocking in the hosts file would probably be the better alternative). I want to block embedded YouTube videos in third-party sites (and moreover, I want to easily unblock them in the case that I decide I want to see that video, which happens in the minority of cases). Why? Well, because I don't see why I should let YouTube (that is, Google) know that I'm on that third-party site when I don't have the desire to watch that video.

And BTW, you seem to have the misconception that ring 0 code runs faster than ring 3 code. That is wrong. Unless you try to execute privileged instructions (which code that just compares strings certainly does not do), the code is executed exactly the same..

ONLY thing I'd like to know

Is this -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44678705

APK

P.S.=> I've answered YOUR questions, repeatedly - answer mine in a reply to that link above (pretty simple, I think you can manage it)... apk

Article topic = cookies

Ads/sites use em: Get it? Why'd you run from this http://yro.slashdot.org/comments.pl?sid=4127345&cid=44678705 ?

Is it since I am going to set you up like a bowling pin after that to take you down & your choice of "request policy" too?

(It'd literally be the 8th time that I have bookmarked regarding yourself where I've torn you up before in fact...)

* You posted 25x yesterday - funny you're "shutting up" suddenly now vs. what's in that link!

APK

P.S.=> "Strange That", eh? NOT - I'm going to dismantle you, AND, your "reguest policy" tool vs. hosts (easily)... apk

Re:Article topic = cookies

[maxwell+demon]

Why'd you run from this http://yro.slashdot.org/comments.pl?sid=4127345&cid=44678705 [slashdot.org] ?

I didn't "run from this". But sometimes I also do other things than reading/writing on Slashdot (like sleeping, working, or listening to radio broadcasts which certainly don't wait for me while I write comments).

And BTW, your claim that you answered my questions is completely wrong. You answered questions which I never asked, while leaving the questions I asked unanswered (maybe because the answers could have not been in favour of hosts files?)

SecretAgent Extension Conflicts with PrefBar

[DERoss]

For Mozilla-based browsers such as Firefox and SeaMonkey, the SecretAgent extension conflicts with the PrefBar User Agent menulist.

Because some Web sites I visit are sensitive to what user agent they see, I unchecked (disabled) the "Rotate User Agent" checkbox in SecretAgent. Then, if I used the PrefBar User Agent menulist to spoof some other browser, it kept resetting to my actual user agent. Since I consider the PrefBar capability to be very important, I removed SecretAgent. The PrefBar capability was then restored.

The 'E' is for...

[thoughtlover]

Evil. Seriously, this shit is getting messed up.

Can "Request Policy" do ALL this?

1.) Blocking malware/malscripted sites.
2.) Blocking Known sites-servers/hosts-domains that are known to serve up malware (especially "fastflux" types, the predominant design that uses host-domain names vs. IP addresses (far easier to 'kill' in the latter is why)).
3.) Blocking bogus dns servers malware makers use (via fastflux + rogue dns servers).
4.) Blocking botnet C&C servers.
5.) Blocking bogus adbanners that are full of malicious script content for security, & regular ones for more bandwidth.
6.) Blocking known phisher links embedded in email.
7.) Blocking trackers
8.) Blocking spammers.
9.) Getting back speed/bandwidth paid for by blocking out adbanners + hardcoding in your favorite sites (faster than remote dns resolution).
10.) Added reliability (vs. downed or misdirect/poisoned DNS servers - since most are NOT patched vs. the Kaminsky flaw).
11.) Added "anonymity" (to an extent, vs. DNS request logs).
12.) Ability to bypass DNSBL's
13.) More screen "real estate" (since no adbanners appear onscreen eating up cpu, ram, & other forms of I/O too - bonus!).
14.) Universal Protection (since any OS, even on smartphones has a bsd ip stack).
15.) Faster & more efficient operation vs. browser plugins (which "layer on" ontop of usermode browsers & are generally written in slower interpreted languages (e.g. AdBlock = python/perl/javascript)- Whereas by way of comparison, the hosts file operates @ the kernelmode of operation (far faster) as a filter for the IP stack itself which is written in C & Assembly language (run directly @ Operating System startup with the IP stack itself, making browser/usermode advertiser owned 'solutions' like requestpolicy redundant)).
16.) Custom hosts files work on all webbound apps (browser plugins don't).
17.) Custom hosts are completely controlled by end users

APK

P.S.=> Can "Request Policy" do ALL of the above, & for any webbound app?

Re:Can "Request Policy" do ALL this?

[maxwell+demon]

I had written a large point-to-point reply, but the lame(ness) filter won't let me post it (and doesn't even tell me why; Slashdot is really going downhill!). Therefore here's a summary:

1. RequestPolicy doesn't do all from the list (but most). But I never claimed it was the solution to everything. And BTW, against your claim, hosts files also do not do all of that.

2. RequestPolicy can do things hosts files cannot do. Which was my whole point: It is not made redundant by hosts files. Now it is true that also hosts files can something RequestPolicy cannot do. But I never claimed otherwise.

So, now let's see if the lame(ness) filter likes this.

(BTW, is there any place where I can ask why my original post did not pass the lame(ness) filter?

Or do you have a hosts file solution to it? ;-))

Can RequestPolicy do ALL this?

1.) Block malware/malscripted sites.
2.) Block Known sites-servers/hosts-domains that are known to serve up malware (especially "fastflux" types, the predominant design that uses host-domain names vs. IP addresses (far easier to 'kill' in the latter is why)).
3.) Block bogus dns servers malware makers use (via fastflux + rogue dns servers).
4.) Block botnet C&C servers.
5.) Block adbanners that are full of malicious script content for security, & regular ones for more bandwidth.
6.) Block known phisher links embedded in email.
7.) Block trackers
8.) Block spammers.
9.) Get back bandwidth paid for by blocking out adbanners + hardcoding in your favorite sites (faster than remote dns resolution).
10.) Reliability (vs. downed or misdirect/poisoned DNS servers - since most are NOT patched vs. the Kaminsky flaw).
11.) "Anonymity" (to an extent, vs. DNS request logs).
12.) Ability to bypass DNSBL's
13.) More screen "real estate" (no adbanners appear onscreen eating up cpu, ram, & other forms of I/O too - bonus!).
14.) Universal Protection (even smartphones has a bsd ip stack).
15.) Faster more efficient operation vs. browser plugins ("layered on" over usermode browsers & are generally written in slower interpreted languages (e.g. AdBlock = python/perl/javascript) - hosts operates in kernelmode of operation (far faster) as a filter for the IP stack itself which is written in C & Asm (run directly @ Operating System start + IP stack making browser/usermode advertiser owned 'solutions' like requestpolicy redundant)).
16.) Custom hosts work on all webbound apps (plugins don't).
17.) Custom hosts = completely controlled by end users

APK

P.S.=> APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

Can Request Policy do ALL this? No

1.) Block malware/malscripted sites.
2.) Block Known sites-servers/hosts-domains that are known to serve up malware (especially "fastflux" types, the predominant design that uses host-domain names vs. IP addresses (far easier to 'kill' in the latter is why)).
3.) Block bogus dns servers malware makers use (via fastflux + rogue dns servers).
4.) Block botnet C&C servers.
5.) Block adbanners that are full of malicious script content for security, & regular ones for more bandwidth.
6.) Block known phisher links embedded in email.
7.) Block trackers
8.) Block spammers.
9.) Get back bandwidth paid for by blocking out adbanners + hardcoding in your favorite sites (faster than remote dns resolution).
10.) Reliability (vs. downed or misdirect/poisoned DNS servers - since most are NOT patched vs. the Kaminsky flaw).
11.) "Anonymity" (to an extent, vs. DNS request logs).
12.) Ability to bypass DNSBL's
13.) More screen "real estate" (no adbanners appear onscreen eating up cpu, ram, & other forms of I/O too - bonus!).
14.) Universal Protection (even smartphones has a bsd ip stack).
15.) Faster more efficient operation vs. browser plugins ("layered on" over usermode browsers & are generally written in slower interpreted languages (e.g. AdBlock = python/perl/javascript) - hosts operates in kernelmode of operation (far faster) as a filter for the IP stack itself which is written in C & Asm (run directly @ Operating System start + IP stack making browser/usermode advertiser owned 'solutions' like requestpolicy redundant)).
16.) Custom hosts work on all webbound apps (plugins don't).
17.) Custom hosts = completely controlled by end users

?

No, but custom hosts, can (from 1 file only)!

APK

P.S.=> APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

Can RequestPolicy do ALL this? No

1.) Block malware/malscripted sites.
2.) Block Known sites-servers/hosts-domains that are known to serve up malware (especially "fastflux" types, the predominant design that uses host-domain names vs. IP addresses (far easier to 'kill' in the latter is why)).
3.) Block bogus dns servers malware makers use (via fastflux + rogue dns servers).
4.) Block botnet C&C servers.
5.) Block adbanners that are full of malicious script content for security, & regular ones for more bandwidth.
6.) Block known phisher links embedded in email.
7.) Block trackers
8.) Block spammers.
9.) Get back bandwidth paid for by blocking out adbanners + hardcoding in your favorite sites (faster than remote dns resolution).
10.) Reliability (vs. downed or misdirect/poisoned DNS servers - since most are NOT patched vs. the Kaminsky flaw).
11.) "Anonymity" (to an extent, vs. DNS request logs).
12.) Ability to bypass DNSBL's
13.) More screen "real estate" (no adbanners appear onscreen eating up cpu, ram, & other forms of I/O too - bonus!).
14.) Universal Protection (even smartphones has a bsd ip stack).
15.) Faster more efficient operation vs. browser plugins ("layered on" over slower usermode browsers & are generally written in slower interpreted languages (e.g. AdBlock = python/perl/javascript) - hosts operates in kernelmode of operation (far faster) as a filter for the IP stack itself which is written in C & Asm (run directly @ Operating System start + IP stack making browser/usermode advertiser owned 'solutions' like requestpolicy redundant)).
16.) Custom hosts work on all webbound apps (plugins don't).
17.) Custom hosts = completely controlled by end users

"?"

No it can't: However - Custom Hosts files can (from 1 file only)!

APK

P.S.=> APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

Ok troll

Same challenge to "the likes of you" (low troll) -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44676733

APK

Re:Ok troll

Begone, foul creature! No brain sucking! Bad puppy!

Ok - on "better"? What does more?? apk

"But the point is that you claimed that host files are better than RequestPolicy. Which they are not because they simply offer different functionality. " -

Ok then, on that note - Let's compare (enlighten me, here):

http://yro.slashdot.org/comments.pl?sid=4127345&cid=44684319

* When you can show me that Request Policy does MORE than custom hosts do (with less moving parts room for breakdown as well)? Then, you're correct...

(See you there)

---

"And blocking embedded videos from third-party sites (and especially YouTube) is one thing I use RequestPolicy for." - by maxwell demon (590494) on Wednesday August 28, 2013 @03:57PM (#44699585)

Again: WTF would I block YouTube vids for, on ANY site, for Pete's sake? Video's superior to other forms of learning imo @ least, for 1 thing...

IF that's your "only 'advantage'" (using the latter word LOOSELY)? You're in deep doo-doo in that link above with your response...

---

Lastly:

"And BTW, you seem to have the misconception that ring 0 code runs faster than ring 3 code. That is wrong." - by maxwell demon (590494) on Wednesday August 28, 2013 @03:57PM (#44699585)

WTF? LMAO - you don't UNDERSTAND: The result of my app is a custom HOSTS file - what uses it? The IP stack itself, with over 45++ yrs. of optimization in it... that's why I can claim that vs. your "layered over" complexity lag add using browser addons that slow browsers even MORE than running in usermode does (vs. IP stack in kernelmode).

APK

P.S.=> Took you long enough - how many DAYS did you delay answering? That's ok though: We'll see "what's-what" in that link above, when you respond to it (IF you do, that is)... apk

Re:Ok - on "better"? What does more?? apk

[maxwell+demon]

Again: WTF would I block YouTube vids for, on ANY site, for Pete's sake?

I already wrote that. But why am I not surprised that you didn't (or pretend you didn't) notice it?

As I said in my other reply to you today

"I didn't "run from this"" - by maxwell demon (590494) on Wednesday August 28, 2013 @04:00PM (#44699625)

See subject & link (FINALLY you reply, albeit 2 days later) -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44684319

* See you there - then, we'll SEE, "what's-what" in a features/benefits comparison - as to what is better or not...

(Good luck - you'll NEED it!)

APK

P.S.=> Your other reply today? "DUSTED", completely 'point-by-point' as is my style, here -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44699697 (I.E.-> you messed up on how hosts work, where, & why (technical error on YOUR part). However - funniest part is, BY YOUR OWN WORDS, lol (IP stack native resolver (tcpip.sys) IS PnP designed driver in kernelmode - it uses hosts, the result of my app, there, as a filtering resolver - tightly integrated))... apk

You ADMIT RequestPolicy does less

"hosts files also do not do all of that." - by maxwell demon (590494) on Wednesday August 28, 2013 @05:03PM (#44700445)

Question: WHAT IN MY LIST CAN'T HOSTS DO?

---

"RequestPolicy doesn't do all from the list (but most)" - by maxwell demon (590494) on Wednesday August 28, 2013 @05:03PM (#44700445)

See subject-line: Hosts do more (than RequestPolicy) for less = good (better) engineering - Tightly integrated to the IP stack itself.

Your 'solution' = layering MORE over ALREADY SLOWER layers (slowing browsers down even more, & adding complexity/room for breakdown + added message passing etc.!)

---

"The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

---

Who's uses a SIMILARLY efficient idea? These guys (albeit on spam, but I cover THAT too via hosts (vs. malicious links)) for TWITTER -> http://www.scmagazine.com.au/News/355048,heres-how-you-can-catch-phish-like-twitter.aspx

* What I've essentially done, is "fire up" & reinforce an 'acquired immunity system' via hosts!

Via efficient tightly integrated hosts + kernelmode IP stack for all of those things in MY list - For more speed, security, reliability, & even anonymity - which RequestPolicy clearly, cannot even scratch for overall functional value (vs. custom hosts).

APK

P.S.=> Sorry but MORE bad news for you: IF I want to say, block videos on 1 site, but allow them on another? Again - LESS "MOVING PARTS COMPLEXITY/ROOM FOR BREAKDOWN" YET AGAIN HERE:

I use Opera 12.16 64-bit (last TRUE Opera, not "Chopera") - Clue - it has a "By Site Preferences" option, so I can do that too, turning off/on Javascript/Plugins/IFrames/Cookies & more for sites individually (I set most off by default, & make exceptions as needed, on demand only too)! MINUS ANY ADDONS like RequestPolicy - I do it, "natively/tightly integrated" + less parts/room for breakdown (like hosts)...

... apk

Noticed your blunder on HOSTS & IP Stack

In my post you replied to http://yro.slashdot.org/comments.pl?sid=4127345&cid=44699697

Additionally:

I notice you admit hosts do more than RequestPolicy does -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44701775

?

(Yes, you did & ADMITTED it there in the link above - That's ALL I need to know...)

APK

P.S.=> Lastly - For what RequestPolicy does per your claim on YouTube stuff?

Again - I need no more "moving parts added slow-me-down-complexity" as you do, inefficiently - I use Opera 12.16 64-bit, & it does what you say RequestPolicy does, NATIVELY built-in (like hosts vs. RequestPolicy)... apk

Answer?

Definitely NOT (straight from the horses mouth) -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44701775

Answer?

Definitely NOT (straight from the horses mouth) -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44701775

Answer?

Definitely NOT (straight from the horses mouth) -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=447017

Old news is old

[allo]

My Blogpost in 2007 (sorry, its german):
http://blog.laxu.de/2007/09/23/browser-raten-und-e-tag-cookies/