Cookieless Web Tracking Using HTTP's ETag

An anonymous reader writes "There is a growing interest in who tracks us, and many folks are restricting the use of web cookies and Flash to cut down how advertisers (and others) can track them. Those things are fine as far as they go, but some sites are using the ETag header as an identifier: Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser an unique ETag, and when they connect again it can look it up in its database. Neither JavaScript, nor any other plugin, has to be enabled for this to work either, and changing your IP is useless as well. The only usable workaround seems to be clearing one's cache, or using private browsing with HTTPS on sites where you don't want to be tracked. The Firefox add-on SecretAgent also does ETag overwriting."

Nothing new

[deanrock0]

Did they just invent ETag or what? This "feature" is known for a few years and there are existing implementation, including this one: http://samy.pl/evercookie/ from 2010.

Re:Nothing new

Did they just invent ETag or what? This "feature" is known for a few years and there are existing implementation, including this one: http://samy.pl/evercookie/ from 2010.

The wikipedia article on ETag links to a page from 2003 discussing ETag's usability for tracking.

Tracking $$$$

[Ed+The+Meek]

Tracking information is worth billions of dollars. With that much money on the line - we'll be tracked like escaped inmates - one way or another.

Secret Agent addon

The addon's homepage appears to be this:
https://www.dephormation.org.uk/?page=81

Re:Firefox makes cache clearing difficult

[Ambiguous+Puzuma]

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

Re:Another Job for RequestPolicy

I use RequestPolicy, and it definitely isn't for most people. It increases the amount of effort needed to browse the web by a factor of ten.

Every other site I go to is actually served from about two dozen separate locations. CSS comes from one domain, images come from as many as 6 domains, javascript comes from as many as 3 domains, and it isn't unheard of to see twenty different sets of trackers and widgets getting bolted on, not including the addidional baggage that they bring.

It's fucking ridiculous.

Oddly enough, sites hosting their own tracking will make RequestPolicy fail miserably, since it only deals with cross site refs. Such sites are the exception, though.

Re:Secret Agent

[KiloByte]

Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?

ETags are only one of many methods to achieve caching. Getting rid of them shouldn't have a big effect on caching.

Other methods typically have privacy holes as well, but it's easier to deal with them, for example by rounding timestamps down to the last midnight. ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

ETag leaks between Incognito mode and regular mode

[ThatsMyNick]

It also seems to leak info between regular windows and incognito mode in chromium. I assume the cache is shared between the modes, and they need separate caches.