Cookieless Web Tracking Using HTTP's ETag

← Back to Stories (view on slashdot.org)

Cookieless Web Tracking Using HTTP's ETag

Posted by timothy on Sunday August 25, 2013 @03:30AM from the ah-there-you-are-again dept.

An anonymous reader writes "There is a growing interest in who tracks us, and many folks are restricting the use of web cookies and Flash to cut down how advertisers (and others) can track them. Those things are fine as far as they go, but some sites are using the ETag header as an identifier: Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser an unique ETag, and when they connect again it can look it up in its database. Neither JavaScript, nor any other plugin, has to be enabled for this to work either, and changing your IP is useless as well. The only usable workaround seems to be clearing one's cache, or using private browsing with HTTPS on sites where you don't want to be tracked. The Firefox add-on SecretAgent also does ETag overwriting."

18 of 212 comments (clear)

Min score:

Reason:

Sort:

Secret Agent by Jeremiah+Cornelius · 2013-08-25 03:32 · Score: 5, Interesting

Here we come. :-)
Add this feature to a chaff-creating plugin, to crapflood servers with fake tags.

--
"Flyin' in just a sweet place,
Never been known to fail..."
1. Re:Secret Agent by kasperd · 2013-08-25 04:09 · Score: 3, Interesting
  
  Can SecretAgent detect tracking through ETags? Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?
  
  The way I'd detect it would be with some extra background probes after a page has been loaded. The background probes start once the browser has finished loading and has become idle. Then the browser could open another connection and request the same resources again without sending any information, that could be tracked. If it receives a different ETag or different content this time around, it empties the cache for that domain and disables caching for that domain for a few hours.
  
  --
  
  Do you care about the security of your wireless mouse?
2. Re:Secret Agent by KiloByte · 2013-08-25 04:37 · Score: 5, Informative
  
  Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?
  ETags are only one of many methods to achieve caching. Getting rid of them shouldn't have a big effect on caching.
  Other methods typically have privacy holes as well, but it's easier to deal with them, for example by rounding timestamps down to the last midnight. ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Nothing new by deanrock0 · 2013-08-25 03:36 · Score: 5, Informative

Did they just invent ETag or what? This "feature" is known for a few years and there are existing implementation, including this one: http://samy.pl/evercookie/ from 2010.
1. Re:Nothing new by Anonymous Coward · 2013-08-25 03:56 · Score: 3, Informative
  
  Did they just invent ETag or what? This "feature" is known for a few years and there are existing implementation, including this one: http://samy.pl/evercookie/ from 2010.
  The wikipedia article on ETag links to a page from 2003 discussing ETag's usability for tracking.
Tracking $$$$ by Ed+The+Meek · 2013-08-25 03:36 · Score: 3, Informative

Tracking information is worth billions of dollars. With that much money on the line - we'll be tracked like escaped inmates - one way or another.
1. Re:Tracking $$$$ by Ixokai · 2013-08-25 08:32 · Score: 4, Insightful
  
  The thing is, you're wrong.
  Very, very little of what Obama wants or has done is even close to what the progressives of the left actually want. Health care reform? He enacted the model proposed by the Republicans and devised by a right wing think-tank to create a market-based approach to near-universal healthcare: if you think the left is happy with Obamacare, you're not paying attention.
  Its simply *better*, and so we will stick with it. What the left wanted was a single-payer really universal healthcare, but we compromised and were willing to go along with the ACA as long as we'd get a single-payer *option*. Then that got dropped, but most of the left decided to support the ACA anyways because really, it was better then what we have now.
  Obama is a centrist; center-right in most issues, occasionally center-left. There is nothing even remotely radical about anything he's done, there's been no great pull to the left. The left has gone a bit farther left then we were a decade or so ago, but that's been in response to the monumental shift the right has gone.
  There's a wholesale assault on reproductive and fundamental voting rights going on from the right these days, which is just stunning in that these are things that *only* the most extreme of the right's base want.
  On civil rights, surveillance, foreign policy, environment, business regulation, ... and on and on, Obama is not at all in line with what the left wants. He's just not as bad as what the crazy people on the far right want.
  Yes, there are some narrow places where the far left and the libertarian wing of the far right actually agree, and its weird when it happens: but those are on very specific and very narrow issues. The problem with that libertarian wing is then they fall flat on their face in when the social conservative bloc of the far right has to be dealt with in primaries, and suddenly small government meets bedroom and private health, and oops.
Re:Firefox makes cache clearing difficult by Ambiguous+Puzuma · 2013-08-25 03:46 · Score: 5, Informative

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.
Just clear the cache... by AliasMarlowe · 2013-08-25 04:08 · Score: 3, Interesting

On all of our PCs, Opera and Firefox are set to clear their caches and delete all cookies etc. every time they exit.
Also, I occasionally clear all private data while browsing in Opera, including the cache, cookies, history, and so forth (passwords are never saved by the browser). Obviously, I have to log in again the next time I visit slashdot.

--
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
1. Re:Just clear the cache... by aliquis · 2013-08-25 04:26 · Score: 3, Interesting
  
  delete all cookies etc. every time they exit.
  
  I have to log in again the next time I visit slashdot.
  Too much work. Well, except if I'd never quit the browser but then it wouldn't make any difference.
They just don't seem to get the message by Somebody+Is+Using+My · 2013-08-25 04:17 · Score: 4, Interesting

I always imagine the webserver as having an internal conversation that goes sort of like this...

Hey, a new visitor to the website? I wonder who he is?
Well, I'll just drop a cookie on there to keep track of him... and, hmm, it seems he's blocking cookies.
Oh well, let me just insert this bit of Javascript; that'll work just as well.
Dear oh dear, it seems Javascript isn't working.
No worries, I'll just insert a little 0-byte web-bug graphic and... wait? That's prevented as well?
Damn it, Flash-cookie! That'll get him! WHAT?!?!? Disabled as well?
E-Tag! That has to work, right?
ARGH!!!!!
Gee... I wonder if he's trying to tell me something like, oh I don't know, "I don't like being tracked".
Nah, who doesn't like being pushed, filed, stamped, indexed, briefed, debriefed, or numbered? I wonder if there's some other way I can use...

You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere. It just further antagonizes the very people they are trying to connect with. And then they wonder why they lose the respect and trust of their customers, resulting in an ever-more aggressive relationship between the two.
Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?
1. Re:They just don't seem to get the message by bbn · 2013-08-25 05:00 · Score: 4, Funny
  
  E-Tag! That has to work, right?
  ARGH!!!!!
  Gee... I wonder if he's trying to tell me something like, oh I don't know, "I don't like being tracked".
  By this point you are being tracked as the guy that blocked everything else. There is only going to be one of you.
2. Re:They just don't seem to get the message by mopower70 · 2013-08-25 06:09 · Score: 3, Interesting
  
  You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere.
  I'm honestly curious here. Advertising isn't going away. It's what keeps the Internet "free". So you're saying you'd rather have completely irrelevant advertising than stuff you may actually be interested in? When I'm in the market for any kind of product, I actively seek out sources of advertising to survey what's available. Being flooded with irrelevant information and advertisements (like happens on the radio and television) is personally unnecessary but financially necessary noise to provide the content I want. I'll take trackers any day over having to pay for every single site I visit.
3. Re:They just don't seem to get the message by Anonymous Coward · 2013-08-25 07:03 · Score: 3, Interesting
  
  Yes, that's what I'm saying. I don't want these people to know what I want. They have proven that they will take advantage of that, and try to make me impulse-buy things when I'm at my most vulnerable to targeted ads.
  Ads are not a good way to form a worthwhile opinion on what product is the best for you, the consumer. They're designed to drown out the competition and are practically worthless for making a judgement call, unless you happen to notice it's something you already wanted that has a special-offer.
  Without competition, ads are no more relevant than they were without being targeted. I've seen no evidence of more competition with more targeted ads. I just get the same products over and over, from whomever can afford the most ads. It's not a healthy situation for commerce.
  Plus, if it's something I'm going to buy, I'll buy it. I don't need an ad asking me to click on it while I'm doing other things. I'd rather the business model was revamped than the customer's privacy model.
  If ads can sustain the web as-is, then I don't see a need to "upgrade" them. And if they can't, then it's just another reason to revamp the business model instead of desperately clinging to it.
Panopticlick is another method by danceswithtrees · 2013-08-25 04:24 · Score: 5, Interesting

The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.
https://panopticlick.eff.org/
Re:Another Job for RequestPolicy by Anonymous Coward · 2013-08-25 04:29 · Score: 4, Informative

I use RequestPolicy, and it definitely isn't for most people. It increases the amount of effort needed to browse the web by a factor of ten.
Every other site I go to is actually served from about two dozen separate locations. CSS comes from one domain, images come from as many as 6 domains, javascript comes from as many as 3 domains, and it isn't unheard of to see twenty different sets of trackers and widgets getting bolted on, not including the addidional baggage that they bring.
It's fucking ridiculous.
Oddly enough, sites hosting their own tracking will make RequestPolicy fail miserably, since it only deals with cross site refs. Such sites are the exception, though.
Re:Firefox makes cache clearing difficult by seyyah · 2013-08-25 04:49 · Score: 5, Funny

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.
I also like the Ctrl+Alt+Del option. I've yet to see a website that can track me after that.
ETag leaks between Incognito mode and regular mode by ThatsMyNick · 2013-08-25 06:34 · Score: 4, Informative

It also seems to leak info between regular windows and incognito mode in chromium. I assume the cache is shared between the modes, and they need separate caches.