Slashdot Mirror


Cookieless Web Tracking Using HTTP's ETag

An anonymous reader writes "There is a growing interest in who tracks us, and many folks are restricting the use of web cookies and Flash to cut down how advertisers (and others) can track them. Those things are fine as far as they go, but some sites are using the ETag header as an identifier: Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser a unique ETag, and when they connect again it can look it up in its database. Neither JavaScript, nor any other plugin, has to be enabled for this to work either, and changing your IP is useless as well. The only usable workaround seems to be clearing one's cache, or using private browsing with HTTPS on sites where you don't want to be tracked. The Firefox add-on SecretAgent also does ETag overwriting."

  1. Secret Agent by Jeremiah Cornelius · Score: 5, Interesting

    Here we come. :-)

    Add this feature to a chaff-creating plugin, to crapflood servers with fake tags.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Secret Agent by KiloByte · Score: 5, Informative

      Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?

      ETags are only one of many methods to achieve caching. Getting rid of them shouldn't have a big effect on caching.

      Other methods typically have privacy holes as well, but it's easier to deal with them, for example by rounding timestamps down to the last midnight. ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
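
An added example, not part of the original thread or of SecretAgent: a check that flags URLs whose byte-identical bodies arrive with a different ETag per client (the identifier behaviour the summary describes), plus the header clean-up KiloByte outlines (drop the ETag, round Last-Modified down to the last midnight). The hostnames, ETag values and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from datetime import timezone
from email.utils import parsedate_to_datetime, format_datetime

# Constructed sample: responses for the same URLs fetched by clients with
# empty caches (client label, URL, response headers, body). Not real traffic.
SAMPLES = [
    ("client-a", "https://tracker.example/pixel.gif",
     {"ETag": '"u-7f3a91"', "Last-Modified": "Tue, 02 Apr 2013 14:31:07 GMT"}, b"GIF89a"),
    ("client-b", "https://tracker.example/pixel.gif",
     {"ETag": '"u-c04e2d"', "Last-Modified": "Tue, 02 Apr 2013 14:31:09 GMT"}, b"GIF89a"),
    ("client-a", "https://static.example/app.css",
     {"ETag": '"5f1c-4d9"', "Last-Modified": "Mon, 01 Apr 2013 08:00:00 GMT"}, b"body{}"),
    ("client-b", "https://static.example/app.css",
     {"ETag": '"5f1c-4d9"', "Last-Modified": "Mon, 01 Apr 2013 08:00:00 GMT"}, b"body{}"),
]

def suspicious_etags(samples):
    """Return URLs where identical bodies came with different ETags.

    A validator should depend on the content; when byte-identical bodies get
    a different ETag per client, the ETag is behaving like an identifier.
    """
    seen = defaultdict(set)  # (url, body hash) -> set of ETags observed
    for _client, url, headers, body in samples:
        digest = hashlib.sha256(body).hexdigest()
        seen[(url, digest)].add(headers.get("ETag"))
    return sorted({url for (url, _), tags in seen.items() if len(tags) > 1})

def sanitize_validators(headers):
    """Drop ETag and round Last-Modified down to the last midnight (UTC)."""
    out = {k: v for k, v in headers.items() if k.lower() != "etag"}
    for key in list(out):
        if key.lower() == "last-modified":
            when = parsedate_to_datetime(out[key]).astimezone(timezone.utc)
            midnight = when.replace(hour=0, minute=0, second=0, microsecond=0)
            out[key] = format_datetime(midnight, usegmt=True)
    return out

if __name__ == "__main__":
    print(suspicious_etags(SAMPLES))
    print(sanitize_validators(SAMPLES[0][2]))
```

After sanitizing, the two pixel responses carry the same validators, so neither header distinguishes client-a from client-b; the stylesheet is not flagged because its ETag is the same for both clients.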
  2. Nothing new by deanrock0 · Score: 5, Informative

    Did they just invent ETag or what? This "feature" has been known for a few years and there are existing implementations, including this one: http://samy.pl/evercookie/ from 2010.

  3. Re:Firefox makes cache clearing difficult by Ambiguous Puzuma · Score: 5, Informative

    Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

  4. Panopticlick is another method by danceswithtrees · Score: 5, Interesting

    The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.

    https://panopticlick.eff.org/

  5. Re:Firefox makes cache clearing difficult by seyyah · Score: 5, Funny

    Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

    I also like the Ctrl+Alt+Del option. I've yet to see a website that can track me after that.