
1MB+ of HTTP overhead due to TowerData cookies - dsr12
http://bigqueri.es/t/1mb-of-http-overhead-due-to-towerdata-cookies/479
======
kcorbitt
I assume this would be another problem solved by disabling 3rd-party cookies?

[https://support.mozilla.org/en-US/kb/disable-third-party-coo...](https://support.mozilla.org/en-US/kb/disable-third-party-cookies)

~~~
thirsteh
This would be the only problem it solves, then, since blocking 3rd party
cookies does almost nothing to stop tracking.

~~~
millstone
Why is that?

~~~
thirsteh
Take a look at the results on
[http://www.areweprivateyet.com/](http://www.areweprivateyet.com/)

The methodology is described here:
[https://cyberlaw.stanford.edu/blog/2011/09/tracking-trackers...](https://cyberlaw.stanford.edu/blog/2011/09/tracking-trackers-self-help-tools)

Even the DNT header, which is widely recognized as a failure since it relies
on the perpetrators to regulate themselves, protects you better against
tracking than blocking third-party cookies. It's just too easy to track people
by other means, and the companies that aren't already doing it will certainly
start if a meaningful number of people suddenly block third-party cookies.

The only pragmatic and effective way to avoid being tracked today is to use
something like uBlock (more efficient ABP + noscript) with the third-party
script and frame blocking features enabled (whitelisting third-party
scripts/frames only on those sites that break something you want to see at the
cost of possibly being tracked by something the block lists don't catch.)

~~~
erglkjahlkh
Thank you for the good links. What is also somewhat scary is font enumeration.
It is somewhat uncommon to find two computers with exactly the same set of
installed fonts. I have noticed that especially on the Windows platform many
applications bundle their own fonts, and the resulting sets are very good for
fingerprinting systems.

~~~
thirsteh
Indeed. Some interesting research is being done on this:
[https://github.com/ghostwords/chameleon](https://github.com/ghostwords/chameleon)
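The font-enumeration technique the two comments above describe, as an added example that is not part of the thread and not code from chameleon or fingerprintjs: a probe string is measured in `"Candidate", fallback` and in the generic fallback alone; if the widths differ, the browser used the candidate, so it is installed. The list of installed fonts is then hashed into a stable token. The canvas measurer needs a browser; the constructed measurer and the `SAMPLE_MACHINE` widths below are invented so the block runs outside one and are assumptions, not measurements from any real system.

```javascript
// Font-enumeration fingerprint (added example, not from the thread).
// Technique: render a probe string in '"Candidate", fallback' and in the
// generic fallback alone; if the width differs, the candidate font is
// installed and was used, otherwise the browser fell back.
const PROBE = "mmmmmmmmmmlli"; // wide and narrow glyphs amplify differences
const FALLBACKS = ["monospace", "serif", "sans-serif"];

// Real measurer for a browser: canvas 2D text metrics (needs the DOM).
function canvasMeasurer() {
  const ctx = document.createElement("canvas").getContext("2d");
  return (stack) => {
    ctx.font = `72px ${stack}`;
    return ctx.measureText(PROBE).width;
  };
}

// Constructed stand-in for running outside a browser: widths are invented.
// `installed` maps font name -> probe width as that font would render it.
function constructedMeasurer(installed) {
  const base = { monospace: 936, serif: 811, "sans-serif": 790 };
  return (stack) => {
    const m = stack.match(/^"(.+)", (.+)$/);
    if (!m) return base[stack]; // generic fallback measured alone
    const [, font, fb] = m;
    return font in installed ? installed[font] : base[fb];
  };
}

// Returns the subset of `candidates` the measurer reports as installed.
// Checking against all three generic families avoids a false negative
// when a candidate happens to share a width with one of them.
function detectFonts(candidates, measure) {
  const baseline = Object.fromEntries(FALLBACKS.map((fb) => [fb, measure(fb)]));
  return candidates.filter((font) =>
    FALLBACKS.some((fb) => measure(`"${font}", ${fb}`) !== baseline[fb])
  );
}

// Collapse the installed-font set into a stable token (FNV-1a, 32-bit).
// Sorting first makes the token independent of the probe order.
function fontFingerprint(installedFonts) {
  let h = 0x811c9dc5;
  for (const ch of [...installedFonts].sort().join("|")) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Stand-alone run with the constructed measurer (hypothetical machine).
const CANDIDATES = ["Arial", "Calibri", "Segoe UI", "Helvetica Neue", "Ubuntu"];
const SAMPLE_MACHINE = { Arial: 760, Calibri: 705, "Segoe UI": 742 }; // constructed
const found = detectFonts(CANDIDATES, constructedMeasurer(SAMPLE_MACHINE));
console.log(found, fontFingerprint(found));
```

In a real page the candidate list runs to several hundred names, which is why the per-machine set is so distinctive; blocking third-party cookies does nothing against this, since no cookie is involved.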

------
jgalt212
Not all fingerprinting is for consumer-unfriendly purposes. It can be used for
security to make sure client accounts are being accessed by known machines, or
it can be used to monitor license sharing (for paid subscription services).

Oracle and others have paid services that do this for the security conscious.

A nice open source implementation can be found here:

[https://github.com/Valve/fingerprintjs](https://github.com/Valve/fingerprintjs)

------
beernutz
Would it make sense to just blackhole the rlcdn.com domain?

In the hosts file: 127.0.0.1 rlcdn.com

Or is there a way for pfSense to filter that traffic, maybe?

------
Animats
Ghostery can help block this. (Not DoNotTrackMe; they sold out and put spyware
in their add-on.)

~~~
sa1
Elaborate on the DoNotTrackMe part?

~~~
Animats
See [http://www.areweprivateyet.com/](http://www.areweprivateyet.com/)

[https://news.ycombinator.com/item?id=7234463](https://news.ycombinator.com/item?id=7234463)

Look at the source code for DoNotTrackMe. It sends detailed info on what pages
you've visited back to Abine.

~~~
sa1
Link to the source code? (iirc, it isn't open source, but probably the
extension code can still be examined)

The comment(by a competitor) says that DNTMe sends back data, but neither the
comment nor the areweprivateyet.com website backs up that claim. The latter
just says that DNTMe is not very effective at blocking.

Since you mention that they sold out, I hope to know if there's more history
on the subject, if things changed in the extension, or with Abine, and when
that happened.

~~~
Animats
Actually, it _is_ open source, because Abine copied GPL code into their add-
on, making them subject to the GPL. They're using some of Moxie Marlinspike's
code.

Download the DNTM add-on source. Do this with Chrome; Firefox will try to
install it into the browser. Change the suffix from .xpi to .zip and unpack
the file. Now you have the source.

Take a look at "components/common.js". ("Copyright (c) 2010 Moxie Marlinspike;
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.") Towards the end of that file, there's additional code from Abine.
To read it clearly, put it through a JavaScript beautifier.

Now take a look at the code around "parseIdentity", which involves creating a
unique identity for the user and sending it to Abine via XMLHttpRequest.
Notice the places where it builds up JSON items and sends them somewhere. Also
look at "protocol.js", which implements the "Abine protocol". There's more,
but that's all I have time for right now. I looked at a previous version in
more detail, but this one has so much new stuff it's going to be hard to
figure out what it's doing.

------
imaginenore
That's why we need HTTPS everywhere.

I really hope letsencrypt.org takes off.

~~~
revscat
HTTPS is transport layer security. It does not solve the problem of tracking.

~~~
imaginenore
HttpOnly, and, as far as I know, HTTP-only cookies can't be injected if you
use HTTPS.

* HttpOnly restricts all access to document.cookie in IE7, Firefox 3, and Opera 9.5 (unsure about Safari)

* HttpOnly removes cookie information from the response headers in XMLHttpObject.getAllResponseHeaders() in IE7. It should do the same thing in Firefox, but it doesn't, because there's a bug.

* XMLHttpObjects may only be submitted to the domain they originated from, so there is no cross-domain posting of the cookies.
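A concrete way to check the cookie attributes discussed in this last exchange, and the per-request overhead the thread's title is about, as an added example that is not part of the thread: parse each `Set-Cookie` header a page's responses carry, report whether the cookie is third-party, whether it carries `HttpOnly` (keeps it out of `document.cookie`), `Secure` (never sent over cleartext HTTP) and `SameSite`, and how many bytes the client will echo back on every later request. The `{ host, setCookie }` input shape, the `site` argument being the registrable domain of the page visited (no public-suffix handling), and the sample headers using the reserved `example.com` / `example.net` names are all assumptions of this example; nothing here is a real cookie observed from rlcdn.com or any other service.

```javascript
// Set-Cookie audit (added example, not from the thread).

// Parse one Set-Cookie header value into its name/value pair and the
// attributes this audit cares about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? "" : pair.slice(0, eq),
    value: eq < 0 ? pair : pair.slice(eq + 1),
    bytes: pair.length, // what the client echoes back in the Cookie header
    httpOnly: false,
    secure: false,
    sameSite: null,
    domain: null,
  };
  for (const attr of attrs) {
    const [key, ...rest] = attr.split("=");
    const val = rest.join("=").trim(); // attribute values may contain '='
    switch (key.trim().toLowerCase()) {
      case "httponly": cookie.httpOnly = true; break;
      case "secure":   cookie.secure = true; break;
      case "samesite": cookie.sameSite = val.toLowerCase(); break;
      case "domain":   cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
    }
  }
  return cookie;
}

// A host is first-party if it is the visited site or a subdomain of it.
// `site` is assumed to be the registrable domain (no public-suffix list).
function isFirstParty(host, site) {
  return host === site || host.endsWith("." + site);
}

// `responses`: array of { host, setCookie }, e.g. lifted from a HAR file
// (assumed input shape). Returns one finding per cookie.
function auditCookies(responses, site, maxBytes = 1024) {
  return responses.map(({ host, setCookie }) => {
    const c = parseSetCookie(setCookie);
    const issues = [];
    if (!isFirstParty(host, site)) issues.push(`third-party cookie from ${host}`);
    if (!c.httpOnly) issues.push("no HttpOnly: readable via document.cookie");
    if (!c.secure) issues.push("no Secure: also sent over cleartext HTTP");
    if (!c.sameSite || c.sameSite === "none") {
      issues.push("SameSite missing or None: sent on cross-site requests");
    }
    if (c.bytes > maxBytes) {
      issues.push(`${c.bytes} bytes resent with every request to ${c.domain || host}`);
    }
    return { host, name: c.name, bytes: c.bytes, issues };
  });
}

// Cookie bytes the client uploads over `requestCount` requests that match
// these cookies (header name and separators ignored).
function uploadOverheadBytes(findings, requestCount) {
  return findings.reduce((sum, f) => sum + f.bytes, 0) * requestCount;
}

// Constructed sample: one hardened first-party session cookie and one
// bulky third-party identifier. Names and values are invented.
const SAMPLE_RESPONSES = [
  { host: "www.example.com",
    setCookie: "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "tracker.example.net",
    setCookie: "uid=" + "x".repeat(2048) + "; Domain=.example.net; Path=/; Max-Age=31536000" },
];

const report = auditCookies(SAMPLE_RESPONSES, "example.com");
console.log(JSON.stringify(report, null, 2));
console.log("upload overhead over 500 requests:", uploadOverheadBytes(report, 500), "bytes");
```

Note what the flags do and do not buy: `HttpOnly` only hides the cookie from script on the page, `Secure` only keeps it off cleartext connections, and neither stops a third party from setting and reading its own cookie on its own requests; the third-party finding and the byte count are the parts that matter for the tracking and overhead problem in the thread.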

