
Ask HN: How does the Washington Post paywall get around Chrome's incognito mode? - hn_throwaway_99
I've noticed relatively recently (I think last 6 months or so, not sure) that the Washington Post paywall has been able to block access after multiple article reads, even if I'm using new Chrome incognito windows for each article read.

To do this, WP must be recording state from somewhere, even though (theoretically) incognito mode should prevent this. Anyone have any idea what they're doing? If I switch to a private window in Safari things work, so WP isn't just recording IP addresses, so my best guess was some combination of device fingerprinting with IP. If that's the case, that means incognito mode should really offer some sort of fingerprinting-thwarter that makes this leaked state more difficult to access.
======
phillipseamore
I tested opening up incognito, clicked random articles until I hit the limit
then closing the incognito window.

Did this three times and always had a fresh start and could navigate until I
hit the limit.

So I can't reproduce your claims.

------
grizzles
You might be part of a special cohort with early access to this 'feature'.

There are a couple ways to do it. For example, you can track incog users by
abusing cert pinning with HPKP report URIs. Expect-CT (the successor to HPKP)
would also be vulnerable to this attack.

------
samcgraw
I cannot repro either. Could it be that you have another minimized / hidden
incognito window on your desktop? The two windows could share client state.

------
taf2
You probably still have an incognito window open. Incognito in chrome is a
special user profile that does not write anything to disk.

------
farseer
If WAPO gets only sporadic traffic from your particular IP, there aren't any
other readers behind that NAT and hence your access can be limited.

BTW Bezos now owns them, so they can also access that state from a multitude
of other Amazon services.

------
Andaith
Could you have some extensions running in incognito mode that are leaking
state?

------
cphrmky__
Check the URL for parameters. If you’re coming from a Google search or similar
there are generally a boat load of analytics/tracking parameters in the URL.
You can eliminate those and you’ll still get the same article.

I’ve seen this too (don’t recall if that was WaPo). I’ve had success with
eliminating the obvious analytics junk from the URL and trying again in a
fresh incognito session.

It’d be pretty easy to keep a short-lived cache server-side of any analytics-
bearing URL that gets paywalled and use that to paywall any additional request
from the same IP that matches exactly and comes within a minute or two (even if
the browser is cookieless). I’m figuring this is probably what they do; I know
it’s how I’d do it if I was tasked with defending against the incognito
technique.
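
As an added illustration of the mechanism this comment hypothesizes (example code written for this thread, not anything from a commenter and not a description of what WaPo actually runs): a tiny server-side cache keyed on (client IP, exact URL) with a short TTL, plus the URL-normalization step a reader would apply to defeat it. The host name, IP address, parameter names and timestamps are constructed for the example; the point it shows is that campaign/click parameters in a URL act as a cross-session identifier even when the browser sends no cookies, and that stripping them removes that identifier.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query keys that carry campaign/click tracking rather than content.
# Constructed list for this example; real sites use many more.
TRACKING_PREFIXES = ("utm_",)
TRACKING_KEYS = {"fbclid", "gclid", "dclid", "mc_cid", "mc_eid"}


def strip_tracking_params(url: str) -> str:
    """Return the URL with analytics parameters removed; other params keep their order."""
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k not in TRACKING_KEYS and not k.startswith(TRACKING_PREFIXES)
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


class PaywallCache:
    """Short-lived memory of (client IP, exact URL) pairs that were paywalled.

    The clock is passed in by the caller so the behaviour is deterministic.
    """

    def __init__(self, ttl_seconds: int = 120):
        self.ttl = ttl_seconds
        self._seen = {}  # (ip, url) -> expiry timestamp

    def _purge(self, now: int) -> None:
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]

    def is_blocked(self, ip: str, url: str, now: int) -> bool:
        self._purge(now)
        return (ip, url) in self._seen

    def record_paywall_hit(self, ip: str, url: str, now: int) -> None:
        self._seen[(ip, url)] = now + self.ttl


def handle_request(cache: PaywallCache, ip: str, url: str, meter_exhausted: bool, now: int) -> str:
    """Return 'paywall' or 'article'.

    meter_exhausted is the ordinary cookie-based decision (free-article count used up).
    A cookieless request is still paywalled if the same IP recently hit the wall on
    exactly the same URL, tracking parameters included.
    """
    if cache.is_blocked(ip, url, now):
        return "paywall"
    if meter_exhausted:
        cache.record_paywall_hit(ip, url, now)
        return "paywall"
    return "article"


def demo() -> list:
    """Walk through the scenario from the comment; all values constructed."""
    cache = PaywallCache(ttl_seconds=120)
    ip = "203.0.113.7"
    tracked = "https://example.test/story?id=42&utm_source=search&gclid=abc123"
    results = []
    # 1. Cookie-bearing session hits its limit on a tracking-laden URL: recorded.
    results.append(handle_request(cache, ip, tracked, True, now=0))
    # 2. Fresh incognito window, no cookies, same pasted URL, 30 s later: still blocked.
    results.append(handle_request(cache, ip, tracked, False, now=30))
    # 3. Same IP, but the reader stripped the analytics parameters first: served.
    results.append(handle_request(cache, ip, strip_tracking_params(tracked), False, now=31))
    # 4. Same tracked URL again after the TTL has expired: served.
    results.append(handle_request(cache, ip, tracked, False, now=200))
    return results


if __name__ == "__main__":
    print(strip_tracking_params("https://example.test/story?id=42&utm_source=search&gclid=abc123"))
    print(demo())
```

The cache only ever matches on an exact URL string, which is why the third request goes through: once the campaign parameters are gone, the (IP, URL) key no longer exists, and a shared IP behind a NAT would only collide if two readers pasted the identical tracking-laden link within the same window.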

~~~
joewee
This sounds likely, and I wouldn’t be surprised if Google had deals with
publishers to send additional data, like your computer’s internal IP via
WebRTC.

Alternatively WaPo could be using WebRTC to pull your internal IP and caching
it along with your external IP and other data to create a unique identifier.

