
Undeletable Cookies - wicknicks
http://www.schneier.com/blog/archives/2011/08/new_undeletable.html
======
wingo
Very interesting, and evil: abusing the ETag mechanism for user tracking. (If
a user requests some sort of unchanging resource without an etag, you give
them a fresh one; and if they request a resource with an etag, you give it to
them, with the supplied etag, and record the user.)

Even if Hulu turned off cookie respawning via etags, you can still track users
this way, on the server side. I guess the tricky thing is to correlate the
etag of the tracker resource with the rest of the requests that a user makes
on a site.
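The mechanism described above can be turned into a check a site auditor runs against a suspect resource. The following is an added example, not code from the thread or from any commenter: a probe that fetches the same resource from a fresh cache state twice and then presents a tag it never received. The two server classes are constructed models so the probe runs offline (an honest content-hash validator, and the echo-and-record behaviour described in the comment); the class and function names are assumptions of this example.

```python
import hashlib
import secrets
from typing import Optional, Tuple

Response = Tuple[int, str, bytes]  # (status, ETag, body)


class ContentEtagServer:
    """Honest validator: the ETag is derived from the body, so every client
    that fetches the same bytes receives the same tag (constructed model)."""

    def __init__(self, body: bytes) -> None:
        self.body = body
        self.etag = '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

    def get(self, if_none_match: Optional[str]) -> Response:
        if if_none_match == self.etag:
            return 304, self.etag, b""
        return 200, self.etag, self.body


class TrackingEtagServer:
    """Constructed model of the behaviour the thread describes: a request
    without an ETag gets a fresh random one; a request that presents an ETag
    gets it echoed back as 304 and the presented value is logged as identity."""

    def __init__(self, body: bytes) -> None:
        self.body = body
        self.seen: list = []

    def get(self, if_none_match: Optional[str]) -> Response:
        if if_none_match is None:
            return 200, '"' + secrets.token_hex(8) + '"', self.body
        self.seen.append(if_none_match)
        return 304, if_none_match, b""


def probe_etag_tracking(server) -> dict:
    """Two fetches with no validator (fresh cache state), then one with a tag
    this client never received. Signals of a tracking ETag: the tag changes
    although the body does not, and the server accepts a tag it never issued."""
    _, tag1, body1 = server.get(None)
    _, tag2, body2 = server.get(None)
    bogus = '"probe-' + secrets.token_hex(4) + '"'
    status3, tag3, _ = server.get(bogus)
    findings = {
        "etag_varies_for_identical_body": body1 == body2 and tag1 != tag2,
        "accepts_unissued_etag": status3 == 304 or tag3 == bogus,
    }
    findings["likely_tracking_etag"] = any(findings.values())
    return findings


if __name__ == "__main__":
    page = b"<html>static page body</html>"  # constructed sample body
    for srv in (ContentEtagServer(page), TrackingEtagServer(page)):
        print(type(srv).__name__, probe_etag_tracking(srv))
```

Treat a positive result as a signal rather than proof: ETags can legitimately differ between backends behind a load balancer (the default inode/mtime/size tags of some web servers), and a server that never validates tags may return 304 for anything. Run the probe from a client with no stored validators, otherwise the first fetch is not a fresh one.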

~~~
apgwoz
> Even if Hulu turned off cookie respawning via etags, you can still track
> users this way, on the server side. I guess the tricky thing is to correlate
> the etag of the tracker resource with the rest of the requests that a user
> makes on a site.

The important distinction is that the ETag is literally no different than a
cookie, when used this way. Turning off caching is the new turning off
cookies.

~~~
wingo
There is a difference: cookies get sent on requests to any resource in a
domain, whereas etags get sent only to specific resources.

------
hammock
From wikipedia:

 _ETags may be flushable by clearing the browser cache (but browser
implementations may vary).

In 2007, two Mozilla Firefox add-ons were made to prevent the usage of ETags
for tracking.[5][6]_

[5]<https://addons.mozilla.org/en-US/firefox/addon/safecache/>
[6]<https://addons.mozilla.org/en-US/firefox/addon/safehistory/>

~~~
jim_h
The safehistory plugin doesn't seem to work for the newer versions based on
the comments on their page.

------
route66
Schneier does not tell so much here, instead he links to this article giving
more details:

<http://ashkansoltani.org/docs/respawn_redux.html>

------
ynniv
ETag and cache based cookies are old news. I assume that Schneier didn't
notice these components last time he reported on evercookie.

[ <http://google.com/search?q=evercookie> ]

~~~
nikcub
It is a lot older than evercookie. I remember porn affiliate scripts that were
using ETag back in 01-02. It is a well known method, as is using Last-Modified.

------
gmac
I wonder how this will be treated under the EU's Directive on cookies...

Edit: sorry, not found an answer yet, but the top Google result for 'EU cookies' is rather fun: [http://www.davidnaylor.co.uk/eu-cookies-directive-interactiv...](http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html)

------
nbpoole
See also: <http://news.ycombinator.com/item?id=2844321>

------
icode
Not undeletable. Just not deleted via the browser's "delete cookies" function.

~~~
davidu
I would not advise that argument as a legal defense strategy.

------
ck2
Reminds me to write a Firefox plugin to strip etags and "if-none-match" -
pretty sure most pages can function just fine without them and use
last-modified, etc. instead. Kind of surprised to not find anything yet on
addons.mozilla.org

~~~
CGamesPlay
You do that, and I'll just assign a unique UNIX timestamp to each visitor.

~~~
ck2
That's a good point, and this would not be practical in a regular browser
session, but if someone chooses private browsing, an extension could be sure to
strip "last-modified" as well as "if-none-match".

Would hurt the server a little and reduce speed because there would not be any
caching but still helps guarantee no tracking.

~~~
ars
On a properly written server you could "fuzz" the date of "if-none-match".
Then it would still work for caching, but would not uniquely identify you.

The trouble is that most servers are not written properly: the date is not
parsed; rather, it's string-compared with the file date.

For example if the server sends the timezone as EST vs +0400 the browser will
send it back exactly as it gets it, when normally you would think that should
not matter.
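ck2's proposal (strip the validators, all of them in private browsing) and ars's proposal (fuzz the date so it still caches but no longer identifies you) fit together as one request-header rewrite. The following is an added example and not code from either commenter or from any browser extension: a function a privacy proxy or extension could apply to outgoing headers. It uses only the standard library; the function name, the `private_browsing` flag and the one-hour default window are assumptions of this example.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict


def rewrite_conditional_headers(headers: Dict[str, str], private_browsing: bool,
                                granularity_s: int = 3600) -> Dict[str, str]:
    """Return a copy of the request headers with conditional-request validators
    reduced to what cannot serve as a per-visitor identifier.

    - If-None-Match is always dropped: an opaque ETag is indistinguishable
      from a cookie value.
    - In private browsing If-Modified-Since is dropped as well: no validators
      at all, at the cost of every request being a full fetch.
    - Otherwise If-Modified-Since is re-serialised in UTC and floored to a
      `granularity_s`-second window, so a timestamp assigned to one visitor
      collapses to the same value as everyone else's in that window, and
      variants such as "EST" vs "+0000" normalise to one spelling.
    """
    out = {k: v for k, v in headers.items() if k.lower() != "if-none-match"}
    ims_key = next((k for k in out if k.lower() == "if-modified-since"), None)
    if ims_key is None:
        return out
    raw = out.pop(ims_key)
    if private_browsing:
        return out
    try:
        dt = parsedate_to_datetime(raw)
    except (TypeError, ValueError):  # older Pythons raise TypeError, newer ValueError
        dt = None
    if dt is None:
        return out  # unparsable date: drop it rather than forward an opaque token
    if dt.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    floored = int(dt.timestamp()) // granularity_s * granularity_s
    out["If-Modified-Since"] = format_datetime(
        datetime.fromtimestamp(floored, tz=timezone.utc), usegmt=True)
    return out


if __name__ == "__main__":
    # constructed sample request headers
    sample = {
        "Accept": "*/*",
        "If-None-Match": '"3f2a9c"',
        "If-Modified-Since": "Tue, 16 Aug 2011 09:37:05 EST",
    }
    print(rewrite_conditional_headers(sample, private_browsing=False))
    print(rewrite_conditional_headers(sample, private_browsing=True))
```

The cost is the one ars points out: a server that string-compares the date will almost never see its own Last-Modified value back and will answer 200, so caching degrades to a full fetch; a server that parses the date still answers 304 whenever the resource is older than the start of the window. The window is a knob, not a guarantee: with a small `granularity_s` and a server that hands out distinct Last-Modified values, the floored date still carries a few bits of identity.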

------
driverdan
I don't understand why this keeps getting press. It's nothing new, this method
has been around for at least 4 years. Schneier should be well aware of it.

~~~
woodall
You blog to make OTHERS aware.

------
mtogo
This is not news. Evercookie has been doing this for _years_, and it's just
as easy to defeat as it was years ago.

<http://samy.pl/evercookie/>

------
NiekvdMaas
We created a PoC a while ago showing ETag + browser fingerprinting to replace
cookies/client-side storage: <http://www.adperium.com/tracking>

It works in all major (desktop) browsers, but not in some mobile browsers.

I think the cookie debate (in the EU) is not in the best interest of users:
with cookies, the user has full control of the data stored, can easily purge
cookies, etc. With user-tagging technology moving server-side, this gets a lot
more complicated.

------
praptak
What it really boils down to is this: you cannot have both caching and
privacy.

For the cache to work your browser must reveal to the server what it has
already downloaded, this way or another. And the browser cannot really tell
which of the downloaded pieces of data were specially generated to track this
particular user.

A possible workaround is to create an intermediate cache to share it with
multiple other people, but this creates other privacy concerns.

------
yaix
Even better is the paper (written in 2003) linked in the comments of the article:

<http://www.arctic.org/~dean/tracking-without-cookies.html>

------
nodata
Obligatory link to Panopticlick: <http://panopticlick.eff.org/>

------
nirvana
I believe Google is doing this with its google voice product. We're unable to
access our google voice accounts outside the USA, despite disabling flash,
deleting all cookies, etc. The ironic thing is, of course, that this is when
we need it the most, as we miss more calls being in a radically different time
zone.

~~~
dchest
I'd say they disable access by IP, but I can access my account from two
countries that are far outside the US.

~~~
nirvana
Well, I'm using different IPs than the "home" IP we used when we signed up.
Any attempts to get into google voice for me, though, say that it is not
allowed outside the USA.

~~~
kahawe
Yep, so they just filter by whatever IP you are connecting from outside
the US and that's it. Countless websites and services have been doing that for
a looong time - just as evil but should not have anything to do with cookies
because then you should be able to sign in just fine on a different machine
and use voice.

------
youngtaff
The potential of etags as a way of tracking has been known about for a
while...

To put the other side of this argument Kiss Metrics put up a pretty strong
denial that they were using etags for tracking <http://bit.ly/r5lPbx>

Guess it might need a bit more research

~~~
RyanGWU82
Well, they said that they "made the following changes" -- one of which is not
using eTags. So I guess they stopped that.

(That said, they never aggregated this data across multiple websites, so I
really don't get what the whole fuss was about.)

~~~
mtogo
They tried to make their cookies undeletable. Why would they do something like
that? The fuss is that it's a bad, dishonest, skeezy thing to do. Kissmetrics
has shown that they are not an honest company, they're a dishonest one that
will disregard the privacy concerns of their users' visitors.

~~~
coderdude
RyanGWU82 makes a good point though. People only whined about the "evercookie"
method of tracking because of the potential for abuse (across multiple Web
properties). Why on Earth would you care if someblog.com knows for sure that
you've been to their site five times? I don't think the problem here is that
you can be tracked using multiple methods that were not originally intended
for use in tracking. I think the problem is that people always had a false
sense of privacy (i.e., there was ignorance about what can and cannot be used
to track your client).

You're accessing a remote server. There will always be a way for sites to
track your visits. _There is a necessity for those sites to track your
visits._ Don't care about their necessity to track you? Stop going to those
sites.

