Hacker News new | past | comments | ask | show | jobs | submit login
Cookieless cookies (lucb1e.com)
353 points by lucb1e on Aug 18, 2013 | hide | past | web | favorite | 86 comments



So this is the old E-tag trick? It's not new at all, but perhaps it hasn't been as widely published. This can also be done with the Date / If-Last-Modified header, manufacturing a cookie "date".


Last-Modified doesn't even have to be a valid date string:

http://www.nikcub.com/posts/persistant-and-unblockable-cooki...

As an update to that post from 2011, I never did get the browsers to update their parsers.

This E-Tag bug has been known for over a decade. As part of my post I tried to find the earliest written record of it and found a post in 2003:

http://www.arctic.org/~dean/tracking-without-cookies.html

It seems to get 'rediscovered' at least a couple of times a year.


<https://bugzilla.mozilla.org/show_bug.cgi?id=114508> is Gecko bug for this; can't find one for Chromium, and CORE-40723 for the privileged few with Zombie-Presto bug-tracker access.


You should use valid Last-Modified value with some randomness and join it with browser fingerprint:

https://panopticlick.eff.org


I never claimed it was new :). But I never heard about it until recently, while it works frighteningly similar to cookies and I generally know most common things related to website security.


Your tone is definitely one pushing it as a new and ominous discovery.

Another criticism "It has already being used by numerous websites but few people know of it" without any more information. If you know of which websites, you should state so, if you don't, you should at least say why you know "numerous websites" use it. Also the "few people know of it" bit, a bit presumptive if you were referring to the engineering community, and flatout meaningless if you were referring to everyday people, of which many don't even know what a browser is.

I did like the working example, but maybe tone down the hyperbole and more informative claims when the claims are also accusations.


Thank you for the constructive criticism, that's often rare these days.

> Your tone is definitely one pushing it as a new and ominous discovery.

I'm sorry if the tone gave a wrong impression, that wasn't my intention (English isn't my native language). It was quite a discovery to me though, perhaps that's why I made it sound like that without really meaning to.

> Another criticism "It has already being used by numerous websites but few people know of it" without any more information

Oh that's right! I had a source link elsewhere but forgot to move it when rearranging text. I'll add this again now.

> Also the "few people know of it" bit, a bit presumptive if you were referring to the engineering community

This was mostly my personal experience. I don't know anybody knowing about these etags being used for tracking, while I know that many friends and classmates could give me details on how cookies work or how localstorage works.

Edit: Why are people downvoting the person I replied to?


Using ETags was well known on HN years ago as one technique in the "Evercookie" arsenal: https://news.ycombinator.com/item?id=1714446


> Edit: Why are people downvoting the person I replied to?

Two options:

    * Someone's grumpy and/or a jerk and/or an idiot
    * Someone's reading HN on a touch device, wanted to
      upvote, touched the wrong icon.


In this case, I think we can agree he was both grumpy and a jerk ?


Just 2 years ago there was a massive backlash against KISSmetrics, Hulu and a few others for using this very trick.

Can't find the HN story now, but it was a recurring story for a few days as people argued back and forth whether it was ethical.


There are some pretty neat tricks one can pull by enumerating the contents of browser cache and/or history.

Zalewski's "I know which sites you visit" asteroids clone is probably from the funkier end: http://lcamtuf.blogspot.fi/2013/05/some-harmless-old-fashion...


It's also known as supercookies. KISSmetrics used to use this technique for tracking/analytics and got a bunch of their clients sued[1].

[1] http://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags


Does anybody know why they got sued? I'm curious as to why they'd get sued for Etags but not cookies. Did they just not have any opt-out measure?


Because they operate outside of the users privacy controls in the browser. You are accessing the users data without permission, a violation of Electronic Communications Privacy Act.

That is a simple summary, you can find more in the complain.

I just uploaded a copy of it here:

https://docs.google.com/file/d/0Bx25s45t4-d_bDBDRjFDOUlFOUU/...

KissMetrics settled and paid $500,000. They also let users opt out and were better about disclosing the practice on their website.


Much more massive demonstration can be seen at evercookie where ETag is just one method among others.

http://samy.pl/evercookie/


In Europe there are laws that restrict the usage of cookies (opt-out in some countries, opt-in in others (like the Netherlands)). This website proves how stupid that is. Letting politicians mess with technology is dangerous, at least they should be advised better. I understand everyone is worried about their privacy, but just outlawing cookies is NOT going to fix anything.

Edit: I just looked up the Belgian "Telecommunication law" and article 129 talks about "The storage of information or accessing information that's already stored in the device of a user" [1] (Loose translation). So I guess it's very broad.

[1] http://bit.ly/18DLvov


i found a uk govt page describing this: "Regulation 6 covers the use of electronic communications networks to store information, eg using cookies, or gain access to information stored in the terminal equipment of a subscriber or user."

which is more general than just cookies and would cover caching too.

http://www.ico.org.uk/for_organisations/privacy_and_electron...


Indeed, this caching technique would be covered by "the cookie law". However cookies can be audited, but many images contain legitimate ETags. It's more difficult to detect when websites use this to track users, and I don't think any government agency is capable enough to check whether companies comply to the law.


The ICO states the following:

"When considering alternatives to cookies it is important to look at the broader privacy context. Focusing solely on cookies is missing the point."

Source (page 25): http://www.ico.org.uk/for_organisations/privacy_and_electron...

Personally I think the world would have been better served if they just put the law on browser makers and get them to provide a clear and consistent interface to whether a web site is tracking the user.


It works even if you use incognito mode in Chrome. So incognito is not as incognito as we thought.

Edit: not really, the article explains it but I hadn't finish reading it.


The incognito mode is designed to be incognito from the moment you open the window. When you close it and re-open the window, the cache will be thrown away (along with any cookies, localstorage, etc.). During your incognito session, cache and cookies and everything is stored. If they didn't do this, websites would not function properly.

I believe the incognito mode has more potential than it's currently being used as. For example multiple parallel sessions would be not only nice and handy, if people learned to use it, the isolation would also enhance browser security. As I mentioned on the page, it single-handedly eliminates a number of https attacks and tracking methods.

Edit: Oh you mean that bug in this demonstration? Yes that's a local issue here. In practice the two sessions could not be linked, as you can see when you press f5 in the incognito window. Sorry about that, it's mostly meant as a tech demo where people can understand and learn from the code, not a finished product!


> I believe the incognito mode has more potential than it's currently being used as. For example multiple parallel sessions[...].

Chrome actually got this feature recently. Check Settings > Users.


The two sessions could not be linked, but after I close incognito, the counter and the stored text in normal Chrome are reset. Why does that happen?


This is because I use a static etag instead of generating a new one for each session. From the page:

> When you visit a page where you don't have an ETag (like incognito mode), your session will be emptied.

This unfortunately also throws away your other browser session at the same time. In practice a website would probably issue a new etag for the incognito session, and your existing browser session will simply continue.


I see, the normal Chrome session is not reset, but rather linked to the new ETag in incognito mode, at least in this example.

You could probably have submitted a bug to the Chrome team and get a bounty for this thing. It kind of allows to track the incognito session linking it to a normal session.


alright but can you explain how that works? I didn't quite understand from your article. what I'm doing is this:

1) in plain non-incognito window, enter text, hit "Store"

2) open incognito window, go to same URL, the text is there!

that means the sessions can be linked now. where does this info come from? does Chrome (and Opera, which I also tested) share ETags between non-incognito and incognito windows?


I'm behind a VPN. Is that why it doesn't work in my case? I'm using Chrome (not even incognito).


Shouldn't make a difference, unless your VPN does its own caching or strips ETags.


That's interesting, it should work! What browser are you using?


Chrome Version 28.0.1500.95 m


what vpn? (thanks)


I don't think incognito modes were ever designed for that kind of privacy.


I already knew about this but completely forgot, thank you for refreshing my memory :) I have this problem with people registering in one forum with multiple identities and I have been fighting it with cookies to track them, but they got smarter and delete the cookies now.. so it's useful to know I can try something new.


I understand the implications and the underhanded nature of this sort of tracking. However, could it prove more efficient that traditional, legitimate analytics? (eg: google analytics via cookies)

For example, could there be less bandwidth consumption using this method vs cookies?


Cookies are absurdly long nowadays, if they were shortened lots of bandwidth could be saved. Especially Google's analytics cookies are long and sometimes even contain referring domains or something. I don't really understand why they do this, but it probably has some use that lessens the burden on their database infrastructure at the cost of user bandwidth.

Also this is more of a hack and sneaky tracking method than a legitimate way of identifying users. Whenever someone's cache is full or gets cleaned, the "cookie" (etag) will be lost.


There's a new version of Google Analytics that uses a single a very shorter cookie. Doing most processing server side. This is called Universal Analytics.


How to you define absurdly long? How does the size of the cookies compare to the size of the image in an add banner, or even just the *.html file?


Well, considering that you can easily identify every person on the planet uniquely with 5 bytes (256^5=1 000 000 000 000), I'd say these 200 byte+ cookies are much longer than needed. It suddenly starts making good sense that Google's spdy protocol compresses headers...


Bear in mind that the cookie is included in the request, so it has to be uploaded by the user, unlike the ad banners or HTML. Upstream bandwidth is often slower than downstream.


Couldn't the same be said for cookies (clearing cache vs clearing cookies)? I was just wondering if there were technical advantages.


Hmm, I'm not sure I understand what you're asking or trying to achieve. Cookies are cleared when they expire; cache can be cleared at random.


I suppose you're right,


Can you disable ETag-based caching but allow If-Modified-Since? A quick check of a few popular sites shows that they're using If-Modified-Since instead of ETags, probably for this reason?

While we're on the topic of browser caches, do any browsers let you easily store your cache in RAM instead of disk? Without resorting to other 'hacks' like setting the cache path to a ramdisk, that is.


It's very unlikely that popular sites are choosing not to use ETags in order to protect privacy. If they want to track you, they just use cookies. There is no privacy risk in a site using ETags as intended; it's only when the server abuses them to act as a unique identifies. And you can actually do the same thing with if-modified-since and the date, you just get fewer bits of data to work with.


why do we assume automatically that this is a bad thing? it all depends how it is used. I for one see many positive uses for something like this.


Can you give an example of a positive use for this, that is better than a cookie?


It saves bandwidth and leads to faster website loading. A cookie is transported with every request. This is why sites use cookie free domains for static content. If etags were used instead a separate domain wouldn't be necessary.

It's more secure. If identifying session data is not accessible to JavaScript, it makes a site more secure from XSS attacks.


> It's more secure. If identifying session data is not accessible to JavaScript, it makes a site more secure from XSS attacks.

HTTPOnly should take care of this.


It depends, HTTPOnly cookies are still accessible to JavaScript in some conditions, like those using an Android browser:

https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting...


I have been working on a two-factor authentication system. It needs a cookie to keep the user from re-authenticating every time. For one particular user on Chrome, this cookie is getting cleared everyday and they're not sure how to fix it on their side. This could help restore the cookie without requiring needlessly a second factor.


affiliate tracking, analytics, etc.


Instead of clearing the cache, one could stop using If-Match and instead do a HEAD request and see if the ETag is the same. This increases latency by one RTT, if the resource has in fact changed. Also, it could be implemented outside the browser, in a proxy (albeit the proxy won't be standard-compliant and obviously won't work on HTTPS sites).


>One thing I would strongly recommend you to do anytime you visit a page where you want a little more security, is opening a private navigation window and using https exclusively. Doing this single-handedly eliminates attacks like BREACH (the latest https hack).

As far as I'm aware, it would not mitigate BREACH. Can anyone shed any light on why it would?


You can't do arbitrary requests, which is required for that attack (and CRIME) to work. This is normally done by injecting traffic in http pages, but if you are using incognito mode for https exclusively then this can't be done. In fact the same goes for normal browsing mode, but it's so inconvenient to have to close all other tabs just to do a wire transfer or something. And incognito mode has the additional advantage of also disabling tracking cookies and the like. My bank actually uses Google analytics on their website...


Look carefully at the source code. Its bogus. Not the etags trick, but the demo itself.

The demo is actually just identifying users by hashing the REMOTE_ADDR and USER_AGENT, HTTP headers.

So it appear to work, when it doesn't really. Users with dynamic-ip or via proxies etc will often fail.

This is why it appears to work cross incognito windows. Chrome sends the same useragent incognito or not.

----

The etag trick is real. But DO need to use Javascript in the browser to extract the etag from the headers of the cached image. It doesnt really have to be an image. Just a request that can be made via XMLHttpRequest.

... or could set the etag on the page itself, and use the fact that the browser will send a If-None-Match on the next request. But only works for the one single uri, not all pages on the domain. The code appears it COULD be used to do that. But it never sets ETag http header on itself.


Oh, dear. reading the article again it does note the demo is not real.

/me wanders off to wipe egg off my face.



Interestingly, popping open a new Firefox private window showed my tracked data, but after closing the window it was all reset (even though I had the tab open in a normal window the whole time). I'm guessing closing the private window erases any 'dirtied' cached files?


I figured this out yesterday while working on a client's site. Apparently FF private mode still uses existing cache. If you had files from the site cached before opening the site in private mode it will still use them.

This seems like a pretty big issue to me. It defeats private mode.


Same here. This is definitely not ok.

EDIT 1: I also checked "Clear history when Firefox closes" and included "Cache" in the definition of "history". And the tracking is still happening. So either the site uses another tracking method in addition to the etag method or there is a big f#ck-up in FF.

EDIT 2: The tracking even continues when I check "Always use private browsing mode" and then close the browser and open it again.

EDIT 3: Even a complete removal and a clean install of FF (without any add-ons which may interfere) lets the tacking happen, for both the case of "EDIT 1" and "EDIT 2".

So this pretty certainly seems to be a bug.


The only way I've found to ensure this doesn't happen is to set about:config -> network.http.use_cache = false.

Private browsing keeps it for at least one restart (with clear everything set in options), even though I can't see tracker.jpg in about:cache anywhere. Other weird thing is tracker.jpg isn't showing up in a filesystem search anywhere. Wondering if there's something stored in the sqllite files.


That works, thanks!


EDIT 4: Even having set about:config -> browser.cache.disk.enable -> false, I have to close/open the browser twice in order for the cache (and tracking) to disappear.


Private browsing-modes "forks" the current state of the browser instead of creating a new "blank" state. And it's this way by design.


If that were true, why am I not logged into sites when I start a new private window?

If it is true, then that's hugely non-obvious, given the behavior (being logged out). That's bad design, plain and simple.


If he can only associate my previous page view with my current requests, then how does he know it's me again? I mean, the image request is separate from the page request, and in any case only comes later.

So he would need to store a mapping from something he already knows (from the headers of my request for his html page, or my IP) to my ETag "cookie" to know what my previous ETag was.

Wouldn't that require using some of the features he wasn't going to use (like user agent) to work?

What am I missing?


As it turns out, he simply uses your IP and User Agent string. See https://github.com/lucb1e/cookielesscookies/blob/master/inde...

No E-Tag tracking is taking place, since the E-Tag is never send to the server for the index.php request (only for the image request). In theory he could update the session after your IP changed, but he does not seem to do that (the image requests hold on to the old E-Tag).

So, basically, to me it seems like the whole point/post is invalid. Please correct me if I'm wrong.


You're wrong. That line of code is just to create something random, he could have used rand() if he wanted to, but it's not as "random".

And if you take a look in the .htaccess file, you'll notice that the images request also goes to index.php.


I saw the .htaccess, but that still doesn't link the request of index.php to the request of index.php?tracker.

I just tested it by changing my IP while staying in the same browser session. After an IP change the page only displays '1' for the number of visits, exactly as you would expect when reading the code (since the E-Tag for the image is kept (and the image request updates the counter), but the index.php uses your IP+UA combo to determine the session). This code is flawed and doesn't do a thing.


This is new knowledge to me. The article is wonderful and informative. And as mentioned in the comments, incognito mode doesn't prevent it.


As the OP suggested...

Private browsing, as well as connecting through Tor, and the tracking didn't work.

My text is lost on refresh.

Thanks for reminding me.


While you are at it, you can check to see if your browser properly shields you from this and other similar techniques: http://www.canyoutrackme.com/

edit: shortened and clarified.


As usual, advertisers rely on assumptions about what they think users will or will not do. When users deviate from the assumed patterns, tracking fails.

Three ways to easily defeat this "cookieless tracking" come to mind:

1. Turn off automatic image loading.

2. Use your HOSTS file to block/redirect the domain name to which the tracking info is sent.

3. On devices that hide the HOSTS file, use your own localhost DNS server to block/redirect the domain name to which tracking info is sent.

The common theme here is the user takes more control over what connections her computer may initiate.

Under current usage patterns a user types a domain name in an address bar of a browser (usually a browser written by some entity that pays its developers through revenues from the sale of advertising) or she types something into a search bar/box and then selects a search result. The user thereby initiates a connection to some other computer addressed by a. the domain name she types (assuming she types the name correctly; otherwise she may end up at a page of sponsored search results) or b. the result she selects.

This level of navigation is within the user's control. She intends to connect to a computer addressed by a domain name that she can type or select. Does she also intend to connect to other unspecified computers at the same time?

Due to the way these browsers are configured, many more connections to other unspecified computers may be initiated without any input from the user. Increasingly, these are computers that serve the user no useful content. They are devoted to tracking. Go figure.

Does the user want her computer to connect to other unspecified computers whose sole purpose is to track her? Under current assumptions, this is to be decided outside of the user's control (and awareness).

By exercising more control over what browsers do and over domain name lookups, the user can retain more power to specifically choose the other computers to which her computer connects.


Node.js example code for ETag cookies: https://github.com/RobFox/nodejs-etag-cookie



It's really lame to claim that etag is checksum. That clearly tells that the author doesn't have a clue what it's all about. Btw. Who said that there would be any cache stored when you browse in private mode. Etag didn't even work. Panopticlick is much more advanced than this lameness. It usually works, unless you use something like anonymity hardened virtual machine, which of course isn't unique.


You know you can point all that out without having to come across as rude, right?

You are right, of course -- ETag tracking is both not that exciting, and not new, but I think that some here would've have come across it.

Also, I know that older versions of Firefox and Chrome _did_ cache things, even in Private Browsing mode, but I think that that cache only existed for that session.


Yes, not using cache at all would make everything very slow. I'm now of course talking about using in session memory cache. If it's too small you can reconfigure it using browser.cache.memory.capacity parameter with Firefox. With fiber I never use caching. But yes, with 512kbit/s connection I unfortunately had to use disk caching too, to avoid re-downloading anything I simply could. But of course in that kind of situation and configurate you're really aware that you're not destroying all data between sessions. For privacy virtual machine with hardened configuration + tor is good idea. Otherwise there's no reasonable expectation of privacy anyway, as they're saying. In technical terms, there are so many ways to track users who do not harden those, that there's no reason to expect any privacy. As we have seen with all these NSA discussions, all technical options were pre-known already. You don't know if sites use some techniques or not, but it's reasonable to expect that they do use at least all publicly known techniques. And possibly some unknown. So making attack (or tracking) surface as small as possible, when looking for privacy is reasonable. Maintaining any data between sessions is just stupid if you're looking for privacy. Always boot clean virtual machine, which is similar to other virtual machines, is best approach. Otherwise there are tons of things they can do to track you.

Btw. even if browser keeps cache, you can always clear storage paths.

One of things that doesn't seem to be known to many users is that many databases contain deleted data (marked free) for long time. They just don't think about it. Just go through all files stored by browser, you'll end up finding stuff that you woulnd't expect to be there, if you're naive. Right attitude is to expect everything to be stored always, and take proper care to destroy data when it's required. This is just like the issue with SSD drives. If you write something on drive, you wan't to destroy. There's no sure way to destroy the data from drive, without totally physically destroying the drive. You simply don't know, if the controller has written data to cell XYZ, and then re-mapped XYZ to somewhere else. Just overwrite it approach does not work in this case. And you can't even guarantee that the manufacturer tool could properly erase that cell.

Just final words. Etag doesn't have anything to do with "images", it's not tied to content-type at all. Next week I could release "css" tracking exploit, which uses etags, which is kind of css checksum. Uh...

In these days, privacy and security is hard, it's very hard. Even if you think you're doing things right, there still might be several things that you're not doing right. Even if you have used serveral years to learn how to do things right. Even after that, there's still possibility of bad luck.

But all this stuff is generally known and properly documented, so there's nothing new.


"Yes, not using cache at all would make everything very slow"

That suggests you've not tried it. I have. I've been running with disk and memory cache disabled in Firefox for a couple of years now on my laptop, and it's not anywhere near as slow as you think it would be. It's barely noticable at all.

On my work machine I have the cache enabled, so I even have something to compare against. My laptop is usually sat on an 8Mbit Internet connection. If you're on a much slower Internet connection it would make a bigger difference, but I don't think 8Mbit is particularly fast nowadays.


about:config -> browser.cache.disk.enable -> false


that is the best way to solve the problem - always off by default is better than being required to remember that one must disable something unwanted.


that is the worst way to solve the problem - just use incognito mode.


I disabled the disk and memory cache in Firefox a couple of years ago. Don't knock it until you've tried it. It has much less of a performance impact than you would imagine. I have an 8Mbit internet connection, YMMV.


Dammit now I'm hungry.


Apparentl xlearing yo cahs awn dandroit do.3 dant defeat das casche. Sew glaugle!




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: