Cookieless Web Tracking Using HTTP's ETag

timothy posted about 8 months ago | from the ah-there-you-are-again dept.

Privacy 212

An anonymous reader writes "There is a growing interest in who tracks us, and many folks are restricting the use of web cookies and Flash to cut down how advertisers (and others) can track them. Those things are fine as far as they go, but some sites are using the ETag header as an identifier: Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser a unique ETag, and when they connect again it can look it up in its database. Neither JavaScript, nor any other plugin, has to be enabled for this to work either, and changing your IP is useless as well. The only usable workaround seems to be clearing one's cache, or using private browsing with HTTPS on sites where you don't want to be tracked. The Firefox add-on SecretAgent also does ETag overwriting."

212 comments

Secret Agent (5, Interesting)

Jeremiah Cornelius (137) | about 8 months ago | (#44669473)

Here we come. :-)

Add this feature to a chaff-creating plugin, to crapflood servers with fake tags.

Just clear the cache... (3, Interesting)

AliasMarlowe (1042386) | about 8 months ago | (#44669691)

On all of our PCs, Opera and Firefox are set to clear their caches and delete all cookies etc. every time they exit.
Also, I occasionally clear all private data while browsing in Opera, including the cache, cookies, history, and so forth (passwords are never saved by the browser). Obviously, I have to log in again the next time I visit slashdot.

Re:Just clear the cache... (3, Interesting)

aliquis (678370) | about 8 months ago | (#44669829)

delete all cookies etc. every time they exit.

I have to log in again the next time I visit slashdot.

Too much work. Well, except if I'd never quit the browser but then it wouldn't make any difference.

Re:Just clear the cache... (0)

Anonymous Coward | about 8 months ago | (#44670527)

Keepass. You press a hotkey and are logged in. Wow, that was a lot of work.

Re:Secret Agent (3, Interesting)

kasperd (592156) | about 8 months ago | (#44669701)

Can SecretAgent detect tracking through ETags? Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?

The way I'd detect it would be with some extra background probes after a page has been loaded. The background probes start once the browser has finished loading and has become idle. Then the browser could open another connection and request the same resources again without sending any information, that could be tracked. If it receives a different ETag or different content this time around, it empties the cache for that domain and disables caching for that domain for a few hours.
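The background-probe check described in the comment above, sketched as an added example (not code from SecretAgent or from any poster): request a resource several times with no cookies and no validators, and stop caching for the host if the ETag or body differs between probes. The local fixture server, the names `FixtureHandler` and `CacheQuarantine`, and the three-hour window standing in for "a few hours" are all assumptions made for the demo.

```python
import hashlib
import http.client
import threading
import time
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BODY = b"body { margin: 0 }\n"  # constructed sample resource


class FixtureHandler(BaseHTTPRequestHandler):
    """Constructed local server: one content-derived ETag, one per-request ETag."""

    def do_GET(self):
        if self.path == "/static.css":
            # Validator derived from the content: identical for every client.
            etag = '"%s"' % hashlib.sha256(BODY).hexdigest()[:16]
        elif self.path == "/per-visitor.css":
            # Fresh value on every unconditional request: behaves like an identifier.
            etag = '"%s"' % uuid.uuid4().hex
        else:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("ETag", etag)
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass


def clean_probe(host, port, path):
    """Fetch on a new connection, sending no Cookie and no If-None-Match."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Cache-Control": "no-cache"})
        resp = conn.getresponse()
        body = resp.read()
        return resp.getheader("ETag"), hashlib.sha256(body).hexdigest()
    finally:
        conn.close()


def varies_between_probes(host, port, path, probes=3):
    """True if stateless requests for the same resource get different answers."""
    seen = {clean_probe(host, port, path) for _ in range(probes)}
    return len(seen) > 1


class CacheQuarantine:
    """Remembers hosts whose validators vary and withholds caching for a while."""

    def __init__(self, seconds=3 * 3600):  # assumed value for "a few hours"
        self.seconds = seconds
        self._until = {}

    def audit(self, host, port, paths, now=None):
        now = time.time() if now is None else now
        flagged = [p for p in paths if varies_between_probes(host, port, p)]
        if flagged:
            # The caller would also empty its cache for this host here.
            self._until[host] = now + self.seconds
        return flagged

    def caching_allowed(self, host, now=None):
        now = time.time() if now is None else now
        return now >= self._until.get(host, 0)


def run_demo():
    """Audit the constructed fixture server and report the decisions taken."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FixtureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        q = CacheQuarantine()
        clean_flagged = q.audit(host, port, ["/static.css"], now=0)
        allowed_before = q.caching_allowed(host, now=1)
        flagged = q.audit(host, port, ["/static.css", "/per-visitor.css"], now=10)
        return {
            "clean_flagged": clean_flagged,
            "allowed_before": allowed_before,
            "flagged": flagged,
            "allowed_during": q.caching_allowed(host, now=11),
            "allowed_after": q.caching_allowed(host, now=10 + q.seconds),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Servers that derive ETags from per-backend file metadata can also differ between probes, so a positive result is a reason not to cache, not proof of tracking.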

Re:Secret Agent (5, Informative)

KiloByte (825081) | about 8 months ago | (#44669915)

Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?

ETags are only one of many methods to achieve caching. Getting rid of them shouldn't have a big effect on caching.

Other methods typically have privacy holes as well, but it's easier to deal with them, for example by rounding timestamps down to the last midnight. ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

Unleash the Botnet (0)

Anonymous Coward | about 8 months ago | (#44670155)

That sounds like old school good times.

Firefox makes cache clearing difficult (1)

Anonymous Coward | about 8 months ago | (#44669489)

Changes were made in the past few years to make it much more difficult to clear the cache frequently and easily.

You must jump through various menus and dropdowns. The team argued that this was progress, and it helped prevent inadvertent cache clearing. Their argument was very weak.

It forces me to hassle with yet another plugin to make my very frequent cache clearing quicker. But at least it is now an icon on the toolbar, with no prompting.

Re:Firefox makes cache clearing difficult (5, Informative)

Ambiguous Puzuma (1134017) | about 8 months ago | (#44669563)

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

Re:Firefox makes cache clearing difficult (5, Funny)

seyyah (986027) | about 8 months ago | (#44670005)

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

I also like the Ctrl+Alt+Del option. I've yet to see a website that can track me after that.

Re:Firefox makes cache clearing difficult (0)

Anonymous Coward | about 8 months ago | (#44671181)

Here, let me give it a try. Nope nothing yet that I c

<NO CARRIER>

Re:Firefox makes cache clearing difficult (1)

realityimpaired (1668397) | about 8 months ago | (#44669867)

Lack of ability to clear the cache at all is why I stopped using Firefox on my tablet, actually... Still haven't found a browser that has as much privacy as I would like, but at least Dolphin lets me turn off cookies entirely and clear history/cache on exit.

Re:Firefox makes cache clearing difficult (1)

ChrisMaple (607946) | about 8 months ago | (#44670081)

rm -r /<your_home_directory>/.mozilla/firefox/<some_peculiar_directory_name>/Cache/* in Linux.

Re:Firefox makes cache clearing difficult (0)

Anonymous Coward | about 8 months ago | (#44670491)

"Settings > Clear private data", or always use private tabs.

Re:Firefox makes cache clearing difficult (1)

TheGratefulNet (143330) | about 8 months ago | (#44671421)

see 'prefbar' plugin for firefox. turn off animation, flash, cookies, clear-cache, etc. configurable. been using prefbar for years and my installs always include this plugin.

Re:Firefox makes cache clearing difficult (2)

Mike Frett (2811077) | about 8 months ago | (#44670703)

Edit>Preferences>Privacy Tab> Check 'Clear History When Firefox Closes' and click Settings to select what to clear on Exit. How is that difficult? Note: This is for the Linux version, I dunno about Mac/Win.

Re:Firefox makes cache clearing difficult (1)

Agent ME (1411269) | about 8 months ago | (#44671305)

History -> Clear Recent History -> checkmark the cache box

How much easier do you want it?

Nothing new (5, Informative)

deanrock0 (2977511) | about 8 months ago | (#44669503)

Did they just invent ETag or what? This "feature" has been known for a few years and there are existing implementations, including this one: http://samy.pl/evercookie/ [samy.pl] from 2010.

Re:Nothing new (0)

Anonymous Coward | about 8 months ago | (#44670007)

It isn't new. It's just a reminder the lengths at which marketers go to track you online (and by extension the NSA, since they can request those records at any time).

Tracking $$$$ (3, Informative)

Ed The Meek (3026569) | about 8 months ago | (#44669505)

Tracking information is worth billions of dollars. With that much money on the line - we'll be tracked like escaped inmates - one way or another.

Re:Tracking $$$$ (0, Troll)

hedwards (940851) | about 8 months ago | (#44669535)

Or we could actually have the legislature make doing so in any form without the expressed written permission of the person being tracked, illegal. Unfortunately, getting the conservatives to allow an up or down vote on that in the Senate is rather unlikely. Because ZOMG TEH BIG GUBMINT GUNNA HURTZ TEH BIZNISS.

Re: Tracking $$$$ (2)

Ed The Meek (3026569) | about 8 months ago | (#44669589)

Well, that sounds good in theory, but I doubt that any laws would be written in such a way as to actually cure the problem. Usually too many loopholes in the laws. Like the "established business relationship" in telemarketing laws. Oh, and there's always the NSA....

Re: Tracking $$$$ (2)

grantspassalan (2531078) | about 8 months ago | (#44670147)

Is there a law that states that browser makers, such as Microsoft, Apple and others MUST include all that extraneous information that their browsers send to Web servers without the user's permission? Why must there be *any* information sent to a Web server other than the actual request for data? Why must a Web server know any information at all about what kind of an OS, sites last visited or whether or not a user has visited a site before? If these companies that make browsers really cared about privacy, they would enable their users to select which, if any, of this data to send out on the Internet. Perhaps somebody might get rich making a browser that allows users to turn off the sending of all that extra information.

Re: Tracking $$$$ (1)

maxwell demon (590494) | about 8 months ago | (#44670755)

Why must a Web server know any information at all about what kind of an OS, sites last visited or whether or not a user has visited a site before?

You have a point about the OS and half a point about "site visited before" (but that's one thing I don't care about; if I visit a site I expect the site to know that), however the browser does not by default send a list of sites last visited. That's only revealed by tricks using features which were certainly not intended for that.

Re:Tracking $$$$ (0, Offtopic)

Anonymous Coward | about 8 months ago | (#44669591)

Ah, I hate to break it to you, but leftists have plenty of reasons to want to track us too.. It's hard to grow a state bureaucracy and overstepping government without surveillance.

Re:Tracking $$$$ (0)

hedwards (940851) | about 8 months ago | (#44669697)

There are very few leftists in the US government. I know that you right wingers like to pretend like Obama is a leftist, but the fact of the matter is that he's a conservative, it's just that you folks have gone so far to the right, that you can't tell the difference between a moderate and a lefty.

Re:Tracking $$$$ (1)

Moridineas (213502) | about 8 months ago | (#44669865)

I agree that beyond a few hot button primarily social issues (the issues that are at best paid lip service by the parties, but get the blindeyed partisans really riled up--abortion, gay marriage, immigration, taxes, etc) there's little difference between the parties in overall philosophy. Neither party wants a small--or even a smaller--government, they just want it big in different ways.

It's long been noted that despite their intense mutual loathing, many of the complaints of the Tea Party and Occupy are the same. Many of (Ron/Rand) Paul's and Dennis Kucinich's complaints are the same. One would never accuse Tea Party, Occupy, Pauls, or Kucinich of being moderates or on the same end of the spectrum, yet they share a lot in common.

However, your statement is patently silly. Beyond the implicitly nebulous nature of left/right (and of course you will trot out the tired "but in Europe Democrats/Republicans would be..." trope. Europe is only one, relatively small example of the spectrum of left/right politics worldwide), many--if not most--of Obama's plank platforms are not in the slightest rightwing. Maybe, just to toss this out there, it's just that the Democrats have gone so far left (and the big government Republicans have followed), that you can't tell the difference either!

Re:Tracking $$$$ (1)

hedwards (940851) | about 8 months ago | (#44670819)

It's not silly. It is somewhat arbitrary which side you label as being left and which is right. However, the spectrum is the same no matter where you live in the world. In no part of the world is Hitler a moderate, nor Stalin for that matter.

Obama's policies are roughly in the middle between the two extremes in general. Sure on things like security, he's on the right, but for the most part, his policies are in the middle.

Re:Tracking $$$$ (0)

Anonymous Coward | about 8 months ago | (#44669901)

oh, you're right of course.. I forgot that the 'real' leftists, ie lenin, stalin, hitler, pol pot, kim il sung, et al are the real leftists then? Trust me, today's USA 'liberal' is not that far away..

Re:Tracking $$$$ (2)

Concerned Onlooker (473481) | about 8 months ago | (#44670057)

I guess the corollary is that todays USA "conservative" is not that far away from Franco or Mussolini. (By the way, Hitler was not a leftist).

Ease up on the hyperbole, eh?

Re:Tracking $$$$ (0)

Anonymous Coward | about 8 months ago | (#44670223)

1. yes, hitler was a socialist.. nazi = national socialist.
2. you are telling me that USA democrats are not true 'socialists' (no true scotsman fallacy), yet, the neocons are one step away from mussolini, and you want me to ease up? My hyperbole was a tongue-in-cheek response to his. I really don't care how far left Europe is.. Those countries have a very different sense of what liberty means..and they're welcome to it. I just wish they'd cut the smarmy "USA has no leftwing" routine. I don't want my country to be like western europe, as those cultures have become way too passive aggressive and feelings driven for my taste... of course, today, american culture is pretty far gone at this point anyway.
3. BOTH parties are becoming more extreme in their ideology as they push it harder and harder as the solutions for problems they caused in the first place. Just to be clear, I want them both gone.

Re:Tracking $$$$ (1)

Anonymous Coward | about 8 months ago | (#44670321)

hitler called himself a socialist that doesn't mean he actually was one

as usual with politicians: ignore the rhetoric and watch what they actually do

Re:Tracking $$$$ (-1, Flamebait)

ChrisMaple (607946) | about 8 months ago | (#44670109)

Your repeated claim that Obama is conservative is both dishonest and boring. Obama is a thieving leftist limited only by his incompetence and what he can get away with.

Re:Tracking $$$$ (1, Offtopic)

the eric conspiracy (20178) | about 8 months ago | (#44670595)

Only in the US does Obama get called leftist. He is either centrist or moderate rightist.

http://www.theamericanconservative.com/dreher/the-conservative-obama/ [theamerica...vative.com]

Compare his policies to Ronald Reagan and you will find very little difference. For example both ran huge deficits in order to stimulate job growth.

http://www.thedailybeast.com/newsweek/2009/11/20/channeling-the-gipper.html [thedailybeast.com]

The fact of the matter is that the right wing of American politics has become really extreme over the past 10 years.

Re:Tracking $$$$ (1)

hedwards (940851) | about 8 months ago | (#44670795)

In case anybody is wondering why I'm so mean to conservatives, this kind of dribble is precisely why.

Considering that the GOP Presidents spent $10tn of the national debt, mostly during good times, it's hilarious that you're singling out Obama for being a thief. What's more, the largest transfer of wealth in US history happened because the Federal Reserve decided that inflation is a good thing and then set the inflation rate higher than the interest rates. Basically adding more paper to ensure that the rate of inflation would be higher than the interbank loan rates.

Re:Tracking $$$$ (1)

Anonymous Coward | about 8 months ago | (#44671329)

In case anybody is wondering why I'm so mean to conservatives,

No, you are mean because you think the purpose of the government is to punish people you don't like, not to do good things for the people. You get a thrill up your leg every time a tax increase is mentioned because for some reason you think it will apply to other people and not you. You get excited when you hear about new regulations because you think it will destroy companies you don't like and you don't give a crap about how many people will lose their jobs when that happens, just as long as the three people at the top are "taught a lesson"

What you fail to see is government abuse hurts everyone, including you. You are just another moronic idiot voting for more oppression on yourself because you think being a good little DNC voter will make you immune to such things.

Re:Tracking $$$$ (0)

Anonymous Coward | about 8 months ago | (#44670141)

oh, and one other thing.. extremism isn't necessarily wrong as it's just a measure of relative distance to popular opinion. Things like heliocentricity were once considered 'extreme' too, but it's still the truth, and that's all that matters. You're basically making an argument from consensus. Extreme or not, it is true that the USA democrats are moving further and further left as time goes on, becoming more and more like the socialist dictators of old.. None of the shit they've been pushing over the last 8 years would've flown, even as late as the mid 90s.. Americans have just gotten too jaded.. It's too bad, really, to watch this country spiral down into 3rd world, socially feral, entitlement zones like much of the rest of the world.

Wake up, there are other answers besides the old democrat/neocon battleground.

Re:Tracking $$$$ (0)

Anonymous Coward | about 8 months ago | (#44670997)

Go and try to deceive your wife, children, parents, relatives, and friends with that puke, but don't ever think that such a lie will ever have any effect upon a wise conservative. You are nothing more than a pathological liar and deceiver!

Re:Tracking $$$$ (0)

Anonymous Coward | about 8 months ago | (#44669787)

"but leftists have plenty of reasons to want to track us too.." I hate to break it to YOU, but you're a paranoid moron.

Re:Tracking $$$$ (0)

Anonymous Coward | about 8 months ago | (#44669935)

Uh no.. I'm not. I'm telling the truth. Most of that shit the neocons passed over the last decade couldn't have happened without democrat support. Power is power, buddy. I don't care what ideological boilerplate you slap on it. You need to get a clue. Both parties routinely shit on the constitution and what it represents.

Re:Tracking $$$$ (0)

Anonymous Coward | about 8 months ago | (#44670425)

Interesting assumption, too bad there aren't any leftists in the US to begin with.

Re:Tracking $$$$ (0)

Anonymous Coward | about 8 months ago | (#44669663)

LOL Yeah, cause [sarcasm] gubmint does SUCH A BANGUP job with telemarketers, finance area, etc [/sarcasm]. Oh wait...

Re:Tracking $$$$ (1)

hedwards (940851) | about 8 months ago | (#44669685)

You do realize that this is the result of the legislation being watered down to permit that behavior, right? Causing problems so that you can be antigovernment is not a strategy for better governance. It's a strategy to ensure that the government never functions well.

Re:Tracking $$$$ (0)

Anonymous Coward | about 8 months ago | (#44669827)

Even if a law didn't have loopholes, it wouldn't matter because face it, tracking on the Internet is not a high priority for any police or regulatory body. Maybe the FTC would like handing out fines or letting people sue for easy damages, but that doesn't matter when most people don't care.

This is one of those cases where the technical solution is better. You can't trust everybody to follow the law on the Internet and let's not forget any law can only be enforced in its jurisdiction.

Re:Tracking $$$$ (0)

Anonymous Coward | about 8 months ago | (#44669687)

The economy is spiraling out of control, every TLA is spying illegally on hundreds of millions of americans, we have Obamacare which is spiking the costs of health insurance to unaffordable levels, and the problem with all of it according to you? We need MORE government.

You are a total tool.

Ahh, Progress (0)

Anonymous Coward | about 8 months ago | (#44669525)

It's amazing how no one sees these issues during the development of these new 'features', or if they do no one listens to them about the pitfalls.

Progress, it's not just for the user experience. At least it's less painful than a dart with a tracking device attached.

Re:Ahh, Progress (0)

Anonymous Coward | about 8 months ago | (#44670889)

People knew caching could be used to track people way back when it was created.
The thing is you can't realistically fix it, either. Fixing it would mean breaking a huge optimization feature and make costs rise for everyone.

It isn't some feature like javascript alert loops (which only got fixed a few years back where everyone agreed to add "ignore any other alerts" option on alert boxes if there are enough of them popping up. I think Chrome is 3 alerts), or creating window loops, or locking the keyboard out from accessing the system. (still an unfixed problem)
Development got much better when WHATWG came around.
All these new features being added have huge safeguards in them, such as requesting by default on things that could give out information such as geolocation, or the new mouse-window-locking feature and so on.
Some other things are also being fixed from the mess of the W3C age, even iframes getting some TLC since they were neglected for so long.
Nothing wrong with iframes, but the implementation is what was lacking, sandboxing, some basic security and that.
For example, being able to render a sandboxed iframe that flows with the document, that would have been a glorious feature. But XHR and element creation took over.

Caching is something that likely won't get any fix.
More than anything, there will likely be a push for better cache-clearing so you can clear on a per-site basis, or even per-item.
I'd be for the former, but the latter would empower people even more.
I guess we wait for the cache-clearing war in the coming year.
I can SO clear my cache better than you. I can flip bits with cosmic rays in my browser. Does your browser have that? Checkmate.
Also, asking to allow a site to cache content on the computer in question would become so annoying people would enable or disable outright since caching is used everywhere.
Talk about being between a supernova and a blackhole.

Secret Agent addon (2, Informative)

Anonymous Coward | about 8 months ago | (#44669543)

The addon's homepage appears to be this:
https://www.dephormation.org.uk/?page=81

SecretAgent - Not Found Firefox 23.0.1 (0)

Anonymous Coward | about 8 months ago | (#44669695)

Sorry, but I couldn't find the add-on mentioned in the article. Tried a few different terms other than "SecretAgent" as well. Anyone have the equivalent for Firefox v23+?

Thanks.

Re:SecretAgent - Not Found Firefox 23.0.1 (0)

Anonymous Coward | about 8 months ago | (#44669981)

https://www.dephormation.org.uk/?page=81

Old News is So Exciting! (0)

Anonymous Coward | about 8 months ago | (#44669733)

Several big sites, including Hulu, were discovered using this technique back in 2011 [extremetech.com].

Slashdot probably reported on it then, but I doubt any of the editors understood what they were reading.

Another Job for RequestPolicy (2)

Jah-Wren Ryel (80510) | about 8 months ago | (#44669753)

The RequestPolicy add-on [requestpolicy.com] should handle this too. RequestPolicy blocks cross-site references by default and lets you whitelist individual cases. If you don't even talk to the tracker websites then they can't track you.

If the main website you access tracks you via etags the risk is limited to tracking your actions on that website which you'd have problems avoiding anyway since they can track you via ip address or if you have an account on that website.

Re:Another Job for RequestPolicy (4, Informative)

Anonymous Coward | about 8 months ago | (#44669853)

I use RequestPolicy, and it definitely isn't for most people. It increases the amount of effort needed to browse the web by a factor of ten.

Every other site I go to is actually served from about two dozen separate locations. CSS comes from one domain, images come from as many as 6 domains, javascript comes from as many as 3 domains, and it isn't unheard of to see twenty different sets of trackers and widgets getting bolted on, not including the additional baggage that they bring.

It's fucking ridiculous.

Oddly enough, sites hosting their own tracking will make RequestPolicy fail miserably, since it only deals with cross site refs. Such sites are the exception, though.

Re:Another Job for RequestPolicy (2)

Jah-Wren Ryel (80510) | about 8 months ago | (#44669925)

I find that about half the sites I go to don't require any whitelisting at all, another ~30% are good enough with white-listing only a couple of other sites (usually CDNs). But it does take a while to get the hang of guessing which are the required sites and which are just fluff and/or trackers.

They just don't seem to get the message (4, Interesting)

Somebody Is Using My (985418) | about 8 months ago | (#44669759)

I always imagine the webserver as having an internal conversation that goes sort of like this...

Hey, a new visitor to the website? I wonder who he is?
Well, I'll just drop a cookie on there to keep track of him... and, hmm, it seems he's blocking cookies.
Oh well, let me just insert this bit of Javascript; that'll work just as well.
Dear oh dear, it seems Javascript isn't working.
No worries, I'll just insert a little 0-byte web-bug graphic and... wait? That's prevented as well?
Damn it, Flash-cookie! That'll get him! WHAT?!?!? Disabled as well?
E-Tag! That has to work, right?
ARGH!!!!!

Gee... I wonder if he's trying to tell me something like, oh I don't know, "I don't like being tracked".

Nah, who doesn't like being pushed, filed, stamped, indexed, briefed, debriefed, or numbered? I wonder if there's some other way I can use...

You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere. It just further antagonizes the very people they are trying to connect with. And then they wonder why they lose the respect and trust of their customers, resulting in an ever-more aggressive relationship between the two.

Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?

Re:They just don't seem to get the message (1)

Anonymous Coward | about 8 months ago | (#44669823)

Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?

Well the advertising giant Google would cease to exist, for one....

Re:They just don't seem to get the message (1)

dotancohen (1015143) | about 8 months ago | (#44669843)

You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways.

Which companies? You do realize that this is a browser feature, right? Mozilla et. al. introduced this into the browser, not some third-party. Go look up the Bugzilla page and commit for this feature for the guy's name and contact info.

Re:They just don't seem to get the message (0)

Anonymous Coward | about 8 months ago | (#44669903)

unintended consequences are not intended, you would think that was obvious.

Re:They just don't seem to get the message (1)

dotancohen (1015143) | about 8 months ago | (#44670143)

unintended consequences are not intended, you would think that was obvious.

What do you suppose the intended consequences were, then? Keep in mind that cookies already exist, and did so when this feature was added.

Re:They just don't seem to get the message (2)

CRCulver (715279) | about 8 months ago | (#44669897)

Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising.

The global economy would be smaller and internet access would be less available worldwide. Once the model of advertising-supported services arose, people in the third world could have nice things like e-mail and entertainment in spite of their countries' lack of means or an infrastructure where individuals could pay for whatever they used themselves.

It's easy for someone in the West to say, "They should just bill you $20 a month for your usage of service x, and get rid of advertising", but try to be considerate of the rest of the world.

Re:They just don't seem to get the message (1)

Ksevio (865461) | about 8 months ago | (#44669917)

Part of the issue is browsers/programs that portray cookies in a bad light. When malware scanners flag cookies as "harmful to your computer", people get nervous about all cookies and want them gone (then wonder why they have to keep logging in).

Re:They just don't seem to get the message (2)

mcgrew (92797) | about 8 months ago | (#44670101)

Some of us don't like being stalked by the government or the corporations that own it.

Re:They just don't seem to get the message (0)

Anonymous Coward | about 8 months ago | (#44670483)

Cookies make great sense on a website where I have an account and need to log in.
They are of no use to me on the other 99% of the web.

Re:They just don't seem to get the message (0)

Anonymous Coward | about 8 months ago | (#44670069)

Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?

That day ended when Napster went viral, and an entire generation became manifesto'd with the idea that "Everyone's digital stuff should be free as in beer, from now on I only pay for devices and (some) services." The record industry managed to shut down Napster but not the manifesto.

Google encouraged that kind of thinking because it fit their business model perfectly. Businesses will find ways to make large profits for their shareholders.

Re:They just don't seem to get the message (4, Funny)

bbn (172659) | about 8 months ago | (#44670075)

E-Tag! That has to work, right?
ARGH!!!!!

Gee... I wonder if he's trying to tell me something like, oh I don't know, "I don't like being tracked".

By this point you are being tracked as the guy that blocked everything else. There is only going to be one of you.

Re:They just don't seem to get the message (3, Interesting)

mopower70 (250015) | about 8 months ago | (#44670565)

You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere.

I'm honestly curious here. Advertising isn't going away. It's what keeps the Internet "free". So you're saying you'd rather have completely irrelevant advertising than stuff you may actually be interested in? When I'm in the market for any kind of product, I actively seek out sources of advertising to survey what's available. Being flooded with irrelevant information and advertisements (like happens on the radio and television) is personally unnecessary but financially necessary noise to provide the content I want. I'll take trackers any day over having to pay for every single site I visit.

Re:They just don't seem to get the message (3, Interesting)

Anonymous Coward | about 8 months ago | (#44671011)

Yes, that's what I'm saying. I don't want these people to know what I want. They have proven that they will take advantage of that, and try to make me impulse-buy things when I'm at my most vulnerable to targeted ads.

Ads are not a good way to form a worthwhile opinion on what product is the best for you, the consumer. They're designed to drown out the competition and are practically worthless for making a judgement call, unless you happen to notice it's something you already wanted that has a special-offer.

Without competition, ads are no more relevant than they were without being targeted. I've seen no evidence of more competition with more targeted ads. I just get the same products over and over, from whomever can afford the most ads. It's not a healthy situation for commerce.

Plus, if it's something I'm going to buy, I'll buy it. I don't need an ad asking me to click on it while I'm doing other things. I'd rather the business model was revamped than the customer's privacy model.

If ads can sustain the web as-is, then I don't see a need to "upgrade" them. And if they can't, then it's just another reason to revamp the business model instead of desperately clinging to it.

Panopticlick is another method (5, Interesting)

danceswithtrees (968154) | about 8 months ago | (#44669811)

The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.

https://panopticlick.eff.org/ [eff.org]

Re:Panopticlick is another method (0)

Anonymous Coward | about 8 months ago | (#44670033)

Thanks! I reconfigured my browser a bit.

Re:Panopticlick is another method (1)

flyingfsck (986395) | about 8 months ago | (#44670299)

You cannot win. If you don't respond with anything, then that still identifies you uniquely, since nobody else does that.

Re:Panopticlick is another method (0)

Anonymous Coward | about 8 months ago | (#44670521)

I'm not responding with nothing. I'm responding with more general data.

Re:Panopticlick is another method (0)

Anonymous Coward | about 8 months ago | (#44671007)

where can I get info about what is the most popular "panoptical" data today?
I mean what is the most used user agent string and all the rest, so I can set my browser to pretend to be the most used "general" setup.

I assume it is some English version of Explorer or Firefox (or Chrome today?) on Windows XP, and I'm totally fine with that, I don't care a tiny bit about helping statistics about what browser is most "popular". The webservers around the world don't need to know I'm using firefox3.6.x on Linux. What "marketshare" a browser or operating system has is data the world can do without (except right now when I want to copy the most popular hehehe). There is also the rest with http_accept headers, plugins-list, and pretended screen size, timezone and that stuff I don't want to tell webservers either. What is the most used data?

(btw why at all does Firefox tell websites this: "gecko-mediaplayer ; {a href=\"http://kdekorte.googlepages.com/gecko-mediaplayer\"}Gecko Media Player{/a} {br}{br}Video Player Plug-in for QuickTime, RealPlayer and Windows Media Player streams using {a href=\"http://mplayerhq.hu\"}MPlayer{/a};" a couple of times in plugin list?)

Re:Panopticlick is another method (0)

Anonymous Coward | about 8 months ago | (#44670235)

I think I just "leaked" I use noscript or similar ;).

Re:Panopticlick is another method (1)

Anonymous Coward | about 8 months ago | (#44670241)

The ETag method is a clever solution to keep the amount of re-retrievals of unchanged data to a minimum.
It gets abused by certain people for cookieless tracking.

There, fixed it for you. :-)

I've been wondering for quite some time (IIRC years, in which I've simply blocked all of them) why ETags have not been getting more publicity as another "store a unique ID on the user's machine" method.

It looks like both the security-hole researchers and browser-builders are not as clever as they want us to believe (or maybe something bad is going on ...)

Re:Panopticlick is another method (1)

Anonymous Coward | about 8 months ago | (#44670603)

We just assumed that it was already long common knowledge that etags were used for tracking?

Re:Panopticlick is another method (1)

VortexCortex (1117377) | about 8 months ago | (#44670329)

And with PRISM's powers combined, welcome to the Panopticon. [wikipedia.org] -- Panopticlick's namesake. TADA: The world is now a giant prison.

Bentham himself described the Panopticon as "a new mode of obtaining power of mind over mind, in a quantity hitherto without example."

Indeed.

Panopticlick is another method-Squid knows. (0)

Anonymous Coward | about 8 months ago | (#44670579)

People who used Squid already knew a lot of this.

Re:Panopticlick is another method (0)

Anonymous Coward | about 8 months ago | (#44671105)

It is of interest to note that the EFF PDF notes javascript/AJAX as being of major benefit to their gathering of "unique identifiers" in this little research project of theirs. These same things that Slashdot is basically broken without for some time now, those not logged in can not access the "Classic" view and therefore are limited to what they can read here after the posts get to a certain extent. So it comes down to "identify yourself" and choose the classic view, enable scripting and increase the number of identifiers possible, or leave scripting off and not be able to read greater than xxx comments here. Wonder why that is? Wonder why they refuse to re-enable the "Classic" view for non-members? AC's "preferences"? Please, don't be so rudely absurd. What is wrong with just defaulting to "Classic" when scripting is disabled?

Re:Panopticlick is another method (2)

nmb3000 (741169) | about 8 months ago | (#44671193)

The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.

https://panopticlick.eff.org/ [eff.org]

Yep. It's absurd, and unfortunately many "privacy-enhancing" tools (for example, anything that alters the user agent) can actually make a browser more unique rather than less-so.

NoScript is an exception, and one that works very well. I know it's parroted on Slashdot a lot, but if you care about privacy and security on the web there isn't a single better option. Using Panopticlick on my browser as an example:

Without NoScript: Your browser fingerprint appears to be unique among the 3,316,576 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 21.66 bits of identifying information.

With NoScript: Within our dataset of several million visitors, only one in 2,433 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 11.25 bits of identifying information.

Still not great, but a lot better than unique. It's quite unfortunate that the web evolved with the assumption that arbitrary code may be executed in the browser. If we had started out instead with an opt-in approach to Javascript, I think things would be quite a bit better now in terms of privacy and security than they currently are.
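The "bits of identifying information" quoted in this thread are the surprisal of a fingerprint, log2(total / matching). The following is an added example, not code from Panopticlick or from any commenter; the population, attribute values and function names are constructed for illustration. It shows why a rare, spoofed user agent raises the figure rather than lowering it.

```python
import math
from collections import Counter

FIELDS = ("user_agent", "time_zone", "screen")

# Constructed population of 1,000 visits: fingerprint tuple -> number of visits.
POPULATION = Counter({
    ("Firefox/23 Windows", "UTC-5", "1920x1080"): 400,
    ("Chrome/29 Windows", "UTC-5", "1366x768"): 350,
    ("Firefox/23 Linux", "UTC+1", "1920x1080"): 200,
    ("IE/10 Windows", "UTC+0", "1366x768"): 49,
    ("SpoofedAgent/1.0", "UTC+1", "1920x1080"): 1,
})


def surprisal_bits(matching, total):
    """Bits conveyed when `matching` out of `total` browsers look like yours."""
    if not 0 < matching <= total:
        raise ValueError("matching must be between 1 and total")
    return math.log2(total / matching)


def _bits(matching, total):
    # A value nobody has shown before is unique: count the new visitor
    # as the single match in a population that is one larger.
    if matching == 0:
        return surprisal_bits(1, total + 1)
    return surprisal_bits(matching, total)


def fingerprint_bits(population, fingerprint):
    """Surprisal of the whole fingerprint (all attributes combined)."""
    return _bits(population[fingerprint], sum(population.values()))


def attribute_bits(population, fingerprint):
    """Surprisal of each attribute taken alone, to see which one gives you away."""
    total = sum(population.values())
    result = {}
    for index, field in enumerate(FIELDS):
        matching = sum(count for fp, count in population.items()
                       if fp[index] == fingerprint[index])
        result[field] = _bits(matching, total)
    return result


if __name__ == "__main__":
    stock = ("Firefox/23 Linux", "UTC+1", "1920x1080")
    spoofed = ("SpoofedAgent/1.0", "UTC+1", "1920x1080")
    for label, fp in (("stock", stock), ("spoofed UA", spoofed)):
        print(f"{label:11} {fingerprint_bits(POPULATION, fp):5.2f} bits",
              {k: round(v, 2) for k, v in attribute_bits(POPULATION, fp).items()})
    # The figures quoted in the comment above follow from the same formula.
    print(round(surprisal_bits(1, 2433), 2), round(surprisal_bits(1, 3316576), 2))
```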

I don't get it (0)

Anonymous Coward | about 8 months ago | (#44670209)

let's assume 50 computers behind a NATed gateway.
they all have cookies and cache and javascript disabled.
they all visit the same website at the same time.
the website(server) thus sees 50 connections coming from one (the NATed) IP.
the website allows one to, say ..uhhmm, upload pictures.
so one client goes to website to the page where one would insert the image.jpg.
BUT the client forgot where the picture is on the local 1TB harddisk.
thus s/he spends 10 minutes looking for it.
what happens now is that the tcp/ip from local.port (>1024) to server port.80 times out. syn-ack-fin stuff.
the client in the mean time found the funny.cat picture. posts the image into the upload box (which is still open)
and clicks SUBMIT.
HOW in hell should the server now know WHICH of the 50 NATed clients (all coming from the same ip and
with timed out syn-ack-fin stuff) wants to upload the funny.cat picture?
seriously ... a bit of tracking (or state keeping) is required, non?
FEAR! FEAR! and MEOR(sic) FEAR!
-
methinks this is another play to push fear into ETAGS and make javascript look good.
me? i'd rather have etags and no javascript for interactive (web2.0) websites thank you very much.
'cause with both disabled, forget interactivity.
the more interactive websites work WITHOUT javascript the better!
-
just delete the cookies and cache after each browser session?

Re:I don't get it (1)

maxwell demon (590494) | about 8 months ago | (#44670823)

HOW in hell should the server now know WHICH of the 50 NATed clients (all coming from the same ip and
with timed out syn-ack-fin stuff) wants to upload the funny.cat picture?

Session cookies.

Re: I don't get it (0)

Anonymous Coward | about 8 months ago | (#44670929)

Uploading cat pictures, or more generally uploading files, has been solved so many times and in so much better ways than through HTTP, it's just a shame that we're still trying to make this bizarre misapplication work, instead of educating users that you use an FTP client to upload a picture, and working on the inter-application communication to make it easy to launch your FTP app of choice from your web browser.

Gaming the trackers (1)

Anonymous Coward | about 8 months ago | (#44670249)

Want to get back at the folks tracking? Blocking or changing the communications with things like Ghostery or SecretAgent is great. However, if there was software that connected to the tracking servers but never completed the TCP connection, thus leaving the tracker with a bunch of half open TCP connections, then one could effectively ddos the trackers. There are several other techniques along these lines that can be employed. What good is a tracking system that is clogged up with connections that never complete or fail in various unfriendly ways?

Captcha: capacity

Re:Gaming the trackers (1)

viperidaenz (2515578) | about 8 months ago | (#44671197)

How do you know which URL is the tracking one? What if it's that CDN one that delivers actual content your browser needs to render the page? Like some CSS or Javascript resource.

Can't talk to trackers? (0)

Anonymous Coward | about 8 months ago | (#44670485)

You're ok via custom hosts files courtesy:

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

(Details +benefits hosts files provide are in link above)

I.E.-> Hosts do FAR more w/ less (1 file) @ a FAR faster level (ring 0/rpl0) vs redundant browser addons that slow up already slower ring 3/rpl 3 browsers as a filter for the IP stack (coded in C & load w/ OS + 1st net request & 1st resolver queried w\ 45++ yrs.of optimization): Especially cached in RAM (w/ large hosts via kernelmode diskcache subsystem or w\ small ones via native faulty w\ larger hosts files dns OS cache service (usermode slower) - saves CPU & I/O (bonus)). Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious hosts-domains serving mal-content + block spam/phish links), reliability (vs. downed DNS http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 [slashdot.org] or vs. Kaminsky vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* "Less is more" = GOOD engineering, UNLIKE Request Policy http://yro.slashdot.org/comments.pl?sid=4127345&cid=44669753 [slashdot.org] OR Secret Agent https://dephormation.org.uk/?page=81 [dephormation.org.uk] that changes user-agent dynamically - Except hosts do it with less + via faster levels from the IP stack itself w/ less parts + ANY BROWSER (& doesn't slow your browser down but speeds it up)

APK

P.S.=> Bottom-Line: "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

.... apk

Re:Can't talk to trackers? (1)

maxwell demon (590494) | about 8 months ago | (#44670699)

OK, then please tell me how host files can at the same time stop third-party requests to a site (like embedded YouTube videos, or Facebook like buttons) and at the same time allow explicit access of the very same site (that is, when you explicitly go to Youtube or Facebook).

With RequestPolicy that's trivial (indeed, it's the default, you don't even need to know the third party site to be sure that it is blocked, let alone explicitly deny it).

Using YOUR example? (0)

Anonymous Coward | about 8 months ago | (#44671259)

I don't see YouTube ads. Hosts work for it apparently, & yet certainly do more than any 1 browser addon from faster levels of operations by many orders of magnitude (kernelmode vs usermode) by blocking out access to 3rd party cookies servers (like hosts do for ads). Proof's "in the pudding" results I get!

I.E.-> If the cookies are served up from diff. servers, like ads are, then there's your answer. YouTube, of all things you used, PROVES it for me so far - as I am a AVID user of YouTube!

Determining those servers = Easy with any WinPCap using tool (e.g. - WireShark &/or NetWork Latency Viewer -> http://www.nirsoft.net/utils/network_latency_view.html [nirsoft.net] )

(Glad you chose that example in fact... Why? Well, I had a pal who couldn't understand WHY he saw ads on my connection, yet I didn't, on YouTube on the SAME video we both watched for a test! He uses IE10, I use Opera 12.16 (last "real" Opera)).

* By way of comparison - You're putting on more redundant layers that = unnecessary in browser addons (that for a fact also slowdown webbrowsers too).

APK

P.S.=> There ya go - It works for me, & perfectly on YouTube no less (the very example you used)! Yes, I have JavaScript active on YouTube too (Via Opera 12.16's "by site" preferences as an "exception site", rest have it, plugins, & frames/iframes blocked by default, globally - this is a "native" no addons necessary feature of Opera by the way - again: NO extra "moving parts" needed in addons that slow browsers down)... apk

Re:Can't talk to trackers? (2)

nmb3000 (741169) | about 8 months ago | (#44671255)

I know, replying to APK about magical hosts files is pointless, but here we go anyway:

Can you answer these two questions:

How many domains and subdomains does Facebook operate?
Please make sure to include those added in the last 4 hours!

Can you enumerate every domain used to host advertising and/or malware on the planet?
Please make sure to account for dynamically changing and the infinite number of wildcard domains!

If you cannot give me exact answers, then your hosts file method is useless and obsolete. Please wake up and stop peddling your crap here.

can I set firefox to not send back etags at all? (0)

Anonymous Coward | about 8 months ago | (#44670541)

is it impossible to set the web browser to never use etags?
(without clearing the cache but never store any etags it gets)

and if I have a picture in the cache, why would I want to send a request for that picture again? When I start my web browser I do want it to show all the hundred tabs from yesterday just as they were when I left them, not a changed version. When I open a new webpage I would like the newest version but I don't think it is much time saved by webserver generating the webpage, then calculate a checksum or whatever (I mean for pages not using etags for tracking...), and then compare it to the etag the webbrowser sent, and then if equal reply they are equal - instead of just sending the page it generated! it is just a html file, shouldn't be that many kb.

Re:can I set firefox to not send back etags at all (1)

maxwell demon (590494) | about 8 months ago | (#44670913)

It's not the loading of the HTML file which is avoided with ETags, but the loading of the image. Basically, if the image today is still the same as the image last week, and the image from last week is still in the cache, then it makes sense not to load the image again.
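A validator for unchanged bytes should normally be the same for every first-time visitor, which gives a client-side check for the per-client ETags this story describes. The following is an added example, not code from the article or from any commenter; the profile names, URLs, ETag values and bodies are constructed sample data, and the verdict labels are this example's own.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (not captured traffic): one tuple per response seen
# when the same URL was fetched from freshly created, empty browser profiles.
OBSERVATIONS = [
    ("fresh-1", "https://cdn.example/site.css", 'W/"a1b2c3"', b"body{margin:0}"),
    ("fresh-2", "https://cdn.example/site.css", '"a1b2c3"', b"body{margin:0}"),
    ("fresh-3", "https://cdn.example/site.css", '"a1b2c3"', b"body{margin:0}"),
    ("fresh-1", "https://ads.example/pixel.gif", '"u-7f3a91"', b"GIF89a-1x1"),
    ("fresh-2", "https://ads.example/pixel.gif", '"u-02c4de"', b"GIF89a-1x1"),
    ("fresh-3", "https://ads.example/pixel.gif", '"u-b81e55"', b"GIF89a-1x1"),
    ("fresh-1", "https://news.example/front.html", '"v41"', b"<h1>Monday</h1>"),
    ("fresh-2", "https://news.example/front.html", '"v42"', b"<h1>Tuesday</h1>"),
    ("fresh-1", "https://img.example/once.png", '"zz9"', b"PNG-bytes"),
]


def opaque_tag(etag):
    """Drop the weak-validator prefix and quotes so W/"x" and "x" compare equal."""
    etag = etag.strip()
    if etag.startswith("W/"):
        etag = etag[2:]
    return etag.strip('"')


def audit_etags(observations):
    """Classify each URL by how its ETag behaves across clean profiles."""
    # url -> sha256(body) -> {profile: normalised ETag}
    seen = defaultdict(lambda: defaultdict(dict))
    for profile, url, etag, body in observations:
        seen[url][hashlib.sha256(body).hexdigest()][profile] = opaque_tag(etag)

    verdicts = {}
    for url, by_body in seen.items():
        profiles = {p for tags in by_body.values() for p in tags}
        if len(profiles) < 2:
            verdicts[url] = "insufficient-data"   # nothing to compare against
            continue
        # Only responses with identical bodies are comparable with each other.
        comparable = [tags for tags in by_body.values() if len(tags) >= 2]
        if not comparable:
            verdicts[url] = "content-differs"     # page changed or is personalised
        elif any(len(set(tags.values())) > 1 for tags in comparable):
            # Also seen on server farms that build ETags from file metadata,
            # so re-fetch before concluding that this is an identifier.
            verdicts[url] = "per-client-etag"
        else:
            verdicts[url] = "content-validator"
    return verdicts


if __name__ == "__main__":
    for url, verdict in audit_etags(OBSERVATIONS).items():
        print(f"{verdict:18} {url}")
```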

Re:can I set firefox to not send back etags at all (0)

Anonymous Coward | about 8 months ago | (#44671343)

what websites change the content of their images (instead of letting the web page point to a new image url) ?

I can't think of one case when an image would be updated...
"lets have our newspapers first image always be called img1.jpg regardless what todays top news article is about" nahhh... :-D

I think 'if I have an image in the cache - then don't download the image again' would be enough. No need to check with the server if an image for some strange reason has changed. (unless the user presses F5 to reload the page to always reload everything)

ETag leaks between Incognito mode and regular mode (4, Informative)

ThatsMyNick (2004126) | about 8 months ago | (#44670775)

It also seems to leak info between regular windows and incognito mode in chromium. I assume the cache is shared between the modes, and they need separate caches.

My browser passed the test (1)

Skapare (16644) | about 8 months ago | (#44670817)

My browser passed because of the way I start it. A whole new user/home environment is dynamically created every time I start a browser. I originally did this so that as I browse hundreds of sites, I don't end up with extreme memory waste. This was done back in an older version that was quite memory leaky. It would build up too much in-process memory as I visited sites, and eventually crash. So I ended up with multiple browsers running (separate processes). At first that might seem to have used even more memory. But that was at the OS level where I did have more, including swap space. But it was at least finite since when I left some website, its browser actually exited, rather than just unlink fragmented virtual pages. Today I just haven't changed it now more because of the tracking breakage it creates. I can still be tracked within a site like Slashdot. Slashdot knows what articles I read and what articles I ignore. Slashdot knows what I post. But I am logged in, so "duh". No, it's not perfect at all, as the Slashdot advertisers can see my repeat appearances, too. But at least they can't so easily figure out what other sites I visit, besides the IP address (which I plan to work on some day).

Not new, apparently (1)

wonkey_monkey (2592601) | about 8 months ago | (#44671409)

http://en.wikipedia.org/wiki/HTTP_ETag [wikipedia.org]

ETags can be used to track unique users,[2] as HTTP cookies are increasingly deleted by privacy-aware users. In July 2011, Ashkan Soltani and a team of researchers at UC Berkeley reported that a number of websites, including Hulu.com, were using ETags for tracking purposes.[3] Hulu and KISSmetrics have both ceased "respawning" as of 29 July 2011,[4] as KISSmetrics and over 20 of its clients are facing a class-action lawsuit over the use of "undeletable" tracking cookies partially involving the use of ETags.
