Cookieless Web Tracking Using HTTP's ETag

An anonymous reader writes "There is a growing interest in who tracks us, and many folks are restricting the use of web cookies and Flash to cut down how advertisers (and others) can track them. Those things are fine as far as they go, but some sites are using the ETag header as an identifier: Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser an unique ETag, and when they connect again it can look it up in its database. Neither JavaScript, nor any other plugin, has to be enabled for this to work either, and changing your IP is useless as well. The only usable workaround seems to be clearing one's cache, or using private browsing with HTTPS on sites where you don't want to be tracked. The Firefox add-on SecretAgent also does ETag overwriting."

Secret Agent

[Jeremiah Cornelius]

Here we come. :-)

Add this feature to a chaff-creating plugin, to crapflood servers with fake tags.

Just clear the cache...

[AliasMarlowe]

On all of our PCs, Opera and Firefox are set to clear their caches and delete all cookies etc. every time they exit.
Also, I occasionally clear all private data while browsing in Opera, including the cache, cookies, history, and so forth (passwords are never saved by the browser). Obviously, I have to log in again the next time I visit slashdot.

Re:

[aliquis]

delete all cookies etc. every time they exit.

I have to log in again the next time I visit slashdot.

Too much work. Well, except if I'd never quit the browser but then it wouldn't make any difference.

Re:

[SGT CAPSLOCK]

Security is a trade-off. It's always going to take more work to set up and maintain security for yourself than it would to, say, remain traceable and insecure.

If you're lazy, then you're certainly the best kind of target.

Re:Secret Agent

[kasperd]

Can SecretAgent detect tracking through ETags? Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?

The way I'd detect it would be with some extra background probes after a page has been loaded. The background probes start once the browser has finished loading and has become idle. Then the browser could open another connection and request the same resources again without sending any information, that could be tracked. If it receives a different ETag or different content this time around, it empties the cache for that domain and disables caching for that domain for a few hours.

Re:Secret Agent

[KiloByte]

Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?

ETags are only one of many methods to achieve caching. Getting rid of them shouldn't have a big effect on caching.

Other methods typically have privacy holes as well, but it's easier to deal with them, for example by rounding timestamps down to the last midnight. ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

Re:

[Wrath0fb0b]

ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

I hate to break it to you, but the entire browser is nothing but a device for storing (and then parsing!) arbitrary attacker-provided strings. It's even got a perverse sort of link-chaining mechanism where, after receiving one such string, it will go out and fetch (and parse!) another one at the attacker's choice of address.

This is not a security vulnerability, it's the design of the system in wh

Re:

[psydeshow]

ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

I hate to break it to you, but the entire browser is nothing but a device for storing (and then parsing!) arbitrary attacker-provided strings....

This is not a security vulnerability, it's the design of the system in which there was never a requirement to ensure that a client could visit a server multiple times without the server knowing (or inferring) that it was the same client.

Yep. Bingo.

Safest solution is to write your own "browser" in PHP or something and keep the request headers limited to just GET and Host:, and don't download any linked stylesheets, scripts, images, favicons, objects, or embeds. Have fun with that!

It *would* be nice if there was a paranoid mode in Firefox or Chrome that prevented cross-domain resources from being loaded. But that would break a bunch of sites, too, where some yokels bought the argument that speed is everything and spread their frontends over

Re:

[allo]

Of course, you could use cache times and checking which images were loaded to store information as well. But one image has 1 bit of information, while one single e-tag (i.e. on one imagE) has many bits.

Re:

[kasperd]

If you get a new etag with new content that's the normal and expected use of etags. They could be tracking, or they could simply have updated their content since you first loaded it.

True, but since the secondary background probing would be started immediately after page loading has completed, there is only a very short period during which this could happen. So it would only happen in rare cases. The possibility that it could happen is why I would only disable caching for that site temporarily.

There can b

Firefox makes cache clearing difficult

[Anonymous Coward]

Changes were made in the past few years to make it much more difficult to clear the cache frequently and easily.

You must jump through various menus and dropdowns. The team argued that this was progress, and it helped prevent inadvertant cache clearing. Their argument was very weak.

It forces me to hassle with yet another plugin to make my very frequent cache clearing quicker. But at least it is now an icon on the toolbar, with no prompting.

Re:Firefox makes cache clearing difficult

[Ambiguous Puzuma]

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

Re:Firefox makes cache clearing difficult

[seyyah]

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

I also like the Ctrl+Alt+Del option. I've yet to see a website that can track me after that.

Re:

[psydeshow]

Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

Cmd-Shift-Delete on a Mac.

Nice shortcut, thanks!

Re:

[realityimpaired]

Lack of ability to clear the cache at all is why I stopped using Firefox on my tablet, actually... Still haven't found a browser that has as much privacy as I would like, but at least Dolphin lets me turn off cookies entirely and clear history/cache on exit.

Re:

[ChrisMaple]

rm -r /<your_home_directory>/.mozilla/firefox/<some_peculiar_directory_name>/Cache/* in Linux.

Re:

[zippthorne]

If you're messing with fstab, why not just mount it to its own tmpfs?

Re:

[TheGratefulNet]

see 'prefbar' plugin for firefox. turn off animation, flash, cookies, clear-cache, etc. configurable. been using prefbar for years and my installs always include this plugin.

Re:

[Mike Frett]

Edit>Preferences>Privacy Tab> Check 'Clear History When Firefox Closes' and click Settings to select what to clear on Exit. How is that difficult? Note: This is for the Linux version, I dunno about Mac/Win.

Re:

[Agent ME]

History -> Clear Recent History -> checkmark the cache box

How much easier do you want it?

Re:

[allo]

The most annoying problem: Firefox caches redirects. You cannot easily clear the cache, and it will redirect you, even when the url does not redirect anymore.

Nothing new

[deanrock0]

Did they just invent ETag or what? This "feature" is known for a few years and there are existing implementation, including this one: http://samy.pl/evercookie/ [samy.pl] from 2010.

Re:

[Anonymous Coward]

Did they just invent ETag or what? This "feature" is known for a few years and there are existing implementation, including this one: http://samy.pl/evercookie/ [samy.pl] from 2010.

The wikipedia article on ETag [wikipedia.org] links to a page from 2003 [arctic.org] discussing ETag's usability for tracking.

Re:

[maxwell demon]

One more reason to use RequestPolicy. A request that isn't even made cannot reveal any information.

Tracking $$$$

[Ed The Meek]

Tracking information is worth billions of dollars. With that much money on the line - we'll be tracked like escaped inmates - one way or another.

Re:

[dave420]

If we remove the ability for those people to track us, doesn't that mean that those Sagans of dollars need to be put back in to the industry in order for our current "internet experience" to remain as it is? I'm not saying where we're currently at is great or all, but if it is that large amount of money, we'll notice the difference if it leaves.

Re: Tracking $$$$

[Ed The Meek]

Well, that sounds good in theory, but I doubt that any laws would be written in such a way as to actually cure the problem. Usually too many loopholes in the laws. Like the "established business relationship" in telemarketing laws. Oh, and there's always the NSA....

Re:

[grantspassalan]

Is there a law that states that browser makers, such as Microsoft, Apple and others MUST include all that extraneous information that their browsers send to Web servers without the user's permission? Why must there be *any* information sent to a Web server other than the actual request for data? Why must a Web server know any information at all about what kind of an OS, sites last visited or whether or not a user has visited a site before? If these companies that make browsers really cared about privacy, th

Re:

[maxwell demon]

Why must a Web server know any information at all about what kind of an OS, sites last visited or whether or not a user has visited a site before?

You have a point about the OS and half a point about "site visited before" (but that's one thing I don't care about; if I visit a site I expect the site to know that), however the browser does not by default send a list of sites last visited. That's only revealed by tricks using features which were certainly not intended for that .

Re:

[hedwards]

You do realize that this is the result of the legislation being watered down to permit that behavior, right? Causing problems so that you can be antigovernment is not a strategy for better governance. It's a strategy to ensure that the government never functions well.

Re:

[hedwards]

There are very few leftists in the US government. I know that you right wingers like to pretend like Obama is a leftist, but the fact of the matter is that he's a conservative, it's just that you folks have gone so far to the right, that you can't tell the difference between a moderate and a lefty.

Re:

[Moridineas]

I agree that beyond a few hot button primarily social issues (the issues that are at best paid lip service by the parties, but gets the blindeyed partisans really riled up--abortion, gay marriage, immigration, taxes, etc) there's little difference between the parties in overall philosophy. Neither pants wants a small--or even a smaller--government, they just want it big in different ways.

It's long been noted that despite their intense mutual loathing, many of the complaints of the Tea Party and Occupy are t

Re:

[hedwards]

It's not silly. It is somewhat arbitrary which side you label as being left and which is right. However, the spectrum is the same no matter where you live in the world. In no part of the world is Hitler a moderate, nor Stalin for that matter.

Obama's policies are roughly in the middle between the two extremes in general. Sure on things like security, he's on the right, but for the most part, his policies are in the middle.

Re:Tracking $$$$

[Ixokai]

The thing is, you're wrong.

Very, very little of what Obama wants or has done is even close to what the progressives of the left actually want. Health care reform? He enacted the model proposed by the Republicans and devised by a right wing think-tank to create a market-based approach to near-universal healthcare: if you think the left is happy with Obamacare, you're not paying attention.

Its simply *better*, and so we will stick with it. What the left wanted was a single-payer really universal healthcare, but we compromised and were willing to go along with the ACA as long as we'd get a single-payer *option*. Then that got dropped, but most of the left decided to support the ACA anyways because really, it was better then what we have now.

Obama is a centrist; center-right in most issues, occasionally center-left. There is nothing even remotely radical about anything he's done, there's been no great pull to the left. The left has gone a bit farther left then we were a decade or so ago, but that's been in response to the monumental shift the right has gone.

There's a wholesale assault on reproductive and fundamental voting rights going on from the right these days, which is just stunning in that these are things that *only* the most extreme of the right's base want.

On civil rights, surveillance, foreign policy, environment, business regulation, ... and on and on, Obama is not at all in line with what the left wants. He's just not as bad as what the crazy people on the far right want.

Yes, there are some narrow places where the far left and the libertarian wing of the far right actually agree, and its weird when it happens: but those are on very specific and very narrow issues. The problem with that libertarian wing is then they fall flat on their face in when the social conservative bloc of the far right has to be dealt with in primaries, and suddenly small government meets bedroom and private health, and oops.

Re:

[Concerned Onlooker]

I guess the corollary is that todays USA "conservative" is not that far away from Franco or Mussolini. (By the way, Hitler was not a leftist).

Ease up on the hyperbole, eh?

Re:

[Anonymous Coward]

hitler called himself a socialist that doesn't mean he actually was one

as usual with politicians: ignore the retoric and watch what they actually do

Re:

[the eric conspiracy]

Only in the US does Obama get called leftist. He is either centrist or moderate rightist.

http://www.theamericanconservative.com/dreher/the-conservative-obama/ [theamerica...vative.com]

Compare his policies to Ronald Reagan and you will find very little difference. For example both ran huge deficits in order to stimulate job growth.

http://www.thedailybeast.com/newsweek/2009/11/20/channeling-the-gipper.html [thedailybeast.com]

The fact of the matter is that the right wing of American politics has become really extreme over the past 10 years.

Re:

[hedwards]

In case anybody is wondering why I'm so mean to conservatives, this kind of dribble is precisely why.

Considering that the GOP Presidents spent $10tn of the national debt, mostly during good times, it's hilarious that you're singling out Obama for being a thief. What's more, the largest transfer of wealth in US history happened because the Federal Reserve decided that inflation is a good thing and then set the inflation rate higher than the interest rates. Basically adding more paper to ensure that the rate

Re:

[Anonymous Coward]

In case anybody is wondering why I'm so mean to conservatives,

No, you are mean because you think the purpose of the government is to punish people you don't like, not to do good things for the people. You get a thrill up your leg every time a tax increase is mentioned because for some reason you think it will apply to other people and not you. You get excited when you hear about new regulations because you think it will destroy companies you don't like and you don't give a crap about how many people will lose thier jobs when that happens, just as long as the three p

Secret Agent addon

[Anonymous Coward]

The addon's homepage appears to be this:
https://www.dephormation.org.uk/?page=81

Another Job for RequestPolicy

[Jah-Wren Ryel]

The RequestPolicy add-on [requestpolicy.com] should handle this too. RequestPolicy blocks cross-site references by default and lets you whitelist individual cases. If you don't even talk to the tracker websites then they can't track you.

If the main website you access tracks you via etags the risk is limited to tracking your actions on that website which you'd have problems avoiding anyway since they can track you via ip address or if you have an account on that website.

Re:Another Job for RequestPolicy

[Anonymous Coward]

I use RequestPolicy, and it definitely isn't for most people. It increases the amount of effort needed to browse the web by a factor of ten.

Every other site I go to is actually served from about two dozen separate locations. CSS comes from one domain, images come from as many as 6 domains, javascript comes from as many as 3 domains, and it isn't unheard of to see twenty different sets of trackers and widgets getting bolted on, not including the addidional baggage that they bring.

It's fucking ridiculous.

Oddly enough, sites hosting their own tracking will make RequestPolicy fail miserably, since it only deals with cross site refs. Such sites are the exception, though.

Re:

[Jah-Wren Ryel]

I find that about half the sites I go to don't require any whitelisting at all, another ~30% are good enough with white-listing only a couple of other sites (usually CDNs). But it does take a while to get the hang of guessing which are the required sites and which are just fluff and/or trackers.

Re:

[TCM]

Yeah, it must be immensely hard to have a domain foobar.org and just create a cdn.foobar.org subdomain. Instead, every hipster startup goes to register fbrcdn.org instead. It's as if noone understands DNS anymore - every purpose gets a new domain instead of having a good structure.

Re:

[allo]

hosting you own tracking isn't bad at all. You know what i'm doing at your site, anyway. Because you have the httpd-logs. But services like google analytics provide the page owner very limited information, but have themself detailed information where the user was, because many many sites are using it, and it can track the user across all these sites.

They just don't seem to get the message

[Somebody Is Using My]

I always imagine the webserver as having an internal conversation that goes sort of like this...

Hey, a new visitor to the website? I wonder who he is?
Well, I'll just drop a cookie on there to keep track of him... and, hmm, it seems he's blocking cookies.
Oh well, let me just insert this bit of Javascript; that'll work just as well.
Dear oh dear, it seems Javascript isn't working.
No worries, I'll just insert a little 0-byte web-bug graphic and... wait? That's prevented as well?
Damn it, Flash-cookie! That'll get him! WHAT?!?!? Disabled as well?
E-Tag! That has to work, right?
ARGH!!!!!

Gee... I wonder if he's trying to tell me something like, oh I don't know, "I don't like being tracked".

Nah, who doesn't like being pushed, filed, stamped, indexed, briefed, debriefed, or numbered? I wonder if there's some other way I can use...

You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere. It just further antagonizes the very people they are trying to connect with. And then they wonder why they lose the respect and trust of their customers, resulting in an ever-more aggressive relationship between the two.

Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?

Re:

[Anonymous Coward]

Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?

Well the advertising giant Google would cease to exist, for one....

Re:

[dotancohen]

You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways.

Which companies? You do realize that this is a browser feature, right? Mozilla et. al. introduced this into the browser, not some third-party. Go look up the Bugzilla page and commit for this feature for the guy's name and contact info.

Re:

[BenoitRen]

You do realize that this is a browser feature, right?

*WHOOSH*

Re:

[dotancohen]

unintended consequences are not intended, you would think that was obvious.

What do you suppose the intended consequences were, then? Keep in mind that cookies already exist, and did so when this feature was added.

Re:

[maxwell demon]

What do you suppose the intended consequences were, then?

Less network traffic.

Re:

[dotancohen]

In what sense? As opposed to a cookie, how much less network traffic is sent? What percentage of the average page size does that represent?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[dotancohen]

All those images that you mention should have a long-term cache set on them.

In my limited experience writing web applications, I've have files that I would long-term cache (1 year, such as .png images) and no cache (actual dynamic pages). The site homepage I might set to cache for 1 hour or so. Also, the client client could set the "If-Modified-Since" header. This is a solved problem, with many solutions for different use cases. Also, the 'store data on the client' idea is also a solved problem with cookies

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Jah-Wren Ryel]

Once the model of advertising-supported services arose, people in the third world could have nice things like e-mail and entertainment in spite of their countries' lack of means or an infrastructure where individuals could pay for whatever they used themselves.

You know that is only true because advertising is imprecise, right? Those people have no money to buy crap anyway so advertising is completely wasted on them. If the advertising people could figure out a way to avoid paying for ads targeting people like that they would and that would quickly mean that the service providers would drop them too. Kind of like how streaming video sites use geo-location to block them now.

So it isn't really a benefit so much as an accident that may be corrected at any time. W

Re:

[Ksevio]

Part of the issue is browsers/programs that portray cookies in a bad light. When malware scanners flag cookies as "harmful to your computer", people get nervous about all cookies and want them gone (then wonder why they have to keep logging in).

Re:

[mcgrew]

Some of us don't like being stalked by the government or the corporations that own it.

Re:

[Ksevio]

And we're the ones that understand what we're doing when we disable cookies or tracking for certain sites.

Re:They just don't seem to get the message

[bbn]

E-Tag! That has to work, right?
ARGH!!!!!

Gee... I wonder if he's trying to tell me something like, oh I don't know, "I don't like being tracked".

By this point you are being tracked as the guy that blocked everything else. There is only going to be one of you.

Re:

[dltaylor]

Hardly; still isn't known to be using an anonymizer.

Re:They just don't seem to get the message

[mopower70]

You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere.

I'm honestly curious here. Advertising isn't going away. It's what keeps the Internet "free". So you're saying you'd rather have completely irrelevant advertising than stuff you may actually be interested in? When I'm in the market for any kind of product, I actively seek out sources of advertising to survey what's available. Being flooded with irrelevant information and advertisements (like happens on the radio and television) is personally unnecessary but financially necessary noise to provide the content I want. I'll take trackers any day over having to pay for every single site I visit.

Re:

[Anonymous Coward]

Yes, that's what I'm saying. I don't want these people to know what I want. They have proven that they will take advantage of that, and try to make me impulse-buy things when I'm at my most vulnerable to targeted ads.

Ads are not a good way to form a worthwhile opinion on what product is the best for you, the consumer. They're designed to drown out the competition and are practically worthless for making a judgement call, unless you happen to notice it's something you already wanted that has a special-offer.

Re:

[Arrogant-Bastard]

You know, we had a "free" Internet long before the advertising filth showed up and began polluting it. They are expendable, although they would certainly like you to believe that they're not. "Oh noooes the free sites could go away with advertising!!"

Yes, they could. So what?

Newcomers (anyone who didn't have an address ending in .ARPA is new) are directed to study the history of the 'net. Those of adequate perception will quickly realize that it was flourishing WITHOUT the hordes of imbeciles, WI

Panopticlick is another method

[danceswithtrees]

The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.

https://panopticlick.eff.org/ [eff.org]

Re:

[Anonymous Coward]

The ETag method is a clever solution to keep the ammount of re-retrievals of unchanged data to a minimum.
It gets abused by certain people for cookieless tracking

There, fixed it for you. :-)

I've been wondering for quite some time (IIRC years, in which I've simply blocked all of them) why ETags has not been getting more publicity as another "store am unique ID on the users machine" method.

It looks like that both the security-hole researchers and browser-builders are not as clever as they want us to believe

Re:

[Anonymous Coward]

We just assumed that it was already long common knowledge that etags were used for tracking?

Re:

[VortexCortex]

And With PRISM's power's combined, welcome to the Panopticon. [wikipedia.org] -- Panopticlick's namesake. TADA: The world is now a giant prison.

Bentham himself described the Panopticon as "a new mode of obtaining power of mind over mind, in a quantity hitherto without example."

Indeed.

Re:

[nmb3000]

The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.

https://panopticlick.eff.org/ [eff.org]

Yep. It's absurd, and unfortunately many "privacy-enhancing" tools (for example, anything that alters the user agent) can actually make a browser more unique rather than less-so.

NoScript is an exception, and one that works very well. I know it's parroted on Slashdot a lot, but if you care about privacy and security on the web there isn't a single better option. Using Panopticlick on my browser as an example:

Without NoScript: Your browser fingerprint appears to be unique among the 3,316,576 tested so far.

Re:

[kermidge]

Well, I'm screwed. From panopticlick: "Your browser fingerprint appears to be unique among the 3,319,469 tested so far."
And later, "21.66 bits of identifying information". Turns out much of it comes from the fonts at 18.69, but the plugins kill it, with the full 21.66.

I like being an individual when I'm at home, so to speak, but when out and about on the 'Net I'd prefer being an anonymous face in the crowd. I have ghostery to prevent tracking via cookies and web bugs, but have no idea about these etag t

Re:

[allo]

yes and no.

They are proud, they can extract that much information. Yes, this is bad. BUT, if you consider, that much of this information is unstable (think of installing a new font), the fingerprinting gets more complicated and you need some machine learning to extract the relevant data and/or match changed fingerprints, to correlate them to the same user. This is possible, but then a fingerprint is not an 100% unique thing, even when panopticlick believes it, because matching two slightly changed fingerpri

Re:

[flyingfsck]

You cannot win. If you don't respond with anything, then that still identifies you uniquely, since nobody else does that.

Gaming the trackers

[Anonymous Coward]

Want to get back at the folks tracking? Blocking or changing the communications with thigns like Ghostery or SecretAgent is great. However, if there was software that connected to the tracking servers but never completed the TCP connection, thus leaving the tracker with a bunch of half open TCP connections, then one could effectively ddos the trackers. There are several other techniques along these lines that can be employed. What good is a tracking system that is clogged up with connections that never

Re:

[viperidaenz]

How do you know which URL is the tracking one? What if its that CDN one that delivers actual content your browser needs to render the page? Like some CSS or Javascript resource.

Re:

[xelah]

Umm.....so someone uses an ETag legitimately on their dynamic site, and you respond by DDoSing them? That's sort of the problem.....you have no idea if they're tracking you or not, and a great deal of wanted legitimate content will come with ETags.

ETag leaks between Incognito mode and regular mode

[ThatsMyNick]

It also seems to leak info between regular windows and incognito mode in chromium. I assume the cache is shared between the modes, and they need separate caches.

Re:

[complete loony]

Incognito modes have never been about being anonymous to the web sites you visit. It's all about leaving no trace on the local machine.

My browser passed the test

[Skapare]

My browser passed because of the way I start it. A whole new user/home environment is dynamically created every time I start a browser. I originally did this so that as I browse hundreds of sites, I don't end up with extreme memory waste. This was done back in an older version that was quite memory leaky. It would build up too much in-process memory as I visited sites, and eventually crash. So I ended up with multiple browsers running (separate processes). At first that might seem to have used even mo

Its nowhere near as good as a cookie

[viperidaenz]

You can't correlate access across multiple URLs, since every URL has a different ETag.

Re:

[wonkey_monkey]

So you just put the same image on each page.

Re:

[viperidaenz]

But then you need to rely on the Referer header to find out where the user came from. You still have no idea who they are unless the HTML URL gives away the identity of the user. All you can tell is anonymous user A went to pages X Y and Z.

Common "internet security" software packages blank out referer headers.
Browsers won't send the referer header if the HTML page came from an HTTPS location and the other resource is not HTTPS

Re:

[null etc.]

But then you need to rely on the Referer header to find out where the user came from

There's this web technology called "query string parameters" that can be appended to any request for a resource on the web. A query string parameter containing a site identifier is more than enough to correlate with an etag identifier.

Re:

[viperidaenz]

But you need to deliver the query string in the HTML page on a different URL, and any change you make to the query string, results in the browser treating it as a different resource and will not send the ETag value. So when you append the 'site identifier' the browser treats it as a different URL. The same base URL with a different query string will not resend the same ETag.

Let me spell it out for you again: A URL includes the query string. If you change the query string, you've changed the URL.
The browser

Re:

[wonkey_monkey]

The best thing that can be done is a website can associate a browser with their a users session after they have logged out and cleared their cookies

So, kind of (exactly) like a cookie, then? What am I missing?

Okay, the server can't immediately identify you if all you do is fetch index.html, for example*, but it's pretty trivial for a server to correlate the user who fetches index.html with the user who fetches an image in index.html milliseconds later. HTTP requests don't exist in total isolation by any means.

*assuming it's not tagged, itself

Not new, apparently

[wonkey_monkey]

http://en.wikipedia.org/wiki/HTTP_ETag [wikipedia.org]

ETags can be used to track unique users,[2] as HTTP cookies are increasingly deleted by privacy-aware users. In July 2011, Ashkan Soltani and a team of researchers at UC Berkeley reported that a number of websites, including Hulu.com, were using ETags for tracking purposes.[3] Hulu and KISSmetrics have both ceased "respawning" as of 29 July 2011,[4] as KISSmetrics and over 20 of its clients are facing a class-action lawsuit over the use of "undeletable" tracking cookies partially involving the use of ETags.

How about...

[guruevi]

Simply not allowing 3rd party URL's on any website. Sure it might break some ancient things but you shouldn't really be including iframe's, cookies, JavaScript or anything else from a 3rd party domain anyway.

NY Times

[careysb]

OK, so how does the NY Times track me. I'm running Firefox on Win 7, I've cleared my cache, I've cleared my cookies, I've cleared the Flash cookies, no luck.

SecretAgent Extension Conflicts with PrefBar

[DERoss]

For Mozilla-based browsers such as Firefox and SeaMonkey, the SecretAgent extension conflicts with the PrefBar User Agent menulist.

Because some Web sites I visit are sensitive to what user agent they see, I unchecked (disabled) the "Rotate User Agent" checkbox in SecretAgent. Then, if I used the PrefBar User Agent menulist to spoof some other browser, it kept resetting to my actual user agent. Since I consider the PrefBar capability to be very important, I removed SecretAgent. The PrefBar capability was

The 'E' is for...

[thoughtlover]

Evil. Seriously, this shit is getting messed up.

Old news is old

[allo]

My Blogpost in 2007 (sorry, its german):
http://blog.laxu.de/2007/09/23/browser-raten-und-e-tag-cookies/ [blog.laxu.de]

Re:

[maxwell demon]

OK, then please tell me how host files can at the same time stop third-party requests to a site (like embedded YouTube videos, or Facebook like buttons) and at the same time allow explicit access of the very same site (that is, when you explicitly go to Youtube or Facebook).

With RequestPolicy that's trivial (indeed, it's the default, you don't even need to know the third party site to be sure that it is blocked, let alone explicitly deny it).

Re:

[maxwell demon]

I don't see YouTube ads.

I'm not speaking about ads served on YouTube (actually I didn't remember that those actually exist, having seen none for quite some time). I'm speaking about YouTube embedded videos on non-YouTube sites.

Hosts work for it apparently

I know for sure that those embedded videos, when they come from YouTube, are loaded directly from youtube.com (or one of the other common YouTube domains, like youtube.de). I know that because every one and then, I decide that I want to see the embedded vi

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[nmb3000]

I know, replying to APK about magical hosts files is pointless, but here we go anyway:

Can you answer these two questions:

How many domains and subdomains does Facebook operate?
Please make sure to include those added in the last 4 hours!

Can you enumerate every domain used to host advertising and/or malware on the planet?
Please make sure to account for dynamically changing and the infinite number of wildcard domains!

If you cannot give me exact answers, then your hosts file method is useless and obsolete. Plea

Re:

[maxwell demon]

HOW in hell shoud the server now know WHICH of the 50 NATed clients (all coming from the same ip and
with timed out syn-ack-fin stuff) wants to upload the funny.cat picture?

Session cookies.

Re:

[Phroggy]

No need to wait for a TCP connection to time out. As soon as the page has finished loading, all connections are closed. HTTP is a stateless protocol; just because you have a web page open in front of you doesn't mean there's any connection to the server right now.

If you're not using cookies, you can use query strings to track state. For every link on the page, you add a query string to the URL containing a session ID number, so when the user clicks any link, the session ID is passed in the query string.

Re:

[Phroggy]

FTP is a stupid protocol and needs to die. Please use something else (such as SFTP).

Re:

[Zan Lynx]

Except that on a LAN FTP is almost the only protocol I can rely on to get high speed data transfers. SFTP blocks at about 30 MB/s when FTP can easily get 90.

If the Linux distros would be reasonable and enable the "none" crypto on SSH it would be a good thing. If I explicitly ask for no crypto then why are they making it hard for me to get what I want?

Yes, I know I can recompile OpenSSH for "none" crypto but it is easier to set up FTP, or even use tar and netcat.

Re:

[maxwell demon]

It's not the loading of the HTML file which is avoided with ETags, but the loading of the image. Basically, if the image today is still the same as the image last week, and the image from last week is still in the cache, then it makes sense not to load the image again.