httpd-dev mailing list archives

From Jacob Schroeder
Subject Re: the Twun (progress)
Date Sun, 04 Apr 1999 18:15:15 GMT

On Sat, Apr 03, 1999 at 11:58:39PM -0100, tser wrote:
> "Roy T. Fielding" wrote:
> > 
> > >The first test I have done seems to reveal what I thought, it _is_
> > >possible to track
> > >a user without using cookies by using the cache mechanism based on the
> > >etag.
> > 
> > No it isn't.  The only thing you can track with that is the closest
> > cache that uses etags for validation of a single entity.  That could
> > be half a million users behind a single AOL proxy, and is a lame excuse
> > for cache busting.
Hmmm, I'm not sure about that. If I include a
  Cache-Control: must-revalidate,max-age=0
in the response, the proxy-cache is forced to do revalidation. Which
etag will the proxy use for the revalidation? The one from its cache entry or 
the one from the new request? I suspect the latter one, but maybe I've missed 
something in the actual HTTP/1.1-draft. In this case it seems to me that the 
trick will work.

Etags are specific to resources, so only the same resource will get that 
etag back, but one can cover a set of web-sites by including a single
image reference. And this will bypass the defence walls that have been
built against cookies :( And the user won't even notice it.


> Countless users have direct connections, and above all it is walking
> very likely through proxies also!
> - User requests the URL from the server and gives if-none-match
> - Proxy compares if-none-match, and queries upfront server.
> - Upfront server gets the if-none-match from the proxy
> - Adds 1 to the visited counter, and hands it back in the etag
> - Proxy gets new etag
> - Proxy sends document, including e-tag to the user.
> And Bamn... User traced.
> I'm happy I found out a way to let it really work, but on the other hand
> I'm concerned about the fact it is possible. The CyberMouse knows how
> many sites already are doing this kind of funny stuff. It's about as
> deadly as sending a UA-CPU identifying with something like Intel
> 23123-123-1-23123 in the header. 
> It's a way of silently tracking somebody, and with knowledge of DHTML,
> you could track a user on multiple sites, without setting time after
> time cookies, but just questioning his Twun. 
> Adsites might be doing this already, using their referer technology.
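
Added example, not part of the original message or thread: a Python check that an auditing proxy or privacy tool could run to flag the behaviour discussed above, where the validator is rewritten on revalidation although the content is unchanged. The record layout, the reason strings and all sample values are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed observations, as an auditing proxy might record them:
# (client, url, If-None-Match sent, ETag returned, digest of the body served or kept in cache)
SAMPLE = [
    ("c1", "/logo.gif",  None,    '"v-1"', "aa11"),
    ("c1", "/logo.gif",  '"v-1"', '"v-2"', "aa11"),
    ("c1", "/logo.gif",  '"v-2"', '"v-3"', "aa11"),
    ("c2", "/logo.gif",  None,    '"w-1"', "aa11"),
    ("c1", "/style.css", None,    '"s1"',  "bb22"),
    ("c1", "/style.css", '"s1"',  '"s1"',  "bb22"),
    ("c1", "/style.css", '"s1"',  '"s2"',  "cc33"),  # content really changed
]

def suspicious_etags(observations):
    """Return {url: [reasons]} for URLs whose ETag behaves like an identifier."""
    findings = defaultdict(set)
    last_digest = {}                                     # (client, url) -> digest
    per_client = defaultdict(lambda: defaultdict(set))   # (url, digest) -> client -> ETags
    for client, url, inm, etag, digest in observations:
        # Signal 1: the server answers a revalidation with a new validator
        # even though the body is byte-identical to what the client had.
        same_body = last_digest.get((client, url)) == digest
        if inm is not None and etag != inm and same_body:
            findings[url].add("etag-rotates-on-revalidation")
        last_digest[(client, url)] = digest
        per_client[(url, digest)][client].add(etag)
    # Signal 2: identical content, but no ETag shared between two clients.
    for (url, _digest), by_client in per_client.items():
        for a, b in combinations(by_client.values(), 2):
            if a.isdisjoint(b):
                findings[url].add("etag-differs-per-client")
    return {url: sorted(reasons) for url, reasons in findings.items()}

if __name__ == "__main__":
    for url, reasons in suspicious_etags(SAMPLE).items():
        print(url, reasons)
```

Signal 2 alone also fires on server farms that derive ETags from per-host file metadata such as inode numbers, so treat it as a prompt for review rather than proof.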
