httpd-dev mailing list archives

From tser <terdu...@worldonline.nl>
Subject Re: the Twun (progress)
Date Sun, 04 Apr 1999 00:58:39 GMT
Hi,

"Roy T. Fielding" wrote:
> 
> >The first test I have done seems to reveal what I thought, it _is_
> >possible to track
> >a user without using cookies by using the cache mechanism based on the
> >etag.
> 
> No it isn't.  The only thing you can track with that is the closest
> cache that uses etags for validation of a single entity.  That could
> be half a million users behind a single AOL proxy, and is a lame excuse
> for cache busting.


Countless users have direct connections, and above all it is
very likely working through proxies also!

- User requests the URL from the server and gives if-none-match
- Proxy compares if-none-match, and queries the upfront server.
- Upfront server gets the if-none-match from the proxy
- Adds 1 to the visited counter, and hands it back in the etag
- Proxy gets new etag
- Proxy sends document, including etag, to the user.
And bam... user traced.

I'm happy I found out a way to let it really work, but on the other hand
I'm concerned about the fact it is possible. The CyberMouse knows how
many sites already are doing this kind of funny stuff. It's about as
deadly as sending a UA-CPU identifying with something like Intel
23123-123-1-23123 in the header.

It's a way of silently tracking somebody, and with knowledge of DHTML,
you could track a user on multiple sites, without setting cookies time
after time, but just questioning his Twun.

Ad sites might be doing this already, using their referer technology.


			- Reinder Kraaij,

Btw, Twunning can be done by etagging, or cooking, either way.
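
An added example, not part of the original message: a client-side or proxy-side check for the pattern the message describes, where the server answers each If-None-Match revalidation with the same bytes under a new ETag. The exchange tuples, URLs and the `flag_etag_counters` name are constructed for illustration.

```python
import hashlib
from collections import Counter

# Constructed sample exchanges (not captured traffic):
# (url, If-None-Match sent, status, ETag returned, response body)
EXCHANGES = [
    ("/banner.gif", None,    200, '"v-1"', b"GIF89a-banner"),
    ("/banner.gif", '"v-1"', 200, '"v-2"', b"GIF89a-banner"),
    ("/banner.gif", '"v-2"', 200, '"v-3"', b"GIF89a-banner"),
    ("/logo.png",   None,    200, '"abc"', b"PNG-logo-old"),
    ("/logo.png",   '"abc"', 304, '"abc"', b""),
    ("/logo.png",   '"abc"', 200, '"def"', b"PNG-logo-new"),
]

def flag_etag_counters(exchanges, threshold=2):
    """Return {url: hits} for URLs that re-issue a new ETag for unchanged bytes."""
    seen = {}          # (url, etag) -> SHA-256 of the body that etag labelled
    hits = Counter()
    for url, inm, status, etag, body in exchanges:
        digest = hashlib.sha256(body).hexdigest() if status == 200 else None
        prior = seen.get((url, inm)) if inm else None
        # An honest validator answers 304 when the bytes behind the
        # client's If-None-Match value have not changed. A 200 carrying
        # the same bytes under a different ETag means the validator is
        # being used as state, as in the counter scheme above.
        if status == 200 and prior == digest and etag != inm:
            hits[url] += 1
        if status == 200 and etag:
            seen[(url, etag)] = digest
    return {u: n for u, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print(flag_etag_counters(EXCHANGES))
```

A real content change, as in the last `/logo.png` exchange, is not flagged because the body digest differs from the one the old ETag labelled.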
