
Full Disclosure mailing list archives

Re: Tracking with etags
From: Georgi Guninski <guninski () guninski com>
Date: Wed, 15 Feb 2006 14:45:37 +0200

IIRC, a very similar problem was made public several years ago and there
was an online demo.

A solution may be to disable the browser cache; that stops at least the
privacy problem between sessions.

-- 
where do you want bill gates to go today?

On Tue, Feb 14, 2006 at 08:23:35AM -0800, Adam Gleave wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

First, sorry if this has been mentioned before. I've searched and
haven't found any mention, but it seems too obvious to have not
already been reported.

Basically, client gets etag from server, client sends etag to server
next time it connects, server can associate client.

Might not sound significant, but if Gmail - for instance - gives
people ETags, they - and anyone listening in on the connection - can
associate un-anonymized accounts with anonymized accounts.

I tested this on tor + privoxy and it worked.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
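The mechanism the thread describes, as an added example that is not part of either post: a server hands every first-time visitor a unique ETag on a cacheable resource, the browser replays it in If-None-Match on revalidation, and the server uses the replayed value as a cookie-independent identifier to tie an identified session to a later "anonymous" one. The proxy-style fix (dropping the validator headers, which is equivalent to Georgi's suggestion of not caching at all) is shown beside it. The class and function names, the header values and the account labels are all constructed for this illustration.

```python
"""Constructed model of ETag-based client tracking and its mitigation.

Requests and responses are plain dicts of HTTP headers; no network is used,
so the example runs offline. The account names are made-up sample input.
"""
import secrets
from collections import defaultdict


class TrackingServer:
    """Issues one ETag per first-time visitor and recognises it when replayed."""

    def __init__(self):
        # tracking token -> list of (account, path) requests seen with that token
        self.visits = defaultdict(list)

    def handle(self, request_headers, account=None, path="/logo.png"):
        # A browser that cached the resource revalidates it with If-None-Match,
        # which carries back whatever ETag the server chose to give it.
        token = request_headers.get("If-None-Match")
        if token is None or token not in self.visits:
            # First sight of this client: mint a random, client-specific ETag.
            token = '"%s"' % secrets.token_hex(8)
            status = 200
        else:
            # Known token: the server now links this request to earlier ones.
            status = 304
        self.visits[token].append((account, path))
        response_headers = {
            "ETag": token,
            "Cache-Control": "private, max-age=31536000",  # keep it cached for a year
        }
        return status, response_headers


class CachingClient:
    """Minimal browser-like cache: stores the ETag per URL and replays it."""

    def __init__(self):
        self.cache = {}  # path -> cached ETag

    def fetch(self, server, path, account=None, proxy=None):
        headers = {}
        if path in self.cache:
            headers["If-None-Match"] = self.cache[path]
        if proxy is not None:
            headers = proxy(headers)  # a privacy proxy may rewrite the request
        status, response = server.handle(headers, account=account, path=path)
        if status == 200:
            self.cache[path] = response["ETag"]
        return status


def strip_validators(request_headers):
    """Privacy-proxy rule: never let cache validators leave the client."""
    return {k: v for k, v in request_headers.items()
            if k not in ("If-None-Match", "If-Modified-Since")}


def linked_accounts(server):
    """Return the groups of distinct accounts the server tied together via one ETag."""
    groups = []
    for requests in server.visits.values():
        accounts = sorted({account for account, _ in requests if account})
        if len(accounts) > 1:
            groups.append(accounts)
    return groups


def demo(proxy=None):
    """One browser first uses a real account, then an 'anonymous' one over Tor."""
    server = TrackingServer()
    browser = CachingClient()
    browser.fetch(server, "/logo.png", account="alice", proxy=proxy)
    browser.fetch(server, "/logo.png", account="anon", proxy=proxy)
    return linked_accounts(server)


if __name__ == "__main__":
    print("without mitigation:", demo())                   # [['alice', 'anon']]
    print("validators stripped:", demo(strip_validators))  # []
```

Stripping If-None-Match and If-Modified-Since costs the client conditional requests (every fetch is a full 200), which is the same trade-off as disabling the cache; a server that embeds the identifier in the URL or in Last-Modified rather than the ETag is not stopped by the ETag-only rule, which is why the example drops both validators.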

