[Full-disclosure] Tracking with etags
guninski at guninski.com
Wed Feb 15 12:45:37 GMT 2006
iirc a very similar problem was made public several years ago and there
was an online demo.
a solution may be to disable the browser cache - that stops at least the
privacy problem between sessions.
where do you want bill gates to go today?
On Tue, Feb 14, 2006 at 08:23:35AM -0800, Adam Gleave wrote:
> First, sorry if this has been mentioned before. I've searched and
> haven't found any mention, but it seems too obvious to have not
> already been reported.
> Basically, client gets etag from server, client sends etag to server
> next time it connects, server can associate client.
> Might not sound significant, but if Gmail - for instance - gives
> people ETags, they - and anyone listening in on the connection - can
> associate unanonymized accounts with anonymized accounts.
> I tested this on tor + privoxy and it worked.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
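The mechanism the thread describes (server hands out a per-client ETag, the browser replays it as If-None-Match, the server or a passive observer links the visits) and the two mitigations mentioned (a filtering proxy in the privoxy role, or disabling the cache) as a self-contained simulation. This is an added example written for this page, not code from either poster; the TrackingOrigin, Browser and strip_validators names are hypothetical, nothing here touches a real network, and the header values are constructed.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Toy origin: gives every new visitor a random ETag and later recognises the
# visitor by the If-None-Match header the browser replays. This models the
# tracking mechanism described in the thread; it is not a real web server.
class TrackingOrigin:
    def __init__(self) -> None:
        self.etag_to_visitor: Dict[str, int] = {}

    def handle(self, request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[int]]:
        """Return (status, response headers, recognised visitor id or None)."""
        replayed = request_headers.get("If-None-Match")
        if replayed in self.etag_to_visitor:
            # The cache validator came back: the origin knows it is the same client.
            return 304, {"ETag": replayed}, self.etag_to_visitor[replayed]
        new_etag = '"%s"' % secrets.token_hex(8)   # constructed, per-visitor value
        visitor_id = len(self.etag_to_visitor) + 1
        self.etag_to_visitor[new_etag] = visitor_id
        return 200, {"ETag": new_etag, "Cache-Control": "max-age=0"}, None


class Browser:
    """Minimal client cache: stores the ETag and replays it as If-None-Match.
    cache_enabled=False models the 'disable browser cache' mitigation."""
    def __init__(self, cache_enabled: bool = True) -> None:
        self.cache_enabled = cache_enabled
        self.stored_etag: Optional[str] = None

    def request(self) -> Dict[str, str]:
        headers: Dict[str, str] = {}
        if self.cache_enabled and self.stored_etag:
            headers["If-None-Match"] = self.stored_etag
        return headers

    def receive(self, response_headers: Dict[str, str]) -> None:
        if self.cache_enabled and "ETag" in response_headers:
            self.stored_etag = response_headers["ETag"]


# Cache validators that carry client-specific state across requests.
STRIP_HEADERS = {"etag", "if-none-match", "if-match"}

def strip_validators(headers: Dict[str, str]) -> Dict[str, str]:
    """Mitigation in the role of a filtering proxy: drop cache validators in
    both directions so no ETag ever reaches the browser or returns to the origin."""
    return {k: v for k, v in headers.items() if k.lower() not in STRIP_HEADERS}


def simulate(browser: Browser, origin: TrackingOrigin, rounds: int = 3,
             proxy_filter: bool = False) -> List[Optional[int]]:
    """Make `rounds` visits; return the visitor id the origin recognised on each."""
    recognised: List[Optional[int]] = []
    for _ in range(rounds):
        req = browser.request()
        if proxy_filter:
            req = strip_validators(req)
        _status, resp, who = origin.handle(req)
        if proxy_filter:
            resp = strip_validators(resp)
        browser.receive(resp)
        recognised.append(who)
    return recognised


def linked_sessions(observations: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Detection view for an analyst reviewing proxy or capture logs: given
    (session label, If-None-Match value) pairs, return the validators that tie
    more than one session together, i.e. the cross-account linkage the thread warns about."""
    by_validator: Dict[str, set] = {}
    for session, validator in observations:
        if validator:
            by_validator.setdefault(validator, set()).add(session)
    return {v: sorted(s) for v, s in by_validator.items() if len(s) > 1}


if __name__ == "__main__":
    print("no mitigation:   ", simulate(Browser(), TrackingOrigin()))
    print("cache disabled:  ", simulate(Browser(cache_enabled=False), TrackingOrigin()))
    print("filtering proxy: ", simulate(Browser(), TrackingOrigin(), proxy_filter=True))
```

Run unmodified, the first line shows the origin recognising the same visitor on every visit after the first; with the cache disabled every visit looks like a new client, and with the filter in place the browser never sees an ETag at all. `linked_sessions` is the log-review side: any validator that appears under two session labels that were supposed to be unrelated is the linkage to look for.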