Cookieless cookies (2013)

149 points by dedalus, almost 6 years ago

21 comments

lucb1e, almost 6 years ago
That's a surprise to see pop up again! Author here. Now I wish I had improved the demo in the past years... It still generates the etag from a few static parameters to make it work without JavaScript (as the page notes near the bottom), a real implementation doesn't have that limitation because they don't care to echo data (such as your note and visit count) back to you before the image with etag even loaded. I should have switched it to display the data in the image, so it works more accurately.
i_v, almost 6 years ago
I was surprised to see that this tracking works across both regular and private browsing in Firefox (67.0.4 on macOS). I can see the number of visits increment and whatever message I've saved on either side is displayed to both.
dalore, almost 6 years ago
Wikipedia has a list of websites known to use this technique already: https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
Looks like KISSmetrics are getting sued with a class action lawsuit over using this technique.
dang, almost 6 years ago
Discussed at the time: https://news.ycombinator.com/item?id=6231039
shock, almost 6 years ago
In Firefox, setting
    browser.cache.disk.enable
    browser.cache.memory.enable
to false, seems to stop some of this from working. The last visit date still works, but the text storage and number of visits does not.
singularity2001, almost 6 years ago
I am shocked Firefox still has such gaping privacy holes:
It's just one of many: https://samy.pl/evercookie/
In the old discussion (https://news.ycombinator.com/item?id=6231039) it was revealed that some parties were sued and settled for $500,000. Relatedly British Airways was just fined £183m. That's a beginning.
pmoriarty, almost 6 years ago
*"Even when you disabled cookies entirely, have Javascript turned off and use a VPN service, this technique will still be able to track you."*
It doesn't work if you disable image loading.
For 90%+ of the web browsing I do, I don't need to see images at all, and browsing using emacs-w3m which I have set up to show only text and not load any images suffices. Occasionally there might be some image I want to see on a website and then I'll usually load it and view that one (or handful of images) manually. Very very rarely, I'll visit a site with an image gallery, where loading and viewing images one at a time is too painful, and then I'll just open it in Firefox, which I have set up to load images.
I know not loading images by default is not a solution for most people, but it's worked great for me for many years.
Update: A lot of replies are mentioning CSS. Just for the record: emacs-w3m does not process CSS
nine_k, almost 6 years ago
This is a fundamental property of caching.
To avoid an extra fetch, *you have to explicitly tell the data source* that you already have this piece of data, and sending it is not required.
poorman, almost 6 years ago
I tried this on the 0.66.99 version of Brave and it works.
lunchables, almost 6 years ago
I wasn't familiar with etags, so for anyone else curious I'll save you the Google search:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag
> If the resource at a given URL changes, a new Etag value must be generated. Etags are therefore similar to fingerprints and might also be used for tracking purposes by some servers. A comparison of them allows the determination of whether two representations of a resource are the same. They might also be set to persist indefinitely by a tracking server.
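Added example (not part of the thread or of the linked demo): since an ETag is meant to identify a representation of a resource, one way to audit a site for the tracking use is to fetch the same URLs from several clean browser profiles and flag any URL whose ETag differs while the body bytes are identical. The observations, the `site.example` URLs and the verdict names below are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed observations (not captured traffic): the same URLs fetched from
# three clean browser profiles, i.e. empty cache and no cookies.
# Tuple layout: (profile, url, ETag header value, response body).
OBSERVATIONS = [
    ("a", "https://site.example/pixel.png", '"u-7f3a91"', b"GIF89a-1x1"),
    ("b", "https://site.example/pixel.png", '"u-02c4de"', b"GIF89a-1x1"),
    ("c", "https://site.example/pixel.png", '"u-b81e55"', b"GIF89a-1x1"),
    ("a", "https://site.example/app.css", '"5d41402a"', b"body{margin:0}"),
    ("b", "https://site.example/app.css", 'W/"5d41402a"', b"body{margin:0}"),
    ("c", "https://site.example/app.css", '"5d41402a"', b"body{margin:0}"),
    ("a", "https://site.example/feed.json", '"f1"', b'{"n":1}'),
    ("b", "https://site.example/feed.json", '"f2"', b'{"n":2}'),
]


def opaque_tag(etag):
    """Drop the weak-validator prefix so W/"x" and "x" compare equal."""
    etag = etag.strip()
    return etag[2:] if etag.startswith("W/") else etag


def audit_etags(observations):
    """Map each URL to a verdict on whether its ETag follows content or client."""
    per_url = defaultdict(lambda: defaultdict(dict))  # url -> digest -> profile -> tag
    for profile, url, etag, body in observations:
        digest = hashlib.sha256(body).hexdigest()
        per_url[url][digest][profile] = opaque_tag(etag)

    verdicts = {}
    for url, by_digest in per_url.items():
        # Only a body seen by two or more profiles allows a comparison.
        comparable = [tags for tags in by_digest.values() if len(tags) > 1]
        if not comparable:
            verdicts[url] = "inconclusive"
        elif any(len(set(tags.values())) > 1 for tags in comparable):
            verdicts[url] = "etag-varies-for-identical-body"
        else:
            verdicts[url] = "etag-follows-content"
    return verdicts


if __name__ == "__main__":
    for url, verdict in audit_etags(OBSERVATIONS).items():
        print(f"{verdict:32} {url}")
```

A URL whose body also differs per profile stays "inconclusive", because a changing body legitimately requires a changing ETag.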
nfoz, almost 6 years ago
https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
kazinator, almost 6 years ago
Interesting. You can store the data in a regular browser window, and it's still there if you open the URL in a private window.
The private mode should have its own cache that is initially empty.
Idea: since private sessions are typically short-lived, they never have to validate ETags. Basically just cache resources indefinitely and never ask "is this item still valid". The cache is thrown away when the private session is closed; that's what invalidates it.
megatoaster, almost 6 years ago
Also read: clear gifs / web beacons
You may see this in your email to track how many times you open newsletters and other items.
theon144, almost 6 years ago
Firefox 69.0b3 here, works across refreshes but not when restarting the browser or opening a private window.
arayh, almost 6 years ago
Of course this can also be applied to all other forms of tracking for extra persistence: https://news.ycombinator.com/item?id=1714446
herpderperator, almost 6 years ago
It's worth noting that when you do a hard refresh, obviously you won't get a 304 Not Modified, which is what this tracking relies on. So, if you wanted to clear the state, that would be one way.
mstade, almost 6 years ago
Interesting technique, I learned something new about ETags.
Probably a dumb question but: any reason this couldn't be reliably used instead of cookies to track sessions, e.g. login status etc.?
pierrefar, almost 6 years ago
Before anyone thinks this (and similar) approaches are a way around the GDPR's cookie consent tracking crackdown: It's not.
The GDPR talks about online identifiers, of which cookies, IP address and fingerprints are examples. If you read any regulator's guidance carefully, you'll see they talk about "cookies and similar technologies", with just "cookies" being used alone for brevity.
To rephrase, tracking of any kind is the issue, not cookies. Don't mistake the implementation for the activity.
Disclosure: Founder of a non-tracking web analytics service because of this exact issue.
tinus_hn, almost 6 years ago
Clever but as you can’t analyze cross domain images I don’t think you can use this to track people across the web.
saltminer, almost 6 years ago
On Chrome for Android it does not work with data saver enabled. Disabling it causes it to work for me.
joewee, almost 6 years ago
Doesn’t appear to work with DuckDuckGo browser on iOS.