Re: [Full-disclosure] Tracking with etags
- To: Adam Gleave <nard.list@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Tracking with etags
- From: Georgi Guninski <guninski@xxxxxxxxxxxx>
- Date: Wed, 15 Feb 2006 14:45:37 +0200
iirc a very similar problem was made public several years ago and there
was an online demo.
a solution may be to disable browser cache - stops at least the
privacy problem between sessions.
--
where do you want bill gates to go today?
On Tue, Feb 14, 2006 at 08:23:35AM -0800, Adam Gleave wrote:
> First, sorry if this has been mentioned before. I've searched and
> haven't found any mention, but it seems too obvious to have not
> already been reported.
>
> Basically, client gets etag from server, client sends etag to server
> next time it connects, server can associate client.
>
> Might not sound significant, but if Gmail - for instance - gives
> people Etags, they - and anyone listening in on the connection - can
> associate unanonymized accounts with anonymized accounts.
>
> I tested this on tor + privoxy and it worked.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
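A small model of the ETag exchange described in the quoted message, and of the cache mitigation suggested in the reply, added here as an example and not part of either post. The class names, URL and IP addresses are constructed; a real browser returns the stored value in the `If-None-Match` request header.

```python
import secrets


class Server:
    """Constructed model: issues a unique ETag to every client it has not seen."""

    def __init__(self):
        self.seen = {}  # etag -> source addresses that presented or received it

    def handle(self, source_ip, if_none_match=None):
        if if_none_match in self.seen:
            # Revalidation: the client echoed its ETag, so this request can be
            # tied to the earlier one regardless of the source address.
            self.seen[if_none_match].append(source_ip)
            return 304, if_none_match
        etag = '"%s"' % secrets.token_hex(8)
        self.seen[etag] = [source_ip]
        return 200, etag


class Browser:
    """Constructed model of a browser cache holding one ETag per URL."""

    def __init__(self, keep_cache_between_sessions):
        self.keep_cache = keep_cache_between_sessions
        self.cache = {}  # url -> etag

    def get(self, server, url, source_ip):
        status, etag = server.handle(source_ip, self.cache.get(url))
        self.cache[url] = etag
        return status

    def end_session(self):
        # The mitigation from the reply: no cache survives the session.
        if not self.keep_cache:
            self.cache.clear()


def linked_sessions(keep_cache_between_sessions):
    """Return the address lists the server could associate with one client."""
    server = Server()
    browser = Browser(keep_cache_between_sessions)
    browser.get(server, "/logo.gif", "198.51.100.7")   # session 1: direct
    browser.end_session()
    browser.get(server, "/logo.gif", "203.0.113.50")   # session 2: via a proxy
    return [ips for ips in server.seen.values() if len(ips) > 1]


if __name__ == "__main__":
    print("cache kept:   ", linked_sessions(True))
    print("cache cleared:", linked_sessions(False))
```

With the cache kept, the server sees both addresses under one ETag; with the cache cleared at session end, each session gets a fresh ETag and nothing is linked.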