Re: Squid mitigation of advanced persistent tracking

On Tue, 2 Aug 2011 13:39:51 -0700 (PDT), John Hardin wrote:
> Folks:
>
> The analysis of the APT techniques used by Kissmetrics (at
> http://www.wired.com/epicenter/2011/07/undeletable-cookie/) is
> interesting if thin, and suggests one way that Squid might be
> leveraged to interfere with such tracking: deleting the "Etag:" header
> from request replies.
>
> I know having the proxy fiddle with HTTP reply headers is against the
> HTTP protocol, and that the reply_header_access option only allows
> fine-grain manipulation of registered HTTP headers, and that this is
> fraught with the potential for devolving into a game of whack-a-mole,
> but it seems to me that this should at least be explored, and may be
> an argument for opening the reply_header_access option up to
> fine-grain manipulation of any arbitrary HTTP header.
>
> I do know that right now I would sure like to be able to do:
>
>    reply_header_access Etag deny all
>
> without hacking the Squid sources to add the "Etag" header...
>
> Comments?

Pretty much on par with what the media considers newsworthy these days. A pile of FUD and scaremongering misdirection.


Please read up on the details of purpose and use of ETag in RFC 2616.

In the beginning ... every URL was supposed to be unique with exactly one object on it. But some people decided it would be a good idea to compress the object to conserve bandwidth, but neglected to add a compressed tag into the URL. And some other people decided it would be a good idea to fancy up the pages and present "user-oriented pages" at some commonly shared URLs rather than use proper URL syntax. So Vary and ETag were created to tell all these variants/versions apart and avoid corruption and information disclosure.

Strip either one and you will receive corrupted replies. Alter either one and at best you slow down the service, at worst you get an information leak and see versions of pages personalized for other people.

All they are doing is a server-side browsing session. But unlike Cookies, ETags are usually shared between many clients simultaneously. Middleware like Squid is able to reply to them instead of contacting the origin site. It even creates new ones the origin is not aware of when compressing on the fly.

Anonymity is an illusion. The identity (contacting M, from Y, no agent, no Etag) is just as easily tracked as the identity (contacting P, from Y, agent T, ETag Z). Relationships between data are what trackers do; altering the datum values is just spitting into the wind.

Amos
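
Added example, not part of the original thread and not Squid code: the reply notes that an ordinary ETag is shared between many clients while a cookie is not, and that difference can be checked from proxy logs. The Python heuristic below labels each URL by whether its ETag values are shared or held one per client; the (client, URL, ETag) tuples are constructed, and the function names, the `min_clients` threshold and the use of the client address as the client identity are assumptions.

```python
from collections import defaultdict

# Constructed observations (client, URL, ETag reply header), in the shape a
# proxy log that records reply headers could yield. Not real traffic.
SAMPLE = [
    ("192.0.2.1", "http://cdn.example.com/logo.png", '"v7"'),
    ("192.0.2.2", "http://cdn.example.com/logo.png", '"v7"'),
    ("192.0.2.3", "http://cdn.example.com/logo.png", '"v7"'),
    # Two variants of one URL (identity and gzip), each shared by clients.
    ("192.0.2.1", "http://www.example.com/app.js", '"a1"'),
    ("192.0.2.2", "http://www.example.com/app.js", 'W/"a1-gzip"'),
    ("192.0.2.3", "http://www.example.com/app.js", '"a1"'),
    ("192.0.2.4", "http://www.example.com/app.js", 'W/"a1-gzip"'),
    # Every client holds its own stable value: behaves like a cookie.
    ("192.0.2.1", "http://t.example.net/i.js", '"u9f1"'),
    ("192.0.2.1", "http://t.example.net/i.js", '"u9f1"'),
    ("192.0.2.2", "http://t.example.net/i.js", '"u2c4"'),
    ("192.0.2.3", "http://t.example.net/i.js", '"u77a"'),
    ("192.0.2.3", "http://t.example.net/i.js", '"u77a"'),
    ("192.0.2.9", "http://www.example.com/rare.css", '"r1"'),
]

def opaque_tag(etag):
    """Drop the weak-validator prefix so W/"x" and "x" compare equal."""
    return etag[2:] if etag.startswith("W/") else etag

def classify_etags(observations, min_clients=3):
    """Label each URL 'shared', 'per-client' or 'insufficient-data'."""
    seen = defaultdict(lambda: defaultdict(set))  # url -> client -> ETags
    for client, url, etag in observations:
        seen[url][client].add(opaque_tag(etag))
    verdict = {}
    for url, clients in seen.items():
        if len(clients) < min_clients:
            verdict[url] = "insufficient-data"
            continue
        holders = defaultdict(set)  # ETag -> clients that received it
        for client, tags in clients.items():
            for tag in tags:
                holders[tag].add(client)
        unique = all(len(c) == 1 for c in holders.values())
        stable = all(len(tags) == 1 for tags in clients.values())
        # Heuristic: no value reaches two clients and no client's value
        # changes. A resource that changes between one client's fetches
        # fails 'stable' and is not flagged.
        verdict[url] = "per-client" if unique and stable else "shared"
    return verdict

if __name__ == "__main__":
    for url, label in classify_etags(SAMPLE).items():
        print(f"{label:18} {url}")
```
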