Search squid archive

Re: Squid mitigation of advanced persistent tracking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 3 Aug 2011, Amos Jeffries wrote:

On Tue, 2 Aug 2011 13:39:51 -0700 (PDT), John Hardin wrote:

 The analysis of the APT techniques used by Kissmetrics (at
 http://www.wired.com/epicenter/2011/07/undeletable-cookie/) is
 interesting if thin, and suggests one way that Squid might be
 leveraged to interfere with such tracking: deleting the "Etag:" header
 from request replies.

/me bows head in shame

 Comments?

All they are doing is a server-side browsing session. But unlike Cookies, ETag are usually shared between many clients simultaneously. Middleware like Squid is able to reply to them instead of contacting the origin site. Even creates new ones the origin is not aware of when compressing on the fly.

Some more details are available in the more-academic paper:

  http://ashkansoltani.org/docs/respawn_redux.html

One example in that paper:

    INITIAL REQUEST HEADER:
      GET /i.js HTTP/1.1
      Host: i.kissmetrics.com

    INITIAL RESPONSE HEADER:
      Etag: "Z9iGGN1n1-zeVqbgzrlKkl39hiY"
      Expires: Sun, 12 Dec 2038 01:19:31 GMT
      Last-Modified: Wed, 27 Jul 2011 00:19:31 GMT
      Set-Cookie: _km_cid=Z9iGGN1n1-zeVqbgzrlKkl39hiY;
                  expires=Sun, 12 Dec 2038 01:19:31  GMT;path=/;

...has the possibly useful signature of the Etag value appearing in a cookie being set. Any comments on the utility of writing an eCAP filter to block _that_ (to either strip the cookie or block the entire response)?

"Give up" isn't helpful. :)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@xxxxxxxxxx    FALaholic #11174     pgpk -a jhardin@xxxxxxxxxx
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  USMC Rules of Gunfighting #4: If your shooting stance is good,
  you're probably not moving fast enough nor using cover correctly.
-----------------------------------------------------------------------
 8 days until the 1932nd anniversary of the destruction of Pompeii


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux