On Wed, 3 Aug 2011, Amos Jeffries wrote:
On Tue, 2 Aug 2011 13:39:51 -0700 (PDT), John Hardin wrote:
The analysis of the APT techniques used by Kissmetrics (at
http://www.wired.com/epicenter/2011/07/undeletable-cookie/) is
interesting if thin, and suggests one way that Squid might be
leveraged to interfere with such tracking: deleting the "Etag:" header
from request replies.
/me bows head in shame
Comments?
All they are doing is a server-side browsing session. But unlike Cookies,
ETags are usually shared between many clients simultaneously. Middleware like
Squid is able to reply to them instead of contacting the origin site. It even
creates new ones the origin is not aware of when compressing on the fly.
Some more details are available in the more-academic paper:
http://ashkansoltani.org/docs/respawn_redux.html
One example in that paper:
INITIAL REQUEST HEADER:
    GET /i.js HTTP/1.1
    Host: i.kissmetrics.com

INITIAL RESPONSE HEADER:
    Etag: "Z9iGGN1n1-zeVqbgzrlKkl39hiY"
    Expires: Sun, 12 Dec 2038 01:19:31 GMT
    Last-Modified: Wed, 27 Jul 2011 00:19:31 GMT
    Set-Cookie: _km_cid=Z9iGGN1n1-zeVqbgzrlKkl39hiY; expires=Sun, 12 Dec 2038 01:19:31 GMT;path=/;
...has the possibly useful signature of the Etag value appearing in a
cookie being set. Any comments on the utility of writing an eCAP filter to
block _that_ (to either strip the cookie or block the entire response)?
"Give up" isn't helpful. :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@xxxxxxxxxx FALaholic #11174 pgpk -a jhardin@xxxxxxxxxx
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #4: If your shooting stance is good,
you're probably not moving fast enough nor using cover correctly.
-----------------------------------------------------------------------
8 days until the 1932nd anniversary of the destruction of Pompeii
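The filter John is asking about, sketched as an added, stand-alone example (not code from the thread, from Squid, or from any eCAP adapter): it takes a raw HTTP response head, looks for the signature he points out (the ETag value reappearing inside a Set-Cookie value), and then either strips the matching cookie, strips the ETag as well, or signals that the whole response should be blocked. The sample response reuses the headers quoted above with a status line, a second unrelated cookie and a Content-Type added for illustration; the eight-character minimum on the ETag is an assumed threshold to avoid matching short coincidental tokens, and the hook into Squid's eCAP adapter interface is left out, since only the header logic is shown here.

```python
"""Detect and neutralise an ETag whose value is also handed out as a cookie."""
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample: the Kissmetrics response quoted in the thread, with a
# status line, an unrelated cookie and a Content-Type added for illustration.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    'Etag: "Z9iGGN1n1-zeVqbgzrlKkl39hiY"\r\n'
    "Expires: Sun, 12 Dec 2038 01:19:31 GMT\r\n"
    "Last-Modified: Wed, 27 Jul 2011 00:19:31 GMT\r\n"
    "Set-Cookie: _km_cid=Z9iGGN1n1-zeVqbgzrlKkl39hiY; "
    "expires=Sun, 12 Dec 2038 01:19:31 GMT;path=/;\r\n"
    "Set-Cookie: lang=en; path=/\r\n"
    "Content-Type: application/javascript\r\n"
    "\r\n"
)


def parse_response_headers(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw response head into (status line, [(name, value), ...]).
    Order and duplicates (several Set-Cookie lines) are preserved."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def etag_token(value: str) -> str:
    """Strip the optional weak prefix and the quotes: W/"abc" -> abc."""
    value = value.strip()
    if value[:2].upper() == "W/":
        value = value[2:]
    return value.strip('"')


def cookie_name_value(set_cookie: str) -> Tuple[str, str]:
    """Return (name, value) of a Set-Cookie header, ignoring its attributes."""
    pair = set_cookie.split(";", 1)[0]
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def find_etag_cookies(headers: List[Header], min_len: int = 8) -> List[str]:
    """Names of cookies being set whose value contains the response's ETag.
    min_len (assumed threshold) ignores short ETags such as "1" that would
    match ordinary cookie values by coincidence."""
    tags = [etag_token(v) for n, v in headers if n.lower() == "etag"]
    tags = [t for t in tags if len(t) >= min_len]
    if not tags:
        return []
    hits = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cname, cvalue = cookie_name_value(value)
        if any(t in cvalue for t in tags):
            hits.append(cname)
    return hits


def neutralise(headers: List[Header], mode: str = "strip-cookie") -> Optional[List[Header]]:
    """Return a new header list with the ETag/cookie pairing removed.
    mode="strip-cookie": drop only the Set-Cookie lines that carry the ETag
    mode="strip-etag":   drop those cookies and the ETag (defeats the respawn,
                         at the cost of conditional revalidation for this object)
    mode="block":        return None to tell the caller to refuse the response"""
    hits = set(find_etag_cookies(headers))
    if not hits:
        return list(headers)
    if mode == "block":
        return None
    out: List[Header] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie" and cookie_name_value(value)[0] in hits:
            continue
        if mode == "strip-etag" and lname == "etag":
            continue
        out.append((name, value))
    return out


if __name__ == "__main__":
    status, hdrs = parse_response_headers(SAMPLE_RESPONSE)
    print("tracking cookies:", find_etag_cookies(hdrs))
    for n, v in neutralise(hdrs, "strip-etag"):
        print(f"{n}: {v}")
```

Two caveats that follow from the thread itself: stripping the ETag removes the respawn vector but also removes the validator Squid would otherwise use for If-None-Match revalidation of that object, and the cookie-contains-ETag match is only a heuristic, since a tracker that encodes the identifier differently in the two places will not trip it.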