
RE: Tracking with etags



What's the difference between an etag and a cookie?

> -----Original Message-----
> From: owner-or-talk@xxxxxxxxxxxxx
> [mailto:owner-or-talk@xxxxxxxxxxxxx] On Behalf Of Adam Gleave
> Sent: Tuesday, February 14, 2006 8:24 AM
> To: or-talk@xxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Tracking with etags
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> First, sorry if this has been mentioned before. I've searched and
> haven't found any mention, but it seems too obvious to have not
> already been reported.
>
> Basically, client gets etag from server, client sends etag to server
> next time it connects, server can associate client.
>
> Might not sound significant, but if Gmail - for instance - gives
> people Etags, they - and anyone listening in on the connection - can
> associate unanonymized accounts with anonymized accounts.
>
> I tested this on tor + privoxy and it worked.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (OpenBSD)
>
> -----END PGP SIGNATURE-----
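
The linkage described in the quoted message, and a header filter that breaks it, as an added example that is not part of the original thread. `TaggingServer`, `CachingClient` and `strip_headers` are hypothetical names, and the server is a constructed in-memory stand-in rather than a real site.

```python
import secrets

# Headers that carry an entity tag between client and server.
REQUEST_VALIDATORS = {"if-none-match", "if-match", "if-range"}
RESPONSE_VALIDATORS = {"etag"}

def strip_headers(headers, blocked):
    """Return a copy of headers without the blocked names (case-insensitive)."""
    return {k: v for k, v in headers.items() if k.lower() not in blocked}

class TaggingServer:
    """Constructed stand-in: mints one ETag per unrecognised visitor."""
    def __init__(self):
        self.seen = {}  # etag -> labels of the visits that presented it

    def handle(self, request_headers, label):
        lowered = {k.lower(): v for k, v in request_headers.items()}
        tag = lowered.get("if-none-match")
        if tag in self.seen:              # returning client: same tag comes back
            self.seen[tag].append(label)
            return 304, {"ETag": tag}
        tag = '"%s"' % secrets.token_hex(8)
        self.seen[tag] = [label]
        return 200, {"ETag": tag}

class CachingClient:
    """Browser-like cache; `filtered` models a proxy that strips validators."""
    def __init__(self, filtered):
        self.filtered = filtered
        self.cached_etag = None

    def fetch(self, server, label):
        headers = {"User-Agent": "example"}
        if self.cached_etag:
            headers["If-None-Match"] = self.cached_etag
        if self.filtered:
            headers = strip_headers(headers, REQUEST_VALIDATORS)
        status, resp = server.handle(headers, label)
        if self.filtered:                 # never let the tag reach the cache
            resp = strip_headers(resp, RESPONSE_VALIDATORS)
        self.cached_etag = resp.get("ETag", self.cached_etag)
        return status

def linked_visits(filtered):
    """Visits the server can tie together after a direct and an anonymized fetch."""
    server, client = TaggingServer(), CachingClient(filtered)
    client.fetch(server, "direct")
    client.fetch(server, "via-anonymizer")
    return [labels for labels in server.seen.values() if len(labels) > 1]
```

Stripping the validators costs the client its conditional requests, so every fetch of the resource becomes a full download.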