There are some hot discussions at the moment about how Hulu (and analytics
firm KISSmetrics) are using some quite pervasive techniques to track
users between sites, including local storage, Flash stored objects, and
user-specific ETags (that one's really vicious; it could extend to
user-specific Last-Modified values if ETags were disabled).
See:
http://ashkansoltani.org/docs/respawn_redux.html
http://www.schneier.com/blog/archives/2011/08/new_undeletable.html
Some interesting clarifications from Ashkan in the comments there: "clearing the
cache AND deleting all other forms of storage (HTML5, Flash, etc) would
technically delete identifiers between sessions [...] However, within
the same session, you're still able to be tracked across domains [...]
services likes these are using practically every known method to
circumvent user attempts to protect their privacy [...] creating a
perpetual game of privacy 'whack-a-mole'"
I think Ashkan Soltani is doing the right thing by filing a lawsuit
(http://ashkansoltani.org/docs/km/hulu_kissmetrics_complaint.pdf), but
even if it fully succeeds it won't protect against some site trying to
fly under the radar while using these kinds of methods.
Also, at the moment it seems that Firefox's private mode doesn't
properly protect against this.
I wonder if the end result could be to disable ETags and replace
Last-Modified with a neutered header, where:
- the browser formats the strings itself
- only recent requests are precise; older ones have a much bigger range
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security