On Wed, 3 Aug 2011, Amos Jeffries wrote:
> On Tue, 2 Aug 2011 13:39:51 -0700 (PDT), John Hardin wrote:
>>
>> The analysis of the APT techniques used by Kissmetrics (at
>> http://www.wired.com/epicenter/2011/07/undeletable-cookie/) is
>> interesting if thin, and suggests one way that Squid might be
>> leveraged to interfere with such tracking: deleting the "Etag:" header
>> from request replies.
/me bows head in shame
>> Comments?
>
> All they are doing is a server-side browsing session. But unlike Cookies,
> ETag are usually shared between many clients simultaneously. Middleware like
> Squid is able to reply to them instead of contacting the origin site. Even
> creates new ones the origin is not aware of when compressing on the fly.
Some more details are available in the more-academic paper:
http://ashkansoltani.org/docs/respawn_redux.html
One example in that paper:
INITIAL REQUEST HEADER:
GET /i.js HTTP/1.1
Host: i.kissmetrics.com
INITIAL RESPONSE HEADER:
Etag: "Z9iGGN1n1-zeVqbgzrlKkl39hiY"
Expires: Sun, 12 Dec 2038 01:19:31 GMT
Last-Modified: Wed, 27 Jul 2011 00:19:31 GMT
Set-Cookie: _km_cid=Z9iGGN1n1-zeVqbgzrlKkl39hiY; expires=Sun, 12 Dec 2038 01:19:31 GMT;path=/;
...has the possibly useful signature of the Etag value appearing in a
cookie being set. Any comments on the utility of writing an eCAP filter to
block _that_ (to either strip the cookie or block the entire response)?
"Give up" isn't helpful. :)
--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhardin_at_impsec.org    FALaholic #11174     pgpk -a jhardin_at_impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #4: If your shooting stance is good, you're
probably not moving fast enough nor using cover correctly.
-----------------------------------------------------------------------
8 days until the 1932nd anniversary of the destruction of Pompeii

Received on Wed Aug 17 2011 - 01:16:43 MDT
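An added example of the header check proposed in the mail above; this is not code from the thread, from Squid or from any eCAP adapter, and it is written in plain Python rather than against the eCAP API. It parses a constructed response modelled on the Kissmetrics exchange quoted above, flags any Set-Cookie whose value carries the ETag token, and returns the header list with that cookie stripped.

```python
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample response, modelled on the headers quoted in the mail.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    'Etag: "Z9iGGN1n1-zeVqbgzrlKkl39hiY"\r\n'
    "Expires: Sun, 12 Dec 2038 01:19:31 GMT\r\n"
    "Last-Modified: Wed, 27 Jul 2011 00:19:31 GMT\r\n"
    "Set-Cookie: _km_cid=Z9iGGN1n1-zeVqbgzrlKkl39hiY; "
    "expires=Sun, 12 Dec 2038 01:19:31 GMT;path=/;\r\n"
    "Content-Type: application/javascript\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw HTTP response head into (status line, [(name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def etag_token(value: str) -> str:
    """Reduce an ETag field to its opaque token: W/"abc" -> abc, "abc" -> abc."""
    v = value.strip()
    if v.startswith("W/"):
        v = v[2:]
    return v.strip('"')

def cookie_name(set_cookie_value: str) -> str:
    """Name part of a Set-Cookie value: 'a=b; path=/' -> 'a'."""
    return set_cookie_value.split(";", 1)[0].partition("=")[0].strip()

def find_etag_cookies(headers: List[Header]) -> List[str]:
    """Names of cookies whose value contains an ETag token from the same response."""
    # Ignore very short tags so a 3-character ETag cannot match by accident.
    etags = {etag_token(v) for n, v in headers if n.lower() == "etag"}
    etags = {e for e in etags if len(e) >= 8}
    hits = []
    for n, v in headers:
        if n.lower() == "set-cookie":
            cookie_val = v.split(";", 1)[0].partition("=")[2]
            if any(e in cookie_val for e in etags):
                hits.append(cookie_name(v))
    return hits

def strip_etag_cookies(headers: List[Header]) -> List[Header]:
    """Return the headers with every ETag-carrying Set-Cookie removed."""
    flagged = set(find_etag_cookies(headers))
    return [(n, v) for n, v in headers
            if not (n.lower() == "set-cookie" and cookie_name(v) in flagged)]
```

Blocking the whole response instead of stripping the cookie is the same check with a different action on a non-empty result from `find_etag_cookies`.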