Re: [squid-users] Squid mitigation of advanced persistent tracking

From: John Hardin <jhardin_at_impsec.org>
Date: Tue, 16 Aug 2011 18:16:38 -0700 (PDT)

On Wed, 3 Aug 2011, Amos Jeffries wrote:

> On Tue, 2 Aug 2011 13:39:51 -0700 (PDT), John Hardin wrote:
>>
>> The analysis of the APT techniques used by Kissmetrics (at
>> http://www.wired.com/epicenter/2011/07/undeletable-cookie/) is
>> interesting if thin, and suggests one way that Squid might be
>> leveraged to interfere with such tracking: deleting the "Etag:" header
>> from request replies.

/me bows head in shame

>> Comments?
>
> All they are doing is a server-side browsing session. But unlike Cookies,
> ETags are usually shared between many clients simultaneously. Middleware like
> Squid is able to reply to them instead of contacting the origin site. Even
> creates new ones the origin is not aware of when compressing on the fly.

Some more details are available in the more-academic paper:

   http://ashkansoltani.org/docs/respawn_redux.html

One example in that paper:

     INITIAL REQUEST HEADER:
       GET /i.js HTTP/1.1
       Host: i.kissmetrics.com

     INITIAL RESPONSE HEADER:
       Etag: "Z9iGGN1n1-zeVqbgzrlKkl39hiY"
       Expires: Sun, 12 Dec 2038 01:19:31 GMT
       Last-Modified: Wed, 27 Jul 2011 00:19:31 GMT
       Set-Cookie: _km_cid=Z9iGGN1n1-zeVqbgzrlKkl39hiY;
                   expires=Sun, 12 Dec 2038 01:19:31 GMT;path=/;

...has the possibly useful signature of the Etag value appearing in a
cookie being set. Any comments on the utility of writing an eCAP filter to
block _that_ (to either strip the cookie or block the entire response)?

"Give up" isn't helpful. :)

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin_at_impsec.org    FALaholic #11174     pgpk -a jhardin_at_impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   USMC Rules of Gunfighting #4: If your shooting stance is good,
   you're probably not moving fast enough nor using cover correctly.
-----------------------------------------------------------------------
  8 days until the 1932nd anniversary of the destruction of Pompeii
Received on Wed Aug 17 2011 - 01:16:43 MDT
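A stand-alone model of the check proposed in the post, added here as an example; it is not code from the thread, from Squid, or an eCAP adapter, and only shows the decision logic such a filter would need. It parses a raw HTTP response (handling the folded Set-Cookie line exactly as quoted above), reduces the ETag to its opaque token, and flags any Set-Cookie whose value carries that token; the filter then either strips the offending cookie or blocks the whole response, the two options the post asks about. The sample responses are constructed, modelled on the quoted headers, and MIN_TOKEN_LEN is an assumed threshold to avoid matching very short ETags that would appear in cookies by chance.

```python
"""Model of a response filter that flags ETag values reused as cookie values.

Added example for the squid-users thread; not Squid or eCAP code.
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Assumption: ETag tokens shorter than this are too common to be meaningful
# tracking identifiers, so they are ignored (avoids flagging ETag: "1").
MIN_TOKEN_LEN = 8

# Constructed sample, modelled on the header example quoted in the post,
# including the folded continuation line of Set-Cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    'Etag: "Z9iGGN1n1-zeVqbgzrlKkl39hiY"\r\n'
    "Expires: Sun, 12 Dec 2038 01:19:31 GMT\r\n"
    "Last-Modified: Wed, 27 Jul 2011 00:19:31 GMT\r\n"
    "Set-Cookie: _km_cid=Z9iGGN1n1-zeVqbgzrlKkl39hiY;\r\n"
    "            expires=Sun, 12 Dec 2038 01:19:31 GMT;path=/;\r\n"
    "Content-Type: application/javascript\r\n"
    "\r\n"
    "var x=1;"
)

# Constructed benign sample: an ETag is present but the cookie is unrelated.
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    'ETag: W/"5d8c72a5edda8d6a:0"\r\n'
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
)


def parse_response(raw: str) -> Tuple[str, List[Header], str]:
    """Split a raw HTTP/1.x response into status line, headers and body.

    Obsolete line folding (a continuation line starting with SP/HTAB, as in
    the quoted example) is joined onto the preceding header value.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def etag_token(value: str) -> str:
    """Reduce an ETag field value to its opaque tag: drop W/ and the quotes."""
    v = value.strip()
    if v.startswith("W/"):
        v = v[2:]
    return v.strip('"')


def cookie_value(set_cookie: str) -> str:
    """Return the value of the cookie-pair (the part before the first ';')."""
    pair = set_cookie.split(";", 1)[0]
    _, _, value = pair.partition("=")
    return value.strip()


def find_etag_cookies(headers: List[Header]) -> List[int]:
    """Indexes of Set-Cookie headers whose value contains an ETag token."""
    tokens = [etag_token(v) for n, v in headers if n.lower() == "etag"]
    tokens = [t for t in tokens if len(t) >= MIN_TOKEN_LEN]
    hits: List[int] = []
    for i, (name, value) in enumerate(headers):
        if name.lower() != "set-cookie":
            continue
        if any(t in cookie_value(value) for t in tokens):
            hits.append(i)
    return hits


def filter_response(raw: str, action: str = "strip") -> Tuple[str, Optional[str]]:
    """Apply the check. Returns (verdict, response); verdict is 'pass',
    'stripped' or 'blocked', and response is None when blocked."""
    status, headers, body = parse_response(raw)
    hits = find_etag_cookies(headers)
    if not hits:
        return "pass", raw
    if action == "block":
        return "blocked", None
    kept = [h for i, h in enumerate(headers) if i not in hits]
    rebuilt = status + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n" + body
    return "stripped", rebuilt


if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, BENIGN_RESPONSE):
        verdict, _ = filter_response(raw)
        print(verdict)
```

Stripping only the cookie leaves the ETag in place, so the ordinary conditional-request behaviour Amos describes (and Squid's own revalidation) keeps working; blocking the response is the blunter option and would also break legitimate resources that happen to set an ETag-derived cookie, so a real adapter would want a per-site allowlist in front of the block decision.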
