Re: [squid-users] Squid mitigation of advanced persistent tracking

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Aug 2011 11:27:37 +1200

 On Tue, 2 Aug 2011 13:39:51 -0700 (PDT), John Hardin wrote:
> Folks:
>
> The analysis of the APT techniques used by Kissmetrics (at
> http://www.wired.com/epicenter/2011/07/undeletable-cookie/) is
> interesting if thin, and suggests one way that Squid might be
> leveraged to interfere with such tracking: deleting the "Etag:" header
> from request replies.
>
> I know having the proxy fiddle with HTTP reply headers is against the
> HTTP protocol, and that the reply_header_access option only allows
> fine-grain manipulation of registered HTTP headers, and that this is
> fraught with the potential for devolving into a game of whack-a-mole,
> but it seems to me that this should at least be explored, and may be
> an argument for opening the reply_header_access option up to
> fine-grain manipulation of any arbitrary HTTP header.
>
> I do know that right now I would sure like to be able to do:
>
> reply_header_access Etag deny all
>
> without hacking the Squid sources to add the "Etag" header...
>
> Comments?

 Pretty much on-par with what the media considers newsworthy these days.
 A pile of FUD and scaremongering misdirection.

 Please read up on the details of purpose and use of ETag in RFC 2616.

 In the beginning ... every URL was supposed to be unique with exactly
 one object on it. But some people decided it would be a good idea to
 compress the object to conserve bandwidth, but neglected to add a
 compressed tag into the URL. And some other people decided it would be a
 good idea to fancy up the pages and present "user-oriented pages" at
 some commonly shared URLs rather than use proper URL syntax. So Vary and
 ETag were created to tell all these variants/versions apart and avoid
 corruption and information disclosure.

 Strip either one and you will receive corrupted replies. Alter either
 one and at best you slow down the service, at worst you get an
 information leak and see versions of pages personalized for other
 people.

 All they are doing is a server-side browsing session. But unlike
 Cookies, ETags are usually shared between many clients simultaneously.
 Middleware like Squid is able to reply to them instead of contacting the
 origin site. It even creates new ones the origin is not aware of when
 compressing on the fly.

 Anonymity is an illusion. The identity (contacting M, from Y, no
 agent, no Etag) is just as easily tracked as the identity (contacting
 P, from Y, agent T, ETag Z).
 Relationships between data are what trackers do; altering the data
 values is just spitting into the wind.

 Amos
Received on Tue Aug 02 2011 - 23:27:41 MDT
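
The reply's point that ETags are normally shared between many clients suggests a check an operator can run before touching any headers. The following is an added example, not part of either message and not Squid code: it flags objects where every client received its own ETag. The record layout, host names and values are constructed, and it assumes a proxy log that records the reply ETag per client.

```python
from collections import defaultdict

# Constructed sample records: (client, url, content_encoding, etag).
# Assumption: the proxy log has been extended to record the reply ETag.
SAMPLE = [
    ("10.0.0.1", "http://static.example/logo.png", "", '"a1f3"'),
    ("10.0.0.2", "http://static.example/logo.png", "", '"a1f3"'),
    ("10.0.0.3", "http://static.example/logo.png", "", '"a1f3"'),
    ("10.0.0.1", "http://static.example/site.css", "", '"c9"'),
    ("10.0.0.2", "http://static.example/site.css", "gzip", '"c9-gz"'),
    ("10.0.0.3", "http://static.example/site.css", "gzip", '"c9-gz"'),
    ("10.0.0.1", "http://metrics.example/t.js", "", '"u-7be1"'),
    ("10.0.0.1", "http://metrics.example/t.js", "", '"u-7be1"'),
    ("10.0.0.2", "http://metrics.example/t.js", "", '"u-90cc"'),
    ("10.0.0.3", "http://metrics.example/t.js", "", '"u-41d7"'),
]


def per_client_etags(records, min_clients=3):
    """Return URLs where no ETag was ever shared between two clients.

    Variants are kept apart by Content-Encoding, since a compressed copy
    legitimately carries a different ETag from the identity copy.
    Hits are candidates for review only: personalised pages and objects
    that change between requests also produce per-client values.
    """
    clients_by_etag = defaultdict(lambda: defaultdict(set))
    for client, url, encoding, etag in records:
        clients_by_etag[(url, encoding)][etag].add(client)

    flagged = set()
    for (url, _encoding), etags in clients_by_etag.items():
        clients = set().union(*etags.values())
        unshared = all(len(seen_by) == 1 for seen_by in etags.values())
        if len(clients) >= min_clients and unshared:
            flagged.add(url)
    return sorted(flagged)


if __name__ == "__main__":
    for url in per_client_etags(SAMPLE):
        print("per-client ETag:", url)
```
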
