Re: [squid-users] Squid mitigation of advanced persistent tracking

From: John Hardin <>
Date: Tue, 16 Aug 2011 18:16:38 -0700 (PDT)

On Wed, 3 Aug 2011, Amos Jeffries wrote:

> On Tue, 2 Aug 2011 13:39:51 -0700 (PDT), John Hardin wrote:
>> The analysis of the APT techniques used by Kissmetrics (at
>> is
>> interesting if thin, and suggests one way that Squid might be
>> leveraged to interfere with such tracking: deleting the "Etag:" header
>> from request replies.

/me bows head in shame

>> Comments?
> All they are doing is a server-side browsing session. But unlike Cookies,
> ETags are usually shared between many clients simultaneously. Middleware like
> Squid is able to reply to them instead of contacting the origin site. Even
> creates new ones the origin is not aware of when compressing on the fly.

Some more details are available in the more-academic paper:

One example in that paper:

       GET /i.js HTTP/1.1

       Etag: "Z9iGGN1n1-zeVqbgzrlKkl39hiY"
       Expires: Sun, 12 Dec 2038 01:19:31 GMT
       Last-Modified: Wed, 27 Jul 2011 00:19:31 GMT
       Set-Cookie: _km_cid=Z9iGGN1n1-zeVqbgzrlKkl39hiY;
                   expires=Sun, 12 Dec 2038 01:19:31 GMT;path=/;

...has the possibly useful signature of the Etag value appearing in a
cookie being set. Any comments on the utility of writing an eCAP filter to
block _that_ (to either strip the cookie or block the entire response)?

"Give up" isn't helpful. :)

  John Hardin KA7OHZ              FALaholic #11174     pgpk -a
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
   USMC Rules of Gunfighting #4: If your shooting stance is good,
   you're probably not moving fast enough nor using cover correctly.
  8 days until the 1932nd anniversary of the destruction of Pompeii
Received on Wed Aug 17 2011 - 01:16:43 MDT
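
The signature proposed in the message above (an ETag value reappearing as a cookie value in the same response), as an added example that is not part of the original post and is not Squid or eCAP code. It works on a plain list of header name/value pairs standing in for what an adapter would be handed; the function names and the `kMinLen` threshold are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>
#include <vector>
using Header = std::pair<std::string, std::string>;  // (field name, field value)
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}
static std::string trim(const std::string &s, const char *drop = " \t\"") {
    const auto b = s.find_first_not_of(drop);
    return b == std::string::npos ? "" : s.substr(b, s.find_last_not_of(drop) - b + 1);
}
// Opaque tag of an ETag value: weak prefix W/ and surrounding quotes removed.
std::string etag_token(std::string v) {
    v = trim(v, " \t");
    if (v.compare(0, 2, "W/") == 0) v.erase(0, 2);
    return trim(v);
}
// Value of the name=value pair that starts a Set-Cookie field value.
std::string cookie_value(const std::string &v) {
    const std::string pair = v.substr(0, v.find(';'));
    const auto eq = pair.find('=');
    return eq == std::string::npos ? "" : trim(pair.substr(eq + 1));
}
// Removes each Set-Cookie whose value equals the ETag token; returns the count.
// kMinLen is an assumed threshold so short ordinary tags are not matched.
std::size_t strip_etag_cookies(std::vector<Header> &headers) {
    const std::size_t kMinLen = 8;
    std::string tag;
    for (const auto &h : headers)
        if (lower(h.first) == "etag") tag = etag_token(h.second);
    if (tag.size() < kMinLen) return 0;
    const auto before = headers.size();
    headers.erase(std::remove_if(headers.begin(), headers.end(), [&](const Header &h) {
        return lower(h.first) == "set-cookie" && cookie_value(h.second) == tag;
    }), headers.end());
    return before - headers.size();
}
// Headers quoted in the message, plus one constructed unrelated cookie.
std::vector<Header> sample_response() {
    return {{"Etag", "\"Z9iGGN1n1-zeVqbgzrlKkl39hiY\""},
            {"Expires", "Sun, 12 Dec 2038 01:19:31 GMT"},
            {"Set-Cookie", "_km_cid=Z9iGGN1n1-zeVqbgzrlKkl39hiY; expires=Sun, 12 Dec 2038 01:19:31 GMT;path=/;"},
            {"Set-Cookie", "lang=en; path=/"}};
}
int main() { auto h = sample_response(); return strip_etag_cookies(h) == 1 ? 0 : 1; }
```

Only the matching cookie is dropped here; the ETag itself is left in place, so this covers the "strip the cookie" option from the message and not the "block the entire response" one.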
