
Thanks to kissmetrics for having killed ETags!

As you know, kissmetrics' tracking algorithm is based on the ETag header that HTTP servers send along with every document. Its normal use is to distinguish cached documents from new versions: if the document to be delivered has changed, a new ETag is generated. Web caches store every cached resource together with its ETag.

For a request for a resource stored in the web cache, an HTTP header line like

If-None-Match: "H33jh3gggIU§gug3kjhgHhjbkc3"

will be added to the request, which means "please send the document only if its ETag is no longer H33jh3gggIU§gug3kjhgHhjbkc3".

kissmetrics generates ETags as user IDs to be tracked, and every site that uses kissmetrics to analyze web traffic data includes a small kissmetrics.com request in its pages. The web browser caches this little resource along with its ETag, which is NOT a calculated ETag but the kissmetrics "user id". So on every site with a kissmetrics "bug", the request is sent with

If-None-Match: "your_kissmetrics_user_id"

And voilà, you're tracked. Deleting cookies does not help. You have to clear your cache in your web browser after every site visited. Not very useful.

A possible solution would be to use a web proxy like Squid, which can easily filter out the "ETag" headers. Web browsers will then use the "If-Modified-Since:" method to have web servers deliver documents only if they have changed. However, this will not work on most dynamic web sites, as web application programmers often forget to set and to honor this request header (using the last-changed timestamp of the displayed data, for example).
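The exchange described above, with and without the header filter, as an added example that is not part of the original post. It is a simulation, not Squid configuration; `Tracker`, `etag_filter`, `Browser` and the sample timestamp are constructed for illustration.

```python
import itertools

LAST_MODIFIED = "Mon, 01 Aug 2011 00:00:00 GMT"  # constructed sample value

class Tracker:
    """Constructed stand-in for a server that puts a user ID in the ETag."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.seen = []  # IDs that came back in If-None-Match

    def handle(self, req):
        tag = req.get("If-None-Match")
        if tag is not None:
            self.seen.append(tag)  # returning visitor recognised
            return 304, {"ETag": tag}
        if req.get("If-Modified-Since") == LAST_MODIFIED:
            return 304, {}  # honours the timestamp validator
        tag = '"user-%d"' % next(self._ids)
        return 200, {"ETag": tag, "Last-Modified": LAST_MODIFIED}

def strip(headers, name):
    """Return a copy of headers without the named header (case-insensitive)."""
    return {k: v for k, v in headers.items() if k.lower() != name}

def etag_filter(upstream):
    """Proxy hop: drop ETag from replies and If-None-Match from requests."""
    def send(req):
        status, resp = upstream(strip(req, "if-none-match"))
        return status, strip(resp, "etag")
    return send

class Browser:
    """Minimal cache that revalidates with whatever validators it stored."""
    def __init__(self, send):
        self.send, self.cached = send, None

    def load_tracker_resource(self):
        req = {}
        if self.cached:
            if "ETag" in self.cached:
                req["If-None-Match"] = self.cached["ETag"]
            if "Last-Modified" in self.cached:
                req["If-Modified-Since"] = self.cached["Last-Modified"]
        status, resp = self.send(req)
        if status == 200:
            self.cached = resp
        return status

def visit_three_sites(filtered):
    """Load the same embedded resource from three pages; return what the tracker saw."""
    tracker = Tracker()
    send = etag_filter(tracker.handle) if filtered else tracker.handle
    browser = Browser(send)
    statuses = [browser.load_tracker_resource() for _ in range(3)]
    return statuses, tracker.seen
```

Without the filter the tracker gets the same ID back on every later page view; with it, caching still works through If-Modified-Since but no ID reaches the server.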


About

This blog is owned by:

Pascal Gienger
Jägerstrasse 77
8406 Winterthur
Switzerland

