privacybadger
privacybadger copied to clipboard
EFForg
Detect etag supercookies
Etags can be used as supercookies. Detecting them is not totally trivial, because they are a multi-purpose technology that can be used innocently, but the fact that Nginx and Apache have standard recipes for setting them means that we should in principle be able to detect and act upon their non-standard uses.
Some relevant reading:
- The Nginx etag aglorithm
- An overview of all of the HTTP caching mechanisms and how they interact:
The situation on Apache is more complicated:
- Settings for changing the ingredients of an Apache etag
- It's quite hard to make Apache set etags other than with one of its configurable algorithms.
Questions:
- Does repeatedly measuring the
etagof a known-to-be-static resource like/favicon.ico(ideally from multiple endpoints, but perhaps with clean minimal requests from withing PB) reasonably indicate whether a server is setting dynamic/trackable etags?
See also https://github.com/EFForg/privacybadger/issues/616#issuecomment-160812449
For reference, here's Privacy Possum's implementation: https://github.com/cowlicks/privacypossum/blob/4709d1da72bb142c2a08ec2ca1644e81bd0e808e/src/js/reasons/etag.js
Their approach requires storing etag data after the first observation, so we'd need a pretty big new persistent data structure.
@bcyphers bump! any progress on this? If not, I would like to take a stab at it. Thanks :)
other extensions aside from Privacy Possum that block etags that I've seen in the past: etag stoppa and ClearURLS
https://github.com/claustromaniac/etag-stoppa
https://github.com/KevinRoebert/ClearUrls
Those two extensions just block etags outright, which will cause a very substantial performance impact. It should be possible to come up with a much better algorithm, that allows through etags that are a last modified time and content length.