Message-ID: <20060215124536.GA7077@sivokote.iziade.m$>
Date: Wed Feb 15 12:45:42 2006
From: guninski at guninski.com (Georgi Guninski)
Subject: Tracking with etags
iirc a very similar problem was made public several years ago and there
was an online demo.
a solution may be to disable browser cache - stops at least the
privacy problem between sessions.
--
where do you want bill gates to go today?
On Tue, Feb 14, 2006 at 08:23:35AM -0800, Adam Gleave wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> First, sorry if this has been mentioned before. I've searched and
> haven't found any mention, but it seems too obvious to have not
> already been reported.
>
> Basically, client gets etag from server, client sends etag to server
> next time it connects, server can associate client.
>
> Might not sound significant, but if Gmail - for instance - gives
> people ETags, they - and anyone listening in on the connection - can
> associate unanonymized accounts with anonymized accounts.
>
> I tested this on tor + privoxy and it worked.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
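
Added example, not part of either message above: a small Python model of the ETag round trip described in the thread, used to check whether a validator issued in one session is sent back in another, with and without clearing the cache between sessions. The `Server` and `Client` classes, the session labels and the URL are hypothetical and constructed for illustration.

```python
import itertools

URL = "https://example.test/logo.png"  # constructed sample URL

class Server:
    """Hypothetical origin that gives every uncached response its own ETag."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.issued = {}   # ETag -> session it was issued in (audit label only)
        self.echoes = []   # (ETag, issued_in, sent_back_in)

    def handle(self, headers, session):
        echoed = headers.get("If-None-Match")
        if echoed in self.issued:
            self.echoes.append((echoed, self.issued[echoed], session))
            return 304, {"ETag": echoed}
        etag = '"v%d"' % next(self._ids)
        self.issued[etag] = session
        return 200, {"ETag": etag}

class Client:
    """Toy browser cache: stores the ETag and revalidates with If-None-Match."""
    def __init__(self, clear_cache_between_sessions):
        self.clear = clear_cache_between_sessions
        self.cache = {}    # url -> ETag
        self.session = None

    def fetch(self, server, url, session):
        if session != self.session:
            if self.clear:
                self.cache.clear()   # the mitigation suggested in the reply
            self.session = session
        headers = {"If-None-Match": self.cache[url]} if url in self.cache else {}
        status, response = server.handle(headers, session)
        if status == 200:
            self.cache[url] = response["ETag"]

def audit(clear_cache_between_sessions):
    """Replay two visits in one session and a third in another; return echoes."""
    server, client = Server(), Client(clear_cache_between_sessions)
    for session in ("identified", "identified", "anonymous"):
        client.fetch(server, URL, session)
    return server.echoes

def cross_session(echoes):
    """Keep only validators sent back in a different session than issued."""
    return [e for e in echoes if e[1] != e[2]]

if __name__ == "__main__":
    print("shared cache :", cross_session(audit(False)))
    print("cleared cache:", cross_session(audit(True)))
```

With the cache cleared, the validator is still sent back on the second visit inside the same session; only the replay across sessions goes away.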