Re: Evercookie: Indestructible cookies

Noah Mendelsohn wrote:
> Following up on [1], I note this [2]:
> "    evercookie is a javascript API available that produces
>     extremely persistent cookies in a browser. Its goal
>     is to identify a client even after they've removed standard
>     cookies, Flash cookies (Local Shared Objects or LSOs), and
>     others.
>     evercookie accomplishes this by storing the cookie data in
>     several types of storage mechanisms that are available on
>     the local browser. Additionally, if evercookie has found the
>     user has removed any of the types of cookies in question, it
>     recreates them using each mechanism available.
>     Specifically, when creating a new cookie, it uses the
>     following storage mechanisms when available:
>      - Standard HTTP Cookies
>      - Local Shared Objects (Flash Cookies)
>      - Storing cookies in RGB values of auto-generated, force-cached
>         PNGs using HTML5 Canvas tag to read pixels (cookies) back out
>      - Storing cookies in Web History (seriously. see FAQ)
>      - HTML5 Session Storage
>      - HTML5 Local Storage
>      - HTML5 Global Storage
>      - HTML5 Database Storage via SQLite"

There's an ETag method mentioned as well, which I've seen previously - 
basically a set URI is requested and a custom ETag is given in response 
to each request, then on the next request the ETag sent back in the 
If-Match header and used to re-associate a user with a server side 

To compound this an identifier can be sent in return to that request 
which is then passed back in a GET request to several other domains, 
which of course route to a central system.

Effectively all this means that unless everything is cleared, history, 
caches, local storage, plugins and all for every domain after every 
request then a user can be tracked over time and across different sites :(



Received on Thursday, 23 September 2010 11:47:05 UTC