
Re: Evercookie: Indestructible cookies

From: Nathan <nathan@webr3.org>
Date: Thu, 23 Sep 2010 11:46:01 +0100
Message-ID: <4C9B2FE9.2020309@webr3.org>
To: Noah Mendelsohn <nrm@arcanedomain.com>
CC: "www-tag@w3.org" <www-tag@w3.org>, Ashok Malhotra <ashok.malhotra@oracle.com>
Noah Mendelsohn wrote:
> Following up on [1], I note this [2]:
> 
> "    evercookie is a javascript API available that produces
>     extremely persistent cookies in a browser. Its goal
>     is to identify a client even after they've removed standard
>     cookies, Flash cookies (Local Shared Objects or LSOs), and
>     others.
> 
>     evercookie accomplishes this by storing the cookie data in
>     several types of storage mechanisms that are available on
>     the local browser. Additionally, if evercookie has found the
>     user has removed any of the types of cookies in question, it
>     recreates them using each mechanism available.
> 
>     Specifically, when creating a new cookie, it uses the
>     following storage mechanisms when available:
>      - Standard HTTP Cookies
>      - Local Shared Objects (Flash Cookies)
>      - Storing cookies in RGB values of auto-generated, force-cached
>         PNGs using HTML5 Canvas tag to read pixels (cookies) back out
>      - Storing cookies in Web History (seriously. see FAQ)
>      - HTML5 Session Storage
>      - HTML5 Local Storage
>      - HTML5 Global Storage
>      - HTML5 Database Storage via SQLite"

There's an ETag method mentioned as well, which I've seen previously - 
basically a set URI is requested and a custom ETag is given in response 
to each request; then on the next request the ETag is sent back in the 
If-Match header and used to re-associate a user with a server-side 
identifier.

To compound this, an identifier can be sent in return to that request, 
which is then passed back in a GET request to several other domains, 
which of course route to a central system.

Effectively, all this means that unless everything is cleared (history, 
caches, local storage, plugins and all) for every domain after every 
request, a user can be tracked over time and across different sites :(

Best,

Nathan
Received on Thursday, 23 September 2010 11:47:05 UTC
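The ETag round trip Nathan describes leaves a detectable signature: a genuine cache validator is derived from the response bytes, so an ETag that differs per client on byte-identical content is being used as an identifier. The example below is added here and is not code from the thread or from evercookie; the `example.invalid` URLs and the response records are constructed, and the second function shows the usual proxy-side mitigation of dropping conditional-request headers toward third-party hosts.

```python
import hashlib
from collections import defaultdict

# Constructed sample: the same URLs fetched by several fresh client
# profiles (no cookies, empty cache), as a crawler or privacy proxy would
# observe them. Each record is (url, client_id, etag_header, response_body).
SAMPLE_RESPONSES = [
    ("https://example.invalid/static/logo.png", "c1", '"9f3a7c2e1b4d5e6f"', b"PNG-BYTES-1"),
    ("https://example.invalid/static/logo.png", "c2", '"0a1b2c3d4e5f6a7b"', b"PNG-BYTES-1"),
    ("https://example.invalid/static/logo.png", "c3", '"7e6d5c4b3a291807"', b"PNG-BYTES-1"),
    ("https://example.invalid/static/app.js", "c1", '"a1b2c3"', b"console.log(1)"),
    ("https://example.invalid/static/app.js", "c2", '"a1b2c3"', b"console.log(1)"),
    ("https://example.invalid/static/app.js", "c3", '"a1b2c3"', b"console.log(1)"),
]


def find_tracking_etags(responses):
    """Return {url: sorted ETags} for URLs whose ETag is unique per client
    although every client received byte-identical content. A validator
    computed from the content would be the same for the same bytes, so
    per-client variation on identical bodies is the tracking signature."""
    by_url = defaultdict(list)
    for url, client, etag, body in responses:
        by_url[url].append((client, etag, hashlib.sha256(body).hexdigest()))
    flagged = {}
    for url, rows in by_url.items():
        distinct_bodies = {body_hash for _, _, body_hash in rows}
        distinct_etags = {etag for _, etag, _ in rows}
        if len(rows) >= 2 and len(distinct_bodies) == 1 and len(distinct_etags) == len(rows):
            flagged[url] = sorted(distinct_etags)
    return flagged


def strip_conditional_headers(request_headers, request_host, first_party_host):
    """Mitigation a privacy proxy or extension can apply: never send
    If-None-Match / If-Match to a third-party host, so a validator handed
    out by that host cannot be echoed back as an identifier. The cost is
    that third-party resources are re-downloaded instead of revalidated."""
    if request_host == first_party_host:
        return dict(request_headers)
    return {name: value for name, value in request_headers.items()
            if name.lower() not in ("if-none-match", "if-match")}


if __name__ == "__main__":
    print(find_tracking_etags(SAMPLE_RESPONSES))
    print(strip_conditional_headers({"If-None-Match": '"abc"', "Accept": "*/*"},
                                    "tracker.invalid", "site.invalid"))
```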
