- From: Nathan <nathan@webr3.org>
- Date: Thu, 23 Sep 2010 11:46:01 +0100
- To: Noah Mendelsohn <nrm@arcanedomain.com>
- CC: "www-tag@w3.org" <www-tag@w3.org>, Ashok Malhotra <ashok.malhotra@oracle.com>

Noah Mendelsohn wrote:
> Following up on [1], I note this [2]:
>
> " evercookie is a javascript API available that produces
> extremely persistent cookies in a browser. Its goal
> is to identify a client even after they've removed standard
> cookies, Flash cookies (Local Shared Objects or LSOs), and
> others.
>
> evercookie accomplishes this by storing the cookie data in
> several types of storage mechanisms that are available on
> the local browser. Additionally, if evercookie has found the
> user has removed any of the types of cookies in question, it
> recreates them using each mechanism available.
>
> Specifically, when creating a new cookie, it uses the
> following storage mechanisms when available:
> - Standard HTTP Cookies
> - Local Shared Objects (Flash Cookies)
> - Storing cookies in RGB values of auto-generated, force-cached
> PNGs using HTML5 Canvas tag to read pixels (cookies) back out
> - Storing cookies in Web History (seriously. see FAQ)
> - HTML5 Session Storage
> - HTML5 Local Storage
> - HTML5 Global Storage
> - HTML5 Database Storage via SQLite"

There's an ETag method mentioned as well, which I've seen previously - basically a set URI is requested and a custom ETag is given in response to each request, then on the next request the ETag is sent back in the If-Match header and used to re-associate a user with a server side identifier.

To compound this an identifier can be sent in return to that request which is then passed back in a GET request to several other domains, which of course route to a central system.

Effectively all this means that unless everything is cleared, history, caches, local storage, plugins and all for every domain after every request then a user can be tracked over time and across different sites :(

Best,

Nathan

Received on Thursday, 23 September 2010 11:47:05 UTC
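
An added example, not part of the original message: one way an auditor could spot the per-client ETag pattern described above is to fetch the same resources from several clean browser profiles and flag any resource whose body is byte-identical while its ETag differs for every profile. The observation format, hosts, ETag values and hashes below are constructed assumptions.

```javascript
// Constructed observations: one response per fresh browser profile (empty
// cache, no cookies). Hosts, ETags and body hashes are made-up sample values.
const SAMPLE = [
  { client: 'p1', url: 'https://cdn.example/logo.png',  etag: '"5d8c72a5"',   bodyHash: 'aa11' },
  { client: 'p2', url: 'https://cdn.example/logo.png',  etag: 'W/"5d8c72a5"', bodyHash: 'aa11' },
  { client: 'p3', url: 'https://cdn.example/logo.png',  etag: '"5d8c72a5"',   bodyHash: 'aa11' },
  { client: 'p1', url: 'https://stats.example/t.gif',   etag: '"u-7f3a9c01"', bodyHash: 'bb22' },
  { client: 'p2', url: 'https://stats.example/t.gif',   etag: '"u-19be44d2"', bodyHash: 'bb22' },
  { client: 'p3', url: 'https://stats.example/t.gif',   etag: '"u-c05512aa"', bodyHash: 'bb22' },
  // Content really changed between fetches, so a new ETag is expected here.
  { client: 'p1', url: 'https://news.example/feed.xml', etag: '"v41"',        bodyHash: 'cc33' },
  { client: 'p2', url: 'https://news.example/feed.xml', etag: '"v42"',        bodyHash: 'dd44' },
];

// Strip the weak-validator prefix and the quotes so W/"x" and "x" compare equal.
function normalizeEtag(etag) {
  return etag.replace(/^W\//, '').replace(/^"|"$/g, '');
}

// Group responses by (URL, body hash). An ETag is meant to validate content,
// so identical content should carry one ETag; if every clean client received
// a different one, the header is carrying a per-client value.
function findEtagIdentifiers(observations, minClients = 2) {
  const groups = new Map();
  for (const o of observations) {
    if (!o.etag) continue; // no validator, nothing to compare
    const key = `${o.url}\n${o.bodyHash}`;
    if (!groups.has(key)) groups.set(key, { url: o.url, byClient: new Map() });
    groups.get(key).byClient.set(o.client, normalizeEtag(o.etag));
  }
  const findings = [];
  for (const { url, byClient } of groups.values()) {
    const distinct = new Set(byClient.values());
    if (byClient.size >= minClients && distinct.size === byClient.size) {
      findings.push({ url, clients: byClient.size, etags: [...distinct] });
    }
  }
  return findings;
}

console.log(findEtagIdentifiers(SAMPLE));
```

Servers behind a load balancer that derive ETags from per-host file metadata can produce the same signal, so a finding is a lead to inspect rather than proof; raising `minClients` reduces that noise.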