Hacker News new | ask | show | jobs
by bolder88 4611 days ago
No, we shouldn't bother trying to plug those leaks.

Current situation:

  * You request website A, which includes 3rd party code from C. C drops a cookie
  * You request website B, which includes 3rd party code from C. C knows you previously visited A.
New situation:

  * You request website A, which includes 3rd party code from C. Website A sends details of your visit via a backchannel to C.
  * You request website B, which includes 3rd party code from C. Websites B sends details of your visit via backchannels, and C knows you previously visited A.
Wouldn't you rather such tracking to be out in the open and easily blocked - stop accepting cookies, rather than them creating backchannels to track you instead?

Yes - You should give up if you think you will able to continue sending websites HTTP requests directly, whilst not being tracked.
3 comments
jrochkind1 4611 days ago
I'm not sure. Those backchannels would be enormously more expensive and technically challenging for the commercial entities to do right.

So, yeah, I see your point, but maybe I _would_ rather make it much more expensive to do that, and much harder for them to do it succesfully rather than messing up a technical detail.

On the other hand, I guess eventually they'd get it right in commodity software that everyone can use. Eventually.

Really, I don't know why anyone that wants to do the kind of tracking we're talking about is using cookies anyway, instead of user-agent fingerprints that have been shown to be pretty much unique anyway. So the cookies is perhaps all a distraction. The browser makers don't need to invent a new cookie-less browser fingerprint tracking system, they've already got it with the over-specialized user-agents.

link
paulgb 4611 days ago
If you block third-party cookies, C has no longer has a reliable way to know that you are the same visitor on both requests. (Unless you're suggesting that C is stuffing a UID in the cache or something?)
link
gcb0 4611 days ago
C can already infer that. Google probably does that on their free CDN stuff.

you have unique combination of IP+UserAgent+extra Headers. That is enough. A and B does not even have to send anything. And this will continue to work even without cookies.

link
icebraining 4611 days ago
Requiring an IP address already eliminates cross-network tracking. For example, lots of people browse both on their PC on a cable/fiber connection and on their phone/tablet on 3G, with different IPs. They also often browse from their work network (yet another IP).

Same with User Agent: not useful if you're using Chrome on your laptop and Safari on your phone.

link
gcb0 4611 days ago
This move is to prevent you from being tracked against website A and B will.

For example, google provides jquery CDN. website A and B uses that to save some cents on bandwidth. Google now knows you visited which pages on website A and B. and if A was a backpack store and B was a pressure cooker review, expect the NSA :D

link