by Karl Denninger, Market Ticker:
Folks, cut the crap ok?
I know what you’re thinking — I’ll just turn off “third party cookies” and all will be ok (in relation to my previous article.)
Incidentally, that is not the default for Chrome and other browsers. Gee, I wonder why? Who runs all sorts of third-party ad networks again?
But that aside this doesn’t work.
The reason is an HTTP field called an “Etag.”
Etags, along with expiration dates and “If-Modified-Since”, allow a browser to quickly check with a host whether or not content has changed, without re-downloading it. Let’s say you get an image on the web. Later, you go back to the same page and the same image is there, since it has not changed. If the image is still in your cache it is very wasteful to send the whole thing again — which could be several megabytes. Instead, if it hasn’t changed, you can just display what’s in the cache.
Well, to know that, you need to know if the resource changed on the server end. There are two ways to do this — using a date stamp, and using what’s called an “Etag.”
The latter can be attached to any resource, although it’s usually attached to images. The server sends down an Etag: field in the HTTP headers along with the image, and the value of that field is an opaque identifier. In other words, the browser does not care what the string is; it doesn’t represent a time, date, or anything other than a promise from the server that it shall change if the content has changed and needs to be re-sent.
If this sounds like a cookie, that’s because it can be abused to become one, and unlike cookies you cannot shut it off!
So let’s say you disable third-party cookies. Fine, you think. Nope.
I have a “Like” button. Said button has an image. That image is the finger pointing up, of course, and you must transfer it at least once. I send an Etag with it, but instead of it being a change index it’s unique to you!
Now, every single time you request the button you send the Etag for the image. If it hasn’t changed (and it basically never will, right — it’s an upturned finger!) I send back “Not modified”. Except… I just pinned that access to the page to you, personally, and you have third-party cookies turned off!
So I send back “Not modified” but you just told me who you are, what web page you were viewing, and your browser ID and IP address.
I get all of this for every page you visit where such a button or function is present even if you never use it.
Oh by the way this works with beacons of course, since they’re 1-pixel transparent images. And no, I wasn’t the first to figure this one out many years ago, and it’s been known and in active use on the web for a long time.
The premise that blocking third-party cookies prevents these folks from being able to figure out who you are and what arbitrary web content you are viewing is false! Nice switch Mr. Browser writer, too bad it doesn’t solve the problem!
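One way to check for the per-visitor Etags described above, as an added example that is not part of the original article: fetch the same pages from two fresh browser profiles and flag any resource whose bytes are identical but whose Etag differs. The capture format, hosts and values are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample: responses recorded by two fresh browser profiles (empty
# cache, no cookies) loading the same pages. Hosts and values are made up.
CAPTURES = [
    {"profile": "A", "url": "https://widgets.example/like.png", "etag": '"u-7f3a91c2"', "body": b"\x89PNG-thumb"},
    {"profile": "B", "url": "https://widgets.example/like.png", "etag": '"u-02bd44e7"', "body": b"\x89PNG-thumb"},
    {"profile": "A", "url": "https://cdn.example/logo.png", "etag": '"5e1c-2a"', "body": b"\x89PNG-logo"},
    {"profile": "B", "url": "https://cdn.example/logo.png", "etag": '"5e1c-2a"', "body": b"\x89PNG-logo"},
    {"profile": "A", "url": "https://news.example/front.jpg", "etag": '"v1"', "body": b"JPEG-morning"},
    {"profile": "B", "url": "https://news.example/front.jpg", "etag": '"v2"', "body": b"JPEG-evening"},
]


def normalize(etag):
    """Drop the weak-validator prefix so W/"x" and "x" compare equal."""
    return etag[2:] if etag.startswith("W/") else etag


def find_per_client_etags(captures):
    """Return {url: [etags]} where the body is byte-identical across profiles
    but the Etag is not. An honest validator changes only when content changes.
    Caveat: server farms that derive Etags from inode or mtime can also trip
    this, so repeat the fetch before drawing a conclusion."""
    seen = defaultdict(lambda: defaultdict(set))  # url -> body hash -> {(profile, etag)}
    for c in captures:
        if not c.get("etag"):
            continue  # no validator sent, nothing to replay on the next visit
        digest = hashlib.sha256(c["body"]).hexdigest()
        seen[c["url"]][digest].add((c["profile"], normalize(c["etag"])))

    flagged = {}
    for url, by_body in seen.items():
        for pairs in by_body.values():
            profiles = {p for p, _ in pairs}
            etags = {e for _, e in pairs}
            if len(profiles) > 1 and len(etags) > 1:
                flagged[url] = sorted(etags)
    return flagged


if __name__ == "__main__":
    for url, etags in find_per_client_etags(CAPTURES).items():
        print("per-client Etag:", url, etags)
```

A flagged value is what the browser would replay in its If-None-Match request header on every later visit, which is why clearing the cache (not just cookies) is what resets it.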