Last time we got some hints about a cookieless cookie test. Some JonDonym users were afraid of being tracked by the test with ETags and wanted to know our opinion about the Firefox add-on Self-Destructing Cookies, which is promoted on the website.
In short: it is a fake test, and the add-on Self-Destructing Cookies is more or less useless.
The Cookieless Cookie Test
On the test page you can find a short description. The author claims that he does not use cookies, JavaScript, LocalStorage, Flash, Java or other plugins, the IP address, the user agent string or any of the methods employed by Panopticlick. He claims that he uses only ETags from the browser cache for the tracking demonstration.
Let's run a test. I used JonDoFox+JonDo and opened the page:
    Number of visits: 1
    Stored text: <empty>
Ok - let's reload the page:
    Number of visits: 2
    Stored text: <empty>
I stored a small text and clicked the "Store" button:
    Number of visits: 3
    Stored text: <my text>
I closed JonDoFox, opened it again and loaded the test page:
    Number of visits: 4
    Stored text: <my text>
What the fuck! You want to tell me you can track JonDoFox by using ETags? Bullshit! Let's do a moose test and change the IP address. The author claims that he does not use the IP address, only ETags from the browser cache. I switched the mix cascade and reloaded the test with a new IP address, without a browser restart and without clearing the cache. If the test were really able to track my browser, I should have seen "5" visits and my text, but I got:
    Number of visits: 2
    Stored text: <empty>
Ok - after some more tests and logging the HTTP headers it was clear: the test uses the IP address and the user agent for session tracking, not ETags. Whether an ETag was sent or not did not affect the test result. The author's claims are lies; it is a fake test.
Firefox add-on "Self-Destructing Cookies"
The main goal of the cookieless cookie test is the promotion of the Firefox add-on Self-Destructing Cookies. It is supposed to protect you from tracking by cookieless cookies. To test the add-on I created a fresh Firefox profile, tried to install the add-on and got an error message: "not for your operating system". Fuck! But I found a laptop with a supported operating system and installed the add-on for a test.
At first I tested the add-on with our Anonymity Test. The add-on works as expected: it removes cookies and ETags when Firefox is closed or when the browser tab is closed. It does not protect the surfer from third-party tracking with ETags while the tab stays open.
Firefox offers the same protection by default, without add-ons. You can delete cookies and ETags at shutdown via the configuration settings, and you can delete cookies and ETags while surfing by pressing CTRL-SHIFT-DEL. It is not necessary to close the browser tab.
JonDoFox and JonDoBrowser offer much better protection against tracking with ETags.
Afterwards I tested the add-on with the cookieless cookie test page. For my first visit I got:
    Number of visits: 1
    Stored text: <empty>
After reloading the page I got:
    Number of visits: 1
    Stored text: <empty>
Reload ... reload ... reload:
    Number of visits: 1
    Stored text: <empty>
This result is very strange, because the add-on does not protect against tracking with ETags if you do not close the browser tab. To be sure I logged the HTTP headers. The HTTP request sent by the browser for the tracking image was:
    GET http://lucb1e.com/rp/cookielesscookies/etags.jpg HTTP/1.1
    Host: lucb1e.com
    User-Agent: ....
    ...
    Referer: http://lucb1e.com/rp/cookielesscookies/
    Connection: keep-alive
    If-Modified-Since: Sat, 17 Aug 2013 16:37:37 GMT
    If-None-Match: "6185-4e427532a9640"
    Cache-Control: max-age=0
The web server responded with:
    HTTP/1.0 304 Not Modified
    Date: Wed, 23 Oct 2013 21:05:44 GMT
    Server: Apache
    ETag: "6185-4e427532a9640"
    X-Cache: MISS from none
    Connection: keep-alive
    Proxy-Connection: keep-alive
Ok - the ETag was sent back to the server in the If-None-Match header and the server recognized it (304 Not Modified), so there is no tracking protection in this case. The test page shows a wrong, fake result. It seems the test page can detect the installed add-on and shows a wrong, fake result when it is present.
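The header check above can be repeated mechanically. The following is an added example (not code from the post or from the add-on): it parses a logged request/response pair and reports whether the browser echoed an ETag that the server answered with 304; the header values are the ones logged above, the function names are my own.

```python
"""Check a logged HTTP exchange for an echoed ETag (added example, not the post's code).
Parses request/response header text as captured with a logging proxy and reports whether
the browser sent an If-None-Match the server answered with 304, i.e. a cookieless identifier."""

def parse_headers(raw):
    """Split a raw header block into (start line, {lower-case name: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def etag_values(header_value):
    """Normalise an If-None-Match header: split the list, drop weak 'W/' prefixes."""
    if header_value is None:
        return set()
    tags = (t.strip() for t in header_value.split(","))
    return {t[2:] if t.startswith("W/") else t for t in tags if t}

def etag_tracking_check(request_raw, response_raw):
    """Return what the browser sent, what the server returned and whether they matched."""
    _, req = parse_headers(request_raw)
    status_line, resp = parse_headers(response_raw)
    status = int(status_line.split()[1])
    sent = etag_values(req.get("if-none-match"))
    returned = resp.get("etag")
    # Only a 304 carrying an ETag the browser sent proves the server recognised the cached copy.
    recognized = status == 304 and returned is not None and returned in sent
    return {"etag_sent": sorted(sent), "etag_returned": returned,
            "status": status, "identifier_recognized": recognized}

# Constructed samples: the header values are the ones logged in the post; the elided
# User-Agent and Referer lines are left out.
REQUEST = """GET http://lucb1e.com/rp/cookielesscookies/etags.jpg HTTP/1.1
Host: lucb1e.com
If-Modified-Since: Sat, 17 Aug 2013 16:37:37 GMT
If-None-Match: "6185-4e427532a9640"
Cache-Control: max-age=0"""
RESPONSE = """HTTP/1.0 304 Not Modified
Date: Wed, 23 Oct 2013 21:05:44 GMT
Server: Apache
ETag: "6185-4e427532a9640"
Connection: keep-alive"""
CLEAN_REQUEST = "GET http://lucb1e.com/rp/cookielesscookies/etags.jpg HTTP/1.1\nHost: lucb1e.com"  # cache cleared
CLEAN_RESPONSE = 'HTTP/1.0 200 OK\nETag: "6185-4e427532a9640"'
if __name__ == "__main__":
    for pair in ((REQUEST, RESPONSE), (CLEAN_REQUEST, CLEAN_RESPONSE)):
        print(etag_tracking_check(*pair))
```

The first pair reports identifier_recognized True, the second False: a browser whose cache was really cleared sends no validator at all.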
It may be interesting to check the code of the add-on. Why was it not possible to implement a portable solution running on all operating systems for the simple task the add-on performs? I don't have time for fun, but maybe someone else will have a look at the code...