In-Reply-To: <571BF566.4010200@gmx.com>
References: <1461417342.6149.17.camel@pentium.freedom.box>
 <571BC6FE.5080205@gmx.com>
 <1461441264.6149.45.camel@pentium.freedom.box>
 <571BF566.4010200@gmx.com>
Date: Sat, 23 Apr 2016 23:44:35 +0100
Message-ID: <CABMkiz6J4=4Day4EQ=X045EBa5O0YKxkxgZHA0wrMHKg430f3A@mail.gmail.com>
From: Ben Tasker <ben@bentasker.co.uk>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] 12.7 percent of the domains I visit are intercepted
	by CloudFlare

> My guess is it is set by abc.com, but the " name" of the cookie involves
> "cloudflare?"

Keep in mind that Cloudflare is essentially a glorified bunch of reverse
proxies. Because Cloudflare terminates your TCP connection to abc.com,
they're in a position to set cookies _as_ abc.com. So I'd fully expect the
site name to be abc.com, though it's naughty of them. The browser won't
consider it third-party, because it isn't - it was set by abc.com. This does
seem to be the case (picking a site that uses cloudflare randomly from a
list):

$ GET -Ssed  http://absolutewealth.com | grep Set-Co
Set-Cookie: __cfduid=dfcadd8517f9edb7f6fd202c7152da9861461451390;
expires=Sun, 23-Apr-17 22:43:10 GMT; path=/; domain=.absolutewealth.com;
HttpOnly


What it does mean, though, is when you visit xyz.com, the browser won't
present the cookie set earlier by abc.com. So its use in tracking across
domains is incredibly limited. Pretty useful for tracking return visits to
abc.com (and its subdomains) though.

Ben

On Sat, Apr 23, 2016 at 11:21 PM, Joe Btfsplk <joebtfsplk@gmx.com> wrote:

> On 4/23/2016 2:54 PM, Rob van der Hoeven wrote:
>
>> On Sat, 2016-04-23 at 14:03 -0500, Joe Btfsplk wrote:
>>
>>> On 4/23/2016 8:15 AM, Rob van der Hoeven wrote:
>>>
>>>> Hi,
>>>>
>>>> Today I got an idea of how to measure "The CloudFlare problem". It turns
>>>> out that every time you visit a website that's behind CloudFlare a
>>>> cookie is set with the name __cfduid
>>>>
>>>> If you use Firefox these cookies end up in a SQLite database which can
>>>> be queried with the SQLite Manager add-on. My total number of cookies is
>>>> 2523 (I disable third-party cookies by default). CloudFlare cookies:
>>>> 321. So 321/2523 *100 = 12.7% of the domains I have visited are
>>>> monitored by CloudFlare. Quite shocking I think.
>>>>
>>>> Rob.
>>>> https://hoevenstein.nl
>>>>
>>>>
>>> Are you saying using TBB, cloudflare sets cookies withOUT either
>>> checking "accept cookies from sites;"
>>> or entering an exception for their domain in TBB's cookie exceptions;
>>> or when in Options > Privacy - "Accept 3rd party cookies" = Never?
>>>
>> I am not using TBB. Sorry I was not clear about this. I use the normal
>> Firefox, enhanced with NoScript, Adblock Plus etc. I changed the privacy
>> settings so that "Accept cookies from sites" is allowed, but "Accept
>> third-party cookies" is set to "Never".
>>
>> Now the interesting (nasty) properties of CloudFlare cookies are:
>>
>> 1) They are not coming from the CloudFlare domain, but from the domain
>> you are visiting. If you surf to abcdef.com and that site uses
>> CloudFlare then the CloudFlare cookie is set for the abcdef.com domain.
>> CloudFlare clearly is a third-party, but their cookies can not be
>> disabled by refusing third-party cookies.
>>
>> 2) Many of *my* CloudFlare cookies have an expiration date of 23 dec
>> 2019. These are clearly meant to be tracking cookies.
>>
>
> Technically, this isn't a Firefox discussion or support list, but...
> My guess is it is set by abc.com, but the " name" of the cookie involves
> "cloudflare?"
> What does it show under the "site" column - viewing the cookies? Does it
> show it came from Cloudflare site?
> Post the name of site & cookie name.
>
> You can check in about:config for pref:
> network.cookie.thirdparty.sessionOnly.  It should be set to False to reject
> 3rd party cookies.
>
> On Disney.com, they set a cookie named
> "HumanClickSiteContainerID_88830415" but the SITE name shown for it is
> Disney.com.
> It's true - there's always a 1st for everything.
>
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>



-- 
Ben Tasker
https://www.bentasker.co.uk
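
Added example, not part of the thread or any poster's code: a Python version of the cookie-jar measurement discussed above. It shows that each __cfduid row is stored under the visited site's own host, and reports the share per cookie and per distinct host. The in-memory table is a constructed stand-in for Firefox's cookies.sqlite; the moz_cookies columns host, name and expiry, expiry being Unix seconds, and all .example hosts are assumptions of this sketch.

```python
import sqlite3
from datetime import datetime, timezone

COOKIE_NAME = "__cfduid"  # cookie name reported in the thread

def build_sample_jar():
    """Constructed stand-in for a Firefox cookies.sqlite: a moz_cookies
    table cut down to the three columns this audit reads."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, expiry INTEGER)")
    db.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?)", [
        (".abc.example", "__cfduid", 1577059200),  # expires 2019-12-23 UTC
        ("abc.example",  "session",  1461456000),
        (".xyz.example", "__cfduid", 1492987390),  # expires 2017-04-23 UTC
        ("news.example", "sid",      1461456000),
        ("shop.example", "cart",     1461456000),
        ("shop.example", "lang",     1461456000),
        ("blog.example", "theme",    1461456000),
    ])
    return db

def audit(db, name=COOKIE_NAME):
    """Share of cookies, and of distinct hosts, that carry `name`."""
    one = lambda sql, *args: db.execute(sql, args).fetchone()[0]
    total_cookies = one("SELECT COUNT(*) FROM moz_cookies")
    named_cookies = one("SELECT COUNT(*) FROM moz_cookies WHERE name = ?", name)
    # Domain cookies are stored with a leading dot; strip it so that
    # ".abc.example" and "abc.example" count as one host.
    total_hosts = one("SELECT COUNT(DISTINCT LTRIM(host, '.')) FROM moz_cookies")
    rows = db.execute(
        "SELECT LTRIM(host, '.') AS h, MAX(expiry) FROM moz_cookies "
        "WHERE name = ? GROUP BY h ORDER BY h", (name,)).fetchall()
    # The host column is the visited site itself, never a Cloudflare domain.
    hosts = [(h, datetime.fromtimestamp(exp, tz=timezone.utc).date().isoformat())
             for h, exp in rows]
    return {
        "cookie_share_pct": round(100 * named_cookies / total_cookies, 1),
        "host_share_pct": round(100 * len(hosts) / total_hosts, 1),
        "hosts": hosts,
    }

if __name__ == "__main__":
    print(audit(build_sample_jar()))
```

To run it on a real profile, pass audit() a connection to a copy of that profile's cookies.sqlite. Hosts are counted as stored, so subdomains of one site count separately.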

