> I know little about Cloudflare's actual operation. What's the implication / danger of one entity setting cookies on multiple or 1000's of sites?
In theory it shouldn't be an issue, so long as they can't somehow tie the multiple cookies together. The problem being that there are a wide range of fingerprinting techniques they could use to do just that. On the flip side, though, if they're willing to go to those lengths then the cookie doesn't add a huge amount of value to their operation. The potential risks, really, are more a product of one party being the endpoint for so many sites.

CF claim that the cookie is used only to indicate you got past security - https://support.cloudflare.com/hc/en-us/articles/200170156-What-does-the-CloudFlare-cfduid-cookie-do- - which is _probably_ true. If they were setting a third-party cookie (e.g. with a domain of nottrackingyou.cloudflare.com) it'd be a slightly different story, as they'd then be able to track you across domains, based on that cookie.

> I've also read (true or not) that lots of sites sell customer / member data on cookies & IPa's to tracking companies or advertisers.

They sure do. Some go even further - a little while back Verizon decided to add a unique (to the subscriber) HTTP header to any outgoing (mobile, IIRC) requests so that their advertising buddies could easily track their users and generate some revenue. Completely transparent to the user, unless you happen to take a PCAP at the other end, or visit somewhere that displays the request headers it received from you. It had the particularly "pleasant" side-effect that if you deleted cookies, when the advertising platform next saw you, it'd set a new one, pull the UID out of the injected header and link your new ID to the old one.

Selling individual (first-party) cookie details isn't particularly worthwhile, even for a large site, as advertisers generally see more profit in profiling your behaviour as far across the net as possible. IPs are in a similar position, though I suspect they have some value if you're able to show one user always visits your site from IP 1.1.1.1 - indicating they either use a single proxy as a matter of course, or they've got a static IP on their home connection (ker-ching, easy tracking).

> Years ago, lots of sites didn't require cookies just to browse. Now many do - just to take a peek, or it won't work right. Maybe that's because the cookies can be turned into cash?

That's definitely a driver for some. But, back in the day, most sites were static and user interaction was largely limited to reading. A lot of sites today run on content management systems, so will set (at least) a session cookie in case you try to do something that would require statefulness (even if there's nothing like that enabled on the site....). There's also (IMO) an aspect of laziness/stupidity - you can find sites where the developer has decided that controlling the theme and page layout is best done by setting a shedload of cookies and then reading them back with JavaScript.

On Sun, Apr 24, 2016 at 11:34 PM, Joe Btfsplk <joebtfs...@gmx.com> wrote:
> On 4/23/2016 5:44 PM, Ben Tasker wrote:
>
>>> My guess is it is set by abc.com, but the "name" of the cookie involves
>>> "cloudflare?"
>>
>> Keep in mind that Cloudflare is essentially a glorified bunch of reverse
>> proxies. Because Cloudflare terminates your TCP connection to abc.com,
>> they're in a position to set cookies _as_ abc.com. So I'd fully expect the
>> site name to be abc.com, though it's naughty of them. The browser won't
>> consider it third-party, because it isn't - it was set by abc.com. This
>> does seem to be the case (picking a site that uses Cloudflare randomly from
>> a list):
>>
>> $ GET -Ssed http://absolutewealth.com | grep Set-Co
>> Set-Cookie: __cfduid=dfcadd8517f9edb7f6fd202c7152da9861461451390;
>> expires=Sun, 23-Apr-17 22:43:10 GMT; path=/; domain=.absolutewealth.com;
>> HttpOnly
>>
>> What it does mean, though, is when you visit xyz.com, the browser won't
>> present the cookie set earlier by abc.com. So its use in tracking across
>> domains is incredibly limited. Pretty useful for tracking return visits to
>> abc.com (and its subdomains) though.
>>
>> Ben
>>
> I know little about Cloudflare's actual operation. What's the
> implication / danger of one entity setting cookies on multiple or 1000's
> of sites?
> I've also read (true or not) that lots of sites sell customer / member
> data on cookies & IPa's to tracking companies or advertisers. Maybe not
> names or credit cards, but...
>
> Years ago, lots of sites didn't require cookies just to browse. Now many
> do - just to take a peek, or it won't work right. Maybe that's because the
> cookies can be turned into cash?
> I'm startin me some websites. Yee-haw!
>

-- 
Ben Tasker
https://www.bentasker.co.uk

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
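The two mechanisms discussed in the thread, as an added example that is not code from the original post, from Cloudflare or from Verizon: a minimal model of browser cookie scoping (RFC 6265 domain-match), enough to show why a cookie a reverse proxy sets _as_ absolutewealth.com is presented to that site and its subdomains but never to xyz.com, and why absolutewealth.com could not set a cookie scoped to cloudflare.com; and a toy tracker showing how a carrier-injected subscriber header lets it re-link a freshly issued cookie to the profile it held before the user cleared cookies. The Set-Cookie line is the one quoted in the thread; the host names xyz.com and ads.example, the header name X-UIDH-LIKE, and the AdPlatform logic are constructed for illustration.

```python
"""Added example: browser cookie scoping vs. a carrier-injected tracking header.

Constructed for illustration: xyz.com, ads.example, the X-UIDH-LIKE header
name and the AdPlatform logic. CF_SET_COOKIE is the header quoted in the thread."""

# Set-Cookie line quoted in the thread (Cloudflare __cfduid on absolutewealth.com).
CF_SET_COOKIE = ("__cfduid=dfcadd8517f9edb7f6fd202c7152da9861461451390; "
                 "expires=Sun, 23-Apr-17 22:43:10 GMT; path=/; "
                 "domain=.absolutewealth.com; HttpOnly")


def domain_matches(host, domain):
    """RFC 6265 s5.1.3 domain-match: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header, request_host):
    """Reduce a Set-Cookie header to (name, value, domain, host_only).

    Only the Domain attribute matters here; Path/Expires/HttpOnly are ignored.
    Like a browser, reject a Domain the responding host is not itself inside
    (absolutewealth.com may not set a cookie for cloudflare.com)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            domain = val.strip().lower().lstrip(".")
    if domain is None:                       # no Domain attribute: host-only cookie
        return (name, value, request_host.lower(), True)
    if not domain_matches(request_host, domain):
        raise ValueError("%s may not set a cookie for %s" % (request_host, domain))
    return (name, value, domain, False)


def can_set(header, request_host):
    """True if a browser would accept this Set-Cookie from request_host."""
    try:
        parse_set_cookie(header, request_host)
        return True
    except ValueError:
        return False


class CookieJar:
    """Cookies keyed on the host that set them, as a browser keys them,
    regardless of which top-level page caused the request."""

    def __init__(self):
        self.cookies = []                    # (name, value, domain, host_only)

    def store(self, header, request_host):
        name, value, domain, host_only = parse_set_cookie(header, request_host)
        self.cookies = [c for c in self.cookies if (c[0], c[2]) != (name, domain)]
        self.cookies.append((name, value, domain, host_only))

    def cookies_for(self, host):
        """The Cookie header a request to `host` would carry."""
        host = host.lower()
        return {name: value for name, value, domain, host_only in self.cookies
                if (domain == host if host_only else domain_matches(host, domain))}

    def clear(self):
        self.cookies = []


class AdPlatform:
    """Tracker served from ads.example (constructed). It keys profiles on its
    own 'adid' cookie but, given the injected subscriber header, re-links a
    newly issued cookie to the profile already known for that subscriber."""
    INJECTED_HEADER = "X-UIDH-LIKE"          # constructed name for the carrier header

    def __init__(self):
        self.counter = 0
        self.profile_by_cookie = {}
        self.profile_by_uid = {}

    def handle(self, jar, request_headers):
        """Process one request; return the profile the tracker attributes it to."""
        cookie_id = jar.cookies_for("ads.example").get("adid")
        uid = request_headers.get(self.INJECTED_HEADER)
        if cookie_id is None:                # no cookie: new user, or cookies deleted
            self.counter += 1
            cookie_id = "adid-%d" % self.counter
            profile = self.profile_by_uid.get(uid) if uid else None
            if profile is None:
                profile = "profile-%d" % self.counter
            self.profile_by_cookie[cookie_id] = profile
            jar.store("adid=%s; domain=ads.example" % cookie_id, "ads.example")
        profile = self.profile_by_cookie[cookie_id]
        if uid:                              # remember the subscriber -> profile link
            self.profile_by_uid[uid] = profile
        return profile


def first_party_scope_demo():
    """Which hosts receive the __cfduid cookie set by absolutewealth.com."""
    jar = CookieJar()
    jar.store(CF_SET_COOKIE, "absolutewealth.com")
    return tuple("__cfduid" in jar.cookies_for(h)
                 for h in ("absolutewealth.com", "www.absolutewealth.com", "xyz.com"))


def relinking_demo(carrier_injects):
    """Visit the tracker, delete all cookies, visit again: is the user re-identified?"""
    ads, jar = AdPlatform(), CookieJar()
    headers = {AdPlatform.INJECTED_HEADER: "sub-12345"} if carrier_injects else {}
    before = ads.handle(jar, headers)
    jar.clear()
    return ads.handle(jar, headers) == before


if __name__ == "__main__":
    print("cookie sent to (site, www, xyz.com):", first_party_scope_demo())
    print("re-identified after clearing, no injected header:", relinking_demo(False))
    print("re-identified after clearing, with injected header:", relinking_demo(True))
```

Running it shows the __cfduid cookie going to absolutewealth.com and www.absolutewealth.com but not xyz.com, and that clearing cookies defeats the tracker only when the carrier is not injecting the subscriber header.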