@campuscodi Yet another malicious browser feature that needs an extension to nuke. https://addons.mozilla.org/en-US/firefox/addon/etag-stoppa/

@dalias @campuscodi That extension is designed to protect users from being deanonymized via ETags sent from malicious servers to their browser.
This attack is different.
This is how I understand it, but I may be wrong:
- the adversary finds the onion server and notes down the ETag returned
- the adversary uses something like Shodan to find an exposed webserver which returns the same ETag
- same ETag = same content & same server
- so that IP is the IP of the onion
- now that we know the IP of the onion, we can do anything we could do to a clearnet server (send abuse reports, find where that server is, etc)
So this isn't deanonymizing the user, it is figuring out what server is hosting an onion domain (thus deanonymizing the server)

Hope this doesn't make this more confusing.
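
A defensive self-check for the correlation described in this post, as an added example that is not part of the thread: it compares response headers an operator captured from their own onion listener and from their own public IP, and reports validators that match on both. The function names and all sample responses are constructed for illustration.

```python
# Added example (not from the thread). All sample responses are constructed.
# Headers that act as content validators and so can link two listeners.
VALIDATORS = ("etag", "last-modified")

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into {lowercased-name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def normalize_etag(value: str) -> str:
    """Drop the weak-validator prefix and quotes so W/"abc" compares equal to "abc"."""
    v = value.strip()
    if v.startswith("W/"):
        v = v[2:]
    return v.strip('"')

def shared_validators(onion_raw: str, clearnet_raw: str) -> dict:
    """Return the validator headers whose values match on both listeners."""
    onion, clear = parse_headers(onion_raw), parse_headers(clearnet_raw)
    hits = {}
    for name in VALIDATORS:
        a, b = onion.get(name), clear.get(name)
        if a is None or b is None:
            continue
        if name == "etag":
            a, b = normalize_etag(a), normalize_etag(b)
        if a == b:
            hits[name] = a
    return hits

# Constructed capture from the operator's own onion address.
ONION = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
         'ETag: "64f0c2a1-2d3"\r\n'
         "Last-Modified: Thu, 31 Aug 2023 16:40:01 GMT\r\n\r\n")
# Constructed capture from the same machine's public IP (same content served).
CLEARNET_EXPOSED = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                    'ETag: W/"64f0c2a1-2d3"\r\n'
                    "Last-Modified: Thu, 31 Aug 2023 16:40:01 GMT\r\n\r\n")
# Constructed capture after the site is no longer served on the public IP.
CLEARNET_FIXED = "HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    print("exposed:", shared_validators(ONION, CLEARNET_EXPOSED))
    print("fixed:  ", shared_validators(ONION, CLEARNET_FIXED))
```

An empty result means only that these two validators no longer link the listeners; other response details can still match if the same content is reachable on the public IP.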

@iampytest1 @campuscodi Yes, thanks for clarifying that. I just find it an infuriating new tracking vector that was added with no opt-out (much less opt-in) and that has zero value to us as users, and wouldn't have known about it if not for its role (albeit in a reciprocal direction) in the above attack.

@iampytest1 @campuscodi I'm pretty sure this ETag bs bypasses firstparty-isolate to let cross-site embedded resources reidentify you from one site they're embedded on to another. 🤬

If so, that makes it a threat to Tor Browser users in that sense too.

@dalias I'm not sure that's quite right. ETag is _old_, from HTTP/1.1 in the 90s, not some new tracking mechanism; it's for validating the freshness of content from a URL without needing to download it again, for caches and browsers, even if the bandwidth saving isn't as relevant today as it was when most people were on 56kbps links. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag

@raven667 If-Modified-Since can do that without tracking (assuming client limits resolution of timestamp). WTF was the point of this except gratuitous tracking vector?

@iampytest1 @dalias @campuscodi So basically this is the same old "don't expose #darknet servers to the #clearnet" thing?

I'd be wary of even reusing the same server across different #darknets, and spinning up a VM for each is cheap enough, with little enough hassle, that there's really no good reason not to do it.

#Anonymization #DeAnonymization

@iampytest1 @dalias @campuscodi Why was the server exposed to clearnet? Doesn't that almost completely defeat the point of hosting on the Tor network?