[tor-talk] 12.7 percent of the domains I visit are intercepted by CloudFlare
Joe Btfsplk
joebtfsplk at gmx.com
Sun Apr 24 22:34:02 UTC 2016
On 4/23/2016 5:44 PM, Ben Tasker wrote:
>> My guess is it is set by abc.com, but the "name" of the cookie involves
>> "cloudflare?"
>
> Keep in mind that Cloudflare is essentially a glorified bunch of reverse
> proxies. Because Cloudflare terminates your TCP connection to abc.com,
> they're in a position to set cookies _as_ abc.com. So I'd fully expect the
> site name to be abc.com, though it's naughty of them. The browser won't
> consider it third-party, because it isn't - it was set by abc.com. This does
> seem to be the case (picking a site that uses cloudflare randomly from a
> list):
>
> $ GET -Ssed http://absolutewealth.com | grep Set-Co
> Set-Cookie: __cfduid=dfcadd8517f9edb7f6fd202c7152da9861461451390;
> expires=Sun, 23-Apr-17 22:43:10 GMT; path=/; domain=.absolutewealth.com;
> HttpOnly
>
>
> What it does mean, though, is when you visit xyz.com, the browser won't
> present the cookie set earlier by abc.com. So its use in tracking across
> domains is incredibly limited. Pretty useful for tracking return visits to
> abc.com (and its subdomains) though
>
> Ben
>
I know little about Cloudflare's actual operation. What's the
implication / danger of one entity setting cookies on multiple or
1000's of sites?
I've also read (true or not) that lots of sites sell customer / member
data on cookies & IPa's to tracking companies or advertisers. Maybe not
names or credit cards, but...
Years ago, lots of sites didn't require cookies just to browse. Now
many do - just to take a peek, or it won't work right. Maybe that's
because the cookies can be turned into cash?
I'm startin me some websites. Yee-haw!
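
Added example, not part of either poster's message: a small Python model of the RFC 6265 domain-matching rule, applied to the Set-Cookie header quoted above, to show which hosts a browser would return that cookie to. The host www.absolutewealth.com and the function names are assumptions made for illustration, and public-suffix checks are left out.

```python
from ipaddress import ip_address

# Header as quoted in the thread above, with the mail line-wrapping removed.
SET_COOKIE = ("__cfduid=dfcadd8517f9edb7f6fd202c7152da9861461451390; "
              "expires=Sun, 23-Apr-17 22:43:10 GMT; path=/; "
              "domain=.absolutewealth.com; HttpOnly")

def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, domain):
    """RFC 6265 section 5.1.3: identical, or host is a subdomain of domain."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return not is_ip(host) and host.endswith("." + domain)

def store_cookie(header, request_host):
    """Parse a Set-Cookie header received from request_host.
    Returns the cookie's scope, or None if a browser would reject it."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    cookie = {"name": name, "value": value, "domain": request_host.lower(),
              "host_only": True, "http_only": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().lower()
        if key == "domain" and val:
            # A leading dot is ignored; a Domain attribute extends scope to subdomains.
            cookie["domain"] = val[1:] if val.startswith(".") else val
            cookie["host_only"] = False
        elif key == "httponly":
            cookie["http_only"] = True
    # A response may only set cookies for its own host or a parent domain of it.
    if not domain_match(request_host, cookie["domain"]):
        return None
    return cookie

def browser_sends(cookie, host):
    """Would the browser attach this stored cookie to a request for host?"""
    if cookie["host_only"]:
        return host.lower() == cookie["domain"]
    return domain_match(host, cookie["domain"])
```

Storing the header as received from absolutewealth.com and then calling browser_sends() for xyz.com returns False, while the bare domain and its subdomains return True; the same header arriving in a response from xyz.com is rejected outright.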