[tor-talk] 12.7 percent of the domains I visit are intercepted by CloudFlare

Ben Tasker ben at bentasker.co.uk
Sun Apr 24 23:13:31 UTC 2016 

> I know little about Cloudflare's actual operation.  What's the
implication / danger of one entity setting  cookies on multiple or 1000's
of  sites?

In theory it shouldn't be an issue, so long as they can't somehow tie the
multiple cookies together.

The problem being there are a wide range of fingerprinting techniques they
could use to do just that. On the flipside though, if they're willing to go
to those lengths then the cookie doesn't add a huge amount of value to
their operation. The potential risks, really, are more a product of one
party being the endpoint for so many sites.

CF claim that cookie is used only to indicate you got past security -
https://support.cloudflare.com/hc/en-us/articles/200170156-What-does-the-CloudFlare-cfduid-cookie-do-
- which is _probably_ true.

If they were setting a third party cookie (e.g. with a domain of
nottrackingyou.cloudflare.com) it'd be a slightly different story, as
they'd then be able to track you across domains, based on that cookie.


> I've also read (true or not) that lots of sites sell customer / member
data on cookies & IPa's to tracking companies or advertisers.

They sure do. Some go even further -  a little while back Verizon decided
to add a unique (to the subscriber) HTTP header to any outgoing (mobile
IIRC) requests so that their advertising buddies could easily track their
users and generate some revenue. Completely transparent to the user, unless
you happen to take a PCAP at the other end, or visit somewhere that
displays the request headers it received from you.

It had the particularly "pleasant" side-effect, that if you deleted
cookies, when the advertising platform next saw you, it'd set a new one,
pull the UID out of the injected header and link your new ID to the old one.

Selling individual (first-party) cookie details isn't particularly worth
while, even for a large site, as advertisers generally see more profit in
profiling your behaviour as far across the net as possible. IP's are in a
similar position, though I suspect they have some value if you're able to
show one user always visits your site from IP 1.1.1.1 - indicating they
either use a single proxy as a matter of course, or they've got a static IP
on their home connection (ker-ching, easy tracking)



> Years ago, lots of sites didn't require cookies just to browse.  Now many
do - just to take a peek, or it won't work right.  Maybe that's because the
cookies can be turned into cash?

That's definitely a driver for some. But, back in the day, most sites were
static and users interaction was largely limited to reading. A lot of sites
today run on content management systems, so will set (at least) a session
cookie in case you try to do something that would require a statefulness
(even if there's nothing like that enabled on the site....). There's also
(IMO) an aspect of laziness/stupidity - you can find sites where the
developer has decided that controlling the theme and page layout is best
done by setting a shedload of cookies and then reading them back with
javascript.




On Sun, Apr 24, 2016 at 11:34 PM, Joe Btfsplk <joebtfsplk at gmx.com> wrote:

> On 4/23/2016 5:44 PM, Ben Tasker wrote:
>
>> My guess is it is set by abc.com, but the " name" of the cookie involves
>>>
>> "cloudflare?"
>>
>> Keep in mind that Cloudflare is essentially a glorified bunch of reverse
>> proxies. Because Cloudflare terminates your TCP connection to abc.com,
>> they're in a position to set cookies _as_ abc.com. So I'd fully expect
>> the
>> site name to be abc.com, though it's naughty of them. The browser won't
>> consider it thirdparty, because it isn't - it was set by abc.com. This
>> does
>> seem to be the case (picking a site that uses cloudflare randomly from a
>> list):
>>
>> $ GET -Ssed  http://absolutewealth.com | grep Set-Co
>> Set-Cookie: __cfduid=dfcadd8517f9edb7f6fd202c7152da9861461451390;
>> expires=Sun, 23-Apr-17 22:43:10 GMT; path=/; domain=.absolutewealth.com;
>> HttpOnly
>>
>>
>> What it does mean, though, is when you visit xyz.com, the browser won't
>> present the cookie set earlier by abc.com. So it's use in tracking across
>> domains is incredibly limited. Pretty useful for tracking return visits to
>> abc.com (and it's subdomains) though
>>
>> Ben
>>
>> I know little about Cloudflare's actual operation.  What's the
> implication / danger of one entity setting  cookies on multiple or 1000's
> of  sites?
> I've also read (true or not) that lots of sites sell customer / member
> data on cookies & IPa's to tracking companies or advertisers.  Maybe not
> names or credit cards, but...
>
> Years ago, lots of sites didn't require cookies just to browse.  Now many
> do - just to take a peek, or it won't work right.  Maybe that's because the
> cookies can be turned into cash?
> I'm startin me some websites.  Yee-haw!
>
>
>
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>



-- 
Ben Tasker
https://www.bentasker.co.uk

More information about the tor-talk mailing list