$ fingerprint@info:~ echo $ETAG-FINGERPRINTING
The ETag HTTP response header is an identifier for a specific version of a resource. It allows caches to be more efficient and saves bandwidth, as a web server does not need to send a full response if the content has not changed. For more details, see e.g. the MDN web docs.
The client sends a request to the server to receive a specific resource. The server sends back the requested resource together with the ETag, a string chosen arbitrarily by the server and, in the case of tracking, a unique tracking ID.
As specified in RFC 7232, the client, i.e. the browser, saves the resource together with the received ETag in the browser cache.
As long as this data exists in the cache, each time a request for this resource is made, the client sends the corresponding cached ETag to the server to ask for content changes.
The difference between ETag tracking and the regular use case of an ETag is the following:
The server sends each client a different ETag, although the clients requested the same resource.
In addition, the server may not inform the client whether the content of a resource changed.
For ETag tracking it is only important that the client automatically sends the ETag (tracking ID) to the server.
ETag Tracking, as a passive fingerprinting technique, only relies on a server-side scripting language and thus
does not need any additional methods. This means tracking works notably without:
In this demo implementation, ETag tracking is implemented without any additional files (pixel, regular images, ...). The ETag is set for this website itself.
ETag fingerprinting relies on the browser cache, which in a default browser configuration persists across browser restarts.
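A defender-side check for the two differences described above, as an added example that is not part of this demo's own code: it flags resources whose ETag varies per client for identical content, and strong ETags that stay the same while the content changes. The function name `audit_etags`, the probe client names and the sample observations are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed observations (client, url, etag, body), as cache-less probe
# clients might record them. Not captured from any real site.
SAMPLE = [
    ("probe-a", "/style.css", '"5f2c-1a"', b"body{margin:0}"),
    ("probe-b", "/style.css", '"5f2c-1a"', b"body{margin:0}"),
    ("probe-a", "/pixel.gif", '"1700000001AAAA"', b"GIF89a-constructed"),
    ("probe-b", "/pixel.gif", '"1700000002BBBB"', b"GIF89a-constructed"),
    ("probe-a", "/counter", '"1700000003CCCC"', b"visits: 0"),
    ("probe-a", "/counter", '"1700000003CCCC"', b"visits: 1"),
]


def audit_etags(observations):
    """Return {url: findings} for ETags that do not act as content validators."""
    by_body = defaultdict(set)  # (url, body digest) -> ETags seen across clients
    by_etag = defaultdict(set)  # (url, client, etag) -> body digests seen
    for client, url, etag, body in observations:
        digest = hashlib.sha256(body).hexdigest()
        by_body[(url, digest)].add(etag)
        # Weak validators (W/ prefix) may legitimately survive small changes,
        # so only strong ETags are checked against content changes.
        if not etag.startswith("W/"):
            by_etag[(url, client, etag)].add(digest)

    findings = defaultdict(set)
    for (url, _digest), etags in by_body.items():
        if len(etags) > 1:
            # Same bytes, different ETag per client: the ETag can act as an ID.
            findings[url].add("per-client-etag")
    for (url, _client, _etag), digests in by_etag.items():
        if len(digests) > 1:
            # Content changed but the ETag was kept: it is not tied to content.
            findings[url].add("etag-survives-content-change")
    return dict(findings)


if __name__ == "__main__":
    for url, reasons in sorted(audit_etags(SAMPLE).items()):
        print(url, sorted(reasons))
```

ETags derived from file metadata can differ between backends serving the same bytes, so a `per-client-etag` finding is a lead to confirm with repeated probes rather than proof of tracking.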
$ fingerprint@info:~ run ETag-fingerprinting
Website visits:
0
Your last visit:
Fri, 11 Oct 2024 18:50:18 +0200
Your random ETag:
1728665418BruC8SYsXgt36wAPmmGhwM3aBB
Refresh page.