On 4/23/2016 5:44 PM, Ben Tasker wrote:
My guess is it is set by abc.com, but the "name" of the cookie involves
"cloudflare?"
Keep in mind that Cloudflare is essentially a glorified bunch of reverse
proxies. Because Cloudflare terminates your TCP connection to abc.com,
they're in a position to set cookies _as_ abc.com. So I'd fully expect the
site name to be abc.com, though it's naughty of them. The browser won't
consider it third-party, because it isn't - it was set by abc.com. This does
seem to be the case (picking a site that uses cloudflare randomly from a
list):
$ GET -Ssed http://absolutewealth.com | grep Set-Co
Set-Cookie: __cfduid=dfcadd8517f9edb7f6fd202c7152da9861461451390;
expires=Sun, 23-Apr-17 22:43:10 GMT; path=/; domain=.absolutewealth.com;
HttpOnly
What it does mean, though, is when you visit xyz.com, the browser won't
present the cookie set earlier by abc.com. So its use in tracking across
domains is incredibly limited. Pretty useful for tracking return visits to
abc.com (and its subdomains) though.
Ben
I know little about Cloudflare's actual operation. What's the
implication / danger of one entity setting cookies on multiple or
1000's of sites?
I've also read (true or not) that lots of sites sell customer / member
data on cookies & IPa's to tracking companies or advertisers. Maybe not
names or credit cards, but...
Years ago, lots of sites didn't require cookies just to browse. Now
many do - just to take a peek, or it won't work right. Maybe that's
because the cookies can be turned into cash?
I'm startin me some websites. Yee-haw!
--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
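
The scoping described in the quoted message, as an added example that is not part of either poster's message: it parses the Set-Cookie header captured above and applies the RFC 6265 domain-match and path-match rules to show which requests would carry the cookie. The www. subdomain and notabsolutewealth.com are constructed hostnames; cookie expiry and the browser's public-suffix check are not modelled.

```python
from urllib.parse import urlsplit

# Header exactly as captured in the quoted message (wrapped lines rejoined).
SET_COOKIE = ("__cfduid=dfcadd8517f9edb7f6fd202c7152da9861461451390; "
              "expires=Sun, 23-Apr-17 22:43:10 GMT; path=/; "
              "domain=.absolutewealth.com; HttpOnly")


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: same host, or host ends with '.' + cookie domain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")  # leading dot is ignored
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: cookie path must be a '/'-bounded prefix."""
    request_path = request_path or "/"
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")


def would_send(url, header=SET_COOKIE):
    """True if a browser holding this cookie would attach it to `url`.
    Simplification: expiry and the public-suffix check are not modelled."""
    _, _, attrs = parse_set_cookie(header)
    parts = urlsplit(url)
    return (domain_match(parts.hostname, attrs["domain"])
            and path_match(parts.path, attrs.get("path", "/")))


if __name__ == "__main__":
    # www. and notabsolutewealth.com are constructed hostnames for the demo.
    for url in ("http://absolutewealth.com/", "http://www.absolutewealth.com/a",
                "http://xyz.com/", "http://notabsolutewealth.com/"):
        print(f"{url:36} cookie sent: {would_send(url)}")
```

The last hostname shows why the match is anchored on a dot boundary: a plain suffix comparison would wrongly treat notabsolutewealth.com as in scope.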