Ask HN: How does the Washington Post paywall get around Chrome's incognito mode?

12 points by hn_throwaway_99 ↗ HN
I've noticed that relatively recently (I think last 6 months or so, not sure) that the Washington Post paywall has been able to block access after multiple article reads, even if I'm using new Chrome incognito windows for each article read.

To do this, WP must be recording state from somewhere, even though (theoretically) incognito mode should prevent this. Anyone have any idea what they're doing? If I switch to a private window in Safari things work, so WP isn't just recording IP addresses, so my best guess was some combination of device fingerprinting with IP. If that's the case, that means incognito mode should really offer some sort of fingerprinting-thwarter that makes this leaked state more difficult to access.

9 comments

[ 2.2 ms ] story [ 37.4 ms ] thread
I tested opening up incognito, clicked random articles until I hit the limit then closing the incognito window.

Did this three times and always had a fresh start and could navigate until I hit the limit.

So I can't reproduce your claims.

I cannot repro either. Could it be that you have another minimized / hidden incognito window on your desktop? The two windows could share client state.
Check the URL for parameters. If you’re coming from a Google search or similar there are generally a boat load of analytics/tracking parameters in the URL. You can eliminate those and you’ll still get the same article.

I’ve seen this too (don’t recall if the was WaPo) I’ve had success with eliminating the obvious analytics junk from the URL and trying again in a fresh incognito session.

It’d be pretty easy to keep a short lived cache server-side of any analytics bearing URL that gets paywalled and use that to paywall any additional request from the same IP that match exactly and comes within a minute or two (even if the browser is cookieless) I’m figuring this is probably what they do, I know it’s how I’d do it if I was tasked with defending against the incognito technique.

This sounds likely, and I wouldn’t be surprised if google had deals with publishers to send additional data, like your computer’s internal IP via webrtc.

Alternatively WaPo could be using WebRTC to pull your internal IP and caching with your external IP along and other data to create a unique identifier.

You might be part a special cohort with early access to this 'feature'.

There are a couple ways to do it. For example, you can track incog users by abusing cert pinning with HPKP report URIs. Expect-CT (the successor to HPKP) would also be vulnerable to this attack.

(comment deleted)
Could you have some extensions running in incognito mode that are leaking state?
You probably still have an incognito window open. Incognito in chrome is a special user profile that does not write anything to disk.
If WAPO gets only sporadic traffic from your particular IP, there aren't any other readers behind that NAT and hence your access can be limited.

BTW Bezos now owns them, so they can also access that state from a multitude of other Amazon services.