Ask HN: How does the Washington Post paywall get around Chrome's incognito mode?
I've noticed that relatively recently (I think last 6 months or so, not sure) that the Washington Post paywall has been able to block access after multiple article reads, even if I'm using new Chrome incognito windows for each article read.
To do this, WP must be recording state from somewhere, even though (theoretically) incognito mode should prevent this. Anyone have any idea what they're doing? If I switch to a private window in Safari things work, so WP isn't just recording IP addresses, so my best guess was some combination of device fingerprinting with IP. If that's the case, that means incognito mode should really offer some sort of fingerprinting-thwarter that makes this leaked state more difficult to access.
9 comments
[ 2.2 ms ] story [ 37.4 ms ] threadDid this three times and always had a fresh start and could navigate until I hit the limit.
So I can't reproduce your claims.
I’ve seen this too (don’t recall if the was WaPo) I’ve had success with eliminating the obvious analytics junk from the URL and trying again in a fresh incognito session.
It’d be pretty easy to keep a short lived cache server-side of any analytics bearing URL that gets paywalled and use that to paywall any additional request from the same IP that match exactly and comes within a minute or two (even if the browser is cookieless) I’m figuring this is probably what they do, I know it’s how I’d do it if I was tasked with defending against the incognito technique.
Alternatively WaPo could be using WebRTC to pull your internal IP and caching with your external IP along and other data to create a unique identifier.
There are a couple ways to do it. For example, you can track incog users by abusing cert pinning with HPKP report URIs. Expect-CT (the successor to HPKP) would also be vulnerable to this attack.
BTW Bezos now owns them, so they can also access that state from a multitude of other Amazon services.