Evercookies: extremely persistent browser cookies

For discussions about security.
jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#31 Post by jpeps »

PaulBx1 wrote:
I'm concerned about ANY vulnerability that enables some clown to plant whatever on my computer hoping to enrich themselves.
Yeah, Heaven forbid that anyone should make a profit. :wink:
Hi PaulBx1,

Don't get me wrong...I'm in total agreement with you that others should have the right to plant whatever on your computer :)

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#32 Post by PaulBx1 »

Just some 30 seconds and they have the same username and login as you just gave
You shouldn't do anything on an open wifi connection other than, say, check the weather. Anything more than that is asking for trouble. Even logging into a website is not a good idea, unless you don't mind handing your password out to everyone. Email? Forget it.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#33 Post by nooby »

Hahaha, Paul, you should have told me that one year ago and I would not have bought the Acer 10-inch screen Nettop I use now, nor the two Android smartphones either.


I bought these to use at open spots to check emails and forum entries when I travel.
I use Google Search on Puppy Forum
not an ideal solution though

Jasper

#34 Post by Jasper »

Hi,

For those who are not already aware - Firefox 3.6.12 (with a security fix) is available today if you need it.

My regards

My apology - I have now put this message in a new thread in this section.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#35 Post by Flash »

Here's an interview of the creator of the Evercookie, Samy Kamkar. Very instructive.
TechRepublic: What is an Evercookie and why did you develop it?

Samy Kamkar: Evercookie is a Javascript API that allows storing cookie data in a number of different locations when a user visits a web page. Normal sites would typically just store data (such as a session identifier) in something like a cookie.

However, Evercookie not only uses the cookie, but a number of other locations such as Flash cookies, Silverlight isolated storage, and various locations of HTML5 storage. When a user deletes their standard cookies, the other locations remain and are able to rebuild the original cookie.

I built Evercookie as a proof of concept, wanting to show how web sites are able to track users even if they delete standard cookies and LSOs. Evercookie also sheds light on the fact that there are numerous methods for storing cookies locally. Finally, Evercookie acts as a litmus test for users who want to see if they’re protected from web sites that track like this.


TechRepublic: Is the installation process automated or does the user have to initiate it?

Samy Kamkar: No, the client simply visits the web site. There is no indication that persistent data is being set, exactly like a website with standard HTTP cookies.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#36 Post by jpeps »

In short, a challenge to act against the best interests and desires of the owner of the computer; very stupid and at best, bad business.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#37 Post by nooby »

Hope I am not too naive.

What one needs to do then is some program that recognizes when an Evercookie is about to be set, and that program just pretends that all works by giving a faked confirmation that everything has been set up as the evercookie wants, but in reality that site's evercookie is blacklisted in some list so it is not set next time either?

Does it help to do like some told us, that they made an ever-updated pupsave,

so when one starts anew in the morning the pupsave of yesterday gets scrapped and the backup is loaded, and that way nothing that happened changed that backup?

One stores things one wants to keep like email and html pages and pics and music outside of the pupsave and only reuses a never-written-to backup that is reused again and again?

I guess those that use a CD with Puppy are like that

for us with frugal they can write anything to our HDD I guess.

One would need a program that looked for evercookies and was able to erase them.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#38 Post by jpeps »

Flash wrote:Here's an interview of the creator of the Evercookie, Samy Kamkar.
Example of accurate targeting when clicking on the above link:

Italian Cookies, Biscotti
Perfect gift, easy online ordering.

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#39 Post by PaulBx1 »

In short, a challenge to act against the best interests and desires of the owner of the computer; very stupid and at best, bad business.
Well, I suspect the point was that, if he could develop them, others could and probably have developed them. Better to get the issue out on the table before they have taken over half the world's computers and filled them with garbage.

Sounds like noscript can prevent them. I suppose I ought to try it yet again...

Bruce B

#40 Post by Bruce B »

I hope in this post to make the Evercookie seem less fearsome,
more understandable and very easy for us Puppy users to clean up.


- Macromedia Super Cookies

Websites can use your macromedia flash files to track you across multiple
domains. Flash is not a part of your browser and it doesn't have
controls over the data Macromedia stores.

We have control!

/root/.macromedia is the parent directory where the data is stored. If you
don't want to be tracked by the content in those sub-directories, delete
the parent.

Edited to add: it will recreate itself, so the deleting should be part of your
normal keeping things clean routine. The recreating itself means it will make
new directories and store new data. Once deleted the previous data is
history.

I mention the /root/.macromedia directory because it is a portion of the
technology the Evercookie uses

- Silverlight isolated storage

I'm not even using it. To the extent the rest of us are not using it, there is
no Silverlight exploit.

- HTML5 - Various Storage Locations

Don't kill me with fearsome generalities. We are running specific operating
systems and browsers.

The OS here is Puppy Linux. The browser is SeaMonkey. (or whatever the
user or puplet installed)

SeaMonkey stores its cache under the parent directory /root/.mozilla in a
directory called Cache

Every time we empty the Cache we also empty the supposed but
non-existent various HTML5 storage locations.

- Clearing your private data

Google is main sponsor for Mozilla. Need I say more?

Google doesn't seem to believe in deleting data, not in my opinion. Don't
play the fool by thinking your Mozilla browser really deletes data when you
use the browser settings.

If we are serious about deleting private data, write a script to delete the
*.sqlite files in the profile directory.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

End of post. The Evercookie is gone as well as a lot of other tracking
information stored on YOUR PERSONAL computer.

~

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#41 Post by PaulBx1 »

Bruce, you mentioned the sqlite files before. I guess I don't understand how you can delete all of them, since that includes (for example) signon.sqlite. I couldn't function without site login information stored in the browser. No way I could remember every login.

Bruce B

#42 Post by Bruce B »

PaulBx1 wrote:Bruce, you mentioned the sqlite files before.
I guess I don't understand how you can delete all of them,
since that includes (for example) signon.sqlite. I couldn't
function without site login information stored in the browser.
No way I could remember every login.
PaulBx1,

I understand exactly what you mean.

For others, deleting the *.sqlite means all the information in
them is gone. But you don't necessarily want to keep
deleting all the information because some of it you want.

I've been learning Windows XP lately, so first I'll explain how
I did it with XP.

1) delete all *.sqlite

2) when the browser starts it will make fresh *.sqlite files

3) go to the trusted sites you regularly visit and enter your
login information

4) after you have done this, shut down the browser.

5) copy all the *.sqlite files (which have basically only
information you do want) to a different directory, such as
one level up

6) make a batch file to delete the *.sqlite files in the profile
directory and copy back the ones which have the login
information you want

~~~~~~~~~~~~~~~

You can use the same basic technique with the Linux bash
script.

~~~~~~~~~~~~~~~

Now I'll offer an experiment for anyone who wants to do
some testing.

In Windows go through step 4 and make the files read-only

In Linux go through step 4 and make the files immutable
using the chattr utility. I don't remember if the operative
switch is -i or +i , I think it is +i, if so the command would
be:

chattr +i *.sqlite

~~~~~~~~~~~~~~~~

I learned to do this in the Netscape days. There was a
period in time where a lot of sites wanted cookies enabled. I
made the cookie file read-only and no site ever balked.

Moreover, it seemed they had the cookie feedback they
wanted, which caused me to suspect the cookie information
existed in some cache even though it was never written to
disk.

~~~~~~~~~~~~~~~~~

In conclusion, the first steps I outlined do work. It requires
a little work to get it setup, but once setup it is a piece of
cake.

The read-only / immutable portion of the post would be
experimental insofar as I haven't tested it. But I think it
stands a good enough chance of working, that its worth a
try.

Bruce

One last thought. The sqlite files are binary. Puppy's strings
utility will display text in these binary files. A hexeditor will
also.

If anyone has some sqlite files that have been in use for a
while, and you want to see the contents, you'll get an idea
of kind of personal data they contain.

Also, and very importantly, they were mentioned as a
storage point for the topic of discussion: Evercookies

~
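The baseline-and-restore cleanup Bruce B outlines in posts #40 and #42 (delete the Flash LSO tree, delete the profile's *.sqlite files, copy back a saved set holding only the logins you want, optionally chattr +i), written out as an added shell example. This is not code from the thread. The profile and baseline paths are placeholders you supply on the command line, and ~/.adobe as a second Flash settings directory is an assumption.

```sh
#!/bin/sh
# Added example, not code from the thread: the baseline-and-restore cleanup
# Bruce B outlines. PROFILE and BASELINE are assumptions; point them at your
# own SeaMonkey/Firefox profile directory and a directory outside it.
set -u

# Step 5: after logging in to the sites you trust and closing the browser,
# copy the *.sqlite files (now holding only wanted data) to a safe place.
make_baseline() {
    profile=$1; baseline=$2
    mkdir -p "$baseline" || return 1
    for f in "$profile"/*.sqlite; do
        [ -f "$f" ] || continue
        cp -p "$f" "$baseline/" || return 1
    done
    return 0
}

# Flash LSOs live outside the browser profile; the browser's own "clear
# private data" never touches them. ~/.adobe is an assumption (the second
# directory Flash Player uses for its settings).
clean_flash_lsos() {
    home=$1
    rm -rf "$home/.macromedia" "$home/.adobe"
}

# Step 6: wipe every *.sqlite (cookies, HTML5 storage, history, ...) plus any
# SQLite journals, then put the baseline copies back.
restore_profile() {
    profile=$1; baseline=$2
    rm -f "$profile"/*.sqlite "$profile"/*.sqlite-journal "$profile"/*.sqlite-wal
    for f in "$baseline"/*.sqlite; do
        [ -f "$f" ] || continue
        cp -p "$f" "$profile/" || return 1
    done
    return 0
}

# Number of *.sqlite files in a directory, for before/after reporting.
count_sqlite() {
    n=0
    for f in "$1"/*.sqlite; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# The untested experiment from post #42: make the restored files immutable.
# Only filesystems with extended attributes (ext2/3/4, not a tmpfs or a FAT
# pupsave) support chattr, so failure is reported instead of fatal.
lock_profile() {
    chattr +i "$1"/*.sqlite 2>/dev/null || echo "chattr +i not supported on this filesystem" >&2
}

# Usage (paths are placeholders):
#   sh evercookie-clean.sh baseline PROFILE BASELINE   # once, after step 4
#   sh evercookie-clean.sh clean    PROFILE BASELINE   # at every session start
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    clean)    clean_flash_lsos "$HOME"
              restore_profile "$2" "$3"
              echo "profile now holds $(count_sqlite "$2") sqlite file(s)" ;;
esac
```

One caveat on the chattr experiment: SQLite writes journal files next to its database and the browser expects to update cookies.sqlite and places.sqlite on every visit, so an immutable profile may leave the browser unable to save anything at all, not just tracking data. That is why lock_profile is kept separate from the clean step and is never run by default.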

droope
Posts: 801
Joined: Fri 01 Aug 2008, 00:17
Location: Uruguay, Mercedes

#43 Post by droope »

Hiya :)

Cookies are no way evil...

or harmful...


Just information being stored. :)

Aaanyway, noscript + blocking flash kills evercookies. :)

Regards,
Droope
What seems hard is actually easy, while what looks like impossible is in fact hard.

“Hard things take time to do. Impossible things take a little longer.” –Percy Cerutty

[url=http://droope.wordpress.com/]Mi blog[/url] (Spanish)

Bruce B

#44 Post by Bruce B »

droope wrote:Hiya :)

Cookies are no way evil...

or harmful...


Just information being stored. :)
Cookies are tracking devices.

People's main consideration about them would be 'privacy related', which is
why I'd much rather this forum had a section for Privacy and another for
Security.

I like Trackers in cyberspace about as much as I do Stalkers and Peeping
Toms in the real world. Which is not at all.
droope wrote:Aaanyway, noscript + blocking flash kills evercookies. :)
The Evercookie uses JavaScript APIs to do its dirty work. So, if JavaScript
is turned off one wouldn't get this kind of cookie.

But turning it off wouldn't delete the cookie if it existed. It would prevent it
from being used.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#45 Post by nooby »

And if one turns off Java then many sites refuse to let one make a comment or write in their forum, or to read the text, until one allows at least the major ad provider to show their ad, and then one sees the text one looks for.

So it is not easy. I try to use NoScript in FireFox but Opera and Chrome have their own Ad blockers and those are too difficult for me to learn how to use.

So I am kind of locked to use FireFox and as far as I know they have no addon yet for an EverCookie?

But are EverCookies being used now on many sites? First I thought that almost every big site used them and now I read that it is only a concept a guy showed off and almost none use them, but that in the future maybe a lot of sites would?

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#46 Post by jpeps »

nooby wrote: And if one turns off Java then many sites refuse to let one make a comment or write in their forum, or to read the text, until one allows at least the major ad provider to show their ad, and then one sees the text one looks for.

So it is not easy. I try to use NoScript in FireFox but Opera and Chrome have their own Ad blockers and those are too difficult for me to learn how to use.

So I am kind of locked to use FireFox and as far as I know they have no addon yet for an EverCookie?

It's lots easier to mark and replace changed files from a mozilla backup.
If you want to add passwords, etc., then mark/replace changed files to the backup. I delete all flash LSO's every session.
But are EverCookies being used now on many sites? First I thought that almost every big site used them and now I read that it is only a concept a guy showed off and almost none use them, but that in the future maybe a lot of sites would?
Follow the money; evercookies and variations thereof are already being sold.

jrb
Posts: 1536
Joined: Tue 11 Dec 2007, 19:56
Location: Smithers, BC, Canada

#47 Post by jrb »

I have developed a strategy to fight against these demonic creations. :x Please see Fighting Persistant Cookies and eliminating bloat

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#48 Post by nooby »

Thanks jrb, interesting approach.

Fighting Persistant Cookies and eliminating bloat
http://www.murga-linux.com/puppy/viewtopic.php?t=62391

Here is another approach, to go the legal way to give us rights to not be followed around.

Anti-tracking initiative gets US government support

* 22:04 01 December 2010 by Jim Giles

The system, known as Do Not Track, received a vote of confidence today from the Federal Trade Commission (FTC), the US government agency responsible for protecting consumers.

The commission said that it wants companies that track our movements across the web, such as advertising firms, to use Do Not Track to give consumers an easy way to opt out of such monitoring.
Now how can we trust them, maybe best to also make things like jrb suggests

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#49 Post by Flash »

http://ashkansoltani.org/docs/respawn_redux.html
RESPAWN REDUX

(Follow up to Flash Cookies and Privacy II)

Ashkan Soltani

08/11/2011

I thought I'd take the time to elaborate a bit further regarding the technical mechanisms described in our 'Flash Cookies and Privacy II' paper that generated a bit of buzz recently. For a bit of background, I, along with Chris Hoofnagle and Nathan Good, had the honor of supervising Mika Ayenson and Dietrich J. Wambach in replicating our previous 2009 study which found that websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed ‘respawning’).
In our follow up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the Hulu.com site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics (Hulu and KISSmetrics have both ceased respawning as of July 29th 2011.) Hitten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed...
It continues with a technical description of how respawning works, etc..
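A way to look for the respawning the Soltani write-up describes, as an added shell example that is not from the page or from the paper it quotes: dump the browser's current cookie values and grep for the same strings inside the Flash LSO tree and the profile's HTML5 storage files. A cookie whose value also sits in one of those stores is exactly what lets a site rebuild it after you clear cookies, since "clear cookies" never touches the copy outside the cookie jar. Assumptions: the cookies are available in the tab-separated Netscape cookies.txt layout (older Mozilla browsers and curl use it), values shorter than 8 characters are skipped to cut noise, and the store directories are passed on the command line.

```sh
#!/bin/sh
# Added example, not from the page or the paper: a crude respawn check that
# cross-references live cookie values against out-of-browser storage.
# Format and threshold below are assumptions, see the comments.
set -u

# Print "name<TAB>value" for every cookie in a Netscape-format cookies.txt.
# Columns: domain, flag, path, secure, expiry, name, value (tab separated).
# Values under 8 characters (assumption) are skipped: "1" or "en" would
# match in almost any file and produce nothing but false positives.
cookie_values() {
    awk -F'\t' '!/^#/ && NF >= 7 && length($7) >= 8 { print $6 "\t" $7 }' "$1"
}

# List files under a directory that contain a literal value. -a treats the
# binary .sol and .sqlite files as text so matches inside them are reported.
files_holding() {
    value=$1; dir=$2
    grep -r -l -a -F -- "$value" "$dir" 2>/dev/null
}

# For each cookie, report every file in the given store directories that holds
# the same value. Output: one line per hit, "name value path".
find_respawn_candidates() {
    cookiefile=$1; shift
    cookie_values "$cookiefile" | while IFS="$(printf '\t')" read -r name value; do
        for dir in "$@"; do
            [ -d "$dir" ] || continue
            files_holding "$value" "$dir" | while IFS= read -r path; do
                printf '%s %s %s\n' "$name" "$value" "$path"
            done
        done
    done
}

# Number of hits, for a quick yes/no answer.
count_candidates() {
    find_respawn_candidates "$@" | wc -l | tr -d ' '
}

# Usage (paths are placeholders):
#   sh respawn-check.sh check COOKIES_TXT /root/.macromedia /root/.mozilla/PROFILE
case "${1:-}" in
    check) shift
           find_respawn_candidates "$@"
           echo "$(count_candidates "$@") respawn candidate(s)" ;;
esac
```

With a newer Mozilla profile the cookie jar is cookies.sqlite rather than cookies.txt; the moz_cookies table there has name and value columns, so a one-line sqlite3 query can produce the same two-column input for cookie_values. A hit only tells you the value is present in both places; which side is the source and which the copy is settled by clearing the HTTP cookie and watching whether it comes back on the next visit.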

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#50 Post by nooby »

Thanks, it shows how eager they are to know if one clicks on ads or not?
