Slashdot Mirror

← Back to Stories (view on slashdot.org)

Beta Version of Nevercookie Released

Posted by Soulskill on from the om-nom-nom dept.

wiredmikey writes "Anonymizer has released a beta version of Nevercookie, the recently announced Firefox plugin designed to protect against the Evercookie, a JavaScript API built and made available to prove that the more you store and the more places you store it, the harder it is for users to control a Web site's ability to uniquely identify their computer. Evercookie is a more persistent form of cookie that enables the storage of cookie data in a number of different locations, such as Flash cookies and various locations of HTML5 storage. This allows websites to track user behavior even when users have enabled private browsing. Because an Evercookie stores data in locations outside of where standard cookies are stored, an Evercookie can rebuild itself unless users go through a number of steps to completely clear and reset their local storage."

12 of 77 comments (clear)

  1. If you don't want to be tracked by igreaterthanu · · Score: 3, Interesting

    Browse the internet in a virtual machine and reset the changes to the virtual hard disk afterwards. I'd like to see them get around that!

    --
    I dream of a nation where a man is not judged by his skin color but by an number assigned by a credit rating agency.
    1. Re:If you don't want to be tracked by asa · · Score: 4, Insightful

      They can fingerprint you based on your OS, system fonts, plug-ins, IP address, screen resolution and other exposed hardware capabilities, time zone, etc. Then they can surveil you as you move around the Web and increase the strength of that fingerprint based on the sites you visit that are in their "network" (think about how many properties Google owns from search to gmail to docs to youtube to blogger but then remember also that they can see you at non-googel sites because of adsense and google analytics and youtube embeds and feedburner and sites with re-captcha or google checkout or maps mash-ups or google's site-specific searches.

      You are not anonymous, even if you rebuild your VM every day. You'd have to randomize all the features of your OS and your browser and then you'd have to reboot between pretty much every website you visit.

    2. Re:If you don't want to be tracked by I'll+never+remember · · Score: 3, Interesting

      EverCookies don't care about "InPrivate Browsing" - that is the point of them.

  2. Nostrodamus eat your heart out by goldaryn · · Score: 5, Funny

    I could say what I always say about Privoxy. But it never sinks in, so instead here's an amusing link

  3. Re:Excellent.. by MoonBuggy · · Score: 3, Interesting

    Which would be a step in the right direction, but is also probably only used by a small subset of technologically inclined people.

    Fact is, rightly or wrongly, most people just don't care that much. Much as I'd like to be browsing everything via SSL and stringently choosing when to release any trackable data, even I wonder whether it really matters.

    The idea of government tracking chills me to the bone - they have a vested interest in suppressing certain ideas and the power to do so somewhat effectively - and it's absolutely true that corporations can be similarly dangerous if they grow out of control. When the only practical upshot I see, however, is that doing a search to check the dimensions of a shipping container has immediately convinced the ads on a multitude of sites that I want to buy one of the damn things, the worry eases a bit. Maybe I'm wrong, maybe we're heading towards some corporate dystopia complete with RFID implants (far trendier than those outdated barcode tattoos). Maybe people's natural greed & incompetence will bring it all crashing down and save us all. Maybe, by some miracle, it'll even be their general better nature that does it.

    For the moment, though, I can see why people don't really care that they're being tracked.

  4. Keep your hands to yourself. by westlake · · Score: 3, Insightful

    For just once, can someone design a trojan/worm that updates browsers to include useful addons like this instead of trying to steal banking information? Just sayin'.

    Tell me how you quarantee an innocent and useful payload.

    Tell me why geek the who unleashes a trojan has won the right to decide how users should manage their systems.

  5. blargh by gabbott · · Score: 4, Insightful

    Yeah, for the full privacy package you should combine this extension with an anonymizing proxy that you trust. As far as the panopticlick browser fingerprinting issue, I hope to integrate browser fingerprint manipulation into later versions of Nevercookie. This project is my 20 at work, we get 20% of our time for side projects. And yes, I expect Samy to counter with additional features to Evercookie, I'd be sad if he didn't :P.

  6. SeaMonkey by Meneth · · Score: 3, Interesting

    This plugin is not yet compatible with SeaMonkey. Someone should fix that.

  7. Delete all the cookies you want by mysidia · · Score: 5, Informative

    Your system's clock skew fingerprint will give you away, with a tiny bit of Javascript. Who needs cookies, when your computer has intrinsic characteristics / artifacts from manufacturing that uniquely identify it?

  8. Isolated browsing by Skapare · · Score: 5, Interesting

    I have been using, for many years, a script that was originally intended to defeat Firefox's attempt to always run all browser windows under the same process. The method used is to create a fake home directory and populate it with some data that was derived from a "first run" of Firefox. The script applies a few tweaks to make the paths match the dynamically generated fake home directory. Firefox believes it is the home directory. It doesn't go so far to double check this in /etc/passwd or such ... why would Firefox want to be that pedantic. If I had to, I could go a step further and defeat even that.

    The intent of that script was to keep Firefox from getting overly bloated by allowing me to full quit (exit the process) for each site visited, without killing the windows of other sites I am still currently visiting. In some cases, some sites have triggered bugs, or caused lockups. I can kill the browser for that site (if it didn't crash on its own), still keeping the windows of other sites. It might seem counter-intuitive to many, but this does work to keep the bloat level down. At least it does so with my style of browsing (I keep a number of individual sites up in a browser sometimes for weeks).

    One effect I did notice early on is that tracking was not happening if I quit a browser for one site and later started a new one to return. All the old cookies disappeared when the reaper component of the script cleaned up the leftover fake home directories. Cross site tracking wasn't happening as long as I started a new browser for each site, which I usually did, except when following links (in which case, they can get a referrer URL which I have not yet bothered to suppress). Referrers are sometimes useful (like to get a special pass through a paywall when coming from a partner site).

    If it turns out that Firefox is so leaky that cookies can be placed outside of the context of the fake home directory, then I'll just have to raise the stakes and use a chroot directory (definitely not secure once arbitrary code can be run), or go even further and use either BSD Jails or Linux Containers (LXC, based on kernel cgroups). That will just mean I have to hard link in some more libraries from a read-only bind mount or some such thing. Maybe I'd even have to make truly real home directories for user dynamically added to /etc/passwd or something. It might add several milliseconds to the Firefox start time. Hopefully, if that happens, the Firefox developers will realize they have holes and get them fixed.

    In any event, there's plenty more room to raise even higher walls between instances, even concurrently, of Firefox. We'll go where we need to go. There's only so far that the scumbag versions of web developers can go with this.

    --
    now we need to go OSS in diesel cars
  9. Re:Excellent.. by asa · · Score: 4, Insightful

    It's worth remembering that everything a corporation tracks and stores is subject to subpoena or outright theft by the US Government. Tracking isn't ephemeral. There are increasingly large "profiles" of you being stored in databases of some very large corporations and if you really believe that those are safe and secure from prying eyes, whether it's employees of those companies, insurance companies that want nothing more than can charge you more or drop your policy, or government agencies who are convinced you're a threat to national security, you're sadly mistaken.

  10. Re:Not compatible with FF 4.0 (beta 6) by gabbott · · Score: 3, Informative

    Not sure about earlier versions of 4.0, but it comes up as not compatible with Beta 6.

    Yes, it's not compatible with FF 4. I did this because I haven't had time to test it with that version. This is simply a limitation I put into the install.rdf file. If you want to give it a try on FF 4 you can download the extension, rename it to .zip and open it up. Edit the install.rdf file and change this line: 3.9.* to something like 9.9.* or whatever you like. Zip the contents back up (do not zip the parent directory, you want to be zipping up content, locale, etc into one archive). If you zip it in a parent directory it won't work. Then just rename the extension to .xpi again and try to install it. It's entirely possible it will work, but I just haven't gotten around to testing it with 4 and I know there are a bunch of changes. Let me know how it goes ;)