Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zombie Cookies Just Won't Die

Posted by CmdrTaco on from the zombie-want-caaaaache dept.

GMGruman wrote in to say "Microsoft embarrassed itself last week when it got caught using 'zombie cookies' — a form of tracking cookies that users can't delete, as they come back to life after you've 'killed' them. Microsoft says it'll stop the 'aberrant' practice. But Woody Leonhard says you ain't seen nothing yet. It turns out HTML5 offers a technical mechanism to give zombie cookies a new lease on life — and the Web browsers' private-browsing features can't stop them."

10 of 189 comments (clear)

  1. Keeps the "Re-install Windows" fix alive by billrp · · Score: 4, Insightful

    which seems to be the most common solution that's offered on fix-your-own-windows-problems forums

  2. *nix fix by Anonymous Coward · · Score: 2, Insightful

    This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

    1. Re:*nix fix by Z00L00K · · Score: 3, Insightful

      Nuke the cookie servers then.

      I just wonder what would happen if the cookie info returned was just some random garbage. Time to make a plugin to Firefox to handle that.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  3. Stop blaming the Sites by Anonymous Coward · · Score: 4, Insightful

    And start blaming your browser. If you enable "Private Browsing", and anything lives beyond that session, it can be nothing other than a browser bug.

    1. Re:Stop blaming the Sites by Hatta · · Score: 3, Insightful

      Flash is an external process and thus bypasses browser settings

      So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

      --
      Give me Classic Slashdot or give me death!
  4. A question by jandersen · · Score: 3, Insightful

    Is there any good reason why one would want to use HTML5 at all? I mean, as a user? So far it all seems to be negative - a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

    1. Re:A question by Anonymous+Brave+Guy · · Score: 4, Insightful

      Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

      That's a very fair question, but it's a slightly loaded one. As a user, there is little benefit to any particular web technology, whether it's HTML, CSS, JavaScript, Flash or anything else. As a user, what you care about is results. However, those results depend on what developers can build, typically within a certain amount of time and budget.

      If you have new technologies that allow developers to do new things, and those things benefit the user, then the user wins. However, if you have new technologies that allow developers to do old things in newer, easier, faster ways, and those things benefit the user, then the user also wins, particularly if it becomes viable for developers to make something useful in a cost-effective way when they could have done it before but didn't because it was too expensive in some respect.

      And from that point of view, HTML5 tools like canvas and media tags are a big step up for some jobs over using something like Flash or Java applets.

      That said, I strongly agree that browsers shouldn't be ceding any sovereignty over their users' systems to remote code by default.

      And that said, the most devious tracking mechanism I have yet encountered didn't rely on any sort of cookie/local storage technology. It was essentially based on how various web-related protocols handle caching, it's hard to defeat without getting rid of caching, and you really don't want to get rid of caching. It is possible for browsers to avoid falling into the trap, and now that the attack vector has been identified I expect they'll do something about it.

      Then again, as you read this your browser is probably advertising an almost unique fingerprint that could track you anywhere on the Web without storing anything on your machine at all, every time it sends request headers, and despite this being a well-known problem for quite some time, the browser developers haven't done much about it yet. Until they do, fighting against tricky little local storage vectors is hitting the 1% problem, not the 99% problem...

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  5. Re:"Caught with hand in the cookie jar" joke here by dkleinsc · · Score: 3, Insightful

    That's the whole point: GP is arguing that this sort of practice is in fact quite normal, and that Microsoft will probably not stop just because of the bad press.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  6. Speking of abhorrent... by kaizendojo · · Score: 4, Insightful

    Why is it that the only company mentioned here is Microsoft, when in fact the original research article shows this to be a lot more wide spread by some big names - none of which were mentioned here. From the Stanford article (http://cyberlaw.stanford.edu/node/6695): "We also examined a series of URL lists (spreadsheet) that contain 15,511 entries. The URLs and interest segments range greatly. Some URLs are for a landing page; others are for a specific page. Some interest segments are broad; others are fine-grained. A few example segments:


    Segment 758: discount sites including Groupon and eBay Daily Deals Segment 876: sites about coffee, including Dunkin' Donuts, Folgers, and Starbucks Segments 984-989: home improvement sites including Home Depot and Grainger Segment 2701: pages about the Ford Fiesta Several interest segments are highly sensitive:

    Segment 760: pages about getting pregnant and fertility, including at the Mayo Clinic Segment 2640: pages about menopause, including at the NIH and the University of Maryland Segment 2014: pages about repairing bad credit, including at the FTC Segment 2265: pages about debt relief, including at the FTC and the IRS"

    Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed? That we we can all be aware of just how widespread an issue this is instead of just another "Microsoft is Evil" piece.

  7. Re:"zombie cookies" means Flash cookies by BitZtream · · Score: 5, Insightful

    It actually wasn't about flash cookies.

    It was about using browser cache as storage medium by doing some neat tricks on the server to get the browser to keep a javascript file in cache, which inturn functions as a cookie when used by various pages that reference it.

    Page requests cookie.js, the server then serves cookie.js with a cache expiry of a hundred years into the future, and says it hasn't changed in a hundred years either.

    Your browser caches it and then doesn't request a new copy for a 100years, why should it, it was told the file isn't going to change.

    The data in the file now serves as a unique ID which can be used to associate your browsing habits.

    THAT IS A ZOMBIE COOKIE. It has nothing to do with flash. This isn't new, a friend of mine and I discovered this years ago by accident due to a bug in a web app we were working on.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager