Zombie Cookies Just Won't Die

GMGruman wrote in to say "Microsoft embarrassed itself last week when it got caught using 'zombie cookies' — a form of tracking cookies that users can't delete, as they come back to life after you've 'killed' them. Microsoft says it'll stop the 'aberrant' practice. But Woody Leonhard says you ain't seen nothing yet. It turns out HTML5 offers a technical mechanism to give zombie cookies a new lease on life — and the Web browsers' private-browsing features can't stop them."

"Caught with hand in the cookie jar" joke here

[elrous0]

Microsoft says it'll stop the abhorrent practice

Fixed that for them.

Actually, an even more accurate quote might be:

Microsoft "says" it'll stop the abhorrent practice

Re:"Caught with hand in the cookie jar" joke here

[ThisIsSaei]

Bravo, sir.

Re:"Caught with hand in the cookie jar" joke here

[gomiam]

If aberrant is abnormal, why should they use abhorrent instead? It actually can be both at the same time, IMO.

Re:"Caught with hand in the cookie jar" joke here

[dkleinsc]

That's the whole point: GP is arguing that this sort of practice is in fact quite normal, and that Microsoft will probably not stop just because of the bad press.

Re:"Caught with hand in the cookie jar" joke here

[X0563511]

I think you meant they will "stop" the practice. And by stop, they really mean continue without remorse.

Re:"Caught with hand in the cookie jar" joke here

[LordLimecat]

Calling "placing cookies" abhorrent seems a bit over the top, no? Call me crazy, but I believe in perspective, and I would reserve "abhorrent" for such things as "mugging an old woman" or "racism".

Re:"Caught with hand in the cookie jar" joke here

[elrous0]

Calling "placing cookies" abhorrent seems a bit over the top, no?

But these are SUPER-cookies.

Re:"Caught with hand in the cookie jar" joke here

[Abstrackt]

As someone who believes in perspective, you should agree that context is very important. According to Google abhorrent is defined as "Inspiring disgust and loathing" so as far as privacy practices go, it's entirely valid to say it's abhorrent.

Re:"Caught with hand in the cookie jar" joke here

[laurelraven]

I think it calls out the fact that while Microsoft can "say" whatever they want, the question is whether they will actually do what they say.

Re:"Caught with hand in the cookie jar" joke here

[laurelraven]

Add to that, it's not just the act of "placing cookies" that's at question here: it's placing tracking cookies specifically designed to not be removable. No web site has the right to put something on my system without my knowledge that I cannot remove; it's a form of violation.

Context is important, though. You can always make an argument that you're being whiny because someone else has it worse than you. I think there is a logical fallacy in there somewhere that I'm too lazy to look up right now.

Re:"Caught with hand in the cookie jar" joke here

[hesaigo999ca]

just because they say they will does not mean they will!

Keeps the "Re-install Windows" fix alive

[billrp]

which seems to be the most common solution that's offered on fix-your-own-windows-problems forums

Re:Keeps the "Re-install Windows" fix alive

[encrufted]

Paranoid much?

Re:Keeps the "Re-install Windows" fix alive

[wvmarle]

Some 9 years ago when I was working for an ISP telephone help desk, our strategy for not working dial-up was basically as follows:

1) reboot computer. Customer usually tried that already.

2) Delete and recreate dial-up connection. Fixed 70-80% of the cases.

3) remove and re-install related network components. Fixed again some 80% of the remaining cases.

4) tell them that the solution lies in re-installing Windows but that we're not allowed to advice that (first-line help desk) nor that we provide support for that.

Re:Keeps the "Re-install Windows" fix alive

[catman]

When security is involved, the question is "are you paranoid *enough*". BTDT.

Re:Keeps the "Re-install Windows" fix alive

[couchslug]

More pocket money (and supposedly obsolete PCs) for me!

Nuke-and-pave is fast, which is all that matters.

Fixing Windows installations is like picking shit out of toilet paper. Just because you can doesn't mean you should, and you aren't likely to remove the entire "problem".

*nix fix

This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

Re:*nix fix

[camperdave]

True dat! I haven't seen a browser cookie survive a good re-partitioning and OS re-install.

Re:*nix fix

[UnknowingFool]

Well nuking something from orbit is the only way to be sure.

Re:*nix fix

[SydShamino]

Just wait until they are storing browser cookies in your laptop's battery firmware...

Re:*nix fix

[ArcherB]

This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

Rather than nuking it, why not just restore it to a previous, known good state...

rm -rf ~/.mozilla && rm -rf ~/.macromedia && cp ~/.mozillaGoodCopyWithBookmarksAndStuff ~/.mozilla -R

Re:*nix fix

[Z00L00K]

Nuke the cookie servers then.

I just wonder what would happen if the cookie info returned was just some random garbage. Time to make a plugin to Firefox to handle that.

Re:*nix fix

[elashish14]

I just link ~/.macromedia and ~/.adobe to /tmp, which is mounted in a ramdisk on my machine. I reboot it fairly often enough that I feel reasonably safe from persistent tracking.

For ~/.mozilla, I have cookies saved only until reboot except for sites like /. which I use to save logins. Also, extremely judicious use of NoScript. Not sure if it's good enough, but I don't know of anything more that can be done that isn't too heavy-handed.

Re:*nix fix

[LordLimecat]

Next up, the MBR cookie-- survives repartitioning and OS reinstall. Now with more cookie!

Re:*nix fix

[Bucky24]

I think the whole point of a zombie cookie is that it can survive the "save until reboot" option, though someone please correct me if I'm wrong about that.

Re:*nix fix

[C0vardeAn0nim0]

easy to defeat on *NIX. set ownership of ~/.adobe and/or ~/.macromedia with permission 000. presto, no flash crap stored on your computer, unless you're stupid enough to browse the web as root.

also, Samy Kamkar's "super cookie" is easy to avoid/defeat with firefox. click on the icon to the left of the URL, click "more info" then go to permissions. on "set cookies", uncheck "use default", then block. do the same for "offline storage".

leave the site (close the tab to be sure), then clean everything from the last hour on "tools/clear recent history".

Re:*nix fix

[izomiac]

On Windows and NTFS I restrict the creation of new folders in the Macromedia directories. That way, my progress in flash games can be saved, but my browsing history/cookies aren't stored for other sites. Here's a quick way to set that:

icacls "%APPDATA%\Macromedia\Flash Player\#SharedObjects\*" /Deny Everyone:(NP)(AD)
icacls "%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys" /Deny Everyone:(NP)(AD)

Afterwards, delete the folders for sites you don't care about. Technically, it looks like stuff is also stored in %APPDATA%\Adobe\...\AssetCache, but I'm not quite sure of what's there so I haven't played with it. Standard Unix Permissions let you accomplish much the same thing with other OSes, but it's not as granular.

Now, if browser makers would get on board with the concept of not saving data (e.g. cache, cookies) to disk except for whitelisted sites, then we wouldn't have so many privacy issues. This seems possible in Firefox, but less so in other browsers. IMHO it should be the default, as it improves security, privacy, consistency, reliability, and performance without sacrificing any significant functionality and only requires user intervention on a handful of commonly used sites.

Re:*nix fix

[Kral_Blbec]

It's okay. I'm secure. I don't use a Mac.

Re:*nix fix

[nahdude812]

There are several forms of 'meta cookie' which can be used to uniquely identify you, and which have nothing to do with either Flash or standard browser cookies. For example, check out Panopticlick. There are also older attacks such as history sniffing (defeated in modern browsers, but still available in the majority of active browsers). Plus there's permanently cached files (a JS file with an expiry set unreachably far in the future, with a server which responds that the file is always fresh, while the content of that file is uniquely identifiable information). DOM storage, HTML5 offline cache, and many other vectors are ways to stick information on your computer in ways you're probably not expecting.

Some sites have put together combinations of these approaches to make super cookies which are almost impossible to defeat without simultaneously erasing cache, cookies, flash cookies, all browsing history, and also making sure you're running a completely vanilla OS with a completely vanilla browser install (each addon or font, and many 3rd party programs can contribute to your fingerprint being more unique). If you have an unusual font or two installed, this all by itself can make you uniquely identifiable in a way that no level of browser scrubbing will protect you.

A "super" cookie is one where every means of uniquely identifying yourself has to be simultaneously scrubbed. If you miss even one, the rest are restored.

Re:*nix fix

[hawk]

There used to be cookie exchanges with junk buster--send your cookies in, and get a random assortment from others, instead.

Re:*nix fix

[tedrampart]

the point of linking to /tmp, means it will delete the contents during a boot.. doesnt matter wheat options are in the cookie, the os will whipe the folder clean unless you set permissions to have the file retained during a boot... unless I'm missing something?

Just Set Up VMWare

[Greyfox]

And run your browser in VMWare, and wipe the VM you run your browser in clean when you exit. Or just don't browse the web anymore, since these shady practices are devaluing the platform as a whole. Which actually might be exactly what Microsoft wants...

Re:Just Set Up VMWare

[Eponymous+Coward]

Why do advertisers on the web need to know who they are advertising to? They put ads on billboards and on television and only get a very coarse idea of who is seeing them.

Re:Just Set Up VMWare

[0123456]

I'm all for that; get rid of the adverts and charge me some small fee. I'll bet that gets rid of most of the trolls anyway.

It will also get rid of most of the users as they move to free sites or just stop wasting time on the Internet in the first place.

Re:Just Set Up VMWare

[Bucky24]

They don't, but knowing makes it much easier for them to run targeted ads. It gives them an increased possibility of a sale.

Stop blaming the Sites

And start blaming your browser. If you enable "Private Browsing", and anything lives beyond that session, it can be nothing other than a browser bug.

Re:Stop blaming the Sites

[maxwell+demon]

Flash is an external process and thus bypasses browser settings. It even works cross-browser: A "Flash cookie" (LSO) can e.g. be set in Firefox and then read in Opera.

For HTML5 features however, I have to agree with you.

Re:Stop blaming the Sites

[Hatta]

Flash is an external process and thus bypasses browser settings

So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

Re:Stop blaming the Sites

[Kunedog]

Flash is an external process and thus bypasses browser settings.

Flash is an external process and thus bypasses browser settings

So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

Re:Stop blaming the Sites

[poofmeisterp]

FlashBlock is your friend.

Unfortunately, it won't cover things in Internet Explorer (duh) or things that you actually DO want to view that use Flash.

I don't care about Microsoft doing it. If YouTube (read: Google) does it with blatant intent to steal every bit of information they can...... Oh wait, nothing will happen.

People are too addicted to the things they want and can complain until their blood vessels burst, but they'll continue to use said service.

I'm sort of wasting logical time posting this. I said what I needed to. :)

Re:Stop blaming the Sites

[BitZtream]

So the browser shouldn't load the flash plugin, problem fucking solved. Next.

Yes, it can simply refuse to load flash until a version that plays nicely is made, its not hard, in fact, its really fucking easy actually.

Re:Stop blaming the Sites

[ifrag]

So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

Or how about run Flash in a temporary VM which can be immediately destroyed on exit? If there is a way to have security and functionality I'd prefer that.

Re:Stop blaming the Sites

[asdf7890]

Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

That is why people that know what they are doing get their content for surprise birthday planning via "trusted" private trackers not flash infected websites.

Re:Stop blaming the Sites

[John+Bresnahan]

Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

I'm willing to outlaw birthdays if that's what it takes to eliminate this problem!

Re:Stop blaming the Sites

[wvmarle]

Can't Mozilla "just" sandbox Flash?

Or have it run in a chroot jail or so?

Just thinking. To keep those pieces of thoroughly misbehaving but necessary evil in line.

Re:Stop blaming the Sites

[hedwards]

Flashblock doesn't work that way, what you need is noscript. The creators of Flashblock specifically state in their FAQ that they don't block LSOs, flash cookies or swf trackers.

Re:Stop blaming the Sites

[poofmeisterp]

Thanks for the info; I'll take care of that right now. I stand corrected!

Re:Stop blaming the Sites

[Unequivocal]

Private browsing isn't so private.. http://panopticlick.eff.org/

You can be pretty thoroughly tracked as an individual without cookies at all..

Re:Stop blaming the Sites

[vlueboy]

Disabling flash for everyone on your machine is easy. Arguing with someone who uses the same PC AND/OR re-enabling it for some emergency when time is important, is hard.

And you'd be surprised how many places require it. Streetview requires it, Yahoo mail has some hidden attachment functionality, and Youtube's HTML5 video fails, and sucks when it actually FINDS any video that is available in that format... iPhones load all flash-lacking youtube videos OK, but full-size PC implementations are utterly unusable when parsing the same data, for some reason.

So we're not quite there yet. The day HTML5 comes of age as a real Microsoft standard, you can fully expect your flash-less trip will not protect you that well, and you won't be finding HTML4-only browsers on that day. Apparently HTML5 features will not be GUI-configurable, other than the html5cookie^W "persistent" storage amounts.

Re:Stop blaming the Sites

[maxwell+demon]

Read the documentation of BetterPrivacy to see the limitations. Ideally, it would offer controls on par with Cookie Monster. However, that's simply not possible with Flash cookies.

A question

[jandersen]

Is there any good reason why one would want to use HTML5 at all? I mean, as a user? So far it all seems to be negative - a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

Re:A question

[maxwell+demon]

Is there any good reason why one would want to use HTML5 at all?

At least if it's in HTML, plugins can do something against it. For Flash, there's little plugins can do.

Re:A question

[The+Moof]

a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

When Slashdot ran the article about the JavaScript + HTML5 music player, that was my first impression. I remember back when scripts reading local files was regarded as a security hole in the browser, not a "cool new feature."

Re:A question

[tepples]

Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

For one thing, the video, audio, and canvas elements mean not having to deal with Adobe's (historically?) inefficient and security-defective software. For another, CACHE MANIFEST and localStorage allow using a subset of a web application offline for a short period, such as on your laptop while riding the bus, while ceding less control over your system than you would if you were to install a native application.

Re:A question

[BitZtream]

Really? A plugin can't just go around watching the flash directory and wipe out files as they are created?

Its not really that hard. Its a hack, but its entirely doable.

I swear to god, people have no creatativity when it comes to solving problems on computers these days.

Re:A question

At least for the video and audio, both Flash and HTML5 are functionally inferior to just <a>'s to files. Windows Media Player can even stream such files without a problem. The only reason website developers want to use Flash is because it makes it hard (for the average user) to save the file locally, while in WMP that's just one click away.
Canvas as a replacement for Flash animation is not nearly fast enough yet; Brackenwood cannot, at least for the moment, be achieved with HTML5 canvas.

From the end-user's perspective, it would have been better if HTML5 had never been thought up, but it wasn't thought up for the end user. If browser vendors were serious about serving end users, they'd make all cookies opt-in by default, and similarly for HTML5 local storage and possibly even the browser cache (which is in essence a kind of local storage anyway).

Re:A question

[Anonymous+Brave+Guy]

Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

That's a very fair question, but it's a slightly loaded one. As a user, there is little benefit to any particular web technology, whether it's HTML, CSS, JavaScript, Flash or anything else. As a user, what you care about is results. However, those results depend on what developers can build, typically within a certain amount of time and budget.

If you have new technologies that allow developers to do new things, and those things benefit the user, then the user wins. However, if you have new technologies that allow developers to do old things in newer, easier, faster ways, and those things benefit the user, then the user also wins, particularly if it becomes viable for developers to make something useful in a cost-effective way when they could have done it before but didn't because it was too expensive in some respect.

And from that point of view, HTML5 tools like canvas and media tags are a big step up for some jobs over using something like Flash or Java applets.

That said, I strongly agree that browsers shouldn't be ceding any sovereignty over their users' systems to remote code by default.

And that said, the most devious tracking mechanism I have yet encountered didn't rely on any sort of cookie/local storage technology. It was essentially based on how various web-related protocols handle caching, it's hard to defeat without getting rid of caching, and you really don't want to get rid of caching. It is possible for browsers to avoid falling into the trap, and now that the attack vector has been identified I expect they'll do something about it.

Then again, as you read this your browser is probably advertising an almost unique fingerprint that could track you anywhere on the Web without storing anything on your machine at all, every time it sends request headers, and despite this being a well-known problem for quite some time, the browser developers haven't done much about it yet. Until they do, fighting against tricky little local storage vectors is hitting the 1% problem, not the 99% problem...

Re:A question

[jonadab]

In a word, no.

The most common argument in favor that I've heard is "it's more open", which is of course nonsense. (XHTML is every bit as open as HTML5.)

The secondary argument is that it lets you do stupid junk like embed a video in a web page (instead of just linking to the video file and letting the user click it and open it in their preferred media player, like a sane person would prefer to do). This argument is at least coherent, in that HTML5 actually does provide said functionality; it just doesn't seem like a *positive* thing to me.

So, to me, HTML5 seems like a step in the wrong direction.

Re:A question

[tlhIngan]

Is there any good reason why one would want to use HTML5 at all? I mean, as a user? So far it all seems to be negative - a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

As opposed to now, where the user doesn't have control over Flash? Sure Adobe's FINALLY added the ability to clear Flash cookies - after how many years of every browser supporting it?

If you're a geek, HTML5 lets you have fine control over everything - if you don't want to run Javascript from a specific domain, you don't have to. If you want to block a site from leaving a cookie, you can (Flash is particularly bad here, as it's either "all cookies", "no cookies" or ask.).

WIth Flash, you're ceding control to a third party plugin which can do anything it wants - browser settings be damned. With HTML5, the browser is the ultimate authority of what can and cannot be done. If you're a control freak, it's a good option to have.

And heck, a browser can clear cookies and offline cached data after quitting. Can't really say the same for Flash (and I believe to clear cookies requires visiting Adobe's page for some reason).

Re:A question

[hedwards]

Better privacy does that, but anything that does this is going to be limited in scope. It gets really tricky to figure out which ones to allow during a session. Wiping them out when you close the browser does nothing for short term tracking while you serf, but it does limit the long term spying.

Better than nothing, but not good enough.

Re:A question

[Calos]

I agree.

I disable images in all of my browsers, and open them up in my image viewer of choice, like any sane person would prefer to do.

I also occasionally use a Python script to fetch webpages for me, pull out the body text and save it so that I can read it in my text editor of choice. Like any sane person would prefer to do.

Re:A question

[_0xd0ad]

I have BetterPrivacy configured to delete all flash cookies that haven't changed in the last 20 minutes. The only time I had a problem with it was in an online training app that used Flash and stored its progress in a flash cookie. I added an exclusion for it and had no further problems.

Re:A question

[Calos]

And just to clarify, that second one wasn't to address you point, but your manner of making it. Just because someone doesn't have the same preference as you, does not make them insane.

Re:A question

[Unequivocal]

Double plus on your last paragraph -- browser headers are really really unique at this point: http://panopticlick.eff.org/

Using cookies is just simpler for advertisers, but banning those on the client without enforcing some "do not track" at the supplier end won't solve the problem. They'll just move to browser headers..

Re:A question

[Opyros]

while you serf

Freudian slip?

Re:A question

[jonadab]

That's nonsense. Images and text are two-dimensional content that you scroll through and read. They go together and (if the page is at all well designed) complement one another. The user scrolls through them together and views them together, at the user's pace. It actually works pretty well.

Video, on the other hand, has (one could even say it is dominated by) a time dimension that is at odds with the user's ability to read and scroll. This makes embedded video extremely inconvenient for the user, because the video is trapped in the context of a web page where it doesn't really fit -- it nearly ALWAYS takes a different amount of time to watch the video than it takes to view the surrounding page. Furthermore, videos don't need external captions and explanations like two-dimensional images so often do. Taking an image out of the context of the web page often makes it less interesting or harder to understand, but the same is not true of video. I have never seen an example of a video embedded in a web page where remaining in the context of the page added ANY value whatsoever to the video. Ever. In every single case I have ever seen, the video would have been just as informative and understandable and more convenient for the user if it were freed from the page and opened up in a video player app separate from the browser window.

(Yes, I realize this is not the most popular view. I also consider browser plugins like Java and Flash to be a fundamentally bad idea. I blame Netscape, although of course none of the major tech companies are entirely without fault when it comes to finding various ways to make the web harder to use. But Netscape also gave us window.open() and the blink tag, among other things, so their sins are particularly egregious.)

No problem

[maxwell+demon]

The "standard" Firefox plugins already take care of it.

No DOM storage without JavaScript, no Flash cookies without Flash -> NoScript
Most tracking cookies come from ad networks -> AdBlock Plus
Most tracking cookies come from third party domains -> RequestPolicy.
And if you get one anyway, you can also get rid of it -> BetterPrivacy.

Re:No problem

[geminidomino]

Add in PasswordMaker to that list and you've pretty much summed up why I can never leave Firefox, no matter how batshit-loco the design team gets. :(

Re:No problem

[ThatsNotPudding]

And how many of those will get perpetually broken by Mozilla adopting speed-of-light updates?

Re:No problem

[marcosdumay]

Konqueror + KDE wallet are missing "only" NoScript.

But the KDE combo has Kget, what, now that the Firefox is so braindead at downloading things, is quite usefull.

Re:No problem

[geminidomino]

Does KDE Wallet generate passwords programatically, without the user getting involved (other than asking it to. PasswordMaker is nice like that. Right-click->"Populate this field" and done).

Might be worth looking into, though I spend more time working on Windows lately...

Re:No problem

[maxwell+demon]

Okay, I just disable cookies completely in Firefox and explicitly allow the sites that need them for a purpose I agree with.

The point of those supercookies is that this isn't sufficient.

It's nothing new

[badzilla]

HTML 5 local storage worries the hell out of me. It's nothing new though because Microsoft has had an almost identical "userdata persistence" feature since forever. Try this link in IE browser http://samples.msdn.microsoft.com/workshop/samples/author/persistence/userData_1.htm

Re:It's nothing new

[Dracos]

And when everybody freaks about LocalStorage and the browsers hamstring or disable it, the trackers will just fall back to using the HTML5 ping attribute which is near perfect for tracking people without cookies. It's one of the many reasons why HTML5 is broken and flawed, but nobody seems to care when there's video, audio, and canvas elements. The only inarguably good thing about HTML5 is the forms improvements.

Re:It's nothing new

[AliasMarlowe]

HTML 5 local storage worries the hell out of me. It's nothing new though because Microsoft has had an almost identical "userdata persistence" feature since forever. Try this link in IE browser http://samples.msdn.microsoft.com/workshop/samples/author/persistence/userData_1.htm

Yet another reason to avoid IE, even in its newer (differently-evil) incarnations.

Re:It's nothing new

[Voline]

HTML 5 local storage worries the hell out of me.

Me, too. Safari has an "Advanced Preference" for "Database Storage" to allow "none before asking". I always say "no". But so far only Twitter's website wants to store data on my machine.

Chrome and Firefox don't seem to have a similar preference. I see reference to cache but not local storage or database storage which I think are the relevant terms, here.

Re:It's nothing new

[vlueboy]

What I find completely wrong is that all these features are being added and almost NONE are being balanced by a nice control GUI. They just throw the storage into a random place, like the below commenter's persistence tab being under Advanced \ Networks in FF (3.6.10 here worked as well as his 6.x build, BTW)

Browsers do not have a standard set of things to block; blink tags were the first warning that very few users even in open-source browsers would probably benefit from a very fine-grained advanced section. I don't know what we're going to do when we get our wishes granted and Flash goes extinct; I can turn flash off, but see no efforts to selectively disable canvas, or even CSS attributes. Being forced to turn off stylesheets just to turn of a particular feature drives home the point that "full blast AND OFF" is a lazy programmer-thought solution to everything this day.

I'm just waiting for the day there's an HTML5 checklist where I can turn stuff off that I don't like. Opera has a very detailed but obscure page akin to FF's about page, with explanations and all. The downside is that you can't know whether features there are browser-specific or HTML5 specific, but I really liked long descriptive lines as opposed to FF's cryptic Registry-like entries. Any setting that is hidden until you create a new key is just asking for obscurity. I just hope FF can copy from Opera's book and provide some sort of in-line string for every option available by default instead of having me google the option and investigave what is relevant for MY particular release.

Huh?

[The+MAZZTer]

OK so the article cites localStorage as a problem, but Chrome at least treats it the same as cookies when clearing private data, and in incognito it shouldn't persist localStorage data across sessions (not sure about other browsers).

It also mentions that MS was sticking a JS file in the browser cache to recreate a cookie. This doesn't make sense since any file removed from the cache is just redownloaded, unless a custom version of the JS file is crafted for every client and is set to create a specific cookie value (but this isn't clarified in the article). But it sounds more like ETags are used, having nothing to do with the JS file being cached or not. I'm not sure how ETags work but I can't imagine they would be effective in incognito mode either since cache is never kept (and the article infers this is necessary).

Did I miss anything?

Re:Huh?

It sounds like they generate a new js file every time it is served, but tell the browser that it can be cached for a long time, while at the same time claiming that it hasn't been modified in years so a new one won't be requested (with a new unique value).

The main problem I see with this approach is that a squid proxy for a school or other large organization would cache this js file and then feed it to everyone in the organization. Now you might have hundreds or thousands of people with a single id. This would be counter productive for Microsoft, but maybe worth it on the whole.

Before you say there is some value in linking all of these people - they were probably already linked by using the same ip address to begin with (the same squid cache).

ZOMBIE BROWSERS

[roman_mir]

I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

On the other hand you, as a user, are clearly not the customer of a browser developer company. The customers seem to be the advertisers, CAs, anybody that wants to control what you are doing. You, as a user, are a product. We used to say this about FB and such, but isn't this also true about browsers?

There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there. If this is not clear to the browser developers then there will be more forks built that will be Freer for the users, but there also maybe something else done, like a VM to control all of this run away software. Start it in a VM and when you are done, kill that VM and there is no cookie.

Re:ZOMBIE BROWSERS

[geekmux]

I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

From tablets to cell phones, tell me something I don't know. A lack of control down into the lower levels of these types of devices has been lacking for some time now.

There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there...

Uhhh, yeah..which is exactly their intent with this design. In much the same way that human voice interaction is dying, so is the "personal" computer. What the hell do you need "flexibility" for when every device will be reduced to a pseudo-tablet in the near future, with everything moving to the "cloud"? Allow the functionality, introduce multiple attack vectors and nightmares for support. Lock it down, and you piss off the user community who gets pissed off every time they get a virus or malware infection. Of course, they got infected because they want flexibility.

Since we already know why you should draw a line, the question is where do you draw the line.

Re:ZOMBIE BROWSERS

[poofmeisterp]

You're 100% correct.

enableHumor();

Let me ask the question that creates a loopback to itself over and over (especially in the USA): "Where do I $BUY$ the browser that doesn't allow any of this and enables me to view an ad-free Internetzzz?"

"Wait, you meant that only YOUR ads wouldn't show? But your advertisement said your browser blocked advertisement if I bought it! Weird wording sold your product, you crafty people, you. Okay, so how do I get a version that really blocks all ads? Oh, an add-on. Weird installing an 'add-on' to block 'ads', but okay... Wait, the add-on isn't compatible with the version I bought??? So what do I do now? I need help because I'm a stupid person that can't figure all of this stuff out. Oh, I $BUY$ your next version and that will let me add this add-on ad-blocking addition? What's that? Your new version is available TODAY? Sweet. I NEED it TODAY! I'll $BUY$ it now!!! Alright, I bought it. Now how to I add the add-on? You don't recommend it? Well, I'll add it on anyway. Okay, it's added on and the ads are blocked. WAIT, they're blocked to your competitors and a few other entities of your own choosing only? Why did I $BUY$ this? Oh, no! I'm so disappointed. I guess I'll just call my lawyer and see what they have to say about this because that's all I know how to do to make it in this world." :)

why I use Linux

[JustNiz]

Microsoft disgust me. After decades of this sort of deceitful behaviour, it is evidently still too much to expect Microsoft to actually do the 'right thing' in the first place.

Even without any sort of ethics, they're also too stupid to actually learn their lesson that all these scams that Microsoft repeatedly perpetrate on their own customers always eventually get discovered and backfire with far more loss of face and therefore sales than presumably they gain from doing the thing in the first place.

Re:why I use Linux

[d.the.duck]

That would make you an imbecile. There is a superior product but I refuse to use it because of the user base. I guess you aren't using any OS then.

Re:why I use Linux

[d.the.duck]

Don't get your undies in a bundle Sally. I wasn't referring to this particular subject at all. The poster implied that the only reason he doesn't use Linux is because of people like the original poster (also somewhat implying that he accepts that Linux is superior). My example was that if there is a superior product, if you would choose not to use it because of the users of the product, that would make you an imbecile. My last comment was to point out that there are idiots among all operating systems therefore one should not judge the OS by it's user base. So, count to 10, take some Pamprin and have a little lie-down.

Speking of abhorrent...

[kaizendojo]

Why is it that the only company mentioned here is Microsoft, when in fact the original research article shows this to be a lot more wide spread by some big names - none of which were mentioned here. From the Stanford article (http://cyberlaw.stanford.edu/node/6695): "We also examined a series of URL lists (spreadsheet) that contain 15,511 entries. The URLs and interest segments range greatly. Some URLs are for a landing page; others are for a specific page. Some interest segments are broad; others are fine-grained. A few example segments:


Segment 758: discount sites including Groupon and eBay Daily Deals Segment 876: sites about coffee, including Dunkin' Donuts, Folgers, and Starbucks Segments 984-989: home improvement sites including Home Depot and Grainger Segment 2701: pages about the Ford Fiesta Several interest segments are highly sensitive:

Segment 760: pages about getting pregnant and fertility, including at the Mayo Clinic Segment 2640: pages about menopause, including at the NIH and the University of Maryland Segment 2014: pages about repairing bad credit, including at the FTC Segment 2265: pages about debt relief, including at the FTC and the IRS"

Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed? That we we can all be aware of just how widespread an issue this is instead of just another "Microsoft is Evil" piece.

Re:Speking of abhorrent...

[Tim+C]

Actually, nobody said anything about anything abhorrent, the word used was aberrant. Of course if they had done as you ask, that really would be aberrant behaviour round here...

Re:Speking of abhorrent...

[poofmeisterp]

Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed?

Indirect quote (*snort*):

*temper tantrum*
"Because there's no ca$h in that!!!! I want money and I'm gonna say what I want to get that from you, you person who is easily deceived by want, you. My daddy taught me that!" :)

Re:Wrong Name

[Opportunist]

Then it would at least stay dead for three days.

private-browsing features can't stop them

[Ex+Machina]

Can't you setup browsers to prompt to create local storage?

Extreme measures?

[neokushan]

A lot of commenters here seem to be taking what I would consider as extreme measures in order to avoid these cookies. Running your browser in a VM which resets each time you close it? Installing numerous addons (I see someone listed 4 you need to install to cover yourself)? Does anyone else not think that perhaps instead of avoiding the issue, it should be tackled head on?

What I mean is - if this is such a serious issue, why are we standing by just letting it happen when we could be petitioning the various standards committees, plugin developers and browser manufacturers to do something about it? The so-called zombie cookie (or Supercookie) exists because we let it exist. It's clearly an exploit in the way various technologies work together and it should be treated as such, i.e. patched until it can't be done any more.

Furthermore, any company that uses this tactic should be taken to court since it's a clear and deliberate violation of privacy. I.e. if I decide to delete a cookie, I'm making it explicitly clear that I want it gone - I'm opting OUT, so keep it that way.

Re:Extreme measures?

[PPH]

And not every web site is run by a law abiding or standards compliant entity (company or individual). Or an entity within our legal jurisdiction. I mean, look at the problems we had getting people to adopt the evil bit standard.

Re:Extreme measures?

[Tailhook]

why are we standing by

Self interest explains this. If cookies cease to `work' for the purposes of the ad networks then they'll make sites cease to work for those of us that thwart them. They're footing the bill for a lot of the `Internet', including the site you're reading now, so they call the shots. Since cookies still work for their purposes I get what I want with little bother, while everyone else has their every click correlated to their profile.

I don't want some grand solution that puts everyone at parity with me, because then I'll have to put up with what everyone puts up with. So stop talking about BetterPrivacy, NotScripts, etc. You're not helping.

Problems with HTML5

[Toonol]

I'm mostly glad to see the implementation of HTML5 everywhere, but it has some problems.

People thought that you could get rid of a lot of annoyances by increasing HTML5's capabilities to become more on par with Flash. Flash could be ditched. However, all it really means is that all the nuisances that were made in Flash (animated and noisy ads, commercials, persistent cookies, etc.) will now be made in HTML.

Flash wasn't really the problem... it was just one of the vectors FOR the problem. Now, HTML5+Javascript will take Flash's place in the eyes of marketers and spammers everywhere.

Re:Problems with HTML5

[BitZtream]

This has absolutely 0 to do with HTML5 and works in any browser since (and including) Netscape Navigator.

It does not however get around private browsing (at least not by itself, current flash implementations would allow it to do so however)

Re:Wrong Name

[Dracos]

No functional difference there.

"zombie cookies" means Flash cookies

[Sloppy]

Can't you setup browsers to prompt to create local storage?

The article does a major disservice to everyone (and I wish we could mod it down) by making up the term "zombie cookies." This new bullshit term hides what's going on and makes us all a little bit stupider. All I have to do to answer your question, is tell you what the article is really about. Instead of making up a bullshit term to confuse you, I'll use a descriptive term.

Ready?

Flash Cookies. The article is about websites caught using Flash cookies instead of browser cookies.

See, asshole-who-wrote-the-article, that wasn't hard. Flash cookies. Now instead of misleading people into thinking their browsers have a problem with cookies and other local storage, people see that the real problem they have with their browsers is plugins, which allows them to run native code that totally bypasses all the browsers' policies.

Flash cookies. Watch all the questions disappear .. but oops .. all the traffic to the fucking article disappears too, since people don't have to click through, read the first article that makes the weird reference to zombies, then click through to another article that explains WTF "zombie cookies" are about.

Slashdot should not have linked to this piece of shit.

Re:"zombie cookies" means Flash cookies

[macshit]

Flash Cookies. The article is about websites caught using Flash cookies instead of browser cookies.

See, asshole-who-wrote-the-article, that wasn't hard. Flash cookies.

Soooooo, can't you just delete the Flash cookie directory? That seems like it'd nuke 'em pretty good...

Re:"zombie cookies" means Flash cookies

[Inda]

TFA was also talking about HTML5 and its ability to perform local storage.

Was the article that shit? Have I really been duped? Twice?

Re:"zombie cookies" means Flash cookies

[BitZtream]

It actually wasn't about flash cookies.

It was about using browser cache as storage medium by doing some neat tricks on the server to get the browser to keep a javascript file in cache, which inturn functions as a cookie when used by various pages that reference it.

Page requests cookie.js, the server then serves cookie.js with a cache expiry of a hundred years into the future, and says it hasn't changed in a hundred years either.

Your browser caches it and then doesn't request a new copy for a 100years, why should it, it was told the file isn't going to change.

The data in the file now serves as a unique ID which can be used to associate your browsing habits.

THAT IS A ZOMBIE COOKIE. It has nothing to do with flash. This isn't new, a friend of mine and I discovered this years ago by accident due to a bug in a web app we were working on.

Re:"zombie cookies" means Flash cookies

[the_humeister]

Why not just clear the cache every one in a while then?

Re:"zombie cookies" means Flash cookies

[Pionar]

Can we mod this down, please? It's completely wrong, The Microsoft thing has nothing to do with Flash cookies.

Re:"zombie cookies" means Flash cookies

[0123456]

I set my cache to /tmp/mozilla-cache, so it automatically gets deleted every time I reboot. Same for Flash crap.

Re:"zombie cookies" means Flash cookies

[the_humeister]

For Flash, I set my ~/.macromedia directory to /dev/null

Re:Wrong Name

[AliasMarlowe]

If they'd just called it a "Jesus Cookie" no one would be complaining.

Then it would at least stay dead for three days.

And bugger off permanently after another 40 days or thereabouts.

Make your own supercookie

[watermark]

This reminded me of an old Slashdot article about Evercookie http://samy.pl/evercookie/

Diff?

[fuzzyfuzzyfungus]

Please correct me if I am wrong on this; but it would seem that, in principle, it would be quite tractable to generate a 'local persistence profile' tracing the activity generated by loading a URL as a series of addition, deletion, and modification operations to the state that existed before the URL was loaded(in the same way the various browsers' dev tools allow you to trace the network activity and script execution associated with loading a URL). With that, the user would have broad power(limited largely by their desire not to wade through a massively complex interface) to immediately roll back all changes made on exit, on leaving the site, or on some schedule. Wrapping that in an interface simple enough to be used and powerful enough to be useful would be a bit tricky; but you'd have an extremely granular revision-control style record to work with, which would make adding a few basic features comparatively simple(ie. "All changes that occur when running in Porn Mode are reverted on exit" or "all changes that occur when I load evil.com are reverted when I navigate away from evil.com".)

It would even be doable, probably through the use of site-specific addons developed by the knowledgable, to selectively roll back certain changes but not others(ie. if webmailfoo writes a cache of my last 30 days of email to a local store, I don't want to roll that back; but I do want to roll back the changes made by the fooad network...) or even to programmatically modify locally stored data(that aren't cryptographically signed, or otherwise protected from any tampering other than deletion...)

The local threat certainly isn't getting any easier or less complex; but it is, at least, a software problem. It's the remote threat that you really have to worry about. Covering your tracks against a reasonably smart remote agent turns out to be pretty difficult, and you can't(legally) just go and purge their systems.

Cool new feature vs. security hole

[tepples]

I remember back when scripts reading local files was regarded as a security hole in the browser, not a "cool new feature."

When the user explicitly consents to use of a specific local file or folder, it's a "cool new feature". When the user does not consent, it's a "security hole". Think of it as like a file upload control in an HTML form, but it works even when a web application is running offline from cache.

Re:Cool new feature vs. security hole

[The+Moof]

You need go back before Firefox (or Firebird, or Phoenix) existed, before the term "Web Applications" was coined, and AJAX was still a Microsoft proprietary technology in IE 4.0 called MSXML. Back then you couldn't touch the file input contents until it was posted back to the server since it was considered a security risk.

As for what I was referring to, it wasn't using an offline cache for its web application. The media player had a file input form element (what you called a 'file upload control') that read the file contents off your drive when you selected one from the file dialog. No posting back to the server or submitting the form was required, just simply picking a file.

Re:Cool new feature vs. security hole

[tepples]

before the term "Web Applications" was coined

Is there a date for that? eBay has always been a web application even before JavaScript postbacks were popular.

Back then you couldn't touch the file input contents until it was posted back to the server since it was considered a security risk.

The perceptions and uses of the web have changed so much over the past few years that I forget why they considered it such. But nowadays people rely on less jarring transitions between online use and offline use, especially on laptops and tablets, and JITs have made JavaScript at least speed-competitive with Java if not C++.

The media player had a file input form element [...] that read the file contents off your drive when you selected one from the file dialog. No posting back to the server or submitting the form was required, just simply picking a file.

And the key point is that the user explicitly consented to the use of the chosen file, therefore not a real security risk.

Re:Cool new feature vs. security hole

[thejynxed]

Unfortunately, with JavaScript and HTML5, it's trivial to do it WITHOUT the consent of the user.

That's the issue.

Re:Cool new feature vs. security hole

[tepples]

Unfortunately, with JavaScript and HTML5, it's trivial to do it WITHOUT the consent of the user.

Could you please explain further, or at least give me some web search keywords to go on?

Re:Cool new feature vs. security hole

[thejynxed]

JS injection to HTML, such as performed by many JavaScript Trojans such as JS.Gumblar. Where Gumblar was mainly restricted to redirects, downloading and execution of encrypted malicious executable files, etc, the ball changes with HTML5, which by design, gives unfettered access to certain storage areas, etc on your system via your browser. Modify, Delete, etc type of access.

Now we'll have something that can pull as well as push and execute, and won't require your permission to do so, especially since with HTML5, there are currently no plans to even allow end-users to customize any of the settings.

Imagine this: In Win7 for instance, by default most programs trigger UAC at some point if they want to change something. Read and Copy however, is not even questioned by default UAC settings. Some execute functionality is also not questioned.

Scripting something malicious to play a "video" or "mp3" in Windows Media Player (which by default after all of these years, still for some reason trusts unknown content to execute scripts, etc), is probably a trivial exercise. I also imagine something will be scripted to exploit installed plugins in conjunction with this, so if the computer say, has Flash Player, but not Windows Media Player, it will still have an avenue to do naughty things.

I can see privilege escalation exploits could also tie in heavily, to try and access say, System32 in Win7.

Don't know about HTML5, but...

[marian]

I just change the permissions on my cookies file to read only.

To manage localStorage in Firefox 6

[tepples]

To manage localStorage in Firefox 6, open the Options and go to Advanced > Network > Offline Storage.

Re:To manage localStorage in Firefox 6

[Voline]

Excellent. Thank you.

Fake Cookies

[retroworks]

Invisibility is futile. We need fake cookies, or randomly collected cookies, so that the advertising value of a cookie falls, i.e. "information inflation". Sure, Vehix knows now that I was car shopping, but what if EVERYONE had a copy of the Vehix search on their Html? What if in addition to the car I was really searching for, my browser held a record of every other car I wasn't interested in? Why can't we just run a random program, searching for random words, in the background, loading up on Zombie cookies from everywhere? "I'm Spartacus" http://retroworks.blogspot.com/2010/09/simpler-ideas-cookie-camouflage-digital.html

Re:Fake Cookies

[catmistake]

something like this?

if major browsers were forced to add this feature, the tiny background randomizing auto browser baking cookies at incomprehensible rates... I wonder what the demographics would be understood as by trendspotters... would anyone notice?

Re:Fake Cookies

[retroworks]

Wow. Yes, a lot like that. I'm not worthy.

Re:Wrong Name

[Opportunist]

Well, maybe so, but the idiots that clicked his link and got infected by his trojan will keep filling your firewall log.

Greasemonkey can do it

[WebManWalking]

Greasemonkey is a plug-in for Firefox that allows automatically executing your own scripts whenever you go to URLs that match a given pattern. You could easily write a script that looks at document.cookie and alters whatever cookies it sees. The only hard part would be deciding which cookies to overwrite, and how.

Use cases unhandled by <a> elements alone

[tepples]

At least for the video and audio, both Flash and HTML5 are functionally inferior to just <a>'s to files.

I see three advantages of Flash or HTML5 to providing links that an end user must play manually. How would you solve these use cases with just <a>'s?

• A web site can verify that the user agent has presented the entirety of one video before offering the link to another video. The advantage to the user is that the user can watch a message from a sponsor instead of providing payment details and paying for each view.
• A web site can add synchronized annotations made by other users.
• A web-based video game can play sound effects or music synchronized to events in the game.

The problem isn't as complex as it sounds.

[idbeholda]

All we have to do is shoot the zombie cookies in the head. If we take out the brain, we take down the ghoul.

Re:Use cases unhandled by elements alone

[vlueboy]

I'll put on my user hat for a sec, so it will sound harsh, but Joe User doesn't care:

How would you solve these use cases with just <a>'s?
a) A web site can verify that the user agent has presented the entirety of one video before offering the link to another video.

Joe User: Not our problem. 10 years ago websites gave me all videos at and I could play and replay at my leisure. What's different now? [yeah, I know, bandwidth abuse, but still Joe User sees no benefit from the business implementation side of things and just clicking on the next link 100 times is still easier than paying a single dollar. Isn't that how Joe User leeches specific porn online?]

b) The advantage to the user is that the user can watch a message from a sponsor instead of providing payment details and paying for each view.

Joe User: I heard that the internet is supposed to be a place for sharing. Why do I need to "pay" anyone for goods I can find elsewhere for free? I can do just that to find ALL my music and videos for free, so I don't care about this one greedy "sponsor"

Re:Use cases unhandled by elements alone

[tepples]

What's different now?

A decade ago, ISP-provided web hosting and banner-supported web hosting came with 0.005 GB of space. A decade ago, we were in the dot-com crash. A decade ago, broadband was an experimental, expensive technology, and there weren't enough viewers of bootleg online videos to have a noticeable effect of the use upon the potential market for or value of the copyrighted work. The entertainment industry was still fighting things like Napster and WinMX, which were used more often for single songs rather than albums or movies.

Joe User sees no benefit from the business implementation side of things

Joe User sees that videos are available on the Internet as opposed to not available on the Internet.

Preventing the content from persisting on disk

[forrie]

I would use DeepFreeze by Faronics which would ensure that a reboot would clean out any crap that may have been written to the disk. Simple. We use that were I work for student systems, Macs, PCs, and Linux. The downside is any persistent cookies you *do* need will be lost also. But if you're that concerned about being tracked, it's a fair trade off.

No invocations to these APIs occur silently

[tepples]

I read about Gumblar on Wikipedia. It appears to spread from an infected desktop PC to a web site by looking for saved FTP passwords and uploading itself. Ouch.

HTML5, which by design, gives unfettered access to certain storage areas, etc on your system via your browser.

Unfettered how? I thought access through <input type="file"> was limited to files that the user chose through an "Open" or "Save As" file chooser dialog presented by the system. From the File API spec: "The user is notified by UI anytime interaction with the file system takes place, giving the user full ability to cancel or abort the transaction. The user is notified of any file selections, and can cancel these. No invocations to these APIs occur silently without user intervention."