Slashdot Mirror


Zombie Cookies Just Won't Die

GMGruman wrote in to say "Microsoft embarrassed itself last week when it got caught using 'zombie cookies' — a form of tracking cookies that users can't delete, as they come back to life after you've 'killed' them. Microsoft says it'll stop the 'aberrant' practice. But Woody Leonhard says you ain't seen nothing yet. It turns out HTML5 offers a technical mechanism to give zombie cookies a new lease on life — and the Web browsers' private-browsing features can't stop them."

34 of 189 comments

  1. "Caught with hand in the cookie jar" joke here by elrous0 · · Score: 4, Funny

    Microsoft says it'll stop the abhorrent practice

    Fixed that for them.

    Actually, an even more accurate quote might be:

    Microsoft "says" it'll stop the abhorrent practice

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:"Caught with hand in the cookie jar" joke here by dkleinsc · · Score: 3, Insightful

      That's the whole point: GP is arguing that this sort of practice is in fact quite normal, and that Microsoft will probably not stop just because of the bad press.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    2. Re:"Caught with hand in the cookie jar" joke here by X0563511 · · Score: 2

      I think you meant they will "stop" the practice. And by stop, they really mean continue without remorse.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  2. Keeps the "Re-install Windows" fix alive by billrp · · Score: 4, Insightful

    which seems to be the most common solution that's offered on fix-your-own-windows-problems forums

    1. Re:Keeps the "Re-install Windows" fix alive by couchslug · · Score: 2

      More pocket money (and supposedly obsolete PCs) for me!

      Nuke-and-pave is fast, which is all that matters.

      Fixing Windows installations is like picking shit out of toilet paper. Just because you can doesn't mean you should, and you aren't likely to remove the entire "problem".

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  3. *nix fix by Anonymous Coward · · Score: 2, Insightful

    This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

    1. Re:*nix fix by camperdave · · Score: 2

      True dat! I haven't seen a browser cookie survive a good re-partitioning and OS re-install.

      --
      When our name is on the back of your car, we're behind you all the way!
    2. Re:*nix fix by ArcherB · · Score: 2

      This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

      Rather than nuking it, why not just restore it to a previous, known good state...

      rm -rf ~/.mozilla && rm -rf ~/.macromedia && cp ~/.mozillaGoodCopyWithBookmarksAndStuff ~/.mozilla -R

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    3. Re:*nix fix by Z00L00K · · Score: 3, Insightful

      Nuke the cookie servers then.

      I just wonder what would happen if the cookie info returned was just some random garbage. Time to make a plugin to Firefox to handle that.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re:*nix fix by LordLimecat · · Score: 2

      Next up, the MBR cookie-- survives repartitioning and OS reinstall. Now with more cookie!

  4. Stop blaming the Sites by Anonymous Coward · · Score: 4, Insightful

    And start blaming your browser. If you enable "Private Browsing", and anything lives beyond that session, it can be nothing other than a browser bug.

    1. Re:Stop blaming the Sites by maxwell demon · · Score: 4, Informative

      Flash is an external process and thus bypasses browser settings. It even works cross-browser: A "Flash cookie" (LSO) can e.g. be set in Firefox and then read in Opera.

      For HTML5 features however, I have to agree with you.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Stop blaming the Sites by Hatta · · Score: 3, Insightful

      Flash is an external process and thus bypasses browser settings

      So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Stop blaming the Sites by Kunedog · · Score: 2

      Flash is an external process and thus bypasses browser settings.

      Flash is an external process and thus bypasses browser settings

      So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

      Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

    4. Re:Stop blaming the Sites by John Bresnahan · · Score: 2

      Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

      I'm willing to outlaw birthdays if that's what it takes to eliminate this problem!

    5. Re:Stop blaming the Sites by Unequivocal · · Score: 2

      Private browsing isn't so private.. http://panopticlick.eff.org/

      You can be pretty thoroughly tracked as an individual without cookies at all..

  5. A question by jandersen · · Score: 3, Insightful

    Is there any good reason why one would want to use HTML5 at all? I mean, as a user? So far it all seems to be negative - a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

    1. Re:A question by The Moof · · Score: 2

      a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

      When Slashdot ran the article about the JavaScript + HTML5 music player, that was my first impression. I remember back when scripts reading local files was regarded as a security hole in the browser, not a "cool new feature."

    2. Re:A question by tepples · · Score: 2

      Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

      For one thing, the video, audio, and canvas elements mean not having to deal with Adobe's (historically?) inefficient and security-defective software. For another, CACHE MANIFEST and localStorage allow using a subset of a web application offline for a short period, such as on your laptop while riding the bus, while ceding less control over your system than you would if you were to install a native application.

    3. Re:A question by Anonymous Brave Guy · · Score: 4, Insightful

      Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

      That's a very fair question, but it's a slightly loaded one. As a user, there is little benefit to any particular web technology, whether it's HTML, CSS, JavaScript, Flash or anything else. As a user, what you care about is results. However, those results depend on what developers can build, typically within a certain amount of time and budget.

      If you have new technologies that allow developers to do new things, and those things benefit the user, then the user wins. However, if you have new technologies that allow developers to do old things in newer, easier, faster ways, and those things benefit the user, then the user also wins, particularly if it becomes viable for developers to make something useful in a cost-effective way when they could have done it before but didn't because it was too expensive in some respect.

      And from that point of view, HTML5 tools like canvas and media tags are a big step up for some jobs over using something like Flash or Java applets.

      That said, I strongly agree that browsers shouldn't be ceding any sovereignty over their users' systems to remote code by default.

      And that said, the most devious tracking mechanism I have yet encountered didn't rely on any sort of cookie/local storage technology. It was essentially based on how various web-related protocols handle caching, it's hard to defeat without getting rid of caching, and you really don't want to get rid of caching. It is possible for browsers to avoid falling into the trap, and now that the attack vector has been identified I expect they'll do something about it.

      Then again, as you read this your browser is probably advertising an almost unique fingerprint that could track you anywhere on the Web without storing anything on your machine at all, every time it sends request headers, and despite this being a well-known problem for quite some time, the browser developers haven't done much about it yet. Until they do, fighting against tricky little local storage vectors is hitting the 1% problem, not the 99% problem...

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:A question by Unequivocal · · Score: 2

      Double plus on your last paragraph -- browser headers are really really unique at this point: http://panopticlick.eff.org/

      Using cookies is just simpler for advertisers, but banning those on the client without enforcing some "do not track" at the supplier end won't solve the problem. They'll just move to browser headers..
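
The header-fingerprinting point made in the two comments above can be measured in bits of identifying information. This is an added example, not part of the thread; the header sets, the field list and all function names are constructed for illustration.

```javascript
// Added example. The header sets below are constructed, not captured traffic.
const FIELDS = ['user-agent', 'accept-language', 'accept-encoding'];

const SAMPLE_UAS = [
  'Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0',
  'Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0',
  'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
  'Opera/9.80 (Windows NT 6.1; U; en) Presto/2.9.168 Version/11.50',
];
const SAMPLE_LANGS = ['en-US,en;q=0.5', 'de-DE,de;q=0.8,en;q=0.5'];

// Eight constructed clients: every user agent paired with every language.
const population = [];
for (const ua of SAMPLE_UAS) {
  for (const lang of SAMPLE_LANGS) {
    population.push({
      'user-agent': ua,
      'accept-language': lang,
      'accept-encoding': 'gzip, deflate',
    });
  }
}

// One string per client built from the chosen header fields.
function fingerprintKey(headers, fields) {
  return fields.map((f) => headers[f] || '').join('\u0000');
}

// How many clients share each fingerprint.
function countBy(clients, fields) {
  const counts = new Map();
  for (const headers of clients) {
    const key = fingerprintKey(headers, fields);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy of the fingerprint over the population, in bits.
function entropyBits(clients, fields) {
  let h = 0;
  for (const c of countBy(clients, fields).values()) {
    const p = c / clients.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Bits of identifying information one client reveals: -log2(share of
// clients with the same fingerprint). Infinity if nobody matches.
function surprisalBits(clients, fields, client) {
  const key = fingerprintKey(client, fields);
  const same = countBy(clients, fields).get(key) || 0;
  return -Math.log2(same / clients.length);
}

for (const f of FIELDS) {
  console.log(f, entropyBits(population, [f]).toFixed(2), 'bits');
}
console.log('combined', entropyBits(population, FIELDS).toFixed(2), 'bits');
console.log('client 0', surprisalBits(population, FIELDS, population[0]), 'bits');
```

In this constructed sample no single header identifies a client, but the combination is unique for all eight, with no cookie or local storage involved.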

  6. No problem by maxwell demon · · Score: 5, Informative

    The "standard" Firefox plugins already take care of it.

    No DOM storage without JavaScript, no Flash cookies without Flash -> NoScript
    Most tracking cookies come from ad networks -> AdBlock Plus
    Most tracking cookies come from third party domains -> RequestPolicy.
    And if you get one anyway, you can also get rid of it -> BetterPrivacy.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    1. Re:No problem by geminidomino · · Score: 3, Interesting

      Add in PasswordMaker to that list and you've pretty much summed up why I can never leave Firefox, no matter how batshit-loco the design team gets. :(

  7. Huh? by The MAZZTer · · Score: 2

    OK so the article cites localStorage as a problem, but Chrome at least treats it the same as cookies when clearing private data, and in incognito it shouldn't persist localStorage data across sessions (not sure about other browsers).

    It also mentions that MS was sticking a JS file in the browser cache to recreate a cookie. This doesn't make sense since any file removed from the cache is just redownloaded, unless a custom version of the JS file is crafted for every client and is set to create a specific cookie value (but this isn't clarified in the article). But it sounds more like ETags are used, having nothing to do with the JS file being cached or not. I'm not sure how ETags work but I can't imagine they would be effective in incognito mode either since cache is never kept (and the article infers this is necessary).

    Did I miss anything?

  8. ZOMBIE BROWSERS by roman_mir · · Score: 2

    I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

    On the other hand you, as a user, are clearly not the customer of a browser developer company. The customers seem to be the advertisers, CAs, anybody that wants to control what you are doing. You, as a user, are a product. We used to say this about FB and such, but isn't this also true about browsers?

    There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there. If this is not clear to the browser developers then there will be more forks built that will be Freer for the users, but there also may be something else done, like a VM to control all of this runaway software. Start it in a VM and when you are done, kill that VM and there is no cookie.

    1. Re:ZOMBIE BROWSERS by geekmux · · Score: 3, Interesting

      I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

      From tablets to cell phones, tell me something I don't know. A lack of control down into the lower levels of these types of devices has been lacking for some time now.

      There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there...

      Uhhh, yeah..which is exactly their intent with this design. In much the same way that human voice interaction is dying, so is the "personal" computer. What the hell do you need "flexibility" for when every device will be reduced to a pseudo-tablet in the near future, with everything moving to the "cloud"? Allow the functionality, introduce multiple attack vectors and nightmares for support. Lock it down, and you piss off the user community who gets pissed off every time they get a virus or malware infection. Of course, they got infected because they want flexibility.

      Since we already know why you should draw a line, the question is where do you draw the line.

    2. Re:ZOMBIE BROWSERS by poofmeisterp · · Score: 2

      You're 100% correct.

      enableHumor();

      Let me ask the question that creates a loopback to itself over and over (especially in the USA): "Where do I $BUY$ the browser that doesn't allow any of this and enables me to view an ad-free Internetzzz?"

      "Wait, you meant that only YOUR ads wouldn't show? But your advertisement said your browser blocked advertisement if I bought it! Weird wording sold your product, you crafty people, you. Okay, so how do I get a version that really blocks all ads? Oh, an add-on. Weird installing an 'add-on' to block 'ads', but okay... Wait, the add-on isn't compatible with the version I bought??? So what do I do now? I need help because I'm a stupid person that can't figure all of this stuff out. Oh, I $BUY$ your next version and that will let me add this add-on ad-blocking addition? What's that? Your new version is available TODAY? Sweet. I NEED it TODAY! I'll $BUY$ it now!!! Alright, I bought it. Now how do I add the add-on? You don't recommend it? Well, I'll add it on anyway. Okay, it's added on and the ads are blocked. WAIT, they're blocked to your competitors and a few other entities of your own choosing only? Why did I $BUY$ this? Oh, no! I'm so disappointed. I guess I'll just call my lawyer and see what they have to say about this because that's all I know how to do to make it in this world." :)

  9. Speaking of abhorrent... by kaizendojo · · Score: 4, Insightful

    Why is it that the only company mentioned here is Microsoft, when in fact the original research article shows this to be a lot more widespread by some big names - none of which were mentioned here. From the Stanford article (http://cyberlaw.stanford.edu/node/6695): "We also examined a series of URL lists (spreadsheet) that contain 15,511 entries. The URLs and interest segments range greatly. Some URLs are for a landing page; others are for a specific page. Some interest segments are broad; others are fine-grained. A few example segments:

    Segment 758: discount sites including Groupon and eBay Daily Deals
    Segment 876: sites about coffee, including Dunkin' Donuts, Folgers, and Starbucks
    Segments 984-989: home improvement sites including Home Depot and Grainger
    Segment 2701: pages about the Ford Fiesta

    Several interest segments are highly sensitive:

    Segment 760: pages about getting pregnant and fertility, including at the Mayo Clinic
    Segment 2640: pages about menopause, including at the NIH and the University of Maryland
    Segment 2014: pages about repairing bad credit, including at the FTC
    Segment 2265: pages about debt relief, including at the FTC and the IRS"

    Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed? That way we can all be aware of just how widespread an issue this is instead of just another "Microsoft is Evil" piece.

  10. Extreme measures? by neokushan · · Score: 2

    A lot of commenters here seem to be taking what I would consider as extreme measures in order to avoid these cookies. Running your browser in a VM which resets each time you close it? Installing numerous addons (I see someone listed 4 you need to install to cover yourself)? Does anyone else not think that perhaps instead of avoiding the issue, it should be tackled head on?

    What I mean is - if this is such a serious issue, why are we standing by just letting it happen when we could be petitioning the various standards committees, plugin developers and browser manufacturers to do something about it? The so-called zombie cookie (or Supercookie) exists because we let it exist. It's clearly an exploit in the way various technologies work together and it should be treated as such, i.e. patched until it can't be done any more.

    Furthermore, any company that uses this tactic should be taken to court since it's a clear and deliberate violation of privacy. I.e. if I decide to delete a cookie, I'm making it explicitly clear that I want it gone - I'm opting OUT, so keep it that way.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  11. Problems with HTML5 by Toonol · · Score: 2

    I'm mostly glad to see the implementation of HTML5 everywhere, but it has some problems.

    People thought that you could get rid of a lot of annoyances by increasing HTML5's capabilities to become more on par with Flash. Flash could be ditched. However, all it really means is that all the nuisances that were made in Flash (animated and noisy ads, commercials, persistent cookies, etc.) will now be made in HTML.

    Flash wasn't really the problem... it was just one of the vectors FOR the problem. Now, HTML5+Javascript will take Flash's place in the eyes of marketers and spammers everywhere.

  12. "zombie cookies" means Flash cookies by Sloppy · · Score: 5, Interesting

    Can't you set up browsers to prompt to create local storage?

    The article does a major disservice to everyone (and I wish we could mod it down) by making up the term "zombie cookies." This new bullshit term hides what's going on and makes us all a little bit stupider. All I have to do to answer your question, is tell you what the article is really about. Instead of making up a bullshit term to confuse you, I'll use a descriptive term.

    Ready?

    Flash Cookies. The article is about websites caught using Flash cookies instead of browser cookies.

    See, asshole-who-wrote-the-article, that wasn't hard. Flash cookies. Now instead of misleading people into thinking their browsers have a problem with cookies and other local storage, people see that the real problem they have with their browsers is plugins, which allows them to run native code that totally bypasses all the browsers' policies.

    Flash cookies. Watch all the questions disappear .. but oops .. all the traffic to the fucking article disappears too, since people don't have to click through, read the first article that makes the weird reference to zombies, then click through to another article that explains WTF "zombie cookies" are about.

    Slashdot should not have linked to this piece of shit.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:"zombie cookies" means Flash cookies by BitZtream · · Score: 5, Insightful

      It actually wasn't about flash cookies.

      It was about using browser cache as a storage medium by doing some neat tricks on the server to get the browser to keep a javascript file in cache, which in turn functions as a cookie when used by various pages that reference it.

      Page requests cookie.js, the server then serves cookie.js with a cache expiry of a hundred years into the future, and says it hasn't changed in a hundred years either.

      Your browser caches it and then doesn't request a new copy for 100 years, why should it, it was told the file isn't going to change.

      The data in the file now serves as a unique ID which can be used to associate your browsing habits.

      THAT IS A ZOMBIE COOKIE. It has nothing to do with flash. This isn't new, a friend of mine and I discovered this years ago by accident due to a bug in a web app we were working on.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
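
A defender's check for the cache-based identifier described in the comment above, and for the ETag variant raised in comment 7 (an ETag is a validator the browser sends back in If-None-Match when it revalidates a cached copy). This is an added example, not part of the thread: it compares the same URLs fetched from two fresh browser profiles, and every URL, header value and function name is constructed.

```javascript
// Added example. Header names are assumed to be lower-cased by the capture tool.
const YEAR = 365 * 24 * 3600;

// Freshness lifetime in seconds: Cache-Control max-age, else Expires minus Date.
function cacheLifetime(headers) {
  const cc = headers['cache-control'] || '';
  if (/\bno-store\b/i.test(cc)) return 0;
  const m = /\bmax-age\s*=\s*(\d+)/i.exec(cc);
  if (m) return Number(m[1]);
  const expires = Date.parse(headers['expires'] || '');
  const date = Date.parse(headers['date'] || '');
  if (Number.isNaN(expires) || Number.isNaN(date)) return 0;
  return Math.max(0, (expires - date) / 1000);
}

// Flag responses that are stable in the cache yet differ between two clients.
function findCacheIdCandidates(profileA, profileB, minLifetime = YEAR) {
  const findings = [];
  for (const url of Object.keys(profileA)) {
    const a = profileA[url];
    const b = profileB[url];
    if (!b) continue; // only compare URLs seen by both profiles
    const reasons = [];
    const life = Math.min(cacheLifetime(a.headers), cacheLifetime(b.headers));
    if (life >= minLifetime && a.body !== b.body) {
      reasons.push('long-lived body differs per client');
    }
    const ea = a.headers['etag'];
    const eb = b.headers['etag'];
    if (ea && eb && ea !== eb && a.body === b.body) {
      reasons.push('ETag differs for identical body');
    }
    if (reasons.length) findings.push({ url, lifetimeSeconds: life, reasons });
  }
  return findings;
}

// Constructed captures from two fresh profiles (not real traffic).
const farFuture = {
  date: 'Mon, 22 Aug 2011 10:00:00 GMT',
  expires: 'Sat, 22 Aug 2111 10:00:00 GMT',
};
const captureA = {
  'https://tracker.example/cookie.js': { headers: farFuture, body: 'var uid="a1b2c3";' },
  'https://cdn.example/lib.js': {
    headers: { 'cache-control': 'public, max-age=31536000' }, body: 'function lib(){}' },
  'https://tracker.example/pixel.gif': {
    headers: { 'cache-control': 'private, max-age=0', etag: '"a1b2c3"' }, body: 'GIF89a' },
};
const captureB = {
  'https://tracker.example/cookie.js': { headers: farFuture, body: 'var uid="9f8e7d";' },
  'https://cdn.example/lib.js': {
    headers: { 'cache-control': 'public, max-age=31536000' }, body: 'function lib(){}' },
  'https://tracker.example/pixel.gif': {
    headers: { 'cache-control': 'private, max-age=0', etag: '"9f8e7d"' }, body: 'GIF89a' },
};

console.log(JSON.stringify(findCacheIdCandidates(captureA, captureB), null, 2));
```

The long-cached library is not flagged because both profiles received the same bytes; only responses that vary per client are reported.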
  13. Re:Wrong Name by AliasMarlowe · · Score: 2

    If they'd just called it a "Jesus Cookie" no one would be complaining.

    Then it would at least stay dead for three days.

    And bugger off permanently after another 40 days or thereabouts.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  14. To manage localStorage in Firefox 6 by tepples · · Score: 2

    To manage localStorage in Firefox 6, open the Options and go to Advanced > Network > Offline Storage.