Zombie Cookies Just Won't Die

GMGruman wrote in to say "Microsoft embarrassed itself last week when it got caught using 'zombie cookies' — a form of tracking cookies that users can't delete, as they come back to life after you've 'killed' them. Microsoft says it'll stop the 'aberrant' practice. But Woody Leonhard says you ain't seen nothing yet. It turns out HTML5 offers a technical mechanism to give zombie cookies a new lease on life — and the Web browsers' private-browsing features can't stop them."

"Caught with hand in the cookie jar" joke here

[elrous0]

Microsoft says it'll stop the abhorrent practice

Fixed that for them.

Actually, an even more accurate quote might be:

Microsoft "says" it'll stop the abhorrent practice

Re:"Caught with hand in the cookie jar" joke here

[dkleinsc]

That's the whole point: GP is arguing that this sort of practice is in fact quite normal, and that Microsoft will probably not stop just because of the bad press.

Keeps the "Re-install Windows" fix alive

[billrp]

which seems to be the most common solution that's offered on fix-your-own-windows-problems forums

Stop blaming the Sites

And start blaming your browser. If you enable "Private Browsing", and anything lives beyond that session, it can be nothing other than a browser bug.

Re:Stop blaming the Sites

[maxwell+demon]

Flash is an external process and thus bypasses browser settings. It even works cross-browser: A "Flash cookie" (LSO) can e.g. be set in Firefox and then read in Opera.

For HTML5 features however, I have to agree with you.

Re:Stop blaming the Sites

[Hatta]

Flash is an external process and thus bypasses browser settings

So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

A question

[jandersen]

Is there any good reason why one would want to use HTML5 at all? I mean, as a user? So far it all seems to be negative - a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

Re:A question

[Anonymous+Brave+Guy]

Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

That's a very fair question, but it's a slightly loaded one. As a user, there is little benefit to any particular web technology, whether it's HTML, CSS, JavaScript, Flash or anything else. As a user, what you care about is results. However, those results depend on what developers can build, typically within a certain amount of time and budget.

If you have new technologies that allow developers to do new things, and those things benefit the user, then the user wins. However, if you have new technologies that allow developers to do old things in newer, easier, faster ways, and those things benefit the user, then the user also wins, particularly if it becomes viable for developers to make something useful in a cost-effective way when they could have done it before but didn't because it was too expensive in some respect.

And from that point of view, HTML5 tools like canvas and media tags are a big step up for some jobs over using something like Flash or Java applets.

That said, I strongly agree that browsers shouldn't be ceding any sovereignty over their users' systems to remote code by default.

And that said, the most devious tracking mechanism I have yet encountered didn't rely on any sort of cookie/local storage technology. It was essentially based on how various web-related protocols handle caching, it's hard to defeat without getting rid of caching, and you really don't want to get rid of caching. It is possible for browsers to avoid falling into the trap, and now that the attack vector has been identified I expect they'll do something about it.

Then again, as you read this your browser is probably advertising an almost unique fingerprint that could track you anywhere on the Web without storing anything on your machine at all, every time it sends request headers, and despite this being a well-known problem for quite some time, the browser developers haven't done much about it yet. Until they do, fighting against tricky little local storage vectors is hitting the 1% problem, not the 99% problem...

No problem

[maxwell+demon]

The "standard" Firefox plugins already take care of it.

No DOM storage without JavaScript, no Flash cookies without Flash -> NoScript
Most tracking cookies come from ad networks -> AdBlock Plus
Most tracking cookies come from third party domains -> RequestPolicy.
And if you get one anyway, you can also get rid of it -> BetterPrivacy.

Re:No problem

[geminidomino]

Add in PasswordMaker to that list and you've pretty much summed up why I can never leave Firefox, no matter how batshit-loco the design team gets. :(

Speking of abhorrent...

[kaizendojo]

Why is it that the only company mentioned here is Microsoft, when in fact the original research article shows this to be a lot more wide spread by some big names - none of which were mentioned here. From the Stanford article (http://cyberlaw.stanford.edu/node/6695): "We also examined a series of URL lists (spreadsheet) that contain 15,511 entries. The URLs and interest segments range greatly. Some URLs are for a landing page; others are for a specific page. Some interest segments are broad; others are fine-grained. A few example segments:


Segment 758: discount sites including Groupon and eBay Daily Deals Segment 876: sites about coffee, including Dunkin' Donuts, Folgers, and Starbucks Segments 984-989: home improvement sites including Home Depot and Grainger Segment 2701: pages about the Ford Fiesta Several interest segments are highly sensitive:

Segment 760: pages about getting pregnant and fertility, including at the Mayo Clinic Segment 2640: pages about menopause, including at the NIH and the University of Maryland Segment 2014: pages about repairing bad credit, including at the FTC Segment 2265: pages about debt relief, including at the FTC and the IRS"

Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed? That we we can all be aware of just how widespread an issue this is instead of just another "Microsoft is Evil" piece.

Re:ZOMBIE BROWSERS

[geekmux]

I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

From tablets to cell phones, tell me something I don't know. A lack of control down into the lower levels of these types of devices has been lacking for some time now.

There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there...

Uhhh, yeah..which is exactly their intent with this design. In much the same way that human voice interaction is dying, so is the "personal" computer. What the hell do you need "flexibility" for when every device will be reduced to a pseudo-tablet in the near future, with everything moving to the "cloud"? Allow the functionality, introduce multiple attack vectors and nightmares for support. Lock it down, and you piss off the user community who gets pissed off every time they get a virus or malware infection. Of course, they got infected because they want flexibility.

Since we already know why you should draw a line, the question is where do you draw the line.

"zombie cookies" means Flash cookies

[Sloppy]

Can't you setup browsers to prompt to create local storage?

The article does a major disservice to everyone (and I wish we could mod it down) by making up the term "zombie cookies." This new bullshit term hides what's going on and makes us all a little bit stupider. All I have to do to answer your question, is tell you what the article is really about. Instead of making up a bullshit term to confuse you, I'll use a descriptive term.

Ready?

Flash Cookies. The article is about websites caught using Flash cookies instead of browser cookies.

See, asshole-who-wrote-the-article, that wasn't hard. Flash cookies. Now instead of misleading people into thinking their browsers have a problem with cookies and other local storage, people see that the real problem they have with their browsers is plugins, which allows them to run native code that totally bypasses all the browsers' policies.

Flash cookies. Watch all the questions disappear .. but oops .. all the traffic to the fucking article disappears too, since people don't have to click through, read the first article that makes the weird reference to zombies, then click through to another article that explains WTF "zombie cookies" are about.

Slashdot should not have linked to this piece of shit.

Re:"zombie cookies" means Flash cookies

[BitZtream]

It actually wasn't about flash cookies.

It was about using browser cache as storage medium by doing some neat tricks on the server to get the browser to keep a javascript file in cache, which inturn functions as a cookie when used by various pages that reference it.

Page requests cookie.js, the server then serves cookie.js with a cache expiry of a hundred years into the future, and says it hasn't changed in a hundred years either.

Your browser caches it and then doesn't request a new copy for a 100years, why should it, it was told the file isn't going to change.

The data in the file now serves as a unique ID which can be used to associate your browsing habits.

THAT IS A ZOMBIE COOKIE. It has nothing to do with flash. This isn't new, a friend of mine and I discovered this years ago by accident due to a bug in a web app we were working on.

Re:*nix fix

[Z00L00K]

Nuke the cookie servers then.

I just wonder what would happen if the cookie info returned was just some random garbage. Time to make a plugin to Firefox to handle that.