Firefox Will Soon Block Third-Party Cookies
An anonymous reader writes "Stanford researcher Jonathan Mayer has contributed a Firefox patch that will block third-party cookies by default. It's now on track to land in version 22. Kudos to Mozilla for protecting their users and being so open to community submissions. The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'"
Translation: Boo-fucking-hoo. Online marketing scum have been abusing users for years, making this a retaliatory measure. Let them cry all they want, because nobody gives a shit.
"So after all this, you make my case for me. To end this stalemate, you must die..."
Stick it in v19.0.1. Bring it on!
Since Netscape 4.7, there was an option to block third-party cookies (yet DoubleClick found a way around that). Changing a default option should have no impact on the advertisers - they can adapt or die.
[grumpy cat] Good.
If the advertising industry is still capable of responding, we obviously haven't nuked them enough yet.
...would be incorporating AdBlockPlus and NoScript and enabling both by default.
Do it.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Actually quite amazing that this policy wasn't the default in the first place, but anyway.
This is more or less what that law was intended to achieve. Instead, it blew up in the users' faces by requiring them to click "yes" lest they be redirected someplace else, thereby giving permission to store any and all cookies regardless of origin. Much simpler this way.
Block 3rd party cookies, and that is. This is my default setting, and it rarely has any impact on the actual content of a website.
Enjoy life! This is not a dress rehearsal.
It should be default.
I regularly clean out my cookies with "delete all", but I'd prefer to keep the ones for sites that require a login. But it's too hard to delete cookies individually.
Sorry mate-no mod points for me today.
The great thing about Firefox is you can block all cookies by default, and whitelist only specific domains. Just block everything except ones you know you need (like maybe your banking site). Use "allow for session" for sites that need cookies for some reason but you don't need to save permanent data. There's also a great extension called "Cookie Monster" that will let you set all those options on a per-domain basis from the status bar.
cry more. If you want money, go get a real job.
Doesn't Safari already do this by default?
When they just get websites using their advertising services to add subdomains covering their cookies.
At that point you WON'T be able to solve this without a huge mess of per-domain whitelists, eventually coalescing into the cookies for the advertisers being handled THROUGH the corporate websites.
I was arguing this a decade or decade and a half ago to anyone who would listen, but it was brushed off (And rightfully so given that it's taken this long for a browser to actually do this by default.)
but totally forgot when i enabled that setting on chrome. maybe a year ago?
The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'
This is a completely justified nuclear response. The nuclear first strike was when the advertising industry started stalking people everywhere they go without informed consent or even an easy way for average people to opt out, and with no way to purge your history. If you had only used cookies in the public interest, the browser that cares about its users would not have to respond to your hostile behavior.
Stop-Prism.org: Opt Out of Surveillance
We have grown to expect free stuff like alternate browsers, and Acrobat and Flash and Java (etc). We all are part of the new diorama of the Interweb, which is increasingly mined to extract information for commercial purposes. It's business. We'll have to get used to it. The consideration paid to the folks that build and maintain that diorama-space (TM) is the sale of the information that you push into it. The growing fear for me is how often it's -extracted- vs -provided-. I am aware of everything that I type in, but have NO idea why Facebook needs read/write access to my camera, address book or phone number list, or my surfing history or the .... (Whatever ...)... As a prior /. poster put it.... I can imagine the wringing pedipalps that must accompany any new data mining vector of personal and private data from anyone that has a cell phone, or smart phone or laptop or tablet (ie: all of us!! ) That said, who will negotiate for fair data-access on the side of the user? On the way home from dinner, (wife was driving!), I checked on NJ Devils hockey ticket offer that came via email. Once home, I opened a browser and all of a sudden, there were NJ Devils images all over the periphery of my experience. I felt sorta violated. On the other hand, I would rather see those I guess than meal deals from Moscow, or Brisbane or Kolkata. I guess another way we could address this is by making that data we maintain fairly unrepresentative. Imagine a script that visits 20 websites in a row, Opens a connection, pauses, closes opens another and output > /dev/null. Is that how we mask our nakedness?
Time for a new Political party in the US (or two!) One is off the rails. Other can't pony up a leader.
The initial response from the online advertising industry is unsurprisingly hostile and blustering, calling the move 'a nuclear first strike.'
I guess one person's "nuclear first strike" is another's "measured response."
Most sites will work fine, but you'll have to add an exception for disqus.com if you want to post comments on sites that use disqus. Latest version of it should detect and warn you to enable cookies though.
I would go even further than Mozilla plans to go (and Safari goes already):
By default, I would require all cookies to be either 1st party or "blessed" by either the user or the 1st party.
In other words, if Slashdot had a Facebook widget, either the end user would have to whitelist Facebook to allow it to deposit cookies from anywhere, or Slashdot would have to explicitly "bless" the specific widget or the web browser would not let the embedded Facebook widget read or write cookies without prompting the user first.
By default, I would have the web browser remind the user periodically that he had non-recently-used cookies and offer to clear them out.
Of course I would give the user options that included more or less privacy than the default.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
there goes the funding from google.
The patch is not exactly a one-liner, because the implemented behavior is not as straight-forward as just "block 3rd party cookies".
It's "block cross-site cookies from origins which I've not visited yet as a 1st party websites and have already 1st party cookies from".
This means, for instance, that Facebook, Google and Twitter likely get a free pass to track almost anybody.
And that once you (accidentally or not) click any ad box, you give a free-pass to its advertising agency too.
There's a browser safer than Firefox, it is Firefox, with NoScript
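The behaviour described in the comment above, modelled next to the two simpler policies. This is an added example, not code from the thread or from the Firefox patch; the `.example` domains, the policy names and the two-label `siteOf` helper are assumptions (real browsers use the Public Suffix List).

```javascript
// Added illustration: a simplified model of three cookie policies.
// Assumption: a "site" is the last two DNS labels of a host name.
const siteOf = (host) => host.split('.').slice(-2).join('.');

class CookiePolicyModel {
  constructor(policy) {
    this.policy = policy;               // 'accept-all' | 'block-third-party' | 'visited-first-party'
    this.sitesWithCookies = new Set();  // sites the browser already stores cookies for
  }

  // May a response from requestHost set a cookie while topHost is in the address bar?
  maySetCookie(topHost, requestHost) {
    const topSite = siteOf(topHost);
    const reqSite = siteOf(requestHost);
    if (topSite === reqSite) return true;           // first-party context
    switch (this.policy) {
      case 'accept-all':
        return true;
      case 'block-third-party':
        return false;
      case 'visited-first-party':
        // Allowed only if the site already holds cookies from an earlier first-party visit.
        return this.sitesWithCookies.has(reqSite);
      default:
        throw new Error(`unknown policy: ${this.policy}`);
    }
  }

  // Load a page plus its embedded third-party hosts; record who got to set cookies.
  load(topHost, embeddedHosts = []) {
    const decisions = {};
    for (const host of [topHost, ...embeddedHosts]) {
      const allowed = this.maySetCookie(topHost, host);
      if (allowed) this.sitesWithCookies.add(siteOf(host));
      decisions[host] = allowed;
    }
    return decisions;
  }
}

// Constructed browsing session: a social network visited directly, a news page
// embedding its widget and an ad network, then one click on an ad.
function runScenario(policy) {
  const browser = new CookiePolicyModel(policy);
  browser.load('www.social.example');
  const news = browser.load('news.example', ['widgets.social.example', 'ads.adnet.example']);
  browser.load('www.adnet.example');   // the ad click lands on the ad network as first party
  const blog = browser.load('blog.example', ['ads.adnet.example']);
  return {
    socialWidgetOnNews: news['widgets.social.example'],
    adnetBeforeClick: news['ads.adnet.example'],
    adnetAfterClick: blog['ads.adnet.example'],
  };
}

for (const policy of ['accept-all', 'block-third-party', 'visited-first-party']) {
  console.log(policy, runScenario(policy));
}
```

Under `visited-first-party` the ad network is blocked only until the single first-party visit, which is the gap the comment points out.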
The "first-party context" loophole is the deathknell of this thing, just as Safari's own mechanism doesn't actually protect anybody's privacy.
If you don't like tracking cookies, that's fine, but there is an infinite variety of workarounds for this so-called solution. One can easily use a URL proxy, for instance -- you click a link marked "Next Page" that actually goes to "entirelylegitimatewebsite.com/track_me_please," which sets a cookie and immediately redirects you to "mysite.com/nextpage." Hey presto, first-party context cookie set!
On the other hand, there's browser local storage, beacon URLs via AJAX... the list goes on and on. Hell, even if most web browsers _do_ start blocking all third-party cookies under all circumstances, the data kingpins will start offering handy little Rack and Tomcat plugins that use first-party cookies to track user behavior across the Web.
If you're a Web user who's paranoid about information leaks, you should already be using Tor and some privacy-centric web browser. But given the degree of personalization inherent in most of the 21st century Web, I have a hard time understanding why a paranoiac would use the Web at all.
Don't we wish.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Why must we always ask the predictably outraged organizations what they think? 1) We already know, and 2) WGAS. It's like asking the NRA what they think about a ban on Teflon bullets.
I would go even further than Mozilla plans to go (and Safari goes already):
By default, I would require all cookies to be either 1st party or "blessed" by either the user or the 1st party.
How is that going further? Your version makes it more likely for cookies to be allowed, not less.
In other words, if Slashdot had a Facebook widget, either the end user would have to whitelist Facebook to allow it to deposit cookies from anywhere, or Slashdot would have to explicitly "bless" the specific widget or the web browser would not let the embedded Facebook widget read or write cookies without prompting the user first.
Why would Slashdot include a Facebook widget and then not allow it to be fully "functional"?
From :a built-in version of adblock enabled by default.
http://ploum.net/post/ghost-web
Firefox 22 is released, just in time to become the default browser in Ubuntu 13.10.
The release contains many performance improvements and one big, major feature
Actually, I would prefer this. It lets me hold the first party - the one I'm really interacting with - responsible for not abusing the data and taking the heat from privacy groups if the data is misused.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Above post should be moderated to +10.
Sounds like the big guys are looking to squeeze out any smaller competition. Not a surprise, since Mozilla is pretty much Google's bitch.
It was the only way to be sure.
Sites will start blocking Firefox browsers. If enough popular sites do this, people will be switching to other browsers. Or people will start making Firefox masquerade as a different browser, which (if it becomes popular) will subsequently be made illegal. That is assuming that third-party cookie blocking won't just be made illegal.
It is appropriate to describe this as a first-strike, because there will be a retaliatory salvo, and much of our Internet freedom will get caught in the crossfire.
If you have some spare time restart your browser, fire up wireshark and filter for DNS queries then go to just the home page of any of a bazillion web sites... It is insane... one single page load of something like cnn,fox,nbc,forbes translates into 20-30 DNS queries for all manner of advertising and market intelligence companies.. Everyone knows this stuff exists but I was genuinely shocked by the volume and number of sites involved.
If it isn't cookies it will be fingerprinting, flash cookies, DNS cache probing + IP but we can work to mitigate these things as well.
Not kudos to Mozilla for taking so many years to do what is obviously needed. This and many other things should not have needed a community submission. The core programmers should already know how to do these things and know that they are essential for safe browsing experience.
now we need to go OSS in diesel cars
RequestPolicy is worthwhile too, helps manage 3rd party content.
It would be a wonderful world if that happened. I've always been really sad that we didn't manage to have a micropayment system in place in 1995, so that we could pay for what we used instead of having advertising shoved down their throats. I would much rather be the customer than the product.
That's a great idea. Then they could make a micropayment back to me for everything in the page they end up sending me that I don't actually read so they can offset the bandwidth cap that my ISP starts charging me extra for after it's been exceeded.
PS: Micropayments are an incredible bitch to implement, if you've ever tried it, since the transaction fees and data storage pile up. There's a reason the phone companies charge so much per text message, and a lot of it has to do with paying micropayments to themselves every time someone makes a micropayment on sending a text message. The transactional overhead is very high.
Wah Wah Wah....
1 single setup to kill all advertising.
Dansguardian on Whitelist Mode (i.e I tell it what sites I want to visit... I have a list of around 700 servers in my white list)
not one bit of advertising comes through.
the occasional web site hosts advertising on their server, so ad-block in the browser takes care of that....
if for some reason I need to connect to the web directly, all I need to do is simply change the proxy port....
advertisers will just find other ways and means... there is too much at stake for them to just roll over. there are probably a lot of programmers working in the advertising industry that would be combing the firefox source code for other doors to help their clients gate crash the user experience.
Will we still have the option to completely block third-party cookies then?
That's why we can block whichever cookies we choose.
Do you doubt that making "block all" the default is best?
You are welcome on my lawn.
Above post should be moderated to +10.
Sounds like the big guys are looking to squeeze out any smaller competition. Not a surprise, since Mozilla is pretty much Google's bitch.
Although I'd prefer that tracking would simply be made illegal, I tell you what: I'm less concerned about letting the big guys do it because they are more likely to have some basic security in place and controls to at least respect the TOS. I'm more concerned about small guys...
I have to block ALL cookies.
Get free satoshi (Bitcoin) and Dogecoins
After disabling all updates in the UI and having Firefox pop that stupid update cartoon racoon up anyway, then going through about:config and disabling updates in there, and then having it pop up AGAIN with downloading the version blocklist, I uninstalled it. If I have to add 127.0.0.1 updates.mozilla.org to my hosts file to make it do what I want (or what I don't) then something is wrong with it.
add in an iframe?
Actually, since Firefox 1.0 this has been a feature.
However a "Bug" prevented it from working and we all know that
Mozilla and regression testing -- never the twain shall meet...
Anyway, this is just a bug fix...
RequestPolicy
Ghostery manages to bloat my memory, so I use the lightweight about:trackers extension instead.
Also, instead of NoScript to avoid XSS I use UserCSP
Because I also block cookies by default, for the cookie lifetime I have "ask me every time", which only prompts when I quickly toggle allowing cookies to add a site to the whitelist. So for a button to quickly toggle them on and back off I use Toggle Cookies which also keeps 3rd party cookies blocked by default even when allowing.
What a frelling disaster. The end of third party cookies will pose problems for my household. My wife is getting better at baking but so far cookies seem beyond her even with third party products.
Extension
I also think this could block lots of cookies used for SSO. Some people do actually like to be able to log using their twitter or github credentials.
Think about it. If they call it a nuclear strike, they will start using some other technique. Flash-Cookies, DOM-Storage, E-Tags, whatever fits. And this is not so easy to block. So now, the default allowed their techniques and the advanced users could just uncheck it. then, we will need more advanced filters, because they use more advanced tracking.
... I'll probably make FireFox my default browser. This is more awesome than sharks with frickin' laser beams. God bless Mozilla.
then the question is, why not do it the other way round: allow 3rd parties to access their own cookies, but do not allow them to set a cookie, if they are not the 1st party at the moment.
I would think that this falls under "Do no evil". If Google is serious about following their own motto it should be a no brainer. It will be interesting to see if they follow suit.
If Google goes this route then what happens to Internet Explorer? Since their effective motto is "Doing evil is our business", it might take a lot of pressure for them to fall into line.
No matter what happens with other browsers, this is a big win for open source software. It shows that open source is really for the good of the user community.
Why is Snark Required?
Fuck these assholes until they bleed.
"Nuclear first strike"? It's a counter-measure. I'm so sick of people using war rhetoric inappropriately. There is no "nuclear cookie blocker" and there is no "war on Christmas". There are no bombs going off and nobody is dying in the streets. This statement makes me want to bomb the corporate office of an ad agency so they have something to complain about*. Might stop the spam for a week too.
*This user does not support the actual use of explosives to make a point. Bombs are not educational tools and should be used responsibly. We now return to your regularly scheduled flame war.
Bullshit. Votes are more important than campaign funds.
And each company in the entertainment industry can control votes by using whatever news outlets its parent company owns to frame the political discourse.
this is the correct behavior, user would complain if for some reason their "sign in with facebook" buttons stopped working
Snowden and Manning are heroes.
I never quite understood how, for the past several years, embedded PayPal payment buttons have remained completely broken if the client disabled third party cookies. Maybe if all browsers did this PayPal would finally fix their system.
Firefox team cares about cookies again? This sounds great to me (but prepare for advertisers to start detecting it and kicking users out with very detailed instructions on how to "fix" the setting before returning).
Does this mean the option to make cookies session-only will make a comeback?
Caveat Emptor is not a business model.
for google to circumvent the new cookie policy just like they did last year with safari (which has the same cookie defaults that firefox will have).
ref: http://www.wired.com/threatlevel/2012/02/google-safari-browser-cookie/
In my opinion this is by far not enough. I think by default a browser should refuse any 3rd party content. (subdomains of same company don't count as 3rd party, there are public-suffix-lists to determine these) Not images and especially not javascripts.
Just give the user a visual hint that the page tried to include stuff from non-trusted domains and give the user the possibility to allow some 3rd-party domains for the page he's currently using.
This is not meant as a way to prevent online advertisement. It would still be possible for web-hosters to point a subdomain or proxy-path to an adprovider. But if they do so this means explicitly hosting and taking responsibility for all scripts and tracking pixels they include in their pages. And also that the ads would not be in the same cookie-context.
I have Firefox set to ask me about new domains trying to push cookies to me, and usually set all of them to "accept for session". That way, advertisers are happy, I am happy (since they pushed their cookies, and no content is denied to me), and when I close the browser, their precious cookies are gone and they can't use them to track me. I only fully accept cookies from sites I trust.
What I would like to see, however, is some sort of compartmentalization of cookie jars. Each site gets its own cookie jar, where all of the 3rd party cookies set when visiting the site go as well. When I go to another site, it gets another cookie jar, and 3rd parties can't see cookies set while on first site. Of course, some cookies could be allowed to be "shared". Does anyone know of something like this?
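A sketch of the per-site cookie jars asked about in the comment above, including its "shared" exception. This is an added example, not code from the thread or from any browser; the class, the `.example` domains and the two-label `partitionSite` helper are assumptions.

```javascript
// Added illustration: cookies are stored per top-level site, so an embedded
// third party sees a different jar on every site that embeds it.
// Assumption: a "site" is the last two DNS labels (browsers use the Public Suffix List).
const partitionSite = (host) => host.split('.').slice(-2).join('.');

class PartitionedCookieJar {
  constructor(sharedSites = []) {
    this.shared = new Set(sharedSites);  // sites the user chose to share across all jars
    this.jars = new Map();               // partition key -> Map(cookie site -> Map(name -> value))
  }

  partitionKey(topHost, cookieHost) {
    return this.shared.has(partitionSite(cookieHost)) ? '*shared*' : partitionSite(topHost);
  }

  set(topHost, cookieHost, name, value) {
    const key = this.partitionKey(topHost, cookieHost);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    const jar = this.jars.get(key);
    const cookieSite = partitionSite(cookieHost);
    if (!jar.has(cookieSite)) jar.set(cookieSite, new Map());
    jar.get(cookieSite).set(name, value);
  }

  get(topHost, cookieHost, name) {
    const jar = this.jars.get(this.partitionKey(topHost, cookieHost));
    return jar?.get(partitionSite(cookieHost))?.get(name);
  }
}

// Constructed session: an embedded tracker and a login provider seen on two sites.
function demoPartitioning() {
  const jar = new PartitionedCookieJar(['login.example']);
  let nextId = 1;
  // Models a server that reuses the 'uid' cookie it receives, or issues a new one.
  const visit = (topHost, embeddedHost) => {
    let id = jar.get(topHost, embeddedHost, 'uid');
    if (id === undefined) {
      id = `uid-${nextId++}`;
      jar.set(topHost, embeddedHost, 'uid', id);
    }
    return id;
  };
  return {
    trackerOnNews: visit('news.example', 'cdn.tracker.example'),
    trackerOnShop: visit('shop.example', 'cdn.tracker.example'),
    trackerOnNewsAgain: visit('www.news.example', 'cdn.tracker.example'),
    loginOnNews: visit('news.example', 'sso.login.example'),
    loginOnShop: visit('shop.example', 'sso.login.example'),
    trackerVisitedDirectly: visit('www.tracker.example', 'www.tracker.example'),
  };
}

console.log(demoPartitioning());
```

The tracker gets a different identifier on each embedding site and another when visited directly, while the login provider placed on the shared list keeps one identifier everywhere.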
When's that? Next week?
About the only thing that'll survive a nuclear war is cockroaches. So, if the cookie tracking online ad industry survives this nuclear strike, are they cockroaches...?
I hate to rain on your parade, but...
Let's say someone has a website http://www.good.example.com, and wants http://ads.doubleclick.net to get past this filter. Assuming they control their own DNS, they simply need to set up a CNAME www.bad.example.com that points to ads.doubleclick.net. Voila, the ads.doubleclick.net server shows up on the same domain as www.good.example.com.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
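A check a blocker or site auditor can run against the CNAME setup described in the comment above: follow each same-site subdomain's CNAME chain and flag the ones that leave the first-party domain. This is an added example, not code from the thread; the DNS records are constructed sample data and the two-label `baseDomain` helper is an assumption.

```javascript
// Added illustration: flag first-party-looking hosts that are CNAME aliases
// for a host under a different registrable domain.
// Assumption: registrable domain = last two labels (use the Public Suffix List in practice).
const baseDomain = (host) =>
  host.replace(/\.$/, '').toLowerCase().split('.').slice(-2).join('.');

// Constructed zone data; addresses are from the documentation range 192.0.2.0/24.
const SAMPLE_RECORDS = new Map([
  ['www.good.example.com', { type: 'A', value: '192.0.2.10' }],
  ['www.bad.example.com', { type: 'CNAME', value: 'ads.doubleclick.net' }],
  ['ads.doubleclick.net', { type: 'A', value: '192.0.2.30' }],
  ['static.example.com', { type: 'CNAME', value: 'edge.example.com' }],
  ['edge.example.com', { type: 'A', value: '192.0.2.20' }],
  ['metrics.example.com', { type: 'CNAME', value: 'alias.example.com' }],
  ['alias.example.com', { type: 'CNAME', value: 'collect.example.net' }],
  ['collect.example.net', { type: 'A', value: '192.0.2.40' }],
  ['loop-a.example.com', { type: 'CNAME', value: 'loop-b.example.com' }],
  ['loop-b.example.com', { type: 'CNAME', value: 'loop-a.example.com' }],
]);

// Follow CNAME records from name; stop on a non-CNAME answer, a loop, or maxDepth.
function followCname(name, records, maxDepth = 8) {
  const chain = [name.toLowerCase()];
  const seen = new Set(chain);
  let current = chain[0];
  for (let i = 0; i < maxDepth; i++) {
    const rec = records.get(current);
    if (!rec || rec.type !== 'CNAME') return { chain, loop: false };
    current = rec.value.toLowerCase();
    if (seen.has(current)) return { chain, loop: true };
    seen.add(current);
    chain.push(current);
  }
  return { chain, loop: true };  // chain deeper than maxDepth is treated like a loop
}

// Audit the hosts a page loads; only hosts that look first-party are checked,
// since ordinary third parties are already covered by the cookie policy.
function auditCnameCloaking(pageHost, subresourceHosts, records) {
  const firstParty = baseDomain(pageHost);
  const findings = [];
  for (const host of subresourceHosts) {
    if (baseDomain(host) !== firstParty) continue;
    const { chain, loop } = followCname(host, records);
    if (loop) {
      findings.push({ host, verdict: 'unresolvable', chain });
      continue;
    }
    const outside = chain.find((h) => baseDomain(h) !== firstParty);
    if (outside) findings.push({ host, verdict: 'cloaked-third-party', target: outside, chain });
  }
  return findings;
}

function demoAudit() {
  return auditCnameCloaking(
    'www.good.example.com',
    ['www.bad.example.com', 'static.example.com', 'metrics.example.com',
     'loop-a.example.com', 'ads.doubleclick.net'],
    SAMPLE_RECORDS,
  );
}

console.log(JSON.stringify(demoAudit(), null, 2));
```

A site's own CDN alias under another domain is flagged the same way, so findings need an allowlist before they drive blocking.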
"The patch is not exactly a one-liner, because the implemented behavior is not as straight-forward as just 'block 3rd party cookies'. It's 'block cross-site cookies from origins which I've not visited yet as a 1st party websites and have already 1st party cookies from'. "
That's okay, because the ability to straight-up block 3rd party cookies is already baked in. But that makes this even less news than I first thought it was.
Why they would want to water down their default that much I don't know, but I don't really care. The settings for just blocking 3rd parties are there. I really would like to see just that as a default, though.
"this is the correct behavior, user would complain if for some reason their "sign in with facebook" buttons stopped working"
I don't agree that the fact that users would complain makes it the correct behavior. As far as I am concerned, blocking all 3rd party cookies is the correct behavior. It certainly is for kids... it should be for adults too.
The "IP Stack natively provideth 1st" built in - custom hosts files, natively, & tightly integrated with the IP stack & its built-in DNS resolver engines @ the kernelmode/ring 0/rpl 0 level - clean, fast, & over 44++ yrs. of optimization poured into it over time since 1969. The IP stack loads @ OS startup, thus the hosts file too into RAM for speed, & that makes AdBlock, redundant.
Hosts ARE superior to AdBlock - & on several levels I invite anyone to disprove me on, listed below in fact.
Here's how I generate them, easy as apple pie, from 12++ reputable sources for custom hosts file data online:
---
APK Hosts File Engine 5.0++ 32/64-bit:
http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74
Which, if you read the list of what it can do for you as an end user of the resulting output it produces listed in the link above, you'll understand how/why...
"It's as strong as steel, & a 3rd of the weight" - Howard Stark from the film "Captain America"
---
Especially vs. competing alternate 'solutions', noted below in AdBlock/Ghostery & yes even DNS servers, next, as 'examples thereof'...
Solutions that used to be good & I even recommended them in security guides I wrote up over the decades now -> http://www.google.com/search?hl=en&tbo=d&output=search&sclient=psy-ab&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Submit&gbv=1&sei=ka3yUKzxB-6_0QHLroCQCA
That did extremely well for myself (and users of them), for Windows users, for "layered-security"/"defense-in-depth" purposes - the BEST THING WE HAVE GOING vs. threats of all kinds, currently!
(Not anymore though, & certainly NOT far as AdBlock's concerned especially, not after this):
---
Adblock Plus To Offer 'Acceptable Ads' Option:
http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option
(Meaning by default, which MOST USERS WON'T CHANGE, it doesn't block ALL ads - they "souled-out"... talk about "foxes guarding the henhouse")!
---
Plus, Adblock CAN'T DO AS MUCH & not from a single file solution that runs in Ring 0/RPL 0/kernelmode via tcpip.sys, a driver (since it's part of the IP stack & tightly integrated into it) which is far, Far, FAR FASTER than ring 3/rpl 3/usermode apps like browsers, & addons slow them down (known issue in FireFox).
To wit, 10++ things AdBlock can't do, hosts can:
---
1.) Blocking rogue DNS servers malware makers use
2.) Blocking known sites/servers that serve up malware... like known sites/servers/hosts-domains that serve up malicious scripts
3.) Speeding up your FAVORITE SITES that hosts can speed up via hardcoded line item entries properly resolved by a reverse DNS ping
4.) AdBlock works on Mozilla products (browser & email), hosts work on ANY webbound app AND are multiplatform.
5.) AdBlock can't protect external to FireFox email programs, hosts can (think OUTLOOK, Eudora, & others)
6.) AdBlock can't help you blow past DNSBL's (DNS block lists)
7.) AdBlock can't help you avoid DNS request logs (hosts can via hardcoded favorites)
8.) AdBlock can't protect you vs. TRACKERS (hosts can)
9.) AdBlock can't protect you vs. DOWNED or "DNS-poisoned" redirected DNS servers (hosts can by hardcodes)
10.) Hosts are EASIER to mana
Mozilla publish the release schedule...so 2013-06-25
https://wiki.mozilla.org/RapidRelease/Calendar
1st of all - Ghostery's owned by advertisers. Read this from CISCO ->
---
More dangerous to click on an online advertisement than an adult content site these days, Cisco said:
http://www.securityweek.com/easier-get-infected-malware-good-sites-shady-sites-cisco-says
(& I can put dozens more out to go with it if you wish - "ask & ye shall receive"...)
---
This is a far, Far, FAR better solution in the next link below, by "yours truly", since it's merely working natively with the custom hosts file itself, & that only!
I.E. -> It's no added weight to process data for the IP stack itself really, doesn't need to remain resident (though the program below can & be useful) & it makes gathering reliable data from 12++ reputable security oriented sites easy as apple pie possible:
---
APK Hosts File Engine 5.0++ 32/64-bit:
http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74
Which, if you read the list of what it can do for you as an end user of the resulting output it produces listed in the link above, you'll understand how/why...
"It's as strong as steel, & a 3rd of the weight" - Howard Stark from the film "Captain America"
---
Especially vs. competing alternate 'solutions', noted below in AdBlock/Ghostery & yes even DNS servers, next, as 'examples thereof'...
Solutions that used to be good & I even recommended them in security guides I wrote up over the decades now -> http://www.google.com/search?hl=en&tbo=d&output=search&sclient=psy-ab&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Submit&gbv=1&sei=ka3yUKzxB-6_0QHLroCQCA
That did extremely well for myself (and users of them), for Windows users, for "layered-security"/"defense-in-depth" purposes - the BEST THING WE HAVE GOING vs. threats of all kinds, currently!
(Not anymore though, & certainly NOT far as Ghostery's concerned especially, not after this):
---
FROM -> http://yro.slashdot.org/comments.pl?sid=2931443&cid=40412193
Evidon, which makes Ghostery, is an advertising company. They were originally named Better Advertising, Inc., but changed their name for obvious PR reasons. Despite the name change, let's be clear on one thing: their goal still is building better advertising, not protecting consumer privacy. Evidon bought Ghostery, an independent privacy tool that had a good reputation. They took a tool that was originally for watching the trackers online, something people saw as a legitimate privacy tool, and users were understandably concerned. The company said they were just using Ghostery for research. Turns out they had relationships with a bunch of ad companies and were compiling data from which sites you visited when you were using Ghostery, what trackers were on those sites, what ads they were, etc., and building a database to monetize. (AND, when confronted about it, they made their tracking opt-in and called it GhostRank, which is how it exists today.) They took an open-source type tool, bought it, turned it from something that's actually protecting people from the ad industry, to something where the users are actually providing data to the advertisers to make it easier to track them. This is a fundamental conflict of interest.
Far as I am concerned since malware's present in the adbanner out there, & here's some "examples thereof" over time (bad - bad as well also in the fact they suckup my bandwidth I pay for too + up cpu, ram, & other I/O processing in electricity costs raised from it happening too):
---
THE NEXT AD YOU CLICK MAY BE A VIRUS:
http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus
Yahoo, Microsoft's Bing display toxic ads:
http://www.theregister.co.uk/2011/09/16/bing_yahoo_malware_ads/
Malware torrent delivered over Google, Yahoo! ad services:
http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/
Rogue ads infiltrate Expedia and Rhapsody:
http://www.theregister.co.uk/2008/01/30/excite_and_rhapsody_rogue_ads/
Google sponsored links caught punting malware:
http://www.theregister.co.uk/2008/12/16/google_sponsored_links/
DoubleClick caught supplying malware-tainted ads:
http://www.theregister.co.uk/2007/11/13/doubleclick_distributes_malware/
Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users:
http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/
Real Media attacks real people via RealPlayer:
http://www.theregister.co.uk/2007/10/23/real_media_serves_malware/
Attacks Targeting Classified Ad Sites Surge:
http://it.slashdot.org/story/11/02/02/1433210/Attacks-Targeting-Classified-Ad-Sites-Surge
Hackers Respond To Help Wanted Ads With Malware:
http://it.slashdot.org/story/11/01/20/0228258/Hackers-Respond-To-Help-Wanted-Ads-With-Malware
Ruskie gang hijacks Microsoft network to push penis pills:
http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/
Major ISPs Injecting Ads, Vulnerabilities Into Web:
http://it.slashdot.org/story/08/04/19/2148215/major-isps-injecting-ads-vulnerabilities-into-web
Two Major Ad Networks Found Serving Malware:
http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware
NY TIMES INFECTED WITH MALWARE ADBANNER:
http://news.slashdot.org/story/09/09/13/2346229/new-york-times-site-pop-up-says-your-computer-is-infected
MICROSOFT HIT BY MALWARES IN ADBANNERS:
http://apcmag.com/microsoft_apologises_for_serving_malware.htm
ADOBE FLASH ADS INJECTING MALWARE INTO THE NET:
http://it.slashdot.org/story/08/08/20/0029220/adobe-flash-ads-lau
That's OK because it stops DoubleClick from tracking you to a completely different web site example2.org.
Blocking all third party cookies breaks things that a lot of people like and use, like Facebook/Twitter login, Disqus, etc. This is a better solution than the current wide-open default, while still allowing you to block everything if you choose.
"Big Money does not have to adapt. You do." - by Anonymous Coward on Saturday February 23, @04:45PM (#42991537)
AdBlock's inferior to it -> http://yro.slashdot.org/comments.pl?sid=3488893&cid=42993215
* So is Ghostery, & even DNS in some capacities (considering hosts local queries from RAM, are far faster than remote servers, that can be DNS poisoned rather easily, & also downed ones certainly, by far + running one locally at home's more complexity/moving parts that are redundant vs. custom hosts files on even a small LAN, & thus, running up a power bill spent on CPU cycles, RAM, & other forms of I/O required by DNS too - think about it & just use a filtering DNS that's remote instead)...
APK
P.S.=> It's not only my bandwidth that banner ads take, it's what I pay out to an ISP monthly - I wanted it back, & got it (technology's a wonderful thing) + then some, from that program I wrote up... & from a single file, in hosts, that's natively built in to the IP stack itself running in ring 0/rpl 0/kernelmode, fast as it gets, using custom hosts as simply a filter in RAM for speed to do what adblock does, & better!
(Especially since adblock doesn't block all ads anymore & is redundant considering hosts are already there @ OS startup & webbound apps calling it, & when the IP stack starts up & in memory for it running in a far, Far, FAR faster mode of operation than usermode/ring 3/rpl 3 webbrowsers, slowed down MORE by addons (known fact, & nothing illustrates it better than stacking a few up to REALLY see it))...
... apk
As a rough example, Google used to make keeping your accounts completely isolated rather seamless. Then, they decided that wasn't good enough for profiling so they made account switching a total pain in the ass. Note, I'm not talking about account switching within THEIR control. I mean account switching so that Google has no idea that your YouTube account and your GMail account belong to the same person.
All I'm saying is, the marketroids will figure out a way to make your browsing experience miserable w/o disabling this feature.
I swear to God...I swear to God! That is NOT how you treat your human!
No, the "first strike" was when you advertising cocksuckers first thought about making money on the internet. Go pass a kidney stone.
Which is based on OAuth and has precisely nothing whatsoever to do with third-party cookies.
It does cause problems for other completely legitimate use cases, but this is not one of them.
How are sites slashdotted when nobody reads TFAs?
If this change reduces the overall efficacy of advertising on websites, then we'll likely see many independent websites go out of business. Facebook will love this, as it seems like their goal to rub out (yes, I mean this in the mobster sense) the web outside of them.
Maybe we need a compromise?
Have a website somehow "vouch" for the third-party cookies in use on their site by either disclosing them to their users, or letting them present an option/warning to visitors that says "To keep our site financially sustainable, we ask that visitors accept cookies from our advertisers -- to that end, we require cookies to not be blocked to access our content".
I understand why people detest advertising, but it's also part of a commercial ecosystem that keeps the independent web alive and kicking. If we allow the blocking of third-party cookies, we should also give webmasters the power to block access from anyone who is blocking them, and even more, blocking ads on their site. It's only fair.
Steve Magruder, Metro Foodist
After many years of Firefox being a major pain in the ass due to Mozilla adding one new obnoxious "feature" after another, requiring more crap to be disabled and/or changed upon new installation of every new Firefox release... they're *finally* taking a step forward by actually changing a setting to be more useful, requiring one less change for once? Wow... this is quite shocking. Very good move for once, Mozilla. Of course, Firefox is still hopeless with its default settings for my own usage, so this won't be a major change overall, but it's still a welcome change. Only question: Why the fuck wasn't this the default years ago!?!
If you're relying upon 3rd party cookies for SSO, you're doing it wrong.
Very, very wrong.
My
I also think this could block lots of cookies used for SSO. Some people do actually like to be able to log using their twitter or github credentials.
I log into StackExchange with Google SSO and I have no problem typing in my password to do so. In fact, I find it disturbing that sometimes I _don't_ have to.
Note that StackExchange stores the login cookie between browser sessions, so I find that I only have to 'log in' about once a month or so, but I use the site daily.
It is dangerous to be right when the government is wrong.
Then they become 'responsible' for the content served, including malware-infested ads. So long as that responsibility is enforcible, i.e. I can sue a site for sending me malware, then I see this as a good thing.
For that matter, why haven't the large ad networks been sued for 'hacking' i.e. serving malware?
It is dangerous to be right when the government is wrong.
What about extending that "third party blocking" to content?
You know, (iframed) HTML content, images, scripts, CSS and others. Only leaving content from the site you're currently visiting.
Apart from stopping cookies (no content retrieved means no cookies) it will also stop a number of other methods (part of the process of retrieving content) to do the same.
Unfortunately they need to do this else accounts.google.com session cookie is not going to work on mail.google.com, drive.google.com.... How do you distinguish third party cookies from valid cross domain authentication systems?
https://github.com/fredan/nxdomain
It will block Ads on the DNS level so your browser cannot connect
to the advertisements servers and as a result, you will not see any
ads at all.
==========
NXDOMAIN
==========
Might also be known as 'NoAds' or 'LessAds' or something similar.
What NXDOMAIN does is quite simple.
For every request it gets, it checks to see if that 'host' (the lookup
value that is) is in a list.
If it is, we answer with a NXDOMAIN as the answer. You can not
connect to a host if you don't have the ip address and with
NXDOMAIN you don't get that. The consequence of this is that
no ads in your browser can be loaded, just to make an example.
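The lookup-and-answer step the README describes, as an added example (not code from the nxdomain project): parse the question from a DNS query, check the host against a list, and answer with RCODE 3. The blocklist entries, the `*.example` names and the upstream address are constructed placeholders.

```python
import socket
import struct

BLOCKLIST = {"ads.example", "tracker.example"}  # constructed sample list

def build_query(host, qid=0x1234):
    """Build a minimal A/IN query with RD set (used here as sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in host.split("."))
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!2H", 1, 1)

def parse_qname(pkt, off=12):
    """Return (lower-cased host, offset just past the name's root label)."""
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        if n == 0:
            return ".".join(labels).lower(), off + 1
        if n & 0xC0:  # compression pointers do not belong in a question
            raise ValueError("unexpected label type")
        off += 1
        if off + n > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n

def nxdomain_reply(query, blocklist=BLOCKLIST):
    """Return an NXDOMAIN response if the queried host is listed, else None."""
    if len(query) < 12:
        raise ValueError("short header")
    qid, flags, qdcount = struct.unpack("!3H", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, end = parse_qname(query)
    if end + 4 > len(query):  # QTYPE and QCLASS must follow the name
        raise ValueError("truncated question")
    if name not in blocklist:
        return None
    # QR=1, keep opcode and RD from the query, set RA, RCODE=3 (NXDOMAIN)
    rflags = 0x8000 | (flags & 0x7900) | 0x0080 | 0x0003
    return struct.pack("!6H", qid, rflags, 1, 0, 0, 0) + query[12:end + 4]

def serve(bind=("127.0.0.1", 5353), upstream=("192.0.2.53", 53)):
    """UDP loop: NXDOMAIN for listed hosts, relay the rest to `upstream` (placeholder)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(bind)
    while True:
        query, client = srv.recvfrom(512)
        try:
            reply = nxdomain_reply(query)
        except ValueError:
            continue  # drop malformed packets
        if reply is None:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                up.settimeout(2)
                try:
                    up.sendto(query, upstream)
                    reply = up.recvfrom(4096)[0]
                except OSError:
                    continue
        srv.sendto(reply, client)

if __name__ == "__main__":
    serve()
```

The match is exact and case-insensitive, so a listed `ads.example` does not cover `cdn.ads.example` unless that name is listed too.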
Why everyone keeps focusing on regular cookies is beyond me. Advertisers have already moved on long ago to using "web 2.0" tricks, etc to put their tracking stuff in using Flash LSOs and HTML5 cache tricks that don't get erased by any browser by default, even if you select "Clear Private Data".
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
This is not really good news for Internet users. Ok all you guys can bitch about online marketing people, but why do you think your favourite sites are free? Make it harder to advertise and you make it harder for content providers to keep their website up.
Bad move by Firefox - it will encourage advertisers to use browser fingerprinting. (Something which is very difficult to opt out of) .. fonts, plugins, etc.
So we need another patch to stop browsers leaking identifying information
I tried all sorts of cookie policies already, including blocking third party cookies. There were problems with various sites frequently enough that it just got old.
Now, I accept everything, but the browser deletes EVERYTHING when it closes. Sure, I know that they track me for an hour, but then I disappear.
Google however...
FTFA:
> Content from a third-party origin only has cookie permissions if its origin already has at least one cookie set.
So any website (Google, Facebook, ...) that you visit once can track you across the whole web, until all cookies of that website are deleted. And not enough with that:
> What comes next for the Firefox cookie policy?
> [...] Relaxing the cookie policy for websites that honor Do Not Track.
As if anyone could control whether a site honors Do Not Track.
I just hope this isn't Firefox's new interpretation of what "Accept 3rd party cookies" means. I unchecked that option a long time ago, and I expect the browser to honor my choice and block all 3rd party cookies.
This wouldn't make a huge difference. The "trackers" could set a unique ID cookie when you visited their domain, and when you visited other domains they wouldn't need to change that cookie. They already got the information that you visited that page and stuck it in their database.
Online advertising pays for our whole party. I guess you would rather be charged a toll for every web service you use? Stupid privacy zealot. You think you can do the Internet equivalent of walking around in public, totally invisible.
By the way, the only way to gain any anonymity online is with Tor and a stateless browser. In other words, we don't need another half-baked solution that literally does nothing except block funding for free web sites.
This means, for instance, that Facebook, Google and Twitter gets likely a free-pass to track almost anybody.
Never visited facebook, never visited twitter. 2 out of three, not too bad . . .
Except that the Ad agencies want to track you across different sites and won't have access to that cookie when the user is on foobar.com
I've often wondered why we don't associate third party cookies with the page or host they were set at. e.g. If the user is visiting example.org and adsite.org sets a cookie, AdSite can only access it while the user is on example.org, if the user visits example.com then AdSite doesn't see a cookie set.
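The policy quoted from the article above ("only has cookie permissions if its origin already has at least one cookie set") and the per-site keying idea in the comment just before this, modelled side by side as an added example (not Firefox code and not from any commenter). The policy names, the `*.example` hosts and the two-label `site()` shortcut are assumptions.

```python
from urllib.parse import urlsplit

def site(url):
    """Crude site key: last two host labels (assumption: no public-suffix list)."""
    host = urlsplit(url).hostname or url
    return ".".join(host.split(".")[-2:])

class Browser:
    """Toy cookie jar. policy is one of:
    allow_all   - any embedded origin may set and read cookies
    block_all   - embedded third-party origins get no cookies at all
    visited     - third party allowed only if its origin already holds a cookie
    partitioned - third-party cookies are keyed by (top-level site, origin)
    """
    def __init__(self, policy):
        self.policy = policy
        self.jar = {}

    def _allowed(self, top, origin):
        if top == origin:
            return True  # first-party cookies are always accepted
        if self.policy == "block_all":
            return False
        if self.policy == "visited":
            return origin in self.jar
        return True

    def load(self, page, embeds=()):
        """Load a page plus embedded resources; return {origin: cookie ID it can bind}."""
        top, seen = site(page), {}
        for res in (page, *embeds):
            origin = site(res)
            if not self._allowed(top, origin):
                seen[origin] = None
                continue
            key = (top, origin) if self.policy == "partitioned" else origin
            # The server sets an ID cookie on first contact (constructed IDs).
            self.jar.setdefault(key, f"id-{len(self.jar) + 1}")
            seen[origin] = self.jar[key]
        return seen

PIXEL = "https://cdn.tracker.example/p.gif"  # constructed third-party resource

def linkable(policy, visited_tracker_first):
    """True if the tracker sees the same cookie ID on two unrelated sites."""
    b = Browser(policy)
    if visited_tracker_first:
        b.load("https://tracker.example/")  # one first-party visit
    a = b.load("https://news.example/", [PIXEL])["tracker.example"]
    c = b.load("https://shop.example/", [PIXEL])["tracker.example"]
    return a is not None and a == c

if __name__ == "__main__":
    for policy in ("allow_all", "block_all", "visited", "partitioned"):
        for first in (False, True):
            print(f"{policy:12} visited_first={first!s:5} linkable={linkable(policy, first)}")
```

Under `visited`, a single first-party visit is what separates the unlinkable case from the linkable one; `partitioned` keeps the two sites apart even after that visit.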
22 is the current release on the Nightly channel. If you're willing to live with the occasional bug, and daily updates, you can have it now. The option whether to block 3rd party cookies is gone. They are always blocked.
I was blocking 3rd party cookies, until my (required, no alternative) mail order medication site stopped working due to an "upgrade" they made.
I had to turn off 3rd party cookie blocking to log in.
If 3rd party cookie blocking is enabled by default I hope there is a way to turn it off for the 1 site, or all sites if I need to.
Otherwise I will have to use the insecure IE for their site.
You can lose something that is loose, so tighten the loose item so you don't lose it.
Although I'd prefer that tracking would simply be made illegal, I tell you what: I'm less concerned about letting the big guys do it because they are more likely to have some basic security in place and controls to at least respect the TOS. I'm more concerned about small guys...
Build your own browser!
Telephone Telemarketers are still in business. Looks like the internet advertisers need to be spanked as well.
Jack of all trades, master of none
Mozilla needs to fix plugins management. Have any Google products installed on Windows? Try disabling the Firefox Google update plugin... Easy, until you next start Firefox and it is enabled again... This seems like the sort of behaviour that should have this plugin blacklisted automatically, as Firefox has done with other plugins.
I have MS Office and antivirus plugins installed in Firefox that I didn't add. No app should be able to add plugins to their browser without user approval. Firefox should be blocking this, possibly by asking for permission to install them on the next time Firefox is used.
Users should be able to remove plugins, not just disable them.
"Blocking all third party cookies breaks things that a lot of people like and use, like Facebook/Twitter login, disquis, etc."
No it doesn't. Those are script, not cookie, issues. You can enable the scripts while keeping 3rd-party cookies blocked.
I'm less concerned about small guys doing it because by being small, the data they gather will be more sparse and less useful. It is exactly the big ones who collect a threatening amount of data.
But of course the best thing is if they don't get any data at all, no matter if big or small. Thanks to AdBlock Plus and RequestPolicy, they don't even get the chance to request a cookie.
Unfortunately sites these days tend to spread over many different domains, and use third-party JavaScript necessary for operation directly from third-party sites, with domain names where it is often hard to guess what they are for, so getting a web site to work without enabling some unnecessary stuff keeps getting harder.
The Tao of math: The numbers you can count are not the real numbers.
VC money did none of those things. The hundreds of thousands of non-VC-funded businesses hoping to make money off ads demonstrate the two are unrelated. In fact the gold rush mentality of VCs increased competition, and funded various alternatives to ad-supported web sites (microtransactions, CyberCash, subscriptions, link trading, etc.) which all failed to gain traction. How would things have been any better if corporate portals like go.com and msn.com had dominated the web due to an absence of thousands of VC-funded competitors?
As you say, the public chose ad-supported, and that predictable outcome is nothing to do with "VC money". Meanwhile the low barriers to entry make it possible for non-ad supported web models to exist; I don't run ads on my blog, and projects like DIASPORA* and Freedom Box are providing an alternative to "customer as product."
=S
Ghostery is fantastic, but
* Disqus comments don't show up (a third party tracks your activity across web sites)
* Google Play cheap deal links stop working ("Ghostery prevented a redirect from clickserve.dartsearch.net to ad.doubleclick.net")
* some sites including aol.com properties completely break (the morons coding those sites rely on blocked JS code pulling in vital functionality like showing images and expanding comments, maybe intentionally)
Sadly there's no way I can recommend Ghostery to the average web user. And the last problem suggests any site that wants to screw Ghostery users can simply rely on an ad network's copy of jQuery, so that when Ghostery blocks it the site falls over.
Even blocking third-party cookies is troublesome. It again breaks many Disqus comment implementations, and several companies that present bills online seem to rely on my bill-pay site setting third-party cookies on the corporate site. Firefox's implementation will work in these cases, as I've been to both Disqus and those companies' web sites.
=S
Those DNS queries are tangential to cookies. The requests to advertising and market intelligence companies for images and scripts pass info about the current page and your IP address, and the JavaScript code they load sends additional information. Even if you block cookies those companies get enough information to fingerprint you and figure out you're the same person who visited all the other pages on which they loaded their crap.
So run AdBlock and Ghostery, but the latter will break some functionality.
=S
Sites will start blocking Firefox browsers. If enough popular sites do this, people will be switching to other browsers. Or people will start making Firefox masquerade as a different browser, which (if it becomes popular) will subsequently be made illegal. That is assuming that third-party cookie blocking won't just be made illegal.
It is appropriate to describe this as a first-strike, because there will be a retaliatory salvo, and much of our Internet freedom will get caught in the crossfire.
I block 3rd party cookies in all of the big 3: Chrome, IE, and Firefox, using the built-in settings, but I also block most advertising SITES completely. Blocking almost all ads in the process.
I do this by using MVP's ad blocking hosts file, which can be found here: http://winhelp2002.mvps.org/hosts.htm
This blocks not just the ads, but the cookies too, since if they cannot reach your computer, they cannot access or add cookies either.
It's not a perfect solution, sometimes leaving blank spots on webpages, and ALSO blocking most coupon sites, but it can be easily edited to remove sites you want to allow. I personally have a few elevated batch files that add / remove sites to the hosts file, and another that renames it (essentially removing it), and renames it again (making it available again).
I started using my hosts file to block ad sites when Double Click began tracking cookies between websites, and then stopped about 6 months later, because I believe in supporting the free websites I use, and know that if the free website model cannot be self-sustaining, that the only real alternative is to pay for every online service. Meaning no free email, search engines, help sites, or News.
My problem is that advertisers keep pushing the envelope of performance, and thus have made my 2 year old ASUS x64 netbook (my main computer, since I've returned to school) as slow as sh*t on the internet, causing some webpages to take minutes to load (because of multiple, heavy, ads), and others to freeze (because of heavy CPU usage). So about 9 months ago I began blocking sites again with the hosts file, purely as self-defense, because I can't afford to upgrade my computers every year and a half.
Blocking sites with my hosts file also has the side-effect / ?advantage? of blocking ALL traffic from my computer to those data-collection websites, not just traffic from my browser. Meaning that any ad-driven software I've installed cannot pull ads from any site listed in my hosts file. This is not because I am unwilling to "pay" for the ad-driven software, but because I have been forced to take steps to keep my computer usable, and those pieces of software are simply "collateral damage".
If advertisers would be willing to limit the size and CPU usage of their ads based on the capacity of the target computer, I might be willing to open up my hosts file to them again. Until then, I will advise others to use their hosts file to block ads.
THINK! It's patriotic
In other words, if the internet breaks, you die?
That sucks.
Yeah, that would probably be the best option. However I've found no place where I can download the needed time for that. :-)
The Tao of math: The numbers you can count are not the real numbers.
but I never visited ad.d*bleclick.net directly.
While Ads are annoying, they are also the main reason why we have free content. Seems to me the majority of the people want something for no cost which would not work because of all the costs associated with running a business and/or a website. From web hosting costs to paying employees, the money has to come from somewhere! I wish that all those complaining about Ads think about what happens when/if the majority of sites go to a purely subscription method because they cannot depend on Ad revenue any longer. Just like 'free' TV versus Premium Cable channels, if you want 'free' someone has to pay for the service. If you don't want Ads, then you need to step it up and pay for the content yourself. Just imagine Wikipedia having to go to a subscription method because they cannot raise enough money. They have to 'beg' for money as it is to keep running because they do not run ads on their pages.
While there are a minority of bad apples when it comes to advertisers, believe it or not, the majority of the websites depending on ad revenue actually do NOT want to be associated with the shady networks. However, by you blocking ALL ads, you are essentially cutting the legs out from under the legitimate websites and advertisers whose main benefit is to provide you with easily accessible and FREE content. Additionally, cookies are already limited to be accessed by the domain (via cross domain restrictions already in place) and a cookie is still the ONLY way for a website to know definitely that you have opted out. Without an opt-out cookie, a website or advertiser would have no way of knowing your tracking options (at least not until the Do Not Track functionality is implemented universally).
To say 'suck it' to all advertisers seems a bit over reacting and would in the end only hurt all of us by limiting the amount of 'free' content available on the internet.
I'm less concerned about whether "big guys" or "small guys" are given a free pass to rape website users, and more concerned about giving users a choice over who violates them, with opt-out as the default.
My other UID is three digits.
I'm less concerned about letting the big guys do it because they are more likely to have some basic security in place and controls to at least respect the TOS
Exactly! Big companies would never have buggy infrastructure with poor security practices!
Kinda like Sony. Oh... wait.
Anonymous coward? that's not nice, my name is Patrick Young I just do not want to register.
To Identify children Browsers could add, similar to Do Not Track, another setting that passes notification to the website the user is under 13. Sure adults will claim to be 12, so what. Once it is an available feature then lobby for legislation to enforce.
IF YOU DO NOT WANT ADVERTISING.... USE AdBlock
AdBlock is a Browser Add-On for Firefox and Chrome. It disables most third party content from websites.
Third party content is how most ads are served and tracing is implemented.
Specifically (not limited to) blocks Facebook, Google Double Double & Ad Sense Ads, and Google Analytics.