Google Chrome To Boost User Privacy by Improving Cookies Handling Procedure (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Google engineers plan to improve user privacy and security by putting a short lifespan on cookies delivered via HTTP connections. Google hopes that the move will force website developers and advertisers to send cookies via HTTPS, which "provides significant confidentiality protections against [pervasive monitoring] attacks."

Sending cookies via plaintext HTTP is considered both a user privacy and security risk, as these cookies could be intercepted and even modified by an attacker. Banning the sending of cookies via HTTP is not yet an option, so Chrome engineers hope that by limiting a cookie's lifespan, they would prevent huge troves of user data from gathering inside cookies, or advertisers using the same cookie to track users across different sites.

37 comments

  1. They're cutting out the competition by Anonymous Coward · · Score: 5, Insightful

    You're still using a browser published by an ad company.

    1. Re:They're cutting out the competition by thebryce · · Score: 1

      mod parent up!

    2. Re:They're cutting out the competition by AHuxley · · Score: 2

      The ads are now direct and more encrypted :)

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:They're cutting out the competition by Anonymous Coward · · Score: 0

      I for one welcome our new I.T. closet cleaner privacy overlord.

    4. Re: They're cutting out the competition by Anonymous Coward · · Score: 0

      Yup, and forcing all advertisers to pay them for their adsense cookie for cross site info. A true sign of a monopoly using what might come off as the right move for their own gain.

      I still don't know why we don't have site-sandboxed cookies within the browser where the user can adjust between static subdomains to temporary individual pages.

    5. Re: They're cutting out the competition by the_B0fh · · Score: 1

      Someone just built one for FaceBook, on FireFox.

    6. Re:They're cutting out the competition by Anonymous Coward · · Score: 0

      I mean seriously... Even the department line gets it.

      Luckily there's still chromium, at least.

  2. Just let us have cookie control by Anonymous Coward · · Score: 4, Insightful

    Let us manage cookies without making us have extensions and let us choose which sites are allowed to have cookies. All web browsers have been crippling their cookie management recently.

  3. Re: AC To Boost Visibility By Improving FP Procedu by Anonymous Coward · · Score: 0

    I tip le fedora in your general direction, good sir!

  4. Easy way to boost privacy by Moldiver · · Score: 4, Insightful

    Easy way to boost privacy - Stop using Chrome and google services...

    1. Re:Easy way to boost privacy by hcs_$reboot · · Score: 1

      and for starters, replace DNS servers 8.8.8.8 and 8.8.4.4 with 1.1.1.1 / 1.0.0.1 ...

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Easy way to boost privacy by thegarbz · · Score: 1

      Easy way to boost privacy - Stop using Chrome and google services...

      Depends on what you mean by privacy. There are people I trust with my data. There are many more that I don't. Just because I use Chrome and Google Services doesn't mean I don't want a secure method of communicating with people, them specifically.

    3. Re:Easy way to boost privacy by Anonymous Coward · · Score: 0

      From one massive surveillance to another? How about you kick your ISP in their nuts if the native DNS they provide are not faster than those you quoted? There is no reason for the ISP DNS servers being slower than any 3rd party. Apart from incompetence.

  5. https by hcs_$reboot · · Score: 1

    Google has been pushing https a lot already, for a few years, and cookies exchanged over an https site are secure. Websites using http to send/set/read session (...) cookies deserve to be hacked.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:https by Anonymous Coward · · Score: 0

      Someone might want to tell Valve that considering it's exactly what Steam does. They've thus far ignored me in the 3+ years I've tried telling them, including providing attack examples.

      The issue with cookies is less http vs https and more Chrome castrated cookie handling in general. The interface itself is _horrid_.

    2. Re:https by Anonymous Coward · · Score: 0

      There are other use cases for cookies besides login that aren't sensitive. Granted local storage and session storage were meant to replace them, but we can't rewrite the entire web every 3 years because google felt like it.

  6. I have altered the deal by Anonymous Coward · · Score: 0
  7. Aren't cookies essentially obsolete? by Anonymous Coward · · Score: 0

    They're an outdated tracking technology from the 90's.... even mainstream radio shows like "kim komando" have programs talking about how companies like apple and google use far more sophisticated tracking tech that we all know we can't opt out of.

  8. Cookies are obsolete now. Fingerprinting is in. by denis-The-menace · · Score: 2

    https://duckduckgo.com/?q=brow...

    When chrome is able to evade browser fingerprinting, we'll talk.

    Is there even a browser out there that does this?

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    1. Re:Cookies are obsolete now. Fingerprinting is in. by phantomfive · · Score: 1

      Is there any company that actually uses browser fingerprinting? I haven't seen it used anywhere (but obv that doesn't mean it's unused). Other methods are still too practical, and easier to work with.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Cookies are obsolete now. Fingerprinting is in. by Anonymous Coward · · Score: 0

      i would gladly build from source to roll in gh patches providing that functionality for ffox v52 releases!

    3. Re:Cookies are obsolete now. Fingerprinting is in. by Anonymous Coward · · Score: 0

      >Other methods are still too practical, and easier to work with.

      "if it's possible, it's already being used against you" -- is not a paranoid but an informed matter-of-fact statement. have you not paid attention over the last 20+ years?

    4. Re:Cookies are obsolete now. Fingerprinting is in. by Anonymous Coward · · Score: 0

      Is there even a browser out there that does this?

      Tor Browser Bundle with javascript disabled goes a long ways.

      Whichever browser you use, DISABLE FUCKING JAVASCRIPT BY DEFAULT. It is a massive security and privacy clusterfuck.

  9. Then your router/printer deserves to be hacked by tepples · · Score: 1

    Websites using http to send/set/read session (...) cookies deserve to be hacked.

    Does this include your home router, printer, or NAS box? The login page of home network devices like these probably uses cleartext HTTP because several usability problems with running a private HTTPS server still have not been solved for less-technical users.

    In mainstream web browsers, the warning for a cleartext HTTP connection is still not as scary as the warning for an HTTPS certificate from an unknown issuer. And when displaying this warning, mainstream web browsers make no distinction among the same subnet on a home LAN, the same subnet on a coffee shop LAN, and the public Internet. This makes the "trust on first use" model of SSH, where the user is expected to compare the key fingerprint presented to the client with the fingerprint presented out of band, less practical.

    Most home users aren't technical enough to operate a private certificate authority, install its root certificate into the trusted certificate repository of each browser on each device that they use, and issue a certificate to each of these home network appliances. Nor are most home users technical enough to find one of the few gratis DDNS providers that is on the Public Suffix List and set up an automated integration with both the DDNS provider and Let's Encrypt.

  10. Chrome privacy? by GeekWithAKnife · · Score: 1

    Ohhhhh, google means they are the only one to store, sell and analyse the data.

    "privacy" -Gotcha!

    --
    A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
  11. Fake threats vs actual threats by Anonymous Coward · · Score: 0

    It's like every day is a Zuckerberg hearing where cross site stalking of Internet users is justified by invoking "security" without the whole room breaking out in laughter.

    Are we actually expected to care that tracking bugs designed to stalk us might be leveraged by other stalkers? Chrome itself is loaded with Google malware that spies on its users.

    I do not support breaking HTTP in the name of security. The reduced complexity and permission requirements needed for HTTP make it a valuable hedge against attempts to leverage DNS and PKI as a means of censorship.

  12. Re: Cookies are obsolete now. Fingerprinting is in by phantomfive · · Score: 1

    That's a nice, pithy statement, but it's not really accurate. For example, it's possible to throw bricks through my living room window but so far that hasn't been used against me.

    --
    "First they came for the slanderers and i said nothing."
  13. Chromium or Brave by Anonymous Coward · · Score: 0

    Yes, although Chromium is fine (and is engineered way better than Firefox), provided you don't turn on telemetry. I'm partial to Brave, which uses a Chromium base but with additional security features.

  14. Browser fingerprinting by Anonymous Coward · · Score: 0

    Fingerprinting is the most sophisticated tracking technology today, though it still isn't mainstream. EFF, Brave and others are working on developing technologies against it. The best defense presently is to block tracking scripts. Hopefully they come up with better defenses later.

    The other thing is most of the web is moving heavily towards mobile, and companies are pushing users into dedicated apps. If you're engaging with a service via its app, cookies and fingerprinting and scripts and tracking code all don't matter since you're just giving the service a direct line into your device via the app. It's a good idea to keep your devices free from any software and apps you don't actually need and use your (secured) browser as often as possible.

  15. Brave and fingerprinting by Anonymous Coward · · Score: 0

    Brave has an anti-fingerprinting feature that attempts to control or confuse access to canvas, WebGL, and a few other things. It's not perfect but it works pretty decently. Brave still isn't ready for prime time, though. The desktop version is in beta. Mobile works, but with some limitations.

  16. Re: Cookies are obsolete now. Fingerprinting is in by Anonymous Coward · · Score: 0

    why waste good bricks :D

  17. Re: Cookies are obsolete now. Fingerprinting is in by EndlessNameless · · Score: 2

    For example, it's possible to throw bricks through my living room window but so far that hasn't been used against me.

    That's a nice, pithy example, but it's not really relevant. There is no benefit to throwing bricks through your living room window, but there are well-established means of monetizing user data.

    This is especially true since fingerprinting can offer data that cookies don't. For example, fingerprinting may expose a user who has cleared his cookies, switched browsers to segregate his activity, or used Incognito Mode. Fingerprinting can link an unknown/new user to a preexisting cookie or advertising profile in some cases. It circumvents existing privacy measures and exposes information that was never available before.

    It is both bad and difficult to stop. Most fingerprinting metrics are exposed by the browser because they were useful to web developers for legitimate reasons. Almost any attempt to stop fingerprinting will break something else. Legal prohibitions are probably necessary, and even that won't stop some people.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  18. Even easier method by smooth+wombat · · Score: 1

    Delete your cookies every night. Clear everything so you start fresh in the morning.

    Make web sites and advertisers work to figure out who you are.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Even easier method by Anonymous Coward · · Score: 0

      There are super cookies which can't be deleted. Better tip is to uninstall every night, then re-install again to clear all types of cookies.

  19. Software freedom boosts privacy by jbn-o · · Score: 1

    Actually the browser's author or what that author does is both inaccurate (Google is not just about advertising) and irrelevant. If Google Chrome were published as free software—software that respected a user's freedom to run, inspect, modify, and share published software—users could inspect the source code, change what they didn't like, run the variant they prefer, and share their improved version. Users don't have these freedoms with Google Chrome; Chrome is proprietary (nonfree, user-subjugating) software.

    So users have to decide to reject the software or have blind faith that Google will do right by them and believe that it is in Google's interest to "boost user privacy" at all. The mechanism by which Google purports to do this is irrelevant because Google got to where it is by spying on and censoring users. Proprietary software is often malware and Google's proprietary software is no exception.

  20. Come on Google, do better by Anonymous Coward · · Score: 0

    Dear Google, it's not your internet. Stop fucking with the browser and the protocols to force more of the internet ecosystem into your monopolistic business services.

    Dear DoJ, wake the fuck up! It's long past time you dragged Google over the coals for their Daily Do Evil. You punished Microsoft for far less - Microsoft didn't actively remove User Choice they just installed Internet Explorer as the default browser on their own operating system.

    That said, web sites don't have any business pushing out cookies that expire in years instead of days or hours. In addition to that there are plenty of web sites in the Alexa Top 1000 list that publish way more cookies than they really ought to - one site I tested had 63 Set-Cookie headers in its GET / HTTP/1.1 response... what the fuck?
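As an added example (not code from the BleepingComputer article, from Google, or from any commenter) tying together the summary's point about cookies delivered over plaintext HTTP and the last post's complaint about cookies that expire in years: a small Python audit of one response's Set-Cookie headers that flags cookies set over HTTP, cookies missing the Secure or HttpOnly attribute, and cookies living beyond an assumed 30-day policy. The sample headers and the reference time are constructed for illustration.

```python
"""Audit Set-Cookie headers for plaintext transport and over-long lifetimes.
Added example, not code from the article or any commenter. SAMPLE and
AUDIT_TIME are constructed; MAX_SANE_LIFETIME is an assumed local policy."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SANE_LIFETIME = 30 * 24 * 3600                        # assumed policy: 30 days
AUDIT_TIME = datetime(2018, 4, 17, tzinfo=timezone.utc)   # constructed "now"

def parse_set_cookie(header, now):
    """Return (name, attrs, lifetime_seconds); lifetime is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    lifetime = None
    if "max-age" in attrs:                     # Max-Age takes precedence over Expires
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:                   # RFC 1123 date, always GMT
        lifetime = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return name, attrs, lifetime

def audit(scheme, headers, now=None):
    """Return [(cookie_name, finding), ...] for one response's Set-Cookie lines."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, attrs, lifetime = parse_set_cookie(header, now)
        if scheme == "http":                   # the cookie crossed the wire in the clear
            findings.append((name, "set over plaintext HTTP"))
        if "secure" not in attrs:              # browser may send it back over HTTP later
            findings.append((name, "missing Secure attribute"))
        if "httponly" not in attrs:            # readable by any script on the page
            findings.append((name, "missing HttpOnly attribute"))
        if lifetime is not None and lifetime > MAX_SANE_LIFETIME:
            findings.append((name, f"lifetime of {lifetime // 86400} days"))
    return findings

# Constructed sample: three Set-Cookie headers seen in one GET / response.
SAMPLE = [
    "sessionid=abc123; Path=/; HttpOnly",
    "tracker=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "pref=dark; Max-Age=3600; Secure; HttpOnly; SameSite=Lax",
]
if __name__ == "__main__":
    for name, finding in audit("http", SAMPLE, AUDIT_TIME):
        print(f"{name}: {finding}")
```

Run against a real capture, the same loop over all Set-Cookie lines of a GET / response will surface the years-long expiries and unflagged cookies the last comment describes.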