Slashdot Mirror


Google Chrome To Boost User Privacy by Improving Cookies Handling Procedure (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Google engineers plan to improve user privacy and security by putting a short lifespan on cookies delivered via HTTP connections. Google hopes that the move will force website developers and advertisers to send cookies via HTTPS, which "provides significant confidentiality protections against [pervasive monitoring] attacks."

Sending cookies via plaintext HTTP is considered both a user privacy and security risk, as these cookies could be intercepted and even modified by an attacker. Banning the sending of cookies via HTTP is not yet an option, so Chrome engineers hope that by limiting a cookie's lifespan, they would prevent huge troves of user data from gathering inside cookies, or advertisers using the same cookie to track users across different sites.


  1. They're cutting out the competition by Anonymous Coward · · Score: 5, Insightful

    You're still using a browser published by an ad company.

    1. Re:They're cutting out the competition by thebryce · · Score: 1

      mod parent up!

    2. Re:They're cutting out the competition by AHuxley · · Score: 2

      The ads are now direct and more encrypted :)

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re: They're cutting out the competition by the_B0fh · · Score: 1

      Someone just built one for Facebook, on Firefox.

  2. Just let us have cookie control by Anonymous Coward · · Score: 4, Insightful

    Let us manage cookies without making us have extensions and let us choose which sites are allowed to have cookies. All web browsers have been crippling their cookie management recently.

  3. Easy way to boost privacy by Moldiver · · Score: 4, Insightful

    Easy way to boost privacy - Stop using Chrome and Google services...

    1. Re:Easy way to boost privacy by hcs_$reboot · · Score: 1

      and for starters, replace DNS servers 8.8.8.8 and 8.8.4.4 with 1.1.1.1 / 1.0.0.1 ...

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Easy way to boost privacy by thegarbz · · Score: 1

      Easy way to boost privacy - Stop using Chrome and google services...

      Depends on what you mean by privacy. There are people I trust with my data. There are many more that I don't. Just because I use Chrome and Google Services doesn't mean I don't want a secure method of communicating with people, them specifically.

  4. https by hcs_$reboot · · Score: 1

    Google has been pushing https a lot already, for a few years, and cookies exchanged over an https site are secure. Websites using http to send/set/read session (...) cookies deserve to be hacked.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  5. Cookies are obsolete now. Fingerprinting is in. by denis-The-menace · · Score: 2

    https://duckduckgo.com/?q=brow...

    When Chrome is able to evade browser fingerprinting, we'll talk.

    Is there even a browser out there that does this?

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    1. Re:Cookies are obsolete now. Fingerprinting is in. by phantomfive · · Score: 1

      Is there any company that actually uses browser fingerprinting? I haven't seen it used anywhere (but obv that doesn't mean it's unused). Other methods are still too practical, and easier to work with.

      --
      "First they came for the slanderers and i said nothing."
  6. Then your router/printer deserves to be hacked by tepples · · Score: 1

    Websites using http to send/set/read session (...) cookies deserve to be hacked.

    Does this include your home router, printer, or NAS box? The login page of home network devices like these probably uses cleartext HTTP because several usability problems with running a private HTTPS server still have not been solved for less-technical users.

    In mainstream web browsers, the warning for a cleartext HTTP connection is still not as scary as the warning for an HTTPS certificate from an unknown issuer. And when displaying this warning, mainstream web browsers make no distinction among the same subnet on a home LAN, the same subnet on a coffee shop LAN, and the public Internet. This makes the "trust on first use" model of SSH, where the user is expected to compare the key fingerprint presented to the client with the fingerprint presented out of band, less practical.

    Most home users aren't technical enough to operate a private certificate authority, install its root certificate into the trusted certificate repository of each browser on each device that they use, and issue a certificate to each of these home network appliances. Nor are most home users technical enough to find one of the few gratis DDNS providers that is on the Public Suffix List and set up an automated integration with both the DDNS provider and Let's Encrypt.

  7. Chrome privacy? by GeekWithAKnife · · Score: 1


    Ohhhhh, Google means they are the only one to store, sell and analyse the data.

    "privacy" -Gotcha!

    --
    A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
  8. Re: Cookies are obsolete now. Fingerprinting is in by phantomfive · · Score: 1

    That's a nice, pithy statement, but it's not really accurate. For example, it's possible to throw bricks through my living room window but so far that hasn't been used against me.

    --
    "First they came for the slanderers and i said nothing."
  9. Re: Cookies are obsolete now. Fingerprinting is in by EndlessNameless · · Score: 2

    For example, it's possible to throw bricks through my living room window but so far that hasn't been used against me.

    That's a nice, pithy example, but it's not really relevant. There is no benefit to throwing bricks through your living room window, but there are well-established means of monetizing user data.

    This is especially true since fingerprinting can offer data that cookies don't. For example, fingerprinting may expose a user who has cleared his cookies, switched browsers to segregate his activity, or used Incognito Mode. Fingerprinting can link an unknown/new user to a preexisting cookie or advertising profile in some cases. It circumvents existing privacy measures and exposes information that was never available before.

    It is both bad and difficult to stop. Most fingerprinting metrics are exposed by the browser because they were useful to web developers for legitimate reasons. Almost any attempt to stop fingerprinting will break something else. Legal prohibitions are probably necessary, and even that won't stop some people.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  10. Even easier method by smooth+wombat · · Score: 1

    Delete your cookies every night. Clear everything so you start fresh in the morning.

    Make web sites and advertisers work to figure out who you are.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  11. Software freedom boosts privacy by jbn-o · · Score: 1

    Actually the browser's author or what that author does is both inaccurate (Google is not just about advertising) and irrelevant. If Google Chrome were published as free software—software that respected a user's freedom to run, inspect, modify, and share published software—users could inspect the source code, change what they didn't like, run the variant they prefer, and share their improved version. Users don't have these freedoms with Google Chrome, Chrome is proprietary (nonfree, user-subjugating) software.

    So users have to decide to reject the software or have blind faith that Google will do right by them and believe that it is in Google's interest to "boost user privacy" at all. The mechanism by which Google purports to do this is irrelevant because Google got to where it is by spying on and censoring users. Proprietary software is often malware and Google's proprietary software is no exception.