Evercookie: Virtually Irrevocable Persistent Cookies
About The Author
Follow me on Twitter @thomholwerda
2010-09-23 1:53 pmgoogle_ninja
the very worst possible thing you could store in a cookie is how many times you hit the site, and where you came from. You can just store that information server side if you like, so its not like cookies make the situation worse or anything like that.
cookies are locked down to the point of barely being useful. there is no reason to be scared of them.
2010-09-23 7:08 pmPiranha
Perhaps you should read what cookies can actually store.
It can store a whole lot more than just “number of visits”
2010-09-23 10:22 pmgoogle_ninja
I was saying realistically thats as bad as it gets. Anything else that can be tracked can also be tracked server side, and easier too.
The only difference is that cookies are by browser, not by ip. So if you are on an ISP that releases your ip every time you connect to them, you visit a site, disconnect your internet, reconnect, and visit the site again, they are able to tell the two visits came from the same person. If you don’t change your IP every visit, there is no difference at all between what can be tracked via cookie, and what can be tracked via ip.
2010-09-25 1:36 pmTuishimi
This is true but you have to give that information to the server by hitting it and by having it in your browser, accessible to the server.
So the more you have stored in cookies, the more data can potentially be gleaned from you.
2010-09-25 3:09 pmgoogle_ninja
Basically, when you go to a web page, your browser sends a request for the various pieces (html, images, stylesheets, etc). It also sends a whole bunch of data in a special part of the request called the header, this info includes what browser you have, what os you have, what your IP is, what webpage you came from, etc.
If all the site owner wants is analytics, that is enough, and even if arent using cookies, you can be sure those sites are still tracking that info.
Where cookies come in is that while that info is useful, it is even MORE useful if you can reliably tie some of those requests together. That way you know things like even though reddit sends you boat loads of traffic, those people never hang around of long and never come back, while lifehacker on the other hand is the site that sends you people who become core users of your site, returning over and over again.
The problem is that the IP address is not enough to say for sure that it is the same person. It very often is, but there are loads of situations where it isn’t. If your ISP gives you a new ip for whatever reason, if someone is going through a network gateway, or if someone is going through a proxy server, those IP addresses won’t be terribly reliable or useful.
Any time you visit a site that is more of an application (like facebook or gmail), those sites will give you a session cookie, so that they can reliably tell which user is from each request. These cookies usually are a unique identifier (or UUID), and they usually go away when you close your browser. Sites trying to get better analytics on their visitors use the same technique, but make the cookie persist indefinitely.
Now, almost since day 1, cookies have inspired these “TEH SKIES ARE FALLING!!” type reactions. What it boils down to at the end of the day is not the information that sites are gathering from their visitors, it is that if someone knows where to look on your browser, they can tell just what kind of a porn fiend (or something else embarrassing) you actually are, because you have been tagged by half the porn sites on the internet.
People who don’t have embarrassing fetishes they explore online, or if they do, don’t live with a spouse or their parents, really don’t have anything to freak out about, since who really cares if they know user 1284173395-34073024-26782419 is a regular rather then a first timer?
Last point (this is already rather long), it isn’t just porn sites who do that. The number I used is the quantcast.com cookie I got tagged with and is used on osnews. Quantcast is an extremely popular service, chances are everything you visit will be using them and/or google analytics. Now, I don’t care that the people who run this site know that I don’t come from google, spend an average of 20 mins or so a day here, and have been coming fairly regularly for a few years so it just doesn’t bother me.
Edited 2010-09-25 15:13 UTC
I don’t see how the potential advantage of persistence accross browsing sessions outweights the risk to my own privacy.
The persistence it-self makes these evercookies too closely related to spyware to be welcome on my system for my confort. My next browser of choice will be one recognizing such incoming evercookies and allowing me to accept or refuse them.
Even plain cookies are out of control. Initially, they were introduced for providing a session integrity and storing user’s settings – all on service by service basis. I have no problem with these – they only collect information from a single website, can be easily removed or blocked if needed, and have no effect on other services.
The problem is with services like google, facebook and plenty of “analytics” websites setting what effectively are “web-wide cookies”. I simply don’t want these. Logging out from gmail, youtube or facebook to read some news elsewhere is not really an option – it’s simply too obtrusive to bother about. It’s so much easier to let these guys to track your browsing session instead.
So what to do about cookies?
– Use existing techniques (block third-party cookies, use adblock etc.) They often work, although they’re somewhat indiscriminate – sometimes block too much, often too little.
– Track the cookies. Store all available information about them, like the time the cookie was set, full URL and full title of the page they came from etc. Maybe even allow users to exchange opinions on each of them.
– Make cookies “first-class UI objects”. Integrate cookie management with URL bar, browsing history and bookmarks. At present, cookies are obscured by layers of gui – that’s not what we want, cookies are too important for user’s privacy to be just thrown somewhere in the file system. How to do it? I’m not a UI designer. Maybe just put an icon per each cookie next to the page URL/title and allow the user to enable/disable them easily?
– Introduce some sort of session management or sandboxing. I want to know that this group of tabs belongs to the session where I’m logged in my google account and the other does not. Not really sure how to implement this feature so the browser is still easy to use, maybe by making sure that each new browser window opens with a “fresh session”?
I heard Firefox-4 will bring some improvements in cookie management but looking at their roadmap they are just planning to rearrange some of the existing GUI knobs. That may not be enough.
OTOH, I don’t expect such features to arrive in competing browsers first (maybe except for Konqueror or Opera) so, yes, I’m looking at you, Firefox.
2010-09-23 6:21 amRawMustard
Well said. Firefox cookie management is totally inadequate for a browser that promotes itself as being friendly to users and their privacy. I must install a third party extension which breaks with each update just to have some form of control. Blocking third party cookies or blocking cookies completely is a shallow attempt at cookie management.
Did I say I hate cookies? I like chocolate ones though
2010-09-23 8:06 amValhalla
OTOH, I don’t expect such features to arrive in competing browsers first (maybe except for Konqueror or Opera) so, yes, I’m looking at you, Firefox.
The easy way is to use Firefox’s option of turning off ‘accept cookies from sites’ and add those you want to allow to ‘exceptions’. Then if you are feeling paranoid you can examine those ‘allowed’ cookies to see what information they store.
2010-09-23 1:45 pmj-kidd
Logging out from gmail, youtube or facebook to read some news elsewhere is not really an option – it’s simply too obtrusive to bother about. It’s so much easier to let these guys to track your browsing session instead.
You want something to be done, yet you don’t want to do it yourself. Once you find a way to not use gmail, then you can disable cookie for the whole google.com, and solve half of your problem.
It’s really not that hard. I don’t even use google search anymore.
2010-09-23 3:02 pmndrw
I agree with you that this indeed would work. But I was thinking more in line of a solution, not a workaround, however effective it would be.
I can give up using using a service or two but how about others? Is everyone interested in basic privacy supposed to disable cookies and JS by default, stop using Google/Facebook/… apps and install tens of addons to weed out unwanted cookies?
Currently there are no manageable solutions for tackling the network effect (other than leaving the web, or at least some of its services) and we can be sure that there will be more organizations trying to exploit it in the future.
2010-09-24 2:22 amj-kidd
Well, I think your technical solutions are indeed workarounds, because whatever solution it is, we can be sure that there will be organizations trying to exploit it.
The solution is to support organizations that do no evil.
2010-09-24 3:35 amndrw
Altight, not using the web is a perfect solution to privacy dangers caused by using the web.
If that’s what you wanted to say – I agree with you entirely.
2010-09-24 12:45 pmj-kidd
So “not using gmail” is somehow equivalent to “not using web”?
2010-09-24 4:01 pmndrw
You’re simply talking about a different problem, one that is totally unimportant to me.
I’m OK letting Google read my emails to friends (who are mostly using GMail anyway). I’m OK letting my bank know how much money I have. I’m OK letting a railway company know where do I travel… I am OK with all of that because these are different organizations, I explicitly agreed to use their services and risks to privacy are well understood (in particular there is no single party that has all the knowledge).
What happens on the web is very different. Almost all websites distribute cookies from a handful of major players, be it from Google, Facebook or someone else.
– BBC, CBS – Google
– CNN – Facebook
– Amazon – Google
– OSNews – Google
– Slashdot – Google
– a well known xxx site – Google
– YouTube, Google Maps,… – (no prize for guessing who)
Hell, even logon page of my online banking is pulling some crap from a third-party stats site.
Fast forward several years and all websites will be shipping these cookies. So regardless of whether you’re using GMail or not, Google or some other advertising agency will know more about you than you do.
Looks like we fell into an endless loop, so if no one else wants to comment on this thread then it’s EOT for me.
As far as I can tell, this can be defeated by a Firefox install with the following tweaks:
2. Install BetterPrivacy (Nukes LSOs, DOMStorage, and Click-Ping)
3. Install NoScript and set “Apply these restrictions to whitelisted sites too” to get something like FlashBlock but more reliable. (Second layer of defense against LSOs, first layer against the planned SilverLight Isolated Storage and Java MAC address fingerprinting mechanisms)
4. Make sure you’re running a Firefox version with the fix to close the getComputedStyle() :visited hole. (Kills “Storing cookies in Web History”)
5. Set Firefox to flush the cache on exit. (Kills the current Canvas-based “cookies in cache” solution and the planned ETags one)
Amusingly, I was already doing all of this long before I’d heard of evercookie.
I’m not yet sure what to do about the planned window.name part. As I understand it, window.name is session-only by nature, but I’m not yet sure whether Firefox’s session manager preserves or discards them when persisting your browser session.
As for legitimate “Well, it’s here so we might as well use it responsibly” uses for evercookie, the only one I can think of is setting a “ban token” so that ban-evading users have their ability to create new accounts removed and so the system can move IP bans around to follow them so innocents on the same ISP don’t get caught in the crossfire.
If I do that on any site I run, I’ll be sure to not even load the evercookie JS unless the user is on probation. (I also generally take a cautious “Stop them from causing trouble but let them continue to use our service” approach to problem users. Hence the term “probation”)
Thanks for this very interesting link and for the author who did the research for ever cookie.
I hope developers ie mozilla ff will take note of the flaws used for history and png “cookie exploit”
You’ll have to sort out Flash (and other plugins!) elsewhere, but for built-in tracking Firefox tracking vectors:
Options/Preferences -> Privacy -> Clear history, tick the following:
– Active Logins
– Site Preferences
– Offline Website Data
Then in a new tab, go to about:config, search for sessionstore.privacy_level and set all entries to 2.
This second step is IMPORTANT, as otherwise any restored tabs are stupidly excluded from having their above history cleared (see the comment from today here: https://bugzilla.mozilla.org/show_bug.cgi?id=529899 )
2010-09-23 5:51 pmBlueofRainbow
Interesting to know that plug-ins may have (overwrite?) different security settings than the browser they plug-into!
This is the kind of inconsistencies which frustrate me as an user. If I desire to have a given security setting – whether for my desktop (local) or my browser (connected to the web) – I desire these settings to be enforced all the way down to the applications and plug-ins by cascade. If I explicitely need to set an exception, it would likely be more restrictive for the application/plug-in than the top level instead of being more permissive.
Also, it should be part of the desktop OS and browser preference settings – not a work-around requiring half a dozen additional tools to be searched for, installed, and maintained up to date in addition to the desktop OS and browser them-selves.
I just defeated the Evercookie by using Google Chrome’s Incognito window mode…
2010-09-23 4:10 pmssokolow
He actually says in the FAQ that well-implemented Incognito Mode systems will defeat it. (I’m assuming part of “well implemented” means “Must either disable plugins or use Flash’s new Incognito Mode API”)
Edited 2010-09-23 16:10 UTC
There is no reason (ever) for websites to put irrevocable cookies in user systems…
They may claim it is to keep track of.. and at that point, in the US, they have lost the argument.
There will be devices, set up, to stop the problem from persisting…
But, most important, if this is the game the site wants to play, the site should be paid in kind.
Denial of Service from all computers they set up with said cookies could be triggered by the elimination software…
Sending site urls to black hats…
Broadcasting sites guilty of such crass innovations…
Just to have something off the top of my head.
If sites want to track people, that is their right, I guess. If people don’t want to be tracked, that is the peoples right. But, if the site inherently wants to attack the peoples computer… it is fully declaring war… and should face the consequences.
2010-09-25 1:41 pmTuishimi
“if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.”
The difference between that and a virus is??
BleachBit 0.8.1 cleans evercookies (and other stuff): http://bleachbit.sourceforge.net/news/test-bleachbit-081-beta .
Sure, you need to erase your history, your cache, your cookies and your LSO (Flash cookies), but it’s still quite easy to remove. If there are abuse for those evercookies, tools will be made to actually remove them properly and easily. These tools will even be integrated into your browsers if need be.
On the bright side, the LSO part of evercookies is interesting for keeping you logged-in across browsers. I might try to make a (opt-in) functionality in my tools to activate it (think cross-browser login). It is useful for web developers that need to test something across many browsers.
This is an abuse of our right to privacy. I don’t think the average person should have to take great steps to ensure their privacy. This device if implemented only has potential for marketing companies. I personally resent having my privacy invaded.