- Cookie 5 More Privacy Better Browsing 5 0 35
- Cookie 5 More Privacy Better Browsing 5 0 32
- Cookie 5 More Privacy Better Browsing 5 0 36
- Cookie 5 More Privacy Better Browsing 5 0 30
For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn't save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care.
Ironically, the chink that allows websites to uniquely track people's incognito browsing is a much-needed and relatively new security mechanism known as HTTP Strict Transport Security. Websites use it to ensure that an end user interacts with their servers only when using secure HTTPS connections. By appending a flag to the header a browser receives when making a request to a server, HSTS ensures that all later connections to a website are encrypted using one of the widely used HTTPS protocols. By requiring all subsequent connections to be encrypted, HSTS protects users against downgrade attacks, in which hackers convert an encrypted connection back into plain-text HTTP.
Sam Greenhalgh, a technology and software consultant who operates RadicalResearch, has figured out a way to turn this security feature into a potential privacy hazard. His proof of concept is known as HSTS Super Cookies. Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at. There are two things that give his cookies super powers. The first is that once set and depending on the specific browser and platform it runs on, the cookies will be visible even if a user has switched to incognito browsing. The second is that the cookies can be read by websites from multiple domain names, not just the one that originally set the identifier. The result: unless users take special precautions, super cookies will persist in their browser even when private browsing is turned on and will allow multiple websites to track user movements across the Web.
Download Chrome for Windows. For Windows 10/8.1/8/7 32-bit. For Windows 10/8.1/8/7 64-bit. This computer will no longer receive Google Chrome updates because Windows XP and Windows Vista are no.
- If you upgrade to Disconnect’s premium offering ($5/mo or $50/yr) you get those features along with mobile apps for iOS and Android to protect your browsing and block malware and adware on the.
- Cookies, more properly called HTTP cookies, are small bits of data stored as text files on a browser. Websites use those small bits of data to keep track of users and enable user-specific features. They enable core website functionality, such as e-commerce shopping carts, and are also used for more controversial purposes, such as tracking user.
Update: The latest version of firefox, 34.0.5, no longer allows HSTS Super Cookies set in regular mode to persist in private mode. Greenhalgh said this fix is recent and produced screenshots showing his PoC worked on version 33 of Firefox, at least when running on Windows. Firefox 34.0.5 continued to allow multiple websites access super cookies. Chrome on Windows remained fully vulnerable, as did Chrome and Safari running on an iPad tested by Ars. Internet Explorer isn't vulnerable because currently supported versions of the browser don't support HSTS.
How it works
For any one site, HSTS can be used to hold only a single binary value—either on or off. To work around this limitation, Greenhalgh strings together 32 sites, adds all of the ons and offs, and stores them as a binary number. The result is the ability to uniquely tag more than two billion individual browsers. To make it easier on the website, the decimal number he stores is converted into a base36 string, so 169ze7 is used to represent 71009647, or lm8nsf is used to represent 1307145327. Of course, a less scrupulous website could perform the same tracking in a way that was less transparent.
Once someone visits Greenhalgh's PoC page in normal browsing mode, the unique identifier will persist even when viewing the page with privacy mode turned on. What's more, other sites—for instance, this one—will be able to read the identifier, allowing the tracking of users across large numbers of websites. These abilities fly in the face of what most users have come to expect. Typically, turning on privacy mode prevents websites from reading any previously set cookies. And unlike HSTS Super Cookies, most standard cookies can be read only by the Internet domain that set them.
Fortunately, except for people using the Safari browser on an iPhone or iPad, it's possible to flush the browser flags that make HSTS Super Cookies possible. All that's required is that before switching to privacy mode a user delete all cookies. Every standard browser—with the exception of Safari on iDevices—will also flush the HSTS settings. (Unfortunately, these settings appear to be difficult or impossible to remove when using Safari on iPads and iPhones, Greenhalgh said.) He found no evidence HSTS flags set in privacy mode are carried over into normal browsing, meaning people who have visited a site only incognito are safe from the attack.
HSTS Super Cookies are a good example of how the introduction of new features–even those that provide much-needed security improvements—can turn into holes hackers can exploit. The whole point of HSTS is to ensure a browser always uses HTTPS when making subsequent visits to a website that supports the mechanism. Browser developers almost certainly wanted those flags to carry over from normal mode to privacy mode to ensure privacy-minded users received the benefit of this protection. Now that there's a viable way of using HSTS to uniquely identify these users, developers will surely rethink their decision, but their options may remain limited.
Post updated to add details about recent fixes in Firefox.
The Scorecard
Browser | Cookie Controls | Third-party Cookies | Tracking Opt-out |
---|---|---|---|
Firefox | C Some block-list control | D Enabled by default | C- Only supports 'Do Not Track' header, disabled by default. |
Edge | ? | F Enabled by default, and sometimes sent even when disabled. | B Supports both the 'Do Not Track' header and 'Tracking Protection Lists'. (what is enabled by default?) |
Chrome | A Good cookie block-list controls. | F Enabled by default, and sometimes sent even when disabled. | D- Horrible anti-tracking support, only available as an optional extension called Keep My Opt-Outs. |
Safari | ? | B+ Disabled by default, but sometimes sent even when disabled. | F No anti-tracking feature. |
Explanation of topics
Cookie control
Since some sites do require cookies and you may want to allow them for sites you trust, you do not want to just block all cookies, but allow them on a site-by-site basis. The browsers are evaluated here based on how well they allow the user to block untrusted sites (should be the default) and allow trusted sites (should be an easily modifiable list).
Third-party Cookies
Cookies are required whenever you login to a website (technically, you can create a login session without cookies, but not very securely). However, most all websites also transmit cookies from third parties that are used to track your clicks and behavior across many websites. There is no legitimate use for third party cookies — their only use is to keep you under surveillance. Third party cookies should be blocked by default in all browsers.
Tracking Opt-out
There are three methods of opting out of behavioral tracking:
- Do Not Track HTTP header: The “Do Not Track” header tells websites that you don’t want to be tracked. It is a good idea, but is not supported yet by any advertisers, and my never be. Currently, Firefox 4 and Internet Explorer 9 have optional support for the Do Not Track header.
- Tracking Protection Lists: Browsers with “Tracking Protection Lists” allow you to subscribe to a list of companies that will be blocked. This is a great method, because it works today and allows you to effectively block almost all tracking. Support for Tracking Protection Lists is built into Internet Explorer 9 and can be added to Firefox and Chrome by using the Adblock Plus extension.
- Opt-out cookies: Opt-out cookies are a system pushed by the advertising industry. This method has many flaws, and has been shown by researchers to be only marginally respected by advertisers. Advertisers allow you to set special cookies to tell them you don’t want to be tracked. These cookies can be easily deleted, however. So some browser extensions will allow you to keep these cookies once set (as with Chrome) or to automatically set them (as with Beef TACO for Firefox).
Scorecard Notes
Firefox
- Tracking Opt-out: Announced in early 2011, Firefox will support an optional ability to tell a web site you want to “opt-out” of tracking. This opt-out is disabled by default and few websites support it. Technologically, Firefox is doing this the “right way” and the EFF has applauded Firefox’s move. However, we still give Firefox a failing grade because this blocking does not actually do much of anything currently and will only be effective if trackers are required by law to honor it, which seems extremely unlikely — especially since it is very difficult to enforce national privacy law on the global internet.
Internet Explorer
- Tracking Opt-out: Originally, the engineers at Microsoft built the best anti-tracking technology in existence: The browser would automatically detect when your behavior was being tracked across different websites and would block this tracking. This was also enabled by default! Once the advertising executives got wind of this, a battle ensued withing Microsoft. Eventually, the engineers lost and the advertisers won: Internet Explorer is distributed with this feature, but is only available while InPrivate browsing is on. This makes it useless, because it must be enabled manually for each browser window and doesn’t work with the normal browsing mode (this is important, because only in normal browsing mode do you have many handy features, like bookmarks, your history and form completion).
Cookie 5 More Privacy Better Browsing 5 0 35
Internet Explorer 9
Toolbox for pages 2 2 4 download free. Version 9 of Internet Explorer is much better than all the previous versions.
- Tracking Opt-out: IE9 was the first browser to support the Do Not Track header and Tracking Protection Lists.
Chrome
- Tracking Opt-out: Announced in early 2011, Chrome will allow users to set a special “opt-out” cookie that is recognized by members of Network Advertising Initiative. This method is nearly useless. One report found that the NAI cookie did not work consistently, ignored new ways of profiling and tracking, does not include a majority of industry groups, and lacks transparency. The report concludes that “the only success of the NAI has been lulling regulators into thinking that self-regulation fairly and effectively addresses the interests of consumers who are the targets of behavioral advertising.”
- Cookie tracking: the way that Chromium allows users to control cookies is fairly advanced. You can block all cookies and selectively (through a context-menu that pops up in the URL) enable certain domains as you see it. You can also directly see which cookies are set for the site you are visiting in that dialog. Also, when you set your config to “ask first”, you get the confirmation dialogs one at a time instead of all at once as it is in Firefox.
- Flash cookies: Chrome does the right thing and cleans up flash cookies whenever you clear cookies.
Safari
- Third-party cookies: Safari wins as the only browser to disable third-party cookies by default.
- Other: Safari deserves bonus points for being the only browser immune to history harvesting.
- Tracking Opt-out: At this time, I don’t think there is any planned.
Cookie 5 More Privacy Better Browsing 5 0 32
How to get an “A+”
Cookie 5 More Privacy Better Browsing 5 0 36
What would a browser need to do in order to score “A+” on the scorecard?
Cookie 5 More Privacy Better Browsing 5 0 30
- Third-Party Cookies: There is no legitimate use for third party cookies. They should always be blocked.
- Tracking Opt-out: The ideal would be…
- enabled by default: At a minimum, the user should be presented with a choice the first time you use the browser.
- do-not-track header: The browser should send the “do-not-track” header like Firefox, in case anyone ever actually honors it.
- detected tracking: The browser can, and should, detect when tracking is happening and shut it down. You should not need to rely on the voluntary compliance of the tracker to honor your settings. This is what IE was going to do, until the executives killed it.
- block lists: Allow the user to subscribe to lists of trackers that will get blocked.
- on for normal browsing: tracking opt-out is useless if it is only enabled while in a special “Secure Browsing” mode.