Automatically block/delete super cookies

Savvy internet users these days are aware that some websites store cookies on their computers for purposes that are not in their interests. Cookies support tracking of surfing and shopping behavior and correlating computer-unique data to the person – accumulating a personal profile that can be used for targeting advertisements, identity theft or other covert reasons. Most such tracking cookies are stored by website advertisers. Many website owners are not aware of such behavior of their advertisers, and many claim no responsibility for behavior of their advertisers in their privacy policy page. Users who disable all cookies quickly learn that a significant number of legitimate sites throw error messages or don’t work. For more info, see HTTP cookie - Wikipedia

My favorite web browser is Mozilla’s Firefox (Mozilla’s products — Mozilla (US)) because it supports the Adblock Plus extension (Adblock Plus | The world's #1 free ad blocker) with Rick752’s EasyList subscriptions (http://easylist.adblockplus.org/). This blocks most ads and tracking, which speeds up browsing and also blocks cookies by advertisers. There is little unwanted blocking, and it is easy for users to disable Adblock Plus while placing an internet order to avoid blocking desirable ads. Like other browsers, Firefox supports the option to delete cookies (with a whitelist) before closing, which blocks tracking across browser sessions, even if not caught by Adblock Plus. In the Firefox menu Tools|Options|Privacy, check “Accept cookies from sites”, uncheck “Accept third-party cookies” and select Keep until: “I close Firefox”.

Few internet users are aware of super cookies, which are data stored on users’ computers by other methods than traditional cookies. While traditional cookies have an expiration date, super cookies remain indefinitely. Below is more info and blocking techniques for super cookies using Flash, JavaScript, Java userData and DOM storage. Note that these super cookies are not addressed by the Private Browsing feature in Firefox 3.5: Private Browsing - Use Firefox without saving history | Firefox Help

Adobe Flash Player
See Local shared object - Wikipedia
Users are advised to configure Flash settings at Adobe - Flash Player : Settings Manager - Global Storage Settings Panel

Using the Global Storage Settings Panel, the user can prevent Flash cookies by setting the storage limit to zero, preventing prompts for storage, preventing third-party storage and preventing common components storage. However, many legitimate sites throw errors or fail to work with Flash cookies blocked. Here are sites that display an error if third-party Flash storage is blocked:

CCleaner (http://www.ccleaner.com/) allows deleting of Flash cookies, but this does not prevent tracking over multiple browser sessions between cleanings.

Legitimate sites can be allowed to work, while preventing tracking across browser sessions, by deleting Flash cookies either at the beginning or end of a browser session. The best method I found for this is the BetterPrivacy add-on for Firefox at https://addons.mozilla.org/en-US/firefox/addon/6623
The latest version is available at the author’s page: http://netticat.ath.cx/extensions.html

BetterPrivacy has negligible memory usage. It allows the user to create a white list of allowed Flash cookies. It allows for automatic deleting of Flash cookies when the browser session starts, ends or both. I prefer deleting only at the session start because it speeds closing Firefox, allows me to examine Flash cookies after Firefox closes and prevents cross-session tracking when Firefox crashes.

Flash stores shared objects in this folder:
C:\Documents and Settings\user_name\Application Data\Macromedia\Flash Player\#SharedObjects
Flash stores site-specific Flash cookies in this folder:
C:\Documents and Settings\user_name\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Flash stores global settings and previously-visited websites having Flash cookies in this file:
C:\Documents and Settings\user_name\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
BetterPrivacy has an option labeled “Also auto-delete Flashplayer default cookie (settings.sol)” that refers to this file. If the user enables this option, then Flash global settings are deleted too and revert to defaults. I prefer not to use default global settings, which ask the user’s permission for potentially dangerous actions, because I share my PC with an inexperienced user. By not deleting the default cookie, the user will see previously-visited websites in the Website Storage Settings Panel. But notice that there is no storage used for each after BetterPrivacy deletes the Flash cookies.

I put my Firefox profile in C:\Documents and Settings\All Users\Application Data so that I can share it between my administrator and limited-user accounts. BetterPrivacy supports this by automatically detecting the Flash storage folder if its last known location is unavailable.

JavaScript
See HTTP cookie - Wikipedia
Super cookies can be stored as JavaScript programs in the browser cache. I block many potentially-malicious JavaScript actions by unchecking all items in the Advanced JavaScript Settings menu in Firefox under Tools|Options|Content. More control is available with the JavaScript Options add-on at https://addons.mozilla.org/en-US/firefox/addon/6527

JavaScript can be disabled in most browsers, but then many desirable legitimate sites fail to work. The NoScript Firefox add-on (NoScript Security Suite – Get this Extension for 🦊 Firefox (en-US)) supports a white list of sites allowed to use JavaScript, Java, Flash and other plug-ins. I highly recommend NoScript because it provides protection that no other software provides. See FAQ - NoScript: block scripts and own your browser!

To block JavaScript super cookie tracking across browser sessions (sites in the NoScript whitelist), configure the browser to delete its cache of web pages when closing. In the Firefox menu Tools|Options|Privacy, check “Always clear my private data when I close Firefox”, click the “Settings…” button and check “Cache”.

userData
See userData Behavior (A, ABBR, ACRONYM, ...) | Microsoft Learn
userData is only used by Microsoft’s Internet Explorer (IE version 5 and newer). To block userData super cookie tracking completely, use a different web browser than IE except for Windows Update. Since many applications use IE for internet communications, users are advised to block userData super cookie tracking across application sessions, in each PC account:
Control Panel|Internet Options|Security|Internet zone|Security level slider=High
OR
Control Panel|Internet Options|Security|Internet zone|Custom level…|Miscellaneous|Userdata persistence=disable

DOM storage
See https://developer.mozilla.org/En/DOM:Storage and the Security section of John Resig - DOM Storage
Currently only supported by Mozilla-based browsers, Internet Explorer 8 and Safari. DOM storage can be completely disabled in Firefox by adding dom.storage.enabled=false in about:config. Disabling DOM storage prevents many desirable legitimate sites from working. For example, Video News - CNN fails to complete page loading or allow video playback.

My preferred balance between usability and security for DOM storage, like traditional cookies, is to allow during the browser session, but delete at the beginning or end of a browser session.
Webappsstore.sqlite - MozillaZine Knowledge Base states “Deleting webappsstore.sqlite will delete any data web sites have stored there. A new file will be created when it is needed.”
I found that the webappsstore.sqlite file in my Firefox profile had not changed in a couple of months. Therefore, sites such as cnn.com that use only session DOM storage do not update the file.

BetterPrivacy v1.35 has an option “Auto-delete DOMstorage file”. My testing indicates the deletion occurs at both the beginning and the end of a session, which ensures security even if Firefox crashes.

Silverlight
Silverlight is increasing in market share against Adobe Flash Player for multimedia sites, like Netflix.com, because it adapts better to changing network conditions for a smoother streaming experience. Netflix stores a PC-unique ID as a Silverlight super cookie. Deleting all Silverlight super cookies causes Netflix to register another PC (device) with the account when the next streaming movie is viewed. Netflix allows only 6 devices to be registered.

To delete Silverlight super cookies while allowing sites like Netflix to work, a whitelist is needed. Unfortunately, BetterPrivacy doesn’t presently support Silverlight. Request this feature at http://netticat.ath.cx/forum/index.php

Until BetterPrivacy or NoScript supports blocking Silverlight with a whitelist, my best option is to block all Silverlight except on the Netflix site with the following custom rules in the Adblock Plus extension:
.xap^
silverlight
@@netflix.com

By the way, Netflix streaming only works on the admin account for Windows XP. Info I found on the net indicates that the limitation is due to the present version of Silverlight.

External Application Cache
A web browser can embed or spawn several external applications, each having its own cache. Since this cache is not cleared or controlled by the browser, private browsing is not completely achieved. Also, this cache can be used for either cross-site scripting (XSS) or cross-session super cookies. Enabling this cache speeds browsing, but the difference may be insignificant for users with high-speed internet connections. Clearing this cache at the end of the browser session facilitates private browsing and prevents cross-session super cookies, while disabling this cache achieves the same and also prevents XSS. What follows is how to disable cache in several external applications. Apply to each account.

Java:
Control Panel|Java|General|Settings…, uncheck “Keep temporary files on my computer”
Control Panel|Java|General|Settings…|Delete Files, check all boxes

Adobe Flash Player:
Storage at C:\Documents and Settings\user_name\Application Data\Adobe\Flash Player\AssetCache
Go to the Global Storage Settings panel:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html
Uncheck “Store common Flash components to reduce download times.”
Click “Confirm” when asked to delete.

QuickTime:
Control Panel|QuickTime|Advanced|Download Cache|click “Empty Cache” button
Control Panel|QuickTime|Advanced|Download Cache|slide the size to 0 MB|Apply

General Exploits
Web sites can exploit security flaws in browser plug-ins to create and access super cookies. For example, the To Do list of Samy Kamkar - evercookie - virtually irrevocable persistent cookies includes “Using Java to produce a unique key based off of NIC info,” which may be based on a Java security flaw. Browser exploit kits have become widely available. See A Peek Inside the ‘Eleonore’ Browser Exploit Kit – Krebs on Security

The best security is to uninstall unnecessary applications that provide browser plug-ins. However, it may not be clear which applications are necessary. Also, some applications may be needed on the computer, but not by the internet browser. An example is Java, which is included and used by OpenOffice.org. Plug-ins can easily be disabled to handle such cases or as a test to see if they are needed:
Firefox|Tools|Add-ons|Plugins tab|select a plug-in|Disable

Java used to be popular for client use with web sites years ago. Java is still popular for server use on web sites, but the industry has moved to Adobe Flash Player for client use. My spouse and I have had the Java plug-in disabled for several months with no problems. I have only found one government site that still uses the Java client. More support for uninstalling/disabling Java: Java Patch Plugs 27 Security Holes – Krebs on Security

The MediaPlayerConnectivity extension for Firefox (https://addons.mozilla.org/en-US/firefox/addon/446/) allows the user to specify external applications to handle media objects based on MIME type or file extension. With the limitation that media objects are not rendered in the browser, it eliminates the need for many plug-ins. I actually prefer to render media outside the browser because I can view it full-screen and with all the user controls provided by the application.

Because of MediaPlayerConnectivity, I have been able to uninstall QuickTime and replace it with VLC Media Player (http://www.videolan.org/). I have disabled the plug-ins for Windows Media Player, Windows Presentation Foundation and Foxit Reader. VLC handles media previously handled by Windows Media Player, and Foxit Reader handles PDF files outside the browser.

You can test your super cookie strategy here: Samy Kamkar - evercookie - virtually irrevocable persistent cookies

Happy surfing!
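The whitelist-based deletion of Flash cookies that the first post describes BetterPrivacy doing at session start, as an added Python example; this is not BetterPrivacy's code. The on-disk layout (#SharedObjects/<random>/<domain>/... and sys/#<domain>/settings.sol under the Flash Player folder) is assumed from the folder paths quoted in the post, and the sample tree is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

# Flash's per-site settings folder, relative to the "Flash Player" folder (assumed layout).
SYS_DIR = Path("macromedia.com") / "support" / "flashplayer" / "sys"
GLOBAL_SETTINGS = SYS_DIR / "settings.sol"   # the file BetterPrivacy calls the "default cookie"


def _owner_domain(rel: Path) -> Optional[str]:
    """Map a .sol path (relative to the Flash Player folder) to the site that owns it.

    Assumed layout, built from the folders quoted in the post:
      #SharedObjects/<random>/<domain>/<...>/<name>.sol             -> <domain>
      macromedia.com/support/flashplayer/sys/#<domain>/settings.sol -> <domain>
    Anything else returns None and is left alone (conservative default).
    """
    parts = rel.parts
    if parts[0] == "#SharedObjects" and len(parts) >= 4:
        return parts[2].lower()
    if len(parts) == 6 and Path(*parts[:4]) == SYS_DIR and parts[4].startswith("#"):
        return parts[4][1:].lower()
    return None


def _whitelisted(domain: str, whitelist: Set[str]) -> bool:
    """True if the domain, or a parent domain of it, is on the whitelist."""
    return any(domain == w or domain.endswith("." + w) for w in whitelist)


def clean_flash_cookies(flash_root: Path, whitelist: Set[str],
                        keep_global_settings: bool = True) -> Dict[str, List[str]]:
    """Delete every .sol file not owned by a whitelisted site; report deleted and kept files."""
    whitelist = {w.lower() for w in whitelist}
    deleted, kept = [], []
    for sol in flash_root.rglob("*.sol"):
        rel = sol.relative_to(flash_root)
        if rel == GLOBAL_SETTINGS:          # the settings.sol option from the post
            keep = keep_global_settings
        else:
            domain = _owner_domain(rel)
            keep = domain is None or _whitelisted(domain, whitelist)
        if keep:
            kept.append(rel.as_posix())
        else:
            sol.unlink()
            deleted.append(rel.as_posix())
    return {"deleted": sorted(deleted), "kept": sorted(kept)}


def demo() -> Dict[str, List[str]]:
    """Build a constructed Flash storage tree in a temp dir and clean it with netflix.com whitelisted."""
    root = Path(tempfile.mkdtemp(prefix="flashdemo_"))
    sample = [   # constructed sample paths; the file contents are placeholders, not real LSO data
        "#SharedObjects/ABCD1234/www.example-ads.com/tracker.sol",
        "#SharedObjects/ABCD1234/cdn.example-ads.com/beacon/id.sol",
        "#SharedObjects/ABCD1234/www.netflix.com/player/flags.sol",
        "macromedia.com/support/flashplayer/sys/#www.example-ads.com/settings.sol",
        "macromedia.com/support/flashplayer/sys/#www.netflix.com/settings.sol",
        "macromedia.com/support/flashplayer/sys/settings.sol",
    ]
    for rel in sample:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"\x00\xbf")
    return clean_flash_cookies(root, {"netflix.com"})
```

Run it against the real folder only while the browser is closed, which is the same reason the post's batch file checks for parent.lock.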

Ummmmmmmmmm cookies are not harmful and news about this kind of stuff is rather old. Use CCleaner and be done with it.

By making this statement with such authority, you are implicitly taking responsibility for consequences to persons who take your advice, including the inexperienced users who share their computers. Are you ready to take this responsibility, or would you like to rephrase your response?

Kind regards

Yup…

Bookmarked for future reference. :wink:

Ummmmmmmmmm cookies are not harmful and news about this kind of stuff is rather old.
To some people this info is old, to other people this is new
Bookmarked for future reference.
Me too

I only knew about some of them

SilentMusic7 - Nice post. It’s the reason I registered. Thank you.

SilentMusic7, Thank you

I edited the first post by adding the following:

BetterPrivacy v1.35 has an option “Auto-delete DOMstorage file”. My testing indicates the deletion occurs at both the beginning and the end of a session, which ensures security even if Firefox crashes.

to replace the following:

I created the following batch file, named firefox_del_DOM.bat, that deletes the DOM storage file at the beginning of the browser session:

@ECHO OFF
PUSHD "C:\Documents and Settings\user_name\Application Data\Mozilla\Firefox\Profiles\profile_name"
REM parent.lock exists only while Firefox has the profile open, so never delete then
IF NOT EXIST parent.lock GOTO firefox_not_running
ECHO Firefox is already running
PAUSE
POPD
EXIT
:firefox_not_running
REM webappsstore.sqlite holds DOM storage; Firefox recreates it when needed
IF EXIST webappsstore.sqlite DEL webappsstore.sqlite
POPD
START firefox.exe

Deleting at the beginning of the browser session ensures security even if Firefox crashes. The batch file is designed to be in the same folder as firefox.exe under Program Files, which prevents modification by limited user accounts. Edit the second line with your specific folder and profile name. The batch file prevents file deletion while Firefox is already running (the developer of the BetterPrivacy add-on indicates that this is why the file cannot be deleted by a Firefox add-on). I created a shortcut on my desktop for the batch file named “Firefox secured”, using the icon of firefox.exe.

To: SilentMusic7…THANK YOU SO VERY, VERY MUCH!

I have been using Firefox about 99% of the time - rarely using IE anymore. I have searched & searched the web for answers about the Super Cookies since the end of last year, but nobody ever mentioned anything about the fact that you can actually prevent them from even getting in! I have spent so much time going back & forth to IE simply to delete the cookies from the Flash Manager Settings…time-consuming & f-r-u-s-t-r-a-t-i-n-g!

A few hours ago, I went to the NoScript forum for the first time, and while reading some articles about privacy, there was a link to this page. I had never been here before…and as I read through your post, I stopped at the instructions for preventing super cookies by disabling user data info in IE. I stopped right there and followed your instructions…tested it out on gmail & youtube…and VOILA — NO SUPER COOKIES ANY LONGER!

I’m fairly good with the PC and perhaps I should have been able to figure this out…but then, none of the other websites must have had it figured out either!

I am so thankful to have found you here…you have not only made my day, but day after day, after day, after day, after day, after day…etcetera, etcetera, etcetera!!!

P.S. I haven’t had time to look through this website, but from just glancing at it, I really think I’m going to like it! Again…I really can’t thank you enough, SilentMusic7!

You are very welcome.

I edited the first post by adding my preferred option for disabling userData:
Control Panel|Internet Options|Security|Internet zone|Security level slider=High

This option provides increased security in other ways, and it simplifies checking whether some installation changed my IE settings.

In the DOM storage section of the first post, I removed the text “or checking the option in the BetterPrivacy add-on mentioned above” because the latest version of BetterPrivacy does not have this option.

In the first post, I created an External Application Cache section, where I moved the Java info and added info about Adobe Flash Player and QuickTime.

In the first post, I created a Silverlight section and changed my comment on NoScript to a recommendation.

I agree. I have this last month seen damage done by some super cookies that it almost took a low-level to repair a customer’s computer. However old this data might seem, I am also seeing viruses that were originally written for Win95 & 98 being reborn with a more relentless and malicious intent to them. Everyone remember the bouncing smiley, and then your PC would keep rebooting? OK, I must be old. You used to hit Alt-F-X and the virus would shut down, and then all ya had to do was clear your temp files and your system was safe. They are using a variant of this ancient virus in super cookies, which is causing DNS failures and modem time-outs for those on dialup. This is a problem ’cause it prevents the user from even updating their antivirus, all because of a harmless Super Cookie.

In the first post, I added a method to block Silverlight with a whitelist. I also added a link at the end of the post for a site to test your super cookie strategy.

In the first post, I added a section called General Exploits. I also updated the rules for blocking Silverlight.

Revivin’ time. Informative thread and thanks for it. Could you suggest how to block Silverlight super cookies when not using AdBlocker?

By the way, you need not block ads with Adblock Plus in order to use it to block Silverlight. Just delete all ad-blocking rules. If you need more help with this, go to the forum at adblockplus.org.
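How the three custom rules from the first post (.xap^, silverlight, @@netflix.com) decide a request, as an added Python example of the relevant subset of Adblock Plus filter matching; this is not Adblock Plus code. STRICT_RULES and the sample URLs are assumptions added here to show that a plain @@netflix.com exception matches the text anywhere in an address, while the ||netflix.com^ form matches only the host.

```python
import re
from typing import List, Tuple

# The ^ placeholder matches one "separator": any character that is not a
# letter, digit, or one of _ - . %, or the end of the address.
SEPARATOR = r"(?:[^\w\-.%]|$)"


def filter_to_regex(text: str) -> Tuple[bool, "re.Pattern"]:
    """Translate one Adblock Plus text filter into (is_exception, regex).

    Supports the subset needed for the rules in the post: @@ exceptions,
    plain substring match, the * wildcard, the ^ separator, and the
    | (address edge) and || (domain) anchors.
    """
    exception = text.startswith("@@")
    if exception:
        text = text[2:]
    pattern = ""
    if text.startswith("||"):
        pattern += r"^\w[\w\-]*://(?:[^/]+\.)?"   # any scheme, then any subdomain
        text = text[2:]
    elif text.startswith("|"):
        pattern += "^"
        text = text[1:]
    tail = ""
    if text.endswith("|"):
        text, tail = text[:-1], "$"
    for ch in text:
        if ch == "*":
            pattern += ".*"
        elif ch == "^":
            pattern += SEPARATOR
        else:
            pattern += re.escape(ch)
    return exception, re.compile(pattern + tail, re.IGNORECASE)


class FilterList:
    """Minimal ABP-style matcher: an exception (@@) rule overrides any block rule."""

    def __init__(self, rules: List[str]):
        self.block, self.allow = [], []
        for line in rules:
            line = line.strip()
            if not line or line.startswith("!"):      # blank line or comment
                continue
            exception, rx = filter_to_regex(line)
            (self.allow if exception else self.block).append(rx)

    def decision(self, url: str) -> str:
        """'allow' if an exception matches, 'block' if a block rule does, else 'pass'."""
        if any(rx.search(url) for rx in self.allow):
            return "allow"
        if any(rx.search(url) for rx in self.block):
            return "block"
        return "pass"


POST_RULES = [".xap^", "silverlight", "@@netflix.com"]          # the rules from the post
STRICT_RULES = [".xap^", "silverlight", "@@||netflix.com^"]     # assumed tighter whitelist
```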

I blocked Silverlight super cookies by uninstalling Silverlight. I previously only needed Silverlight for Netflix. Now, I bought a TV with Netflix built-in. Netflix.com also shows a Roku streaming player box for $59.99 to allow other TVs to work with Netflix.

Another option to block Silverlight super cookies is to manually disable or enable the plug-in in Firefox in the Tools|Add-ons|Plugins tab.

A way to delete all super cookies when closing the web browser is to use Sandboxie (http://www.sandboxie.com/) to sandbox the browser. If you only want to use Sandboxie with the web browser, it is free for personal use.

I have the paid version of Sandboxie. I use it with Comodo Internet Security, where I have Defense+ configured to only provide buffer overflow protection (see https://forums.comodo.com/defense-sandbox-help-cis/how-to-get-buffer-overflow-protection-without-hips-t65171.0.html). I have Sandboxie configured with a whitelist of executables that can be launched by each internet-facing application. For example, Foxit PDF viewer, LibreOffice and VLC Media Player. This is a simple way to provide protection against scripts that Comodo cannot match alone. Once Sandboxie is configured, it is easy for an inexperienced user to operate. Simply close the web browser and all browser-related downloads/changes are deleted. Closing the web browser before and after web purchases or online banking thus eliminates most PC-side vulnerabilities.

That is all I want to say about Sandboxie in this thread. For more discussion about Sandboxie, please open another thread.