Savvy internet users these days are aware that some websites store cookies on their computers for purposes that are not in their interests. Cookies support tracking of surfing and shopping behavior and correlating computer-unique data to the person – accumulating a personal profile that can be used for targeting advertisements, identity theft or other covert reasons. Most such tracking cookies are stored by website advertisers. Many website owners are not aware of such behavior of their advertisers, and many claim no responsibility for behavior of their advertisers in their privacy policy page. Users who disable all cookies quickly learn that a significant number of legitimate sites throw error messages or don’t work. For more info, see http://en.wikipedia.org/wiki/HTTP_cookie
My favorite web browser is Mozilla’s Firefox (http://www.mozilla.com/en-US/products/firefox/) because it supports the Adblock Plus extension (http://adblockplus.org/en/) with Rick752’s EasyList subscriptions (http://easylist.adblockplus.org/). This blocks most ads and tracking, which speeds up browsing and also blocks cookies by advertisers. There is little unwanted blocking, and it is easy for users to disable Adblock Plus while placing an internet order to avoid blocking desirable ads. Like other browsers, Firefox supports the option to delete cookies (with a whitelist) before closing, which blocks tracking across browser sessions, even if not caught by Adblock Plus. In the Firefox menu Tools|Options|Privacy, check “Accept cookies from sites”, uncheck “Accept third-party cookies” and select Keep until: “I close Firefox”.
Few internet users are aware of super cookies, which are data stored on users’ computers by other methods than traditional cookies. While traditional cookies have an expiration date, super cookies remain indefinitely. Below is more info and blocking techniques for super cookies using Flash, JavaScript, Java userData and DOM storage. Note that these super cookies are not addressed by the Private Browsing feature in Firefox 3.5: http://support.mozilla.com/en-US/kb/Private+Browsing
Adobe Flash Player
See http://en.wikipedia.org/wiki/Local_Shared_Object
Users are advised to configure Flash settings at http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html
Using the Global Storage Settings Panel, the user can prevent Flash cookies by setting the storage limit to zero, preventing prompts for storage, preventing third-party storage and preventing common components storage. However, many legitimate sites throw errors or fail to work with Flash cookies blocked. Here are sites that display an error if third-party Flash storage is blocked:
http://www.pandora.com/
http://www.mtvmusic.com/
CCleaner (http://www.ccleaner.com/) allows deleting of Flash cookies, but this does not prevent tracking over multiple browser sessions between cleanings.
Legitimate sites can be allowed to work, while preventing tracking across browser sessions, by deleting Flash cookies either at the beginning or end of a browser session. The best method I found for this is the BetterPrivacy add-on for Firefox at https://addons.mozilla.org/en-US/firefox/addon/6623
The latest version is available at the author’s page: http://netticat.ath.cx/extensions.html
BetterPrivacy has negligible memory usage. It allows the user to create a white list of allowed Flash cookies. It allows for automatic deleting of Flash cookies when the browser session starts, ends or both. I prefer deleting only at the session start because it speeds closing Firefox, allows me to examine Flash cookies after Firefox closes and prevents cross-session tracking when Firefox crashes.
Flash stores shared objects in this folder:
C:\Documents and Settings\user_name\Application Data\Macromedia\Flash Player\#SharedObjects
Flash stores site-specific Flash cookies in this folder:
C:\Documents and Settings\user_name\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Flash stores global settings and previously-visited websites having Flash cookies in this file:
C:\Documents and Settings\user_name\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
BetterPrivacy has an option labeled “Also auto-delete Flashplayer default cookie (settings.sol)” that refers to this file. If the user enables this option, then Flash global settings are deleted too and revert to defaults. I prefer not to use default global settings, which ask the user’s permission for potentially dangerous actions, because I share my PC with an inexperienced user. By not deleting the default cookie, the user will see previously-visited websites in the Website Storage Settings Panel. But notice that there is no storage used for each after BetterPrivacy deletes the Flash cookies.
I put my Firefox profile in C:\Documents and Settings\All Users\Application Data so that I can share it between my administrator and limited-user accounts. BetterPrivacy supports this by automatically detecting the Flash storage folder if its last known location is unavailable.
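The session-start cleanup with a whitelist described above can be reproduced outside the browser. The following is an added example, not BetterPrivacy's code: it assumes the usual layout of a random-id folder followed by a site folder under #SharedObjects, and the function names and sample sites are constructed for illustration. Because settings.sol lives in the separate sys folder, it is left untouched.

```python
import tempfile
from pathlib import Path

def lso_domain(sol_path: Path, root: Path) -> str:
    """Site folder of a Flash cookie: <root>/<random id>/<site>/.../name.sol (assumed layout)."""
    parts = sol_path.relative_to(root).parts
    return parts[1].lower() if len(parts) >= 3 else ""

def purge_flash_cookies(root: Path, whitelist: set, dry_run: bool = False) -> list:
    """Delete every .sol under root whose site is not whitelisted; return what was removed."""
    removed = []
    for sol in sorted(root.rglob("*.sol")):
        domain = lso_domain(sol, root)
        # A whitelist entry covers the domain itself and its subdomains.
        if any(domain == w or domain.endswith("." + w) for w in whitelist):
            continue
        if not dry_run:
            sol.unlink()
        removed.append(sol.relative_to(root).as_posix())
    return removed

def demo() -> list:
    """Run the purge on a constructed tree; a real run would point root at the
    #SharedObjects folder named above."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects"
        for rel in ("AB12CD34/www.pandora.com/radio/prefs.sol",
                    "AB12CD34/ads.tracker.example/id.sol",
                    "AB12CD34/cdn.tracker.example/player/main.swf/uid.sol"):
            f = root / rel
            f.parent.mkdir(parents=True)
            f.write_bytes(b"\x00\xbf")  # constructed placeholder content
        removed = purge_flash_cookies(root, {"pandora.com"})
        kept = sorted(p.relative_to(root).as_posix() for p in root.rglob("*.sol"))
        return [removed, kept]

if __name__ == "__main__":
    print(demo())
```

Calling purge_flash_cookies with dry_run=True lists what would be deleted without touching the files, which is useful while building the whitelist.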
JavaScript
See http://en.wikipedia.org/wiki/HTTP_cookie#Client-side_persistence
Super cookies can be stored as JavaScript programs in the browser cache. I block many potentially-malicious JavaScript actions by unchecking all items in the Advanced JavaScript Settings menu in Firefox under Tools|Options|Content. More control is available with the JavaScript Options add-on at https://addons.mozilla.org/en-US/firefox/addon/6527
JavaScript can be disabled in most browsers, but then many desirable legitimate sites fail to work. The NoScript Firefox add-on (https://addons.mozilla.org/en-US/firefox/addon/722) supports a white list of sites allowed to use JavaScript, Java, Flash and other plug-ins. I highly recommend NoScript because it provides protection that no other software provides. See http://noscript.net/faq#qa1_10
To block JavaScript super cookie tracking across browser sessions (sites in the NoScript whitelist), configure the browser to delete its cache of web pages when closing. In the Firefox menu Tools|Options|Privacy, check “Always clear my private data when I close Firefox”, click the “Settings…” button and check “Cache”.
userData
See http://msdn.microsoft.com/en-us/library/ms531424(VS.85).aspx
userData is only used by Microsoft’s Internet Explorer (IE version 5 and newer). To block userData super cookie tracking completely, use a different web browser than IE except for Windows Update. Since many applications use IE for internet communications, users are advised to block userData super cookie tracking across application sessions, in each PC account:
Control Panel|Internet Options|Security|Internet zone|Security level slider=High
OR
Control Panel|Internet Options|Security|Internet zone|Custom level…|Miscellaneous|Userdata persistence=disable
DOM storage
See https://developer.mozilla.org/En/DOM:Storage and the Security section of http://ejohn.org/blog/dom-storage/
DOM storage is currently supported only by Mozilla-based browsers, Internet Explorer 8 and Safari. DOM storage can be completely disabled in Firefox by adding dom.storage.enabled=false in about:config. Disabling DOM storage prevents many desirable legitimate sites from working. For example, http://www.cnn.com/video/ fails to complete page loading or allow video playback.
My preferred balance between usability and security for DOM storage, like traditional cookies, is to allow during the browser session, but delete at the beginning or end of a browser session.
http://kb.mozillazine.org/Webappsstore.sqlite states “Deleting webappsstore.sqlite will delete any data web sites have stored there. A new file will be created when it is needed.”
I found that the webappsstore.sqlite file in my Firefox profile had not changed in a couple of months. Therefore, sites such as cnn.com that use only session DOM storage do not update the file.
BetterPrivacy v1.35 has an option “Auto-delete DOMstorage file”. My testing indicates the deletion occurs at both the beginning and the end of a session, which ensures security even if Firefox crashes.
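Before the file is deleted, it can be inspected to see which sites actually persisted data across sessions. This is an added example, not part of Firefox or BetterPrivacy: it assumes the Firefox 3.5-era schema (a webappsstore2 table whose scope column holds the reversed host followed by scheme and port), and the sample rows are constructed. Run it on a copy of the file with Firefox closed.

```python
import os
import sqlite3
import tempfile

def origin_from_scope(scope: str) -> str:
    """Turn a reversed-host scope such as 'moc.nnc.www.:http:80' into 'http://www.cnn.com:80'."""
    rev_host, _, rest = scope.partition(":")
    scheme, _, port = rest.partition(":")
    host = rev_host[::-1].lstrip(".")
    return f"{scheme or 'unknown'}://{host}" + (f":{port}" if port else "")

def dom_storage_summary(db_path: str) -> dict:
    """Map each origin to (number of keys, characters stored) in persistent DOM storage."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT scope, COUNT(*), SUM(LENGTH(key) + LENGTH(value)) "
            "FROM webappsstore2 GROUP BY scope").fetchall()  # assumed table name
    finally:
        con.close()
    return {origin_from_scope(s): (n, size) for s, n, size in rows}

def demo() -> dict:
    """Build a constructed webappsstore.sqlite and summarise it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "webappsstore.sqlite")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE webappsstore2 "
                    "(scope TEXT, key TEXT, value TEXT, secure INTEGER, owner TEXT)")
        con.executemany("INSERT INTO webappsstore2 VALUES (?, ?, ?, 0, '')", [
            ("elpmaxe.rekcart.:http:80", "uid", "a1b2c3d4"),   # constructed rows
            ("elpmaxe.rekcart.:http:80", "seen", "42"),
            ("elpmaxe.pohs.www.:https:443", "cart", "[]"),
        ])
        con.commit()
        con.close()
        return dom_storage_summary(path)

if __name__ == "__main__":
    for origin, (keys, size) in sorted(demo().items()):
        print(f"{origin}: {keys} key(s), {size} characters")
```

An origin that stores a small identifier-like value and never appears in the address bar is the pattern to look for; sites that use only session storage do not show up here at all.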
Silverlight
Silverlight is increasing in market share against Adobe Flash Player for multimedia sites, like Netflix.com, because it adapts better to changing network conditions for a smoother streaming experience. Netflix stores a PC-unique ID as a Silverlight super cookie. Deleting all Silverlight super cookies causes Netflix to register another PC (device) with the account when the next streaming movie is viewed. Netflix allows only 6 devices to be registered.
To delete Silverlight super cookies while allowing sites like Netflix to work, a whitelist is needed. Unfortunately, BetterPrivacy doesn’t presently support Silverlight. Request this feature at http://netticat.ath.cx/forum/index.php
Until BetterPrivacy or NoScript supports blocking Silverlight with a whitelist, my best option is to block all Silverlight except on the Netflix site with the following custom rules in the Adblock Plus extension:
.xap^
silverlight
@@netflix.com
By the way, Netflix streaming only works on the admin account for Windows XP. Info I found on the net indicates that the limitation is due to the present version of Silverlight.
External Application Cache
A web browser can embed or spawn several external applications, each having their own cache. Since this cache is not cleared or controlled by the browser, private browsing is not completely achieved. Also, this cache can be used for either cross-site scripting (XSS) or cross-session super cookies. Enabling this cache speeds browsing, but the difference may be insignificant for users with high-speed internet connections. Clearing this cache at the end of the browser session facilitates private browsing and prevents cross-session super cookies, while disabling this cache achieves the same and also prevents XSS. What follows is how to disable cache in several external applications. Apply to each account.
Java:
Control Panel|Java|General|Settings…, uncheck “Keep temporary files on my computer”
Control Panel|Java|General|Settings…|Delete Files, check all boxes
Adobe Flash Player:
Storage at C:\Documents and Settings\user_name\Application Data\Adobe\Flash Player\AssetCache
Go to the Global Storage Settings panel:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html
Uncheck “Store common Flash components to reduce download times.”
Click “Confirm” when asked to delete.
QuickTime:
Control Panel|QuickTime|Advanced|Download Cache|click “Empty Cache” button
Control Panel|QuickTime|Advanced|Download Cache|slide the size to 0 MB|Apply
General Exploits
Web sites can exploit security flaws in browser plug-ins to create and access super cookies. For example, the To Do list of http://samy.pl/evercookie/ includes “Using Java to produce a unique key based off of NIC info,” which may be based on a Java security flaw. Browser exploit kits have become widely available. See http://krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/
The best security is to uninstall unnecessary applications that provide browser plug-ins. However, it may not be clear as to which applications are necessary. Also, some applications may be needed on the computer, but not by the internet browser. An example is Java, which is included and used by OpenOffice.org. Plug-ins can easily be disabled to handle such cases or as a test to see if they are needed:
Firefox|Tools|Add-ons|Plugins tab|select a plug-in|Disable
Java used to be popular for client use with web sites years ago. Java is still popular for server use on web sites, but the industry has moved to Adobe Flash Player for client use. My spouse and I have had the Java plug-in disabled for several months with no problems. I have only found one government site that still uses the Java client. More support for uninstalling/disabling Java: http://krebsonsecurity.com/2010/04/java-patch-plugs-27-security-holes/
The MediaPlayerConnectivity extension for Firefox (https://addons.mozilla.org/en-US/firefox/addon/446/) allows the user to specify external applications to handle media objects based on MIME type or file extension. With the limitation that media objects are not rendered in the browser, it eliminates the need for many plug-ins. I actually prefer to render media outside the browser because I can view it full-screen and with all the user controls provided by the application.
Because of MediaPlayerConnectivity, I have been able to uninstall QuickTime and replace it with VLC Media Player (http://www.videolan.org/). I have disabled the plug-ins for Windows Media Player, Windows Presentation Foundation and Foxit Reader. VLC handles media previously handled by Windows Media Player, and Foxit Reader handles PDF files outside the browser.
You can test your super cookie strategy here: http://samy.pl/evercookie/
Happy surfing!