The Glade 4.0

"Turn the lights down, the party just got wilder."
It is currently Sun Nov 24, 2024 11:17 am

All times are UTC - 6 hours [ DST ]




Post new topic Reply to topic  [ 23 posts ] 
Author Message
 Post subject: Undeletable Web Cookies?
PostPosted: Mon Aug 15, 2011 12:49 pm 
Offline
Noli me calcare
User avatar

Joined: Thu Sep 03, 2009 10:26 am
Posts: 4747
Schneier

Quote:
New, Undeletable, Web Cookie
A couple of weeks ago Wired reported the discovery of a new, undeletable, web cookie:
Researchers at U.C. Berkeley have discovered that some of the net’s most popular sites are using a tracking service that can’t be evaded -- even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.
The Wired article was very short on specifics, so I waited until one of the researchers -- Ashkan Soltani -- wrote up more details. He finally did, in a quite technical essay:
What differentiates KISSmetrics apart from Hulu with regards to respawning is, in addition to Flash and HTML5 LocalStorage, KISSmetrics was exploiting the browser cache to store persistent identifiers via stored Javascript and ETags. ETags are tokens presented by a user’s browser to a remote webserver in order to determine whether a given resource (such as an image) has changed since the last time it was fetched. Rather than simply using it for version control, we found KISSmetrics returning ETag values that reliably matched the unique values in their 'km_ai' user cookies.


Wired
Ashkan Soltani

I only understand the very basics of it, but I'm glad (and a bit concerned) Hulu stopped the practice at the end of July.

_________________
"Dress cops up as soldiers, give them military equipment, train them in military tactics, tell them they’re fighting a ‘war,’ and the consequences are predictable." —Radley Balko

Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 12:54 pm 
Offline
Rihannsu Commander

Joined: Thu Sep 03, 2009 9:31 am
Posts: 4709
Location: Cincinnati OH
I doubt "undeletable" is fair. Perhaps just 'difficult to delete'?


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 1:06 pm 
Offline
Noli me calcare
User avatar

Joined: Thu Sep 03, 2009 10:26 am
Posts: 4747
I doubt you read the links. Perhaps you could take it up with Schneier regarding his use of language?

_________________
"Dress cops up as soldiers, give them military equipment, train them in military tactics, tell them they’re fighting a ‘war,’ and the consequences are predictable." —Radley Balko

Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 1:28 pm 
Offline
Rihannsu Commander

Joined: Thu Sep 03, 2009 9:31 am
Posts: 4709
Location: Cincinnati OH
Did read the links.
It wasn't a criticism of you. I'm just pointing out that major-pain-in-the-ass-to-eliminate doesn't mean impossible.

Low level format works nicely ;-)
To be clear there are 'undeletable' methods which rely on uniquely identifying hardware, (which mercifully can be turned off these days) or tracking can be instituted at other locations not associated with the PC itself which I would consider 'undeletable' because no action on the PC would clear the the tracking.


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 15, 2011 2:11 pm 
Offline
Evil Bastard™
User avatar

Joined: Thu Sep 03, 2009 9:07 am
Posts: 7542
Location: Doomstadt, Latveria
...

I'd seriously shut up about now ...

_________________
Corolinth wrote:
Facism is not a school of thought, it is a racial slur.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 2:26 pm 
Offline
Rihannsu Commander

Joined: Thu Sep 03, 2009 9:31 am
Posts: 4709
Location: Cincinnati OH
Except that you're incapable of doing such, Khross?


Last edited by TheRiov on Mon Aug 15, 2011 2:26 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 2:26 pm 
Offline
Noli me calcare
User avatar

Joined: Thu Sep 03, 2009 10:26 am
Posts: 4747
Wow, found the post, read the links and posted a reply, all within five minutes. Impressive!

_________________
"Dress cops up as soldiers, give them military equipment, train them in military tactics, tell them they’re fighting a ‘war,’ and the consequences are predictable." —Radley Balko

Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 2:36 pm 
Offline
Rihannsu Commander

Joined: Thu Sep 03, 2009 9:31 am
Posts: 4709
Location: Cincinnati OH
Yes, apart from the code, which I didn't bother to read, as I'm NOT coder, I am quite capable of reading 5000 words far less than 5 minutes.
Thanks for checking up on me though Vindicarre.

But it doesn't require any detailed reading of the articles to pull out that these sites are STILL tracking data on the computer. Data can be purged.

What the articles say is that none of the built in features of browsers or plugins have methods of purging the data.

That does NOT mean the data is undeletable. It simply means that until someone writes a tool that deletes the data, your only recourse is actually locate the data, the files its stored in, and purge those, potentially by hand.

That is NOT the same as undeletable.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 2:41 pm 
Offline
Noli me calcare
User avatar

Joined: Thu Sep 03, 2009 10:26 am
Posts: 4747
Like I said, take it up with Schneier, I'm sure your qualifications will wow him. Deleting the cookies does not remove them. The cookies, as such, aren't removed upon deletion.

_________________
"Dress cops up as soldiers, give them military equipment, train them in military tactics, tell them they’re fighting a ‘war,’ and the consequences are predictable." —Radley Balko

Image


Last edited by Vindicarre on Mon Aug 15, 2011 2:43 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 2:42 pm 
Offline
Rihannsu Commander

Joined: Thu Sep 03, 2009 9:31 am
Posts: 4709
Location: Cincinnati OH
Because bloggers & news articles never use sensational headlines with just a little bit of hyperbole to get you to read?


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 2:45 pm 
Offline
Noli me calcare
User avatar

Joined: Thu Sep 03, 2009 10:26 am
Posts: 4747
Yet, your comments had nothing to do with the facts in the articles, but please continue.

_________________
"Dress cops up as soldiers, give them military equipment, train them in military tactics, tell them they’re fighting a ‘war,’ and the consequences are predictable." —Radley Balko

Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 2:46 pm 
Offline
God of the IRC
User avatar

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
Chill.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 3:16 pm 
Offline

Joined: Thu Sep 03, 2009 10:03 am
Posts: 4922
Why are you guys doing this in the tech forum (again)? This is partly why I posted my Google article in Hellfire.


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Mon Aug 15, 2011 3:58 pm 
Offline
User avatar

Joined: Fri Feb 05, 2010 11:59 am
Posts: 3879
Location: 63368
TheRiov wrote:
Did read the links.
It wasn't a criticism of you. I'm just pointing out that major-pain-in-the-ass-to-eliminate doesn't mean impossible.

Low level format works nicely ;-)
To be clear there are 'undeletable' methods which rely on uniquely identifying hardware, (which mercifully can be turned off these days) or tracking can be instituted at other locations not associated with the PC itself which I would consider 'undeletable' because no action on the PC would clear the the tracking.

Quote:
websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed ‘respawning’).
.
.
.
we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the Hulu.com site.


TheRiov, unless you have access to delete info on their servers, you're not going to be able to delete the cookies.

_________________
In time, this too shall pass.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 4:23 pm 
Offline
Rihannsu Commander

Joined: Thu Sep 03, 2009 9:31 am
Posts: 4709
Location: Cincinnati OH
The portion of the article you're referring to Taskiss, is actually about an older code, and the cookie is still on the user's pc --but other parts of the script that are downloaded to the pc, regenerate the cookie after its deleted.

in some respects this behavior (in what you're quoting) isn't dissimilar from what some virii do. They exist as several discrete pieces, and even if you delete part of it, the other pieces restore the deleted parts of the virus. Perhaps only one of the files actually does the damage, but because the other two, otherwise harmless files, check to see if the destructive portion is there, just deleting the damaging portion doesn't solve it.

The situation being described in the section of the article you're referring to is similar. Only the cookie itself is passed back to the server to uniquely identify the user. BUT if you delete the cookie, other buried parts of the code tucked away in cached javascript/flash files that are NOT trashed with cookies will rebuild the cookie.
Now cookies are usually unique to a browser (ie, if Load up Chrome and Firefox, If I load a page with one, the other browser has no idea that I logged in to the site) You can test this easily enough by signing into the Glade with Chrome and Firefox as different users-- the cookies that identify you to the site are NOT shared.


The article/blog post reference the above script but are actually pointing to a separate part of the code where the browser checks to see fi there is a newer file when reloading a web page. the KISSmetrics scripts are really unrelated to the example you're citing (other than the fact they make it hard to browse anonymously) But apparently the KISSmetrics is loading it into a share library that is NOT unique to any browser.

This is the part where some of our resident web developers can explain it better than I can, but the way I understand it, javascript & flash scripts are cached in a generic 'flash' or javascript cache that is not unique to a browser. The information there is what is being used to uniquely identify the pc. So if I load up chrome, and now have this tracker in my flash cache, then close it down and load up Firefox, firefox still pulls from the same cache so the website can still uniquely identify my pc. Standard instructions to a browser to clear cache/cookies dont tell it to purge the flash cache, so you're stuck being identified.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 4:52 pm 
Offline
User avatar

Joined: Fri Feb 05, 2010 11:59 am
Posts: 3879
Location: 63368
Reread the section marked "3RD PARTY LINKING AND ENHANCEMENT" and "UNAVOIDABLE 3RD PARTY TRACKING"

_________________
In time, this too shall pass.


Last edited by Taskiss on Mon Aug 15, 2011 4:56 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 4:55 pm 
Offline
Web Ninja
User avatar

Joined: Wed Sep 02, 2009 8:32 pm
Posts: 8248
Location: The Tunt Mansion
TheRiov wrote:
This is the part where some of our resident web developers can explain it better than I can...


Not quite. This is the part where the resident web developer tells you that you don't really know what you're talking about. When there are redundant copies of your cookies saved in multiple locations, some of which you do not have access to, your saved variables (practically) become "undeletable". They're not tied to your computer, they're not tied to your browser, they're tied to your USER and they're updated every time you visit.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 4:58 pm 
Offline
User avatar

Joined: Fri Feb 05, 2010 11:59 am
Posts: 3879
Location: 63368
Quote:
the unique identifiers are included [in] the actual URL and not the cookie headers


Unless all log data is immediately deleted or truncated, it’s likely that this cross-domain browsing history is available on their systems, unhashed


The request itself includes cookie type unique user identifiers and is kept on their server.

_________________
In time, this too shall pass.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 5:37 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Wow, a low level format? That.is.awesome! I haven't done one of those since the mid-90's.

Thankfully, I've upgraded hard drive technology a few times since then.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 15, 2011 6:19 pm 
Offline
Bull Moose
User avatar

Joined: Wed Sep 02, 2009 7:36 pm
Posts: 7507
Location: Last Western Stop of the Pony Express
There are a bunch of toll house cookies I wish I could delete.

_________________
The U. S. Constitution doesn't guarantee happiness, only the pursuit of it. You have to catch up with it yourself. B. Franklin

"A mind needs books like a sword needs a whetstone." -- Tyrion Lannister, A Game of Thrones


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Wed Aug 17, 2011 2:48 am 
Offline
User avatar

Joined: Sun Sep 20, 2009 5:31 pm
Posts: 1532
TheRiov wrote:
Did read the links.
It wasn't a criticism of you. I'm just pointing out that major-pain-in-the-ass-to-eliminate doesn't mean impossible.

Low level format works nicely ;-)
To be clear there are 'undeletable' methods which rely on uniquely identifying hardware, (which mercifully can be turned off these days) or tracking can be instituted at other locations not associated with the PC itself which I would consider 'undeletable' because no action on the PC would clear the the tracking.



I'd hate to have to low level format my hard drive every time i visit a certain website

_________________
Ron Paul 2012


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 17, 2011 8:21 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
oh man... :roll:


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Wed Aug 17, 2011 10:07 pm 
Offline
Home of the Whopper
User avatar

Joined: Thu Sep 03, 2009 8:51 am
Posts: 6098
Micheal wrote:
There are a bunch of toll house cookies I wish I could delete.


Heh, I hear that!

_________________
"Therefore do not worry about tomorrow, for tomorrow will worry about itself. Each day has enough trouble of its own." Jesus of Nazareth


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 23 posts ] 

All times are UTC - 6 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 53 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group