Please protect against evercookie!

RESOLVED DUPLICATE of bug 598925

Status

()

Firefox
Security
--
major
RESOLVED DUPLICATE of bug 598925
7 years ago
6 years ago

People

(Reporter: donrhummy, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

There is a way for data to be stored about a user that persists even from private browsing into regular browsing and even after a user has deleted all cookies, HTML5 storage and other cached items.

This is a VERY dangerous thing, and I believe these "cookies" can even be read from sites other than the ones creating them (e.g. the cached PNG data).

Reproducible: Always

Steps to Reproduce:
1. Start Private browsing
2. Visit http://samy.pl/evercookie/
3. Leave private browsing
4. Visit http://samy.pl/evercookie/
Actual Results:  
The data persists after leaving private browsing.

Expected Results:  
Nothing should have been stored. There should not be any identifying data from the private brwosing that is viewable in normal browsing.

Comment 1

7 years ago
Use TorButton. We won't have a way to do this in-browser until we do something like an anonymous browsing mode, but in the meantime, TorButton is basically the same thing.
(Reporter)

Comment 2

7 years ago
(In reply to comment #1)
> Use TorButton. We won't have a way to do this in-browser until we do something
> like an anonymous browsing mode, but in the meantime, TorButton is basically
> the same thing.

When you say you won't have a way to do this in-browser, do you mean even with future code changes to firefox? Because that is NOT correct. For example, you can change the way flash cookies are handled by firefox and make it so that firefox can delete flash cookies. As well, you can make it easier to delete/manage HTML5 storage. I have not looked at all the code and other methods this evercookie uses, but I'd bet that all of it CAN be stopped and at least made so that it cannot go across private/regular browsing boundaries.
(Reporter)

Comment 3

7 years ago
(In reply to comment #1)
> Use TorButton. We won't have a way to do this in-browser until we do something
> like an anonymous browsing mode, but in the meantime, TorButton is basically
> the same thing.

Oh, also, TorButton would not protect against this at all.

Comment 4

7 years ago
(In reply to comment #2)
> When you say you won't have a way to do this in-browser, do you mean even with
> future code changes to firefox?

Nope, I meant what I said, which is that we won't have a way to do this in-browser until we do something like an anonymous browsing mode. Dealing with plugins is necessary to solve the evercookie problem, and that's something that we can only achieve with a more concerted approach to the problem than just "add a bit here and there to HTML5, cache, etc".

(In reply to comment #3)
> Oh, also, TorButton would not protect against this at all.

Sure it does. They've tested it.
(Reporter)

Comment 5

7 years ago
Just for additional info: according to an interview with the developer, Safari's private browsing does stop this from working:
http://arstechnica.com/web/news/2010/09/evercookie-escalates-the-zombie-cookie-war-by-raising-awareness.ars

"I found that using 'Private Browsing' in Safari stops all evercookie methods," he said.
(Reporter)

Comment 6

7 years ago
> (In reply to comment #3)
> > Oh, also, TorButton would not protect against this at all.
> 
> Sure it does. They've tested it.

Well, sort of yes, sort of no. It stops it only if you NEVER use flash. If you enable flash for any sites, those sites (and anything they have javascript sourced from) can still make use of the evercookie. Since Flash is used by 97% of web surfers, this is not a real solution.

Comment 7

7 years ago
(In reply to comment #5)
> "I found that using 'Private Browsing' in Safari stops all evercookie methods,"
> he said.

I think I misunderstood the original question. Our PB mode should do that too -- have you tested one of the Firefox 4 betas?

Comment 8

7 years ago
Isn't Bug 598925 a dupe of this one?

Comment 9

7 years ago
Yes. I'll mark this a DUP, because it's UNCONFIMED, mine has a bit more factual data, and I'm biased :). Thanks for the report, though!

> anonymous browsing mode

Dan, as I said on my bug, PB or any other special modes don't cut it. I fear being tracked during my *normal* browsing, not when I do nasty stuff. I don't want to be tracked ever, unless I allow it.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 598925
(In reply to comment #9)
> Dan, as I said on my bug, PB or any other special modes don't cut it. I fear
> being tracked during my *normal* browsing, not when I do nasty stuff. I don't
> want to be tracked ever, unless I allow it.

How is that different than "anonymous" and what does it have to do with "nasty stuff"? If you don't want to be tracked then "dont-track-me-mode" is exactly what you want.

Maybe you're arguing that should be the default mode--and maybe you're right--but that's a completely different argument. It is not a zero-cost trade-off. Tracking uses features that were added for good functional reasons, and preventing tracking also means giving up (some of?) the benefits of those features.

Comment 11

7 years ago
Maybe I should put it in a different way: I want the identification to be opt-in, not opt-out.
For some sites, I get value from them remembering certain settings, and I want to allow them to store these settings or even have a login. (This maybe ties nicely with the new identification UI in the URLbar, BTW.)
For all others, I want all identification and tracking to be purged regularly (e.g. daily, when I close all pages of that site, on request or similar).
This prevents ad networks from tracking me all over the web (which IMHO they have no right to do), but still allows me to get the comfort for those sites that I care about.

I do not see this as a "mode" of the browser at all. It's a mode of the site. I see the reason for Private Browsing mode, or anonymous mode or whatever, but that's not what the use case I mean. I am concerned about everyday browsing.

Comment 12

7 years ago
> For all others, I want all identification and tracking to be purged regularly

Note: This should be possible with the current UI: We have "forget cookies when I close Firefox". That's what I use and more or less what I want. (It doesn't work right, but that's another bug already filed.)

The problem in *this* bug is that this doesn't work for the other mechanisms like HTML5 etc.. Basically, we need the same as "forget cookies when I close Firefox" for *all* means to store site data, otherwise that cookie setting is useless. That's what this bug is about.

Comment 13

7 years ago
OK, sorry, I was talking about the bug that I filed.
I see that this bug spoke specifically about Private Browsing. Sorry.
(Feel free to reopen, but I think one bug is enough and the other bug will probably fix PB as a side-effect.)
(In reply to comment #12)
> Note: This should be possible with the current UI: We have "forget cookies when
> I close Firefox". That's what I use and more or less what I want.

And that's what we have. If you switch your cookie settings to session-only, globally or for a specific domain, then your LocalStorage will actually get a session storage implementation and the data goes away when your cookies do.

The new HTML5 database doesn't do that, yet, but we haven't shipped.
You need to log in before you can comment on or make changes to this bug.