Closed Bug 598925 (forevercookie) Opened 10 years ago Closed 4 years ago

Prevent obnoxiously persistent cookies (forevercookie)

Categories

(Core Graveyard :: Tracking, defect)

Other
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: BenB, Unassigned)

References

(Depends on 2 open bugs, Blocks 1 open bug, )

Details

(Keywords: privacy)

Some sites *really* want to track. They don't accept when a user explicitly deleted cookies, and try to restore them.

This is a tracking bug to give the user an easy and straightforward way to remove any and all of these traces, so that nasty sites cannot track me.

(Ideally without removing wanted storage like login and cookies of sites I do want to stay logged-in.)
(Private Browsing mode is not relevant here, this bug is against tracking my normal browsing behavior.)


Here are descriptions and/or implementations:
http://samy.pl/evercookie/

- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Storing cookies in RGB values of auto-generated, force-cached
  PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in and reading out Web History
- Storing cookies in HTTP ETags
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite

Some are really nasty and amazing, like the PNG storage. We'd have to flush the cache, but "Clear Recent History..." already does that.
Some are standards, like HTML5 stuff. For some we have UI, but I think not for all of them?

The Flash storage is common, but interesting, because a) we have no API to delete them (to my knowledge, we might have to request an API) and b) they are available on all browsers on the user's system.

Even Google identifies me after deleting my cookies (I have no idea how, might be per static IP address, so there's little we can do there).

We need an answer to all of these methods, and any new methods they come up with, to continue to protect the user's privacy and deliver what the "delete cookies" UI promises - reset to factory.
> The Flash storage is common, but interesting, because a) we have no API to
> delete them (to my knowledge, we might have to request an API)

workaround: rm -rf %APPDATA%/MacromediaFlash Player
Workaround for people who don't like the one in Comment 1: The BetterPrivacy extension provides whitelist-based end-of-session deletion for Flash LSOs.

Probably also a good idea to use NoScript with "Apply these restrictions to whitelisted sites too" since the evercookie roadmap includes the use of SilverLight's LSO equivalent and Java's ability to read MAC addresses.
Duplicate of this bug: 598678
Depends on: 599294
Keywords: privacy
Duplicate of this bug: 601530
Regarding ETags: are ETags actually in wide use on the Internet, or is their use mostly limited to respawning cookies?  If the latter is the case, since ETags are an optional feature of HTTP, would any harm be done by removing support for ETags completely?
A toggle to disable ETags may be a good idea, but I wouldn't want them flat-out unsupported.

If it's not already done, it'd probably also be a good idea to flush the ETag for a page when the associated cache entry is deleted. That way, there'd be a clear and technically sensible way to flush ETags from the "Clear Recent History" dialog without any additional adverse effects.
Depends on: 231852
Article about a use of the technique in the wild:

http://www.wired.com/epicenter/2011/07/undeletable-cookie/
(In reply to comment #7)
> A toggle to disable ETags may be a good idea, but I wouldn't want them
> flat-out unsupported.
> 
> If it's not already done, it'd probably also be a good idea to flush the
> ETag for a page when the associated cache entry is deleted. That way,
> there'd be a clear and technically sensible way to flush ETags from the
> "Clear Recent History" dialog without any additional adverse effects.

Yes. And this toggle should be automatically set when in "Private Browsing" mode. The code should simply ignore the ETags EVEN IF this would impact cache performance.
> Yes. And this toggle should be automatically set when in "Private Browsing"
> mode. The code should simply ignore the ETags EVEN IF this would impact
> cache performance.

Hadn't thought of that one. Good point. 

I tend to forget that Firefox even HAS a private browsing mode because it's easier to open a copy of Chromium and launch an Incognito Window than to wrestle Firefox into giving me simultaneous regular and private browsing without external links opening in the private window half the time.
(In reply to Stephan Sokolow from comment #10)
> > Yes. And this toggle should be automatically set when in "Private Browsing"
> > mode. The code should simply ignore the ETags EVEN IF this would impact
> > cache performance.
> 
> Hadn't thought of that one. Good point. 
> 
> I tend to forget that Firefox even HAS a private browsing mode because it's
> easier to open a copy of Chromium and launch an Incognito Window than to
> wrestle Firefox into giving me simultaneous regular and private browsing
> without external links opening in the private window half the time.

Hi Stephen,

I saw your post in https://bugzilla.mozilla.org/show_bug.cgi?id=598925

You said it is easier to launch an Incognito Chrome window. Firefox has ctrl+shift+P to open a Private Browsing window. I also customized the toolbar to include the Private Window icon for convenience. I also use "Cookie Manager Button 1.0.1.6" add-on to quickly look at my cookies.

That said, I'm having problem with Google setting a persistent cookie that can only be removed by deleting the Firefox cookie file (cookies.sqlite). I keep a good "master copy" to replace the cookies.sqlite file when I do.

I use Chrome for anything involving Google and wipe everything in Chrome at the end of the session if using a regular Chrome window. I try to remember to use a Chrome Incognito window but I occasionally forget.

-- Teri
(In reply to moz.tfl2 from comment #11)
> (In reply to Stephan Sokolow from comment #10)
> > > Yes. And this toggle should be automatically set when in "Private Browsing"
> > > mode. The code should simply ignore the ETags EVEN IF this would impact
> > > cache performance.
> > 
> > Hadn't thought of that one. Good point. 
> > 
> > I tend to forget that Firefox even HAS a private browsing mode because it's
> > easier to open a copy of Chromium and launch an Incognito Window than to
> > wrestle Firefox into giving me simultaneous regular and private browsing
> > without external links opening in the private window half the time.
> 
> Hi Stephen,
> 
> I saw your post in https://bugzilla.mozilla.org/show_bug.cgi?id=598925
> 
> You said it is easier to launch an Incognito Chrome window. Firefox has
> ctrl+shift+P to open a Private Browsing window. I also customized the
> toolbar to include the Private Window icon for convenience. I also use
> "Cookie Manager Button 1.0.1.6" add-on to quickly look at my cookies.
> 
> That said, I'm having problem with Google setting a persistent cookie that
> can only be removed by deleting the Firefox cookie file (cookies.sqlite). I
> keep a good "master copy" to replace the cookies.sqlite file when I do.
> 
> I use Chrome for anything involving Google and wipe everything in Chrome at
> the end of the session if using a regular Chrome window. I try to remember
> to use a Chrome Incognito window but I occasionally forget.
> 
> -- Teri

At the time I posted that, Firefox only allowed a given process (and, hence, a given user profile) to be all-normal or all-private at a given moment.

Once Firefox internals were reworked to support both private and non-private within the same user profile like Chrome does, Firefox became the easier option... especially with the Private Tab extension letting me mix private and non-private tabs in the same window.

I now only use Chrome for things which get broken by my usual ultra-paranoid Firefox tweaks (like Duolingo's audio record/playback Flash applet and one site which requires 3rd-party cookies to login) and I simply converted all of my Chrome-launching mechanisms to pass --incognito when starting it.

That Google persistent cookie does worry me though. I usually login to Google stuff in private tabs and don't think I have that problem, but I do occasionally forget the private tabs and I'm usually so busy that I could easily have missed it. Could you describe the cookie's characteristics in enough detail for me to craft an SQL SELECT query to check for it? 

(I'd be very surprised if it didn't respond to "sqlite3 cookies.sqlite 'DELETE FROM ...'" in a Firefox-launching wrapper script and, if it really did refuse to die, I could resort to using `sqlite3 .dump`, grep to filter out the offending line in the raw SQL, restoring it as a brand new database, and then overwriting the old one with it before launching Firefox.)
Marking all tracking bugs which haven't been updated since 2014 as INCOMPLETE.
If this bug is still relevant, please reopen it and move it into a bugzilla component related to the work
being tracked. The Core: Tracking component will no longer be used.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.