From: James Taylor on 31 Jan 2010 21:54

Phil Taylor wrote:
> James Taylor wrote:
>
>> My goodness! I had no idea there was a hidden client making outbound
>> connections without the knowledge or permission of the user. Under what
>> circumstances do things get added to the pubsub fetch database?
>
> Fascinating isn't it? I suspect that you get such subscriptions by
> inadvertently clicking the RSS button on a web site. Since nothing
> visible happens, you forget about it.

It's just yet another example of Apple not caring about user security. They only care about giving the impression of security. It's dishonest.

> My friend had four such subscriptions running, one of which was indeed
> to the BBC News. However, none of these appeared in Safari when she
> tried the above method. Three of them she could delete using pubsub in
> Terminal, but one simply reported "URL not found" and remained
> stubbornly in the pubsub list. Eventually she just set the time
> interval to "never" in Safari.

Or you could just delete the ~/Library/PubSub folder.

I'd even be tempted to symlink ~/Library/PubSub to /dev/null in order to guarantee that nothing can reinstate these in the future.

> She's still worrying about the Google.com cookie though

I use Firefox with the CS Lite extension:
<https://addons.mozilla.org/en-US/firefox/addon/5207>
and I keep cookies disabled on all but a few whitelisted sites where I actually need them for my own convenience.

I also recommend the AdBlock Plus extension:
<https://addons.mozilla.org/en-US/firefox/addon/1865>
which prevents Firefox from even visiting ad sites such as doubleclick.net (owned by Google) or similar. This not only has privacy benefits, but also considerable security benefits given that many exploits come in via those advertisers because the advertisers themselves get hacked.

Safari is an Apple product, so it favours user enjoyment over user privacy or security. Firefox has an extensible architecture that allows people who really do care about user privacy and security to make the browser respect those things. If your friend cares about this she should definitely not be using an Apple browser, she should use Firefox.

Other essential security extensions for Firefox include NoScript:
<https://addons.mozilla.org/en-US/firefox/addon/722>
and RequestPolicy:
<https://addons.mozilla.org/en-US/firefox/addon/9727>

These extensions require some configuration and knowledge to use effectively, but your friend will enjoy the learning process if she cares about security enough to want to look into it.

--
James Taylor
From: Phil Taylor on 1 Feb 2010 05:39

In article <7smu43FcqbU1(a)mid.individual.net>, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
> Phil Taylor wrote:
>
> > James Taylor wrote:

Some useful suggestions. Passed on to the lady concerned, ta.

Phil Taylor
From: Rowland McDonnell on 1 Feb 2010 11:23

James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
> Phil Taylor wrote:
>
> > James Taylor wrote:
> >
> >> My goodness! I had no idea there was a hidden client making outbound
> >> connections without the knowledge or permission of the user. Under what
> >> circumstances do things get added to the pubsub fetch database?
> >
> > Fascinating isn't it? I suspect that you get such subscriptions by
> > inadvertently clicking the RSS button on a web site. Since nothing
> > visible happens, you forget about it.
>
> It's just yet another example of Apple not caring about user security.
> They only care about giving the impression of security. It's dishonest.

*ALL* the firms are dishonest, when it comes to this sort of thing.

In the case of Apple, experience shows that in the past, Apple's security policy has resulted in no widespread problems for users.

The best we can expect from *ANY* of these damned rip-off con-men who flog us this kit is `practically speaking, it's not too bad'.

If you were using MS, you'd be having a much worse time - MS's attitude towards security has in the past caused widespread problems for its users, has done so for decades, and continues to do so now.

Apple's attitude stinks - but practically speaking, we've got it a lot better than the Windoze people.

<shrug>

> > My friend had four such subscriptions running, one of which was indeed
> > to the BBC News. However, none of these appeared in Safari when she
> > tried the above method. Three of them she could delete using pubsub in
> > Terminal, but one simply reported "URL not found" and remained
> > stubbornly in the pubsub list. Eventually she just set the time
> > interval to "never" in Safari.
>
> Or you could just delete the ~/Library/PubSub folder.
>
> I'd even be tempted to symlink ~/Library/PubSub to /dev/null in order to
> guarantee that nothing can reinstate these in the future.

It seems that Safari comes with those subscriptions activated as standard.

> > She's still worrying about the Google.com cookie though
>
> I use Firefox with the CS Lite extension:
> <https://addons.mozilla.org/en-US/firefox/addon/5207>
> and I keep cookies disabled on all but a few whitelisted sites where I
> actually need them for my own convenience.

<devilsadvocate>
Yes, but that's an untrustable download - how can you be sure that your security is uncompromised by that unverifiable extension?
</devilsadvocate>

> I also recommend the AdBlock Plus extension:
> <https://addons.mozilla.org/en-US/firefox/addon/1865>
> which prevents Firefox from even visiting ad sites such as
> doubleclick.net (owned by Google) or similar. This not only has privacy
> benefits, but also considerable security benefits given that many
> exploits come in via those advertisers because the advertisers
> themselves get hacked.

I use FlashBlock as well as what you recommend below.

<https://addons.mozilla.org/en-US/firefox/addon/433>

> Safari is an Apple product, so it favours user enjoyment over user
> privacy or security.

Not *exactly* - that's the wrong way of looking at it, I think. It's an attitude expressed by Mac-haters, I do know that.

> Firefox has an extensible architecture that allows
> people who really do care about user privacy and security to make the
> browser respect those things.

Which is pretty poor, since privacy and security should be of high quality by default, without the need to add the security risk that comes with any extensible architecture being operated without some sort of - oh dear, am I writing this? - authority, ensuring good quality.

> If your friend cares about this she should
> definitely not be using an Apple browser, she should use Firefox.

Firefox has its flaws. I read an article covering an interview with a heavy modern hacker. His advice if you wanted a secure browsing experience?

No Firefox. Opera, with Javascript off.

<shrug>

> Other essential security extensions for Firefox include NoScript:
> <https://addons.mozilla.org/en-US/firefox/addon/722>

Yes. Very handy, that one. You'd be *amazed* the number of times I've seen a Google script being blocked. Is there anywhere on-line where Google isn't poking around? Probably not...

> and RequestPolicy:
> <https://addons.mozilla.org/en-US/firefox/addon/9727>

I've not met that one before. Good one, though. Ish. Hmm - like a lot of these extensions, this is one that it's not easy for someone who's not a Web security expert to make good use of. Still, I expect I'll get the hang of it. I've wanted this sort of control for *ages*.

> These extensions require some configuration and knowledge to use
> effectively, but your friend will enjoy the learning process if she
> cares about security enough to want to look into it.

In general, any computer security add-on that requires knowledgeable configuration is unusable by anyone except a computer security specialist. Without the sort of contacts that sort of person has, you can forget being able to learn what's needful /in the *general* case of computer security software/.

But in the case of NoScript, I've made intelligent use of it. I need information that's not available to me to use it optimally, but I'm used to that...

RequestPolicy is somewhat similar - one needs information that is inaccessible other than to well-connected computer security specialists, and the rest of us can go hang. But again, I'm able to make some sort of intelligent use of it. I don't trust the suggested whitelist entries.

Rowland.

--
Remove the animal for email address: rowland.mcdonnell(a)dog.physics.org
Sorry - the spam got to me
http://www.mag-uk.org http://www.bmf.co.uk
UK biker? Join MAG and the BMF and stop the Eurocrats banning biking
From: Rowland McDonnell on 1 Feb 2010 11:23

James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
> Phil Taylor wrote:
>
> > GD wrote:
> >
> >> Does your friend's paranoia extend to deleting Flash cookies? These
> >> seem to get accepted even if you have the 'Accept no cookies' option
> >> turned on, at least in Safari and Firefox. Worse yet, if they get
> >> placed in one browser, they are available to others.
> >
> > Unless you use iCab and tell it to use local cookie storage. It seems
> > to be the only browser which has this option.
>
> Or there's Firefox with the BetterPrivacy extension:
> <https://addons.mozilla.org/en-US/firefox/addon/6623>

Does the illiteracy of the author not concern you? It's a worry to me - do I really want to trust software written by someone that ill-educated? (It doesn't read like the English of someone with a non-English mother tongue. I'm often wrong).

I've just installed the thing.

Ye gods! There's *hundreds* of these bloody local storage objects lurking! And did I really visit all those sites?

Oo-er.

The first time I quit Firefox after BetterPrivacy configuration (that is, installing BP and then re-starting Firefox, then re-starting Firefox *again*), BP didn't delete any LSOs. The second time, it did.

Rowland.

--
Remove the animal for email address: rowland.mcdonnell(a)dog.physics.org
Sorry - the spam got to me
http://www.mag-uk.org http://www.bmf.co.uk
UK biker? Join MAG and the BMF and stop the Eurocrats banning biking
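
Added example, not part of any post in this thread: a Python audit of the Flash local shared objects (LSOs) discussed above, counting the stored `.sol` files per site so the store can be reviewed before and after a cleanup. The Mac OS X default path and the `<random dir>/<site>/...` layout are assumptions about Flash Player's on-disk store, and the sample tree is constructed.

```python
import sys
from collections import defaultdict
from pathlib import Path

# Assumption: default Flash Player store on Mac OS X; pass another root as argv[1].
DEFAULT_ROOT = Path.home() / "Library/Preferences/Macromedia/Flash Player/#SharedObjects"

def audit_lsos(root):
    """Map each site to [(relative path, size in bytes)] for .sol files under root.

    Assumed layout: <root>/<random per-user dir>/<site>/.../<name>.sol
    """
    root = Path(root)
    found = defaultdict(list)
    if not root.is_dir():
        return {}
    for path in sorted(p for p in root.rglob("*.sol") if p.is_file()):
        parts = path.relative_to(root).parts
        # parts[0] is the random directory, parts[1] the site that stored the object.
        site = parts[1] if len(parts) >= 3 else "(unknown)"
        found[site].append((path.relative_to(root).as_posix(), path.stat().st_size))
    return dict(found)

def summarize(report):
    """Rows of (site, object count, total bytes), busiest site first."""
    rows = [(site, len(objs), sum(size for _, size in objs)) for site, objs in report.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

def build_sample_store(base):
    """Create a constructed sample store under base so the audit runs offline."""
    root = Path(base) / "#SharedObjects"
    files = {
        "AB12CD34/example.com/settings.sol": b"x" * 10,
        "AB12CD34/example.com/player/volume.sol": b"x" * 4,
        "AB12CD34/ads.example.net/track.sol": b"x" * 6,
        "AB12CD34/ads.example.net/readme.txt": b"not an LSO",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root

if __name__ == "__main__":
    store = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_ROOT
    for site, count, total in summarize(audit_lsos(store)):
        print(f"{count:4d} objects {total:8d} bytes  {site}")
```

Because the store sits outside any browser profile, one run covers objects set through every browser on the account.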
From: Geoff Berrow on 1 Feb 2010 11:35

On Mon, 1 Feb 2010 16:23:15 +0000, real-address-in-sig(a)flur.bltigibbet.invalid (Rowland McDonnell) wrote:

>I've just installed the thing.
>
>Ye gods! There's *hundreds* of these bloody local storage objects
>lurking! And did I really visit all those sites?

Cookies can be very useful to the user as well as the site operator. Some cookies are simply stored in memory and disappear when the browser is closed. It's wrong to treat them all as works of the devil.

--
Geoff Berrow (Put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs www.4theweb.co.uk/rfdmaker