From: Woody on 2 Feb 2010 07:26

Jack Campin - bogus address <bogus(a)purr.demon.co.uk> wrote:

>>>>> The problem with cookies generally is that the user doesn't know and
>>>>> can't find out what they are for, in general, nor what information is in
>>>>> them, nor how that information might be used.
>>>> Pretty easy to find out.
>>> I've never been able to figure out how, so I'm certain that you're
>>> wrong about that.
>> In Firefox you can view the cookies and their content.
> The content is usually a string of gibberish and there is no publicly
> documented way to find out what it means.
>
> The commonest kinds of cookie I see are called "_utma" and "_utmz".
> Lots of sites leave them, so I presume they are usually in some
> standard format, but I've never seen it described even for this simple
> case. And there's nothing to stop a site from using those filenames
> to store whatever it wanted.

There really is. I don't know how this 'sky is falling in' thing happened, but a cookie just contains two items, a key and a value. So if your key is 'id', it will return (say) af3873682976af, which you then look up in your database (the server's) and find the user name that corresponds to that. That is all you can do with them. That number means nothing to anyone else, it is just an index into a database somewhere else. You delete it and you just have to log in again. If you want to delete them, fine, not a problem.

-- 
Woody
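The session-id pattern Woody describes (an opaque value in the cookie, everything meaningful in a table on the server), written out as an added example in Python; this is illustration code, not anything from the thread. The cookie name "id", the one-hour lifetime and the in-memory store are assumptions.

```python
# Added example: a minimal server-side session store. The cookie carries only
# a random token; the user name and expiry live in the server's table, so the
# token means nothing off this server and deleting it just forces a new login.
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_TTL = 3600  # one hour; assumed value for this example

# Constructed "database": session id -> (user name, expiry timestamp).
_sessions: Dict[str, Tuple[str, float]] = {}


def login(user: str, now: Optional[float] = None) -> str:
    """Create a session for `user`; return the Set-Cookie header value."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)          # 128 random bits: unguessable
    _sessions[sid] = (user, now + SESSION_TTL)
    c = SimpleCookie()
    c["id"] = sid
    c["id"]["httponly"] = True           # not readable by page scripts
    c["id"]["secure"] = True             # only sent over HTTPS
    c["id"]["samesite"] = "Lax"          # not sent on cross-site POSTs
    return c["id"].OutputString()


def lookup(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve the browser's Cookie header to a user name, or None."""
    now = time.time() if now is None else now
    c = SimpleCookie()
    c.load(cookie_header)
    if "id" not in c:
        return None
    sid = c["id"].value
    entry = _sessions.get(sid)
    if entry is None:
        return None                      # unknown or deleted id: log in again
    user, expires = entry
    if now >= expires:
        _sessions.pop(sid, None)         # server decides expiry, not the cookie
        return None
    return user


def logout(cookie_header: str) -> None:
    """Drop the server-side record; the cookie becomes a dead index."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "id" in c:
        _sessions.pop(c["id"].value, None)
```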
From: Geoff Berrow on 2 Feb 2010 07:33

On Tue, 02 Feb 2010 12:01:03 +0000, Jack Campin - bogus address <bogus(a)purr.demon.co.uk> wrote:

>> In Firefox you can view the cookies and their content.
>
> The content is usually a string of gibberish and there is no publicly
> documented way to find out what it means.

Because they could be anything. Passwords may be stored using one-way encryption.

> The commonest kinds of cookie I see are called "_utma" and "_utmz".
> Lots of sites leave them, so I presume they are usually in some
> standard format, but I've never seen it described even for this simple
> case. And there's nothing to stop a site from using those filenames
> to store whatever it wanted.

They are placed there by Google Analytics and are there to gather general statistics about your visit. Basically, so you don't get counted twice.

> (I have cookies enabled for sites I have reason to trust, and I draw
> that boundary quite widely - I'm not messianic about this).
>
>>>>> So we have methods of dealing with cookies - i.e., not letting them
>>>>> persist beyond browser sessions.
>>>> Suits me. :)
>>> But since the average user has no idea these Flash cookies exist, it's
>>> not possible for the typical user to even contemplate doing anything
>>> about 'em.
>> Flash cookies? When did we start talking about Flash?
>
> Flash cookies are not subject to management by the browser - they will
> always persist indefinitely. And since they're stored somewhere rather
> obscure, they provide a much better trace of what the user has been
> looking at than the browser's own caches.
>
> I've no idea what sort of data Flash cookies encode, anybody know?
> I'd bet a police forensics team could call on somebody who does.

I don't write Flash programs so don't use Flash cookies. But I imagine they store the same kinds of things that ordinary cookies do, program states, visit stats, etc.

-- 
Geoff Berrow (Put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs www.4theweb.co.uk/rfdmaker
From: Chris Ridd on 2 Feb 2010 08:25

On 2010-02-02 12:01:03 +0000, Jack Campin - bogus address said:

> The content is usually a string of gibberish and there is no publicly
> documented way to find out what it means.

This is because their meaning is *entirely* up to the developer of the web application you're talking to. All a cookie is is a defined way of moving arbitrary data from the browser to the web server.

> I've no idea what sort of data Flash cookies encode, anybody know?
> I'd bet a police forensics team could call on somebody who does.

Again, the data is *entirely* up to the Flash developer. There's no way to find out except by talking to them, or if you're desperate disassembling the Flash code.

-- 
Chris
From: James Taylor on 2 Feb 2010 09:33

Woody wrote:

> Jack Campin wrote:
>
>> The commonest kinds of cookie I see are called "_utma" and "_utmz".

That's Google Analytics; the ultimate Big Brother watching you as you browse the web regardless of whether you use Google as your search engine or not.

>> Lots of sites leave them, so I presume they are usually in some
>> standard format, but I've never seen it described even for this simple
>> case.

Not exactly a full description, but here's a starting point:

<http://helpful.knobs-dials.com/index.php/Utma,_utmb,_utmz_cookies>

>> And there's nothing to stop a site from using those filenames
>> to store whatever it wanted.

Sure, but why would they bother? The global omniscience of Google Analytics is already scary enough, so anything a site might hide in a cookie by that same name couldn't be worse. IF a site did want to hide the purpose of a cookie they'd name it something innocuous instead.

> There really is. I don't know how this 'sky is falling in' thing
> happened, but a cookie just contains two items, a key and a value.
> So if your key is 'id', it will return (say) af3873682976af, which
> you then look up in your database (the server's) and find the user
> name that corresponds to that.

Yes, so even a short ID number is sufficient to build up a vast database of browsing history, IP address history, search history, etc.

> That is all you can do with them.

That's all they *need* to be able to do with them to know more about you than you might feel comfortable about. Not only can Google tie your Google cookie to your search history and Gmail identity (or indeed any of their other popular services: YouTube, Picasa, Google Groups, etc) but they can also tie your browsing history as collected by Google Analytics together with all the other sources.

From all this data it is likely possible for them (or their business partners) to know just about everything; who you are, where you live, who your friends are, what your interests are, and indeed almost what you're thinking. We already know (as part of the fallout from the Chinese attack that exploited them) that Google have dedicated data-mining servers they make remotely accessible to law enforcement and governments around the world for their ultimate convenience, after all they must be queuing up to access data on "suspected" criminals and terrorists so it obviously makes sense to automate this process.

> That number means nothing to anyone else, it is just an index into a
> database somewhere else. You delete it and you just have to log in
> again. If you want to delete them, fine, not a problem.

Cookies belonging to sites you knowingly use and log in to anyway are perfectly sensible. It's the third-party cookies designed to track you across the web and build up a profile on you that people object to. The Firefox extension "CS Lite" allows you to selectively allow cookies of the first kind while blocking all other cookies by default.

The message for site owners is that people will increasingly get wise to the dangers of cookies and JavaScript, so you need to design to allow your site to function without them, and be open about the benefits to the user of enabling cookies and/or JavaScript, or indeed Flash.

The caution I have for users who care about their privacy and hate the idea of being tracked, is that this is just the beginning of a long struggle. As more people clear their browser cookies, Flash cookies, and disable JavaScript, the sites whose business it is to profile you will get smarter. For example, it is already possible to use browser fingerprinting techniques to (almost) uniquely identify you even without any kind of cookie.

There is a uniqueness test from the EFF here:

<http://panopticlick.eff.org/about.php>

Go to the homepage and click the "Test Me" button. It would be interesting to see what kind of results Apple users get. I get a uniqueness rating of one in 256,032, but then I'm using Linux and have my browser fairly heavily locked down, which is unusual. It seems the more securely configured you are the more trackable you are, so you can't have both security and privacy at the same time. Damn. :-(

-- 
James Taylor
From: Elliott Roper on 2 Feb 2010 09:54

In article <7sqrehFuljU1(a)mid.individual.net>, James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> There is a uniqueness test from the EFF here:
>
> <http://panopticlick.eff.org/about.php>
>
> Go to the homepage and click the "Test Me" button. It would be
> interesting to see what kind of results Apple users get. I get a
> uniqueness rating of one in 256,032, but then I'm using Linux and have
> my browser fairly heavily locked down, which is unusual. It seems the
> more securely configured you are the more trackable you are, so you
> can't have both security and privacy at the same time. Damn. :-(

I think your last observation may not be quite right. I was completely unique in their whole population and my machine is relatively wide open. They were able to score me uniquely on plugins and again on fonts. If I had Javascript off, they would not have been able to see the fonts. Still, I can always don a disguise when I have to. Muck about with fonts and plugins installed and active. Simples!

-- 
To de-mung my e-mail address:- fsnospam$elliott$$
PGP Fingerprint: 1A96 3CF7 637F 896B C810 E199 7E5C A9E4 8E59 E248