Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies: [PDF 342KB]
Abstract: Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although protected by the Same Origin Policy, popular browsers include cookies in all requests, even when these are cross-site. Unfortunately, these third-party cookies enable both cross-site attacks and third-party tracking. As a response to these nefarious consequences, various countermeasures have been developed in the form of browser extensions or even protection mechanisms that are built directly into the browser.
In this paper, we evaluate the effectiveness of these defense mechanisms by leveraging a framework that automatically evaluates the enforcement of the policies imposed to third-party requests. By applying our framework, which generates a comprehensive set of test cases covering various web mechanisms, we identify several flaws in the policy implementations of the 7 browsers and 46 browser extensions that were evaluated. We find that even built-in protection mechanisms can be circumvented by multiple novel techniques we discover. Based on these results, we argue that our proposed framework is a much-needed tool to detect bypasses and evaluate solutions to the exposed leaks. Finally, we analyze the origin of the identified bypass techniques, and find that these are due to a variety of implementation, configuration and design flaws.
(Score: 2) by Nuke on Saturday August 18 2018, @11:44AM (6 children)
From time to time I go through and delete every one of them, except a few I recognise and don't mind.
(Score: 2) by BsAtHome on Saturday August 18 2018, @12:02PM (2 children)
Yes, that is the only way at the moment to limit the impact a bit (do it myself too).
However, it is a real pain in the arse. I long for the days when a straight line actually was a straight line and the web was feature-poor.
(Score: 0) by Anonymous Coward on Saturday August 18 2018, @12:51PM (1 child)
And never leave the browser or internet connection on... come back and the memory's all gone and I usually have to reboot Windows.
(Score: 0) by Anonymous Coward on Sunday September 09 2018, @09:50AM
Use Linux?
Ha. I'm kidding. This happens in Firefox too. Firefox loves to spawn subprocesses that chew up memory.
(Score: 0) by Anonymous Coward on Saturday August 18 2018, @01:51PM
It's best to not accept cookies in the first place. Depending on your browsing habits you might only benefit from a dozen cookies or so. The rest will only harm you.
(Score: 0) by Anonymous Coward on Saturday August 18 2018, @03:40PM
I have pretty much blocked every known way to track me anywhere. On shitty sites this means I block over 200 items. On pretty good sites, there is nothing to block. Stupidest thing about this is that I only visit about a dozen of the same sites, so really there is nothing they can glean from spying on me, but I know that will never stop them.
(Score: 2) by Joe Desertrat on Sunday August 19 2018, @10:43PM
If you are using Firefox, make the last page you visit each browsing session about:preferences#privacy. Then clear history (make sure all the boxes are checked) and clear data. It is alarming how much crap is stored on your PC in only a single browsing session, even using NoScript, Privacy Badger, AdBlock and others that should be protecting you. You should probably close your browser and start over each time you use a site you log into as well.
(Score: 0) by Anonymous Coward on Saturday August 18 2018, @12:50PM (6 children)
I run multiple browsers. Some are always in private mode, with no cookies, no local storage, purge cache on exit, no location (or any other) services, etc. At times I have six or seven browsers open.
I have one that is just for social media (to interact with extended family) that accepts cookies until I exit. I also have one that accepts cookies until I exit for any ecommerce. Each uses a different proxy service.
I try to make it as hard as possible to track me because ... well ... fuck 'em. I'm not a bear in the wild, and I don't have a tag in my ear.
(Score: 4, Touché) by RS3 on Saturday August 18 2018, @01:27PM
To "them", you are and you do.
(Score: 0) by Anonymous Coward on Saturday August 18 2018, @02:41PM (2 children)
Why consider keeping location on in the browser at all?
(Score: 0) by Anonymous Coward on Saturday August 18 2018, @03:45PM (1 child)
I don't have it on. It is disabled in every browser I use. I can't remove the code from the browser so disabling it (and other services) is my only alternative.
(Score: 0) by Anonymous Coward on Saturday August 18 2018, @04:03PM
Unless you are running on an iPhone, you can.
(Score: 1, Interesting) by Anonymous Coward on Saturday August 18 2018, @02:58PM (1 child)
I have a VPN service (Go Nord!), a VM for each major function, and multiple browsers each with assorted plugins etc.
What I need is a way to fire up the same browser in a container with each website only seeing its own junk. I don't care about caching of javascript files or images. Every site can do whatever, so long as it is in its own space and is destroyed when the browser is closed.
Except SN. I trust SN.
(Score: 0) by Anonymous Coward on Saturday August 18 2018, @05:13PM
You can leverage Firefox/Pale Moon profiles to get that effect. Whilst I've not gone as far as automating this, since I don't require that level of separation and that many profiles to make it worth the hassle (I manually clone profiles instead), I can see this can almost be easily scripted as follows:
(Score: 0) by Anonymous Coward on Saturday August 18 2018, @06:52PM (1 child)
i disable third party cookies. no non piece of shit site needs that. i clear my cookies every time the browser gets closed. if you don't, you're just a lazy fuck.
(Score: 0) by Anonymous Coward on Saturday August 18 2018, @08:50PM
yeah like i have been setting the "always reject third party cookies" since... forever, I think.
only ignorant clowns allow third party cookies to be stored.
you guys really have to go through your browser cache and look at the files in there. not the pictures--i know there are good naked lady ones you didn't realize you hadn't saved-as. happens to me, too.
i mean the stuff written in javascript. you thought your porn was sick, check out that stuff.