
posted by Fnord666 on Saturday November 18 2017, @10:18PM
from the monkey-see-monkey-do dept.

Freedom to Tinker has a post on how session-replay scripts use JavaScript to exfiltrate personal data.

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However, the extent of data collected by these services far exceeds user expectations [1]; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can't reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user's real identity.

Though the post refers to scripts added by the web server intentionally, if a third party, such as an ISP, competing company, or government agency, is in control of a certificate already loaded into a target's browser, either overtly or covertly, a Man-in-the-Middle attack is trivial with SSL/TLS and exfiltration scripts can be sent as payload. If you want to see the latency burden that even ostensibly well-behaved scripts cause, press ctrl-shift-i in the browser, select "network" and then reload the page.


  • (Score: 2) by Arik on Sunday November 19 2017, @10:47AM (2 children)

    by Arik (4543) on Sunday November 19 2017, @10:47AM (#598898) Journal
    "Cookies let them track you across various web sites."

    Not exactly. Not just cookies by themselves, at least.

    Of course companies that run multiple websites (Google obviously, but any hosting provider could qualify to some extent) could do this. But they don't need cookies to do that. Your IP address works just fine.

    And, of course, there are *third party* cookies which are used in this way; I was assuming everyone here blocks those, of course.

    Blocking regular cookies doesn't really do much other than keep you from using the 'stay logged in' feature on websites in general.

    --
    If laughter is the best medicine, who are the best doctors?
  • (Score: 3, Informative) by maxwell demon on Sunday November 19 2017, @11:55AM

    by maxwell demon (1608) on Sunday November 19 2017, @11:55AM (#598904) Journal

    For sites where you log in, that may be true (your login already identifies you). But for sites where you don't log in, persistent cookies can provide an identity across sessions, which you may not want.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by Snotnose on Sunday November 19 2017, @01:02PM

    by Snotnose (1623) on Sunday November 19 2017, @01:02PM (#598908)

    As I said before, sites I visit often are whitelisted. But most of those sites are aggregators (soylent, /., fark, etc.), and when you click on a link to the story you're going god knows where. I probably visit a couple hundred web sites a day; only 3-4 of those sites are allowed to set a cookie.

    --
    When the dust settled America realized it was saved by a porn star.