
Who Left Open The Cookie Jar? - pmoriarty
https://wholeftopenthecookiejar.eu
======
kodablah
This WontFix made me sad [0]:

> Yes, this is accurate - extensions cannot intercept requests from PDFium.
> PDFium, in Chrome, is (partially) implemented as a component extension, and
> extension requests cannot be monitored or manipulated by other extensions.
> The behavior of protecting component extension requests is critical for
> security reasons, and we are unlikely to change it.

Ug, not exactly sure what triggers PDFium vs PDF download, but this is
especially bad if I could load a PDF in an iframe and get around any of your
ad blocking. I also question why it's considered an extension at the user
level. Anything installed and enabled by default should be considered part of
the core browser and not an extension (regardless of the mechanisms, such as
the extension one, they are implemented with). I understand the levels of
separation and implementation difficulty fixing this entails, I really do, but
the practicalities of your on-by-default PDF renderer making web requests
different than a web page is too bad to ignore.

This goes to show that you can not count on extensions to filter web requests
in your browser. You must do it at the network level or have a dedicated
browser for it (e.g. Tor Browser). Unfortunately it's often extensions that
have all the contextual information needed to make the decisions you want.

[0]
[https://bugs.chromium.org/p/chromium/issues/detail?id=824705#c4](https://bugs.chromium.org/p/chromium/issues/detail?id=824705#c4)

~~~
smallnamespace
One can imagine building a hierarchy of permissions so some extensions can
have higher privileges over others. One more step in the slow march of
browsers taking on more functionality of an OS.

~~~
saidajigumi
Not-so-tongue-in-cheek corollary: software with a sufficiently rich and
desirable attack surface will evolve to become indistinguishable from an OS.

~~~
bigiain
"Every program attempts to expand until it can read mail. Those programs which
cannot so expand are replaced by ones which can." -- jwz

~~~
drb91
I don’t get this quote. Why is mail reading considered an obvious forward step
for a program? That fad seemed to die with the browser Mozilla (or SeaMonkey
these days, if it still exists).

~~~
bigiain
Heh - for the record, that quote is from the guy who's responsible for
open-sourcing Netscape into Mozilla, and is from around about that time/era...

These days I wonder if the functional equivalent is expanding to include a
Slack-bot?

~~~
justinator
He also wrote an email client for Netscape.

~~~
bigiain
Email and usenet client - which was the only client that ever got message
threading right...

------
js2
I use Safari 11 as my primary browser. This is promising:

> _Safari’s Intelligent Tracking Prevention managed to mitigate all
> third-party cookies to a tracking domain, apart from redirects. However, we found
> that future completeness can be undermined by having this option disabled
> for even a short interval. Third-party cookies set in this interval by
> tracking domains, which otherwise would have been prevented, will still be
> included in cross-site requests after enabling the option again, identical
> to the results when the option is disabled. Luckily, this option is enabled
> by default, so future completeness can only be affected through explicit
> disabling by the user._

I'd also like to know whether that applies to iOS, but the paper didn't
perform any mobile browser testing.

That said, every so often I view my stored cookies and I'm always shocked at
the number of domains that I've never heard of that have stashed cookies. :-(

~~~
kulahan
I never wanted to "waste money" on a mac, but I feel like Apple takes user
privacy seriously, and I'm genuinely considering making the switch from
Windows just to support that practice. I dunno, maybe that's silly, but it
seems like the whole world stopped caring about user security and privacy, and
this is refreshing to see fairly consistently.

~~~
beenBoutIT
Warm feelings aside, security experts are typically more objective than
Apple's keynote bullet points.

The key thing to remember is that there is no privacy without security.
Factually speaking, ChromeOS is far more secure than either Windows or macOS.
[https://www.cnet.com/news/how-google-chromebooks-became-the-go-to-laptop-for-security-experts/](https://www.cnet.com/news/how-google-chromebooks-became-the-go-to-laptop-for-security-experts/)

~~~
peterwwillis
> there is no privacy without security

This is factually incorrect. You can have privacy without security, and you
can have security without privacy. Security keeps things safe, privacy keeps
things hidden.

Also, ChromeOS devices ship with a rootkit called the Play Store. There are
also hundreds of apps on the play store that install malware on Android
devices. You may not need to install an anti-virus, but you may also very
easily install what looks like a fun game, and then find your funds being
drained from your bank account.

~~~
acaibowl
> This is factually incorrect. You can have privacy without security, and you
> can have security without privacy. Security keeps things safe, privacy keeps
> things hidden.

Uh that's not factually incorrect. You can definitely have security without
privacy, but not the other way around. Without security that means your
privacy can't be protected.

~~~
checkyoursudo
The fact that your privacy isn't secured doesn't automatically mean that it is
automatically compromised, does it? I mean, sure, maybe you assume it is for
any real purpose, but that doesn't mean your privacy is actually compromised.

For example, my first iPhone, I didn't have a password (I think -- maybe that
was my first iPad). It was insecure, but I'm reasonably sure that everything
on there was private (in that more physical sense; I have no idea about
internal security of those first generations of iPhone/iPad).

A weaker claim that is probably true might be: you cannot _guarantee_ your
privacy without security. That you _cannot_ have privacy seems like too strong
of a claim?

~~~
hvidgaard
I think it's a bit of a nitpick, but the iPad was under physical security.

I do agree with you though. Privacy is having your information to yourself.
You don't need security for that, just that everyone else keeps their nose to
themselves. But if you want to guarantee your privacy, you need some form of
security.

~~~
checkyoursudo
If you knew my kids, you might not say that my iDevices are always under the
best of physical security.

------
mgliwka
I have to disagree with the statement that those techniques are not being
used in the wild. I’ve observed a porn advertising network delivering some JS
once, which opened a third-party domain served PDF with cookies in the
background and then closed the popup immediately again. I was wondering what
that was about. Now it’s clear to me.

~~~
blattimwind
A friend of mine might have noticed something similar (on a news site, of
course).

~~~
tomvangoethem
It would be very useful if you could point us to such examples! (I'm an author
of the paper)

~~~
blattimwind
Pornhub. It could of course be a popup playing a different role (e.g. being
part of a "you need to upgrade your vulnerable software naow!1"-scheme) that's
only visible if no blockers at all are used.

------
kevin_thibedeau
Self destructing cookies will mostly defeat these problems unless trackers get
clever about cross-correlating cookies from different sessions. Restricting
JavaScript makes that even harder for them to accomplish.

For most purposes there's little benefit to keeping old cookies hanging
around. Just whitelist the sites you want to stay logged in to.

~~~
pvorb
That has been my strategy lately, but it keeps getting more annoying because
of all those cookie banners that now can’t remember to not show up – quite
absurd and probably not intended by regulators.

~~~
quiq
There is an extension called "I don't care about cookies" [1] that takes care
of those.

[1] [https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/](https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/)

~~~
jjeaff
Or, if you already use uBlock Origin there is a blacklist in the settings that
you can turn on to block all cookie banners.

------
abtinf
Is there a privacy-maximizing combination of browsers and extensions that
keeps the web mostly usable?

I'm currently running Chrome with uBlock Origin and uMatrix. uMatrix is a bit
of a hassle, but I didn't realize the scope of the threat landscape until I
saw the huge number of (potential) trackers called out by almost every site.

~~~
FridgeSeal
Maybe swap from Chrome to Firefox?

If nothing else, Firefox isn’t built by a literal advertising company.

~~~
abtinf
Is there a meaningful distinction between a browser built by an advertising
company, and a browser built by another company that earns almost all of its
revenue from the advertising company?

~~~
move-on-by
* Well, Firefox being fully open source is certainly a distinction that counts with me.

* Their built-in tracking protection is also another distinction [1].

* Ability to modify core settings to improve privacy is also really nice, but not viable for the average user [2].

* Firefox on Android is the only mobile browser that allows you to install add-ons. I'm not talking special mobile-made add-ons. Any add-on that you can install on desktop, you can install on the mobile version. Although usability will definitely vary. uBlock Origin, Privacy Badger, Decentraleyes, Cookie AutoDelete - all available on Firefox mobile for Android.

I'm not going to go as far as saying Firefox deserves your 100% trust. They
have definitely made some missteps along the way. However, as far as
meaningful distinction, yes I think that is well earned.

[1] [https://support.mozilla.org/en-US/kb/tracking-protection](https://support.mozilla.org/en-US/kb/tracking-protection)

[2]
[https://www.privacytools.io/#about_config](https://www.privacytools.io/#about_config)

------
linguistbreaker
It's funny this is posted on Boingboing.net - I stopped reading years ago
because their monetization attempts made their site unusable...

------
pbreit
I always wondered if it was possible to embed JavaScript in a PDF for tracking
or other purposes.

The article suggests: "The techniques allowed them to track users across sites
by means of Javascript in PDF tables"

Has anyone done this? Is there any literature about it (I didn't find any
after a quick look).

------
chopin
Again a reason to block at least third party JavaScript.

------
cm2187
I wish browsers had an option to make all cookies and site data local to the
domain visited in the URL of the browser. So if you are on domain “x”, and
there is an iframe into domain “z”, the data would be local to domain “x.z”.
When you would visit domain “y” which also has an iframe to domain “z”, its
data would be local to “y.z” and therefore you couldn’t be tracked by “z” when
going from “x” to “y”.

Of course that would probably break Google Analytics, so I don’t expect this
on Chrome.
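
Added example, not part of cm2187's comment: a toy cookie store in JavaScript showing the keying scheme described above, where storage is keyed by the pair (top-level site, embedded site) instead of by the embedded site alone. `CookieJar`, `embedLoad`, `simulate` and the `*.example` names are constructed for illustration and are not any browser's API.

```javascript
// Added illustration: a toy cookie store, not any browser's real implementation.
class CookieJar {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map(); // storage key -> Map(cookie name -> value)
  }

  // Unpartitioned: keyed by the cookie's own site only.
  // Partitioned: keyed by (top-level site, cookie site), the "x.z" idea.
  key(topLevelSite, cookieSite) {
    return this.partitioned ? `${topLevelSite}|${cookieSite}` : cookieSite;
  }

  get(topLevelSite, cookieSite, name) {
    const bucket = this.store.get(this.key(topLevelSite, cookieSite));
    return bucket ? bucket.get(name) : undefined;
  }

  set(topLevelSite, cookieSite, name, value) {
    const k = this.key(topLevelSite, cookieSite);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }
}

// Constructed third party "z.example": reads its uid cookie, mints one if absent.
function embedLoad(jar, topLevelSite, counter) {
  let uid = jar.get(topLevelSite, "z.example", "uid");
  if (uid === undefined) {
    counter.next += 1;
    uid = `uid-${counter.next}`;
    jar.set(topLevelSite, "z.example", "uid", uid);
  }
  return uid;
}

// Visit x, then y, then x again; return the identifier z.example sees each time.
function simulate(partitioned) {
  const jar = new CookieJar(partitioned);
  const counter = { next: 0 };
  return ["x.example", "y.example", "x.example"].map((site) =>
    embedLoad(jar, site, counter)
  );
}

console.log("shared jar:     ", simulate(false));
console.log("partitioned jar:", simulate(true));
```

Keying only changes what is stored and sent as a cookie; an identifier carried in the URL from x to y is not affected by it.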

~~~
joking
Not really, it would break AdWords, but for Google Analytics you don't need to
correlate the users between x.z and y.z, and if you need to, as you control both
sites, you can do it by changing the link between both to include the Google
Analytics session id (watch for the gid parameter in URLs).

~~~
cm2187
But how can google analytics tell the demographics of a site if it can not
identify its users and correlate it with what it knows on them?

------
delidumrul
I hope there could be more tests on Brave browser, too, which aims to improve
privacy. But its most lovely feature imo is opening any kind of tab (normal,
private, private on Tor network) on the same window. I wonder if this causes
some backdoors, though. I support so that it can become better.

------
k__
I worked for a web analytics company and they simply used reverse proxies.

~~~
orf
Mind elaborating?

~~~
k__
A company has multiple websites and all of them use a reverse proxy for
tracking. (a webserver that is between clients and the real webserver and just
"proxies" requests and responses between them, logging all that happens)

This is completely transparent from the outside.

~~~
greenshackle2
This is rather offtopic but it bothers me how most people in IT seem to use
'transparent' to mean 'opaque'.

When I hear PMs say "this change will be completely transparent to clients"
what they mean is, the client will see no difference, which means really, the
details are hidden in a black - opaque - box.

~~~
mehrdadn
It should make sense if you realize "transparent" means "no visible
difference".

~~~
jasonbarrah
Transparent has a unique meaning in the context of computing and a different
one in design, business and physics.

Importantly, however, tech people can claim they are being 'transparent'. To
them this can mean no visible difference to the user, and to everyone else it
means visible/public and available for scrutiny.

So yes, I am sure Zuckerberg is focused on 'transparency'.

~~~
NeedMoreTea
Quite so. A less intentionally disingenuous word for the computing context
would be "hidden".

------
w0mbat
From the awkward grammar of the name, this project must have been named by a
German.

------
phjesusthatguy3
Browsers don't automatically attach cookies to all HTTP requests by default.

------
lainga
If you don't want to visit BoingBoing,

[https://wholeftopenthecookiejar.eu/static/tpc-paper.pdf](https://wholeftopenthecookiejar.eu/static/tpc-paper.pdf)

~~~
efficax
do we hate boingboing now?

~~~
ldarby
There is a popup. Remember when browsers added popup blockers? They've worked
around them now with JS & CSS...

~~~
ColanR
uMatrix with first-party scripts disabled had no problem.

~~~
djsumdog
I was running uMatrix with first-party scripts disabled by default for a
while, but I found a lot of pages I needed 3 or 4 refreshes to get content. It
opened my eyes to how much simple static stuff is dependent on JavaScript;
stuff that really shouldn't be.

~~~
smichel17
I did the same, but instead decided most of those sites weren't worth my time.
(For the few that I cared about, I whitelisted the bits needed to function).

------
bankspot
Would it be possible to change the link from bb to the source:

[https://wholeftopenthecookiejar.eu/](https://wholeftopenthecookiejar.eu/)

~~~
sctb
Sure, we've updated the link from
[https://boingboing.net/2018/08/16/who-left-open-the-cookie-jar.html](https://boingboing.net/2018/08/16/who-left-open-the-cookie-jar.html).

------
fake-name
"Currently Unblockable"

Unless you don't allow jerberscript. Which blocks all of them.

Hyperbole, much?

~~~
benbristow
Don't allow 'jerberscript' and don't expect the web to work properly. Simple
as.

~~~
wwweston
If it doesn't work w/o js, it's not actually the web, the de facto truth of
your statement notwithstanding.

It's an eminently defensible descriptive statement; the trend is certainly
away from building the web and towards treating the browser as the VM to rule
them all. It is not a particularly well-defensible normative statement.

~~~
jrockway
I don't know if I agree with that. It's pretty standardized. Every user-agent
includes it.

You _can_ give people documents without scripts, but it's not mandatory for
them to work. And it's not like Javascript is some obscure single-vendor
extension, it's widely supported.

------
zaroth
Wait, I’m confused. These all seem like basic unit testing bugs?

Unit testing cookie read/write permissions isn’t “a thing?”

I’m going to say something crazy; At least some of the major browser vendors
are violating a warranty with this.

An entirely fake privacy crucial setting?! Obviously they knew and left it
there deceptively, because the alternative is even worse.

------
Y_Y
Despite the title, they do not actually host the techniques.

~~~
tango24
The definition of “host”, in this case, just means “many”.

~~~
eyeownyde
Collection

