
Cookies, Supercookies and Ubercookies: Stealing the Identity of Web Visitors - randomwalker
http://33bits.org/2010/02/18/cookies-supercookies-and-ubercookies-stealing-the-identity-of-web-visitors/
======
randomwalker
There was an article here recently titled "Sniff browser history for improved
user experience" <http://news.ycombinator.com/item?id=1125777>

tptacek commented that it was a "batshit crazy idea," and that is exactly
right. This article is an example of how to (really) abuse history stealing.
As promised, a stronger variant I've been working on is coming soon.

------
tptacek
One way to look at this is, "Look how bad this browser behavior is for users!
We should eliminate it to protect them."

Another way to look at it is, "Imagine how horrific the impact of this problem
is going to become as researchers and criminals weaponize it. There is _no
way_ this browser behavior is going to survive. Therefore, it is a very bad
idea for us to rely on it in any way."

It's also a nice clean example of how weaponization, exploit development, and
full disclosure can move security forward. The worse this problem gets, the
more likely it is that it will get fixed.

~~~
randomwalker
A few security researchers, myself included, are getting together with one or
two Mozilla devs tomorrow in Mountain View to talk about this and other
related issues.

------
wvenable
Because of this article I installed the BetterPrivacy Firefox extension. Looks
like a good no-effort solution; I have it set to silently clear Flash cookies
and supercookies when the browser closes.

<https://addons.mozilla.org/en-US/firefox/addon/6623>

~~~
randomwalker
BetterPrivacy is good; it blocks Flash cookies, but I don't think it does
anything against browser fingerprinting, which is also a type of supercookie
(at least the way I use the term in the article).
<http://www.boingboing.net/2010/01/27/panopticlick-effs-to.html#comment-699959>

~~~
teeja
Ever since I replaced the Macromedia folder with a file called Macromedia,
BetterPrivacy hasn't erased a single LSO. Everything works.

------
shalmanese
Can anyone tell me why a user's identity is so important? Sure, with perhaps a
whole lot of algorithmic work, they might be able to serve me slightly better
ads but is that all it's good for? It seems like a whole lot of furor over
nothing.

~~~
randomwalker
I plan to address this in a future article, but here are two examples of many,
many things that can go wrong:

1. Throw up a customized phishing page mimicking a Google or FB login page
where you've already filled in their username, fill in stars in the password
box along with a message saying "Welcome back, shalmanese. Incorrect password."
or something like that. The percentage of people falling for this will be
_dramatically_ higher than a naive phishing attempt (and there are studies on
this).

2. Surveillance will become greatly easier: the government can subpoena just
about anyone to get information about you.

------
statictype
> The first for all the social networking sites to change their URL patterns
> by randomizing them so that point 4 above (predictable URL identifying that
> you belong to a group) is no longer true

Wouldn't this break one of the fundamentally nice things about the web? Being
able to refer to a page by a known fixed identity that can be bookmarked and
passed around?

Wouldn't it be a far better solution to fix the history sniffing issue at the
browser level, even if it means that CSS/JavaScript that relies on being able
to read a:visited (or whatever else) no longer works?

------
jderick
Frankly, I rarely ever use my browser history anyway. I think I will just
disable it entirely now.

------
proemeth
And the nice concept of cookie stuffing:
<http://en.wikipedia.org/wiki/Cookie_stuffing>