Hacker News new | past | comments | ask | show | jobs | submit login
Google Warns Against Blocking Cookies Entirely, Triggering Criticism (wsj.com)
43 points by dominik 53 days ago | hide | past | web | favorite | 34 comments

I recall PHK's humble proposal for replacing cookies. Instead of the server sending cookies to the browser, the browser sends an ED25519 key, a "Browser Identity", to the server. Anything that the server wishes to personalize for that identity can be encrypted with the identity's key. At the same time, the browser user is free to choose whichever identity they like, including a fresh/nonce identity.

Never trust anything from the client.

[1] https://research.kudelskisecurity.com/2017/10/04/defeating-e...

Oh, the intent is to share the key across devices, right?

Right. The server knows a user by their identity key, not necessarily by the device that the key is on. Since keys are lightweight, synchronizing them across devices is akin to managing metadata.

Further, servers are free to keep private information on identities, with the understanding that identities are so flimsy that any single identity profile is not worth data-mining. This won't prevent tracking from truly big players, like Google, AWS, or Cloudflare, but it greatly cuts down on their ability.

This reminds me of moot's concept of prismatic identity.

Google wants to get out ahead of the shift in consumer sentiment on data privacy and ad targeting. No doubt they only have their own best interests in mind. They shouldn’t have a seat at the table when the legislation is being written.

Does it really matter what Google wants?

I use laptops for coding and ML (one of my laptops has a 1070 GPU). I use Firefox with containers, one for each major site (Twitter, Google properties, HN, etc.). I only delete all cookies in Firefox about once a month - probably not nearly often enough, even using containers.

I do most of my web browsing on an iPad Pro and I delete all cookies on Safari very frequently.

I pay Google for Play Music, buy books and movies, and use GCP - that is enough revenue for them, so I feel like they still make money from me. Twitter makes money by showing me ads. Anyway, I feel just fine about frequently nuking cookies.

I only delete all cookies in Firefox about once a month - probably not nearly often enough, even using containers.

I recommend Cookie auto delete if you haven't considered it before: https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

Yes, because that is probably not the setup/workflow that the majority of internet users are using.

Also, I'm not sure how useful deleting cookies is today if the new cookie can immediately be re-linked with the old profile the moment you log into your Google account.

List of installed plugins, screen size, IP, and User-Agent are probably far more effective than cookies anyways.

The propaganda machine that is WSJ. I'm glad that I don't pay $300 / year for that. Here is a quote from the article:

> Cookies are small text files stored in internet browsers that let companies follow users around the internet, gathering information such as which sites they visit and what ads they view or click.

Compare that to the definition from Wikipedia:

> An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user's browsing activity (including clicking particular buttons, logging in, or ...

I don't see how the wsj quote is misleading or wrong.

It's a close enough approximation for laypersons reading a non-technical newspaper. It's also a definition that's more closely aligned with the article's subject.

I don't know about you but if I didn't know what Gluten was and an article simply defined it as "Gluten is a protein that causes diseases such as celiac disease" for its audience to further its argument I'd consider that misleading and wouldn't trust the author anymore.

They both describe pretty identical things. The WSJ article describes in a more practical way what scenarios cookies (as defined on the Wikipedia's page you cited) enable.

So, in many ways WSJ did a superb job here in describing what the actual implications are.

See my comment above.

Ah, what fantastic reporting. They don't bother to mention that cookies can be used for things other than ad-tracking....

A cookie (or any fingerprinting) shouldn't be necessary for a search query. Yes, the results might be "less relevant". That's fine, acceptable, and even _desired_.

That's irrelevant. Cookies are used for tons of things besides search personalization and "user tracking" (in the nefarious sense). Blocking all cookies is throwing the baby out with the bathwater.

Neither Firefox nor Safari have claimed we should block all cookies. They've committed to taking large steps towards blocking 3rd-party cookies.

I don't think Google is intentionally confusing that distinction, and I wouldn't accuse them of that. As much as I find their arguments on this subject disingenuous and distasteful, they haven't claimed anything on that scale.

However, whenever Google proposes a privacy/security change, HN has a habit of accidentally conflating their specific arguments with the broadest, most general terms. Debates about specific policies become debates about whether or not broad, sweeping statements are true: Statements like, "all cookies are bad", or "browser extensions should be able to do whatever they want."

Google's argument here isn't even really about cookies at all, it's about tracking and advertising in general. Google is arguing that whatever privacy improvements we add to browsers, we need to make sure that advertisers can still serve personalized ads that follow users around the web. They are proposing separate standards from Mozilla and Safari that they say would improve privacy while allowing them to continue their current business model.

The confusion between Safari's actual cookie policy and this fictional "get rid of all cookies" policy that no browser has proposed is adding a lot of noise to the discussion. I assume this confusion is accidental, but it has the potential to really derail conversations.

Blocking all third-party cookies would suit me just fine.

Well that's a very different case from blocking all cookies!

If you blocked all cookies, you can't establish a session on any sites at all. If can accept that,what's the problem with blocking them?

If you can accept that you won't be able to login, buy stuff, or save settings on websites, then I guess there is nothing wrong with blocking cookies.

Why? Why can't I have the browser maintain an in-memory session that is reset if the browser instance dies? When I login, the browser creates an in-memory session that is used just as today for session identification purposes. The only issue would be that if the browser crashes, or I close that window/tab, I'll have to relogin, which I'm totally fine with.

Conceptually similar to using a private/incognito mode all the time?

Every problem has a solution.

> Why can't I have the browser maintain an in-memory session that is reset if the browser instance dies?

But... you're describing 1st party cookies. You can already set Firefox to delete all cookies whenever the browser is closed. It's not just that this problem has a solution, the solution is already implemented and live today in every major browser.

It's also not 'conceptually' similar to private/incognito mode, it literally is private/incognito mode. Private mode is just Firefox storing all of your session/cookie data in RAM so that it will get deleted when the browser closes. The main difference is that private mode is more aggressive, because it includes downloads/history in the deleted session, and takes extra steps to make sure the data won't accidentally get cached even in temporary files.

The big reason browsers are getting more aggressive about 3rd-party cookies is that they can be used to track you across domains even during browsing sessions, so there's often a good reason to block known tracking cookies outright. Additionally, most ordinary users want cookies to persist between browser sessions, so to enable that behavior we have to be more creative about figuring out which cookies are harmful -- then we can remove them even for ordinary users. It turns out that blocking 3rd-party cookies can sometimes be a useful way to filter "good" and "bad" session data.

But if you don't fall into that category of user, and you're OK with needing to re-log into sites when you open the browser, then go wild. Switching to temporary cookies will definitely help with your privacy, and Firefox even includes ways for you to whitelist any sites where you do want cookies and localstorage to be persistent.

Fair enough.

Except that some websites now refuse to let you see their content unless you explicitly let them set cookies first.

I discovered this because I use uMatrix and block first-party cookies by default.

Amen to this!


It greatly depends on what you do. For example, I have spent last hour reading HN, and visited dozens of different websites. None of them needed cookies at all, except HN itself (for user login).

A cookie could store the session id from a load balancer or app server, designed to beneficially route your return traffic back to the same warm appserver to reduce disk load times or whatnot. Blocking that cookie has no observable benefit/drawback to you, but possibly impacts the backend in a negative manner by triggering a fresh session on every visit/hit.

> I have spent last hour reading HN, and visited dozens of different websites. None of them needed cookies at all, except HN itself (for user login).

> A cookie could store the session id from a load balancer or app server

These two are not mutually exclusive. The exact same cookie used for logging can also be used to store your session id for internal routing.

So, good for the user, who can't know what its session tracking cookie is used for, but bad for the server, who will have to come up with a better routing-and-whatnot scheme than relying on the user to willingly provide information they have a very real incentive not to provide.

What is your opinion on explicit whitelisting? I disabled all cookies by default and added sites to a white list as needed, and it turns out that most sites really don't use cookies for anything that's useful to the user.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact