W3C home > Mailing lists > Public > public-privacy@w3.org > January to March 2015

Re: Super Cookies in Privacy Browsing mode

From: Robin Wilton <wilton@isoc.org>
Date: Fri, 9 Jan 2015 10:44:11 +0000
To: Wenning Rigo <rigo@w3.org>
CC: "public-privacy mailing list) (W3C" <public-privacy@w3.org>
Message-ID: <655F5DA7-1B54-4869-BE4F-2372E1E5DA6E@isoc.org>
Thanks Rigo - interesting article. 

If I read it correctly, the offending flag is set when the browser is in “normal” mode, and the vulnerability introduced by it is that it persists if the user switches to private browsing mode without first flushing the cookies accumulated while in “normal” mode. Doing that when you switch modes is a hassle, but then, so is cleaning your teeth - and both are good hygiene ;^)

Presumably another workable option is to have multiple browser instances, and to ensure that at least one is always set to private mode (so that you’re not switching from normal to private in the same browser).

R

Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society

email: wilton@isoc.org
Phone: +44 705 005 2931
Twitter: @futureidentity

On 8 Jan 2015, at 20:56, Rigo Wenning <rigo@w3.org> wrote:

> And here is the link after popular demand :( Sorry that I missed it..
> 
> http://arstechnica.com/security/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway/
> 
> On Thursday 08 January 2015 21:13:27 Rigo Wenning wrote:
>> Happy New Year!
>> 
>> Interesting article about how HTTP Strict Transport Security can be used to
>> circumvent the protections in the private browsing mode. But it seems to be
>> fixed in firefox >34. I don't know about the other browsers.
>> 
>> --Rigo


Received on Friday, 9 January 2015 10:44:43 UTC

This archive was generated by hypermail 2.3.1 : Friday, 9 January 2015 10:44:43 UTC