Re: Evercookie: Indestructible cookies

  I think we need more powerful cookie deletion facilities in the browser.
Alan Ruttenberg pointed to some third-party mechanisms to expunge all cookies.
Would be better if you could invoke these from the browser.
All the best, Ashok

On 9/25/2010 8:03 AM, Noah Mendelsohn wrote:
> Maybe the "private browsing" modes of user agents should address some of these, e.g. by clearing DNS caches, or perhaps selectively obscuring the availability certain fonts, etc.
>
> Yes, it's an arms race, but that seems to be a business that "private browsing" is already in?
>
> Noah
>
> On 9/25/2010 10:55 AM, Bjoern Hoehrmann wrote:
>> * Noah Mendelsohn wrote:
>>>      Specifically, when creating a new cookie, it uses the
>>>      following storage mechanisms when available:
>>>       - Standard HTTP Cookies
>>>       - Local Shared Objects (Flash Cookies)
>>>       - Storing cookies in RGB values of auto-generated, force-cached
>>>          PNGs using HTML5 Canvas tag to read pixels (cookies) back out
>>>       - Storing cookies in Web History (seriously. see FAQ)
>>>       - HTML5 Session Storage
>>>       - HTML5 Local Storage
>>>       - HTML5 Global Storage
>>>       - HTML5 Database Storage via SQLite"
>>
>> Note that it primarily exploits various methods for data storage which
>> are relative well known, but does not use much other information that
>> browsers and popular plugins volunteer to web sites, which tend to be
>> less well-known. The combination of fonts installed on my system for
>> instance is almost certainly unique, and the list can be obtained using
>> Flash, Silverlight, Java, and so on, and you can get reasonably close
>> to obtaining it through probing well-known names through JavaScript.
>> If it's not sufficiently unique, you can always exploit that I rarely
>> clear the DNS caches between browser and tracking sites, or whatever
>> else floats your boat.
>

Received on Saturday, 25 September 2010 17:09:37 UTC