Persistent Tracking using Supercookies and Evercookies
The concept of supercookies and ubercookies is not entirely new, but has been refined recently to turn them into digital cockroaches – very hard to permanently get rid of. Supercookies are basically an amalgamation of different software features that can be used to create a uniquely identifying token, usually one that is hard or too convoluted to delete. Now that HTML5 is becoming more widespread, there are even more options than before.
Modern supercookies comprise a number (or all) of the following:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
Ultimately, I wouldn’t panic and stop surfing the web just yet, but this goes to show how the evolution of the browser (and countless plugins that now go with it) is having an effect on privacy and security (which can’t quite keep up the pace set by innovation). Dominic White describes how to delete the Evercookie when using Safari on OSX. Others have written about how to do the same on Firefox and Chrome. One reddit user has created a pseudo lockdown-script which improves the security and privacy of Firefox by making some configuration changes (eg. disabling prefetching, geolocation, caching, etc).
This post by Christopher Soghoian provides a good argument for why privacy (and security, I would add) should be adopted in web browsers by default, instead of letting users fend for themselves. Some browsers are making an effort by adding features such as private browsing, cross-site scripting protection, and Google SafeSearch (although this impacts privacy by sending Google every URL you browse to), however all too often browser plugins and add-ons are given too many privileges.
Browser security and user awareness are becoming more important than ever as traditional programs are phased out and replaced by web applications. Unfortunately both of these are still lagging a bit behind.
<strong><strong> - Standard <a href="http://en.wikipedia.org/wiki/HTTP_cookie">HTTP Cookies</a>
- <a href="http://en.wikipedia.org/wiki/Local_Shared_Object">Local Shared Objects</a> (Flash Cookies)
- Silverlight <a href="http://www.silverlight.net/learn/quickstarts/isolatedstorage/">Isolated Storage</a>
- Storing cookies in RGB values of auto-generated, force-cached
PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in <a href="http://samy.pl/csshack/">Web History</a>
- Storing cookies in HTTP <a href="http://en.wikipedia.org/wiki/HTTP_ETag">ETags</a>
- Storing cookies in <a href="http://en.wikipedia.org/wiki/Web_cache">Web cache</a>
- <a href="http://en.wikipedia.org/wiki/HTTP_cookie#window.name">window.name</a> caching
- Internet Explorer <a href="http://msdn.microsoft.com/en-us/library/ms531424%28VS.85%29.aspx">userData</a> storage
- HTML5 <a href="http://dev.w3.org/html5/webstorage/#the-sessionstorage-attribute">Session Storage</a>
- HTML5 <a href="http://dev.w3.org/html5/webstorage/#dom-localstorage">Local Storage</a>
- HTML5 <a href="https://developer.mozilla.org/en/dom/storage#globalStorage">Global Storage</a>
- HTML5 <a href="http://dev.w3.org/html5/webdatabase/">Database Storage</a> via SQLite