Weekly Edition
Return to the Front page
| |||||||||||||
Mozilla versus the cookie monsterBack in February, Mozilla implemented a new cookie policy for Firefox, designed to better protect users' privacy—particularly with respect to third-party user tracking. That policy was to automatically reject cookies that originate from domains that the user had not visited (thus catching advertisers and other nefarious entities trying to sneak a cookie into place). The Electronic Frontier Foundation (EFF) lauded the move as "standing up for its users in spite of powerful interests," but also observed that cross-site tracking cookies were low-hanging fruit compared to all of the other methods used to track user behavior. But as it turns out, nipping third-party cookies in the bud is not as simple as Mozilla had hoped. The policy change was released in Firefox nightly builds, but Mozilla's Brendan Eich pointed out in May that the domain-based approach caused too many false positives and too many false negatives. In other words, organizations that deliver valid and desirable cookies from a different domain name—such as a content distribution network (CDN)—were being unfairly blocked by the policy, while sites that a user might visit only once—perhaps even accidentally—could set tracking cookies indefinitely. Consequently, the patch was held back from the Firefox beta channel. Eich commented that the project was looking for a more granular solution, and would post updates within six weeks about how it would proceed. Six weeks later, Eich has come back with a description of the plan. Seeing how the naïve has-the-site-been-visited policy produced false positives and false negatives, he said, Mozilla concluded that an exception-management system was required. But the system could not rely solely on the user to manage exceptions—Eich noted that Apple's Safari browser has a similar visited-based blocking system that advises users to switch off the blocking functionality the first time they encounter a false positive. This leaves a blacklist/whitelist approach as the "only credible alternative," with a centralized service to moderate the lists' contents. Perhaps coincidentally, on June 19 (the same day Eich posted his blog entry), Stanford University's Center for Internet and Society (CIS) unveiled just such a centralized cookie listing system, the Cookie Clearinghouse (CCH). Mozilla has committed to using the CCH for its Firefox cookie-blocking policy, and will be working with the CCH Advisory Board (a group that also includes a representative from Opera, and is evidently still sending out invitations to other prospective members). Eich likens the CCH exception mechanism to Firefox's anti-phishing features, which also use a whitelist and blacklist maintained remotely and periodically downloaded by the browser. Codex cookiusAs the CCH site describes it, the system will publish blacklists (or "block lists") and whitelists (a.k.a. "allow lists") based on "objective, predictable criteria"—although it is still in the process of developing those criteria. There are already four presumptions made about how browsers will use the lists. The first two more-or-less describe the naïve "visited-based" approach already tried by Safari and Firefox: if a user has visited a site, allow the site to set cookies; do not set cookies originating from sites the user has not visited. Presumption three is that if a site attempts to save a Digital Advertising Alliance "opt out cookie," that opt-out cookie (but not others) will be set. Presumption four is that cookies should be set when the user consents to them. The site also notes that CCH is contemplating adding a fifth presumption to address sites honoring the Do Not Track (DNT) preference. Obviously these presumptions are pretty simple on their own; the real work will be in deciding how to handle the myriad sites that fall into the false-match scenarios already encountered in the wild. To that end, CCH reports that it is in the initial phase of drawing up acceptance and blocking criteria, which will be driven by the Advisory Board members. The project will then hammer out a file format for the lists, and develop a process that sites and users can use to challenge and counter-challenge a listing. Subsequently, the lists will be published and CCH will oversee them and handle the challenge process. The site's FAQ page says the project hopes to complete drawing up the plans by Fall 2013 (presumably Stanford's Fall, that is). The details, then, are pretty scarce at the moment. The Stanford Law School blog posted a news item with a bit more detail, noting that the idea for the CCH grew out of the CIS team's previous experience working on DNT. Indeed, that initial cookie-blocking patch to Firefox, currently disabled, was written by a CIS student affiliate. Still, this is an initiative to watch. Unlike DNT, which places the onus for cooperation solely on the site owners (who clearly have reasons to ignore the preference), CCH enables the browser vendor to make the decision about setting the cookie whether the site likes it or not. The EFF is right to point out that cookies are not required to track users between sites, but there is no debating the fact that user-tracking via cookies is widespread. The EFF Panopticlick illustrates other means of uniquely identifying a particular browser, but it is not clear that anyone (much less advertisers in particular) use similar tactics. To play devil's advocate, one might argue that widespread adoption of CCH would actually push advertisers and other user-tracking vendors to adopt more surreptitious means of surveillance, arms-race style. The counter-argument is that ad-blocking software—which is also purported to undermine online advertising—has been widely available for years, yet online advertising has shown little sign of disappearing. Then again, if Firefox or other browsers adopt CCH blacklists by default, they could instantly nix cookies on millions of machines—causing a bigger impact than user-installed ad blockers. The other challenges in making CCH a plausible reality include the overhead of maintaining the lists themselves. The anti-phishing blacklists (as well as whitelists like the browser's root Certificate Authority store) certainly change, but the sheer number and variety of legitimate sites that employ user-tracking surely dwarfs the set of malware sites. Anti-spam blacklists, which might be a more apt comparison in terms of scale, have a decidedly mixed record. It is also possible that the "input" sought from interested parties will complicate the system needlessly. For example, the third presumption of CCH centers around the DAA opt-out cookie, but there are many other advertising groups and data-collection alliances out there—a quick search for "opt out cookie" will turn up an interesting sample—all of whom, no doubt, will have their own opinion about the merits of their own opt-out system. And that does not even begin to consider the potential complexities of the planned challenge system—including the possibility of lawsuits from blacklisted parties who feel their bottom-line has been unjustly harmed. Privacy-conscious web users will no doubt benefit from any policy that restricts cookie setting, at least in the short term. But the arms-race analogy is apt; every entity with something to gain by tracking users through the web browser is already looking for the next way to do so more effectively. Browser vendors can indeed stomp out irritating behavior (pop-up ads spring to mind), but they cannot prevent site owners from trying something different tomorrow. (Log in to post comments)
Tracking Protection Posted Jun 27, 2013 1:24 UTC (Thu) by michaelr (subscriber, #73025) [Link] When I first heard of the Cookie Clearinghouse, it sounded a lot like Internet Explorer's Tracking Protection Lists:
In fact, back when Microsoft introduced TPLs in IE 9, the EFF expressed many of the same concerns in this article, and some other ones (example: how is the end user supposed to figure out which whitelists and blacklists to trust?). The EFF blog post on TPLs and how they complement DNT is well worth reading.
Mozilla versus the cookie monster Posted Jun 27, 2013 3:38 UTC (Thu) by pabs (subscriber, #43278) [Link]
I block all cookies and temporarily enable cookies for one site when I login, post/read something and then log out again. Mostly I don't see any issues. Is the web really so reliant on cookies?
I would like to see much more fine-grained and creative ways for browsers to deal with cookies. Why can't I get my browser to ask me for each cookie? Or warn me that this site sets cookies even though I didn't login (and this is probably tracking me)? Or not accept cookies not sent over https? Or isolate cookies to the current window or tab? Or automatically expire cookies after I close the tab, click a link to another site or switch to another tab? Or automatically expire cookies after 5 minutes. Or disable sending cookies but store them and have options to whitelist some after the fact? Or keep that one cookie forever because it holds some settings I need enabled on the site.
Mozilla versus the cookie monster Posted Jun 27, 2013 6:56 UTC (Thu) by viiru (subscriber, #53129) [Link]
> I would like to see much more fine-grained and creative ways for browsers
> to deal with cookies.
I actually use a Firefox extension called Cookie Monster, which allows some of the policies you mention. I have it setup to reject cookies by default, and allow session cookies for specific sites (the ones I login to).
As far as I can see the internet isn't actually reliant on cookies at all, very few sites have any problems with this setup.
Mozilla versus the cookie monster Posted Jun 27, 2013 16:34 UTC (Thu) by wookey (subscriber, #5501) [Link]
I find when using links (which asks about every cookie by default) that the net rapidly gets very tedious because many many sites/pages deliver 3-5 cookies. I assume that a session cookie will benefit me, but most of the others are not for my benefit, but a few are, and some are important to site operation, but I found it very hard to determine what was a 'good cookie' and what was a 'bad cookie', not knowing much about the subject. Things like shops/buying transport tickets, seem to break if all cookies are disabled, but maybe things have changed recently. In the end I just enabled them all for an easy life but I'd verty much like some of the things pabs mentioned. Guess I should try Cookie monster.
Mozilla versus the cookie monster Posted Jun 27, 2013 7:55 UTC (Thu) by ballombe (subscriber, #9523) [Link]
I would welcome a browser extension that help users to modify cookies. This is a practice that should be much more widespread that it is now. There is place for lot of fun.
Mozilla versus the cookie monster Posted Jun 27, 2013 9:51 UTC (Thu) by copsewood (subscriber, #199) [Link]
There are a couple of Firefox add ons which address this requirement, including Cookies Manager + and Edit Cookies.
Mozilla versus the cookie monster Posted Jul 6, 2013 13:08 UTC (Sat) by oldtomas (guest, #72579) [Link] I would welcome a browser extension that help users to modify cookies There you go. And a very creative idea indeed :-) It's enlightening to watch this Slashdot discussion, especially all those "the sky is falling" and "the Net will crumble if you don't look at ads" posts. Can you say "professional bias"? BTW, vortex reminds me of a story I heard about one Norvegian village, where the supermarket introduced one of those discount cards (you pay a bit less and they track your behaviour for that). The customers decided to use the cards, but to swap them regularly.
Mozilla versus the cookie monster Posted Jun 27, 2013 7:17 UTC (Thu) by micka (subscriber, #38720) [Link]
> organizations that deliver valid and desirable cookies from a different domain name—such as a content distribution network (CDN)
I thought CDN where mostly for static content. Is there any need for cookies from CDNs ?
Mozilla versus the cookie monster Posted Jun 27, 2013 18:46 UTC (Thu) by dtlin (✭ supporter ✭, #36537) [Link] Suppose you run my-site.com but serve user-uploaded images from [0-9].insecure-content.net, for speed and/or security reasons. (Browsers have per-domain connection limits so you can load faster from many domain names; same-origin policies can help prevent malicious content from targeting your main domain.) Those images might be ACLed. So how do check which my-site.com user is accessing an image on insecure-content.net? With third-party cookies. If the user hits insecure-content.net with no cookies, it redirects to my-site.com (because that's where the real login cookies are). If the user is logged into my-site.com, it sets a third-party cookie and redirects back to insecure-content.net (so that it serves from the correct domain), otherwise it 403's. Even if the content itself is unchanging, permission checks aren't necessarily static. Some CDNs can handle this.
Mozilla versus the cookie monster Posted Jun 27, 2013 19:29 UTC (Thu) by rwmj (subscriber, #5474) [Link] How about you add a DNS record for cdn.my-site.com? Browsers have per-domain connection limits so you can load faster from many domain names -- and maybe they have this for a reason? I don't have much sympathy for sites that try to be aggressive with the bandwidth which I'm paying for. Rich.
Mozilla versus the cookie monster Posted Jun 27, 2013 20:31 UTC (Thu) by jimparis (subscriber, #38647) [Link]
> How about you add a DNS record for cdn.my-site.com?
Then the browser would consider it the same origin as www.my-site.com, and so you are losing the security benefits. By serving potentially malicious content from cdn.other-site.com instead, DOM access between the two domains is limited (among other things). For example, http://www.google.com/about/appsecurity/reward-program/ discusses how "*.googleusercontent.com" is Google's "sandbox" domain.
> Browsers have per-domain connection limits so you can load faster from many domain names -- and maybe they have this for a reason? I don't have much sympathy for sites that try to be aggressive with the bandwidth which I'm paying for.
It's a question of being aggressive with the server, not your bandwidth. The RFC2616 says you shouldn't have more than 2 persistent connections. If the server owner wants to increase that by adding more hostnames, that sounds fine to me.
Mozilla versus the cookie monster Posted Jun 30, 2013 15:11 UTC (Sun) by robert_s (subscriber, #42402) [Link]
This practice does really annoy me too. Especially those who serve direct from cloudfront, akamai etc domains. As a NoScript user, I have scripts from external domains blocked by default (speeds up the web no end). People putting critical site javascript on these common domains means I have to blanket-allow them, because unfortunately NoScript doesn't have the granularity to block/allow individual cloudfront/akamai subdomains.
And while I might trust the code that bitbucket may have decided to place on cloudfront, I don't necessarily trust the code Random Site XYZ has placed on cloudfront.
Mozilla versus the cookie monster Posted Jun 30, 2013 20:39 UTC (Sun) by apoelstra (subscriber, #75205) [Link]
> This practice does really annoy me too. Especially those who serve direct from cloudfront, akamai etc domains. As a NoScript user, I have scripts from external domains blocked by default (speeds up the web no end). People putting critical site javascript on these common domains means I have to blanket-allow them, because unfortunately NoScript doesn't have the granularity to block/allow individual cloudfront/akamai subdomains.
A (perhaps extreme) solution is to install RequestPolicy as well as noscript. This controls what domains can connect to what, although it is a bit irritating to use -- specifically it has no support for blacklists. So you will see the Usual Suspects (scorecardresearch, chartbeat, googlesyndication, facebook, twitter, ...) in the menu for most every site, which makes it hard to see the legitimate CDNs.
(I understand the next version will contain a complete redesign of the domain relationship handling, but who knows when/if that will be released.)
Mozilla versus the cookie monster Posted Jul 1, 2013 8:03 UTC (Mon) by TomH (subscriber, #56149) [Link]
NoScript certainly does have the granularity to do that. You just need to turn it on - go to the "Appearance" panel in the options and check "Full Domains" and you will be able to enable specific cloudfront etc subdomains.
Mozilla versus the cookie monster Posted Jul 3, 2013 23:38 UTC (Wed) by robert_s (subscriber, #42402) [Link]
Excellent! Never found that before.
|
|||||||||||||