Zombie Cookies, New Plague In Town ?

[Renk]

The war against persistent zombie cookies—cookies that never seem to lose your data, even when you delete them—rages on, as users learn more about the technology. While awareness is rising thanks to widespread coverage of Flash cookies and, more recently, HTML5's storage capabilities, we have a long way to go before Internet users can avoid persistent tracking. Like all zombie wars, this one will take some time to win; and if you thought things were bad now, they're about to get worse.

Case in point: evercookie, an open source JavaScript API by developer Samy Kamkar. When implemented by a website, evercookie stores a user ID and cookie data in not two, not three, but eight different places—with more on the way. Among them are your standard HTTP cookies, Flash cookies, RGB values of force-cached PNGs, your Web history, and a smattering of HTML5 storage features. In addition, Silverlight Storage and Java are apparently on the way.

So, when you delete the cookie in one, three, or five places, evercookie can dip into one of its many other repositories to poll your user ID and restore the data tracking cookies. It works cross-browser, too—if the Local Shared Object cookie is intact, evercookie can spread to whatever other browsers you choose to use on the same machine. Since most users are barely aware of these storage methods, it's unlikely that users will ever delete all of them.

"Simply think of it as cookies that just won't go away," reads the evercookie FAQ.

Zombie cookie wars: evil tracking API meant to "raise awareness"

evercookie - virtually irrevocable persistent cookies

Has someone some idea to effectively fight that sh*t (apart from running my browser in VM such as Returnil with only RAM session allowed, because what if Iwant to save some stuff to my HD ?)

I need an addon named "Alice" or something like that....

[anon]

Opera's private tabs appear to work against this. Once all such tabs are closed, that site can no longer read any of the evercookies it set last time.

[tokiodrift1]

U may use BetterPrivacy in FF.

[Instab]

this one can do it offline. not a browser plugin tho
BleachBit | BleachBit

[Renk]

U may use BetterPrivacy in FF.

I have BetterPrivacy, but it monitors only flash cookies, in Application Data\Macromedia directory.

this one can do it offline. not a browser plugin tho
BleachBit | BleachBit

Thanks. I didn't know this soft. It's claimed here that the last prerelease version of Bleachbit (BleachBit 0.8.1 beta 2) get rid of evercookies.

More cautiously, the Bleachbit's beta test site asks beta testers to verify that this version truely defeats evercookies.

[Renk]

For those interested: Bruce Schneier covered this subject recently:
Schneier on Security: Evercookies

[Renk]

Apart from BleachBit 0.8.7, FF user can fight Never Cookies with a new addon, Anonymizer Nevercookie. It requires you first select private browsing:


As the author claim:

Introducing Anonymizer Nevercookie™, a FREE Firefox plugin that protects against the Evercookie API. The plugin extends Firefox’s private browsing mode by preventing Evercookies from identifying and tracking users.

Evercookie is a new, more persistent cookie form that enables the storage of cookie data in a number of different locations, such as Flash cookies and various locations of HTML5 storage. This allows websites to track user behavior even when users have enabled private browsing. Because an Evercookie stores data in locations outside of where standard cookies are stored, an Evercookie can rebuild itself unless users go through a number of steps to completely clear and reset their local storage.

Anonymizer Nevercookie simplifies this process and eliminates the manual steps required to completely remove Evercookies. And it does so without also removing all of the necessary cookies that a user actually wants to keep, such as those for browsing history and remembered logins. When Anonymizer Nevercookie is engaged along with Firefox’s private browsing mode, it quarantines an Evercookie and removes it after the browsing session.

Nevercookie™ - The Evercookie Killer | Anonymizer

EverCookie, a cookie that you cannot delete; maybe with BleachBit and Anonymizer Nevercookie | The Windows Club

[anon]

These are the results I get using a hardened Firefox, temporarily allowing the whole page in NoScript:



The window.name can be cleared by running javascript:window.name="";alert("done");, and then no traces of the cookie are left.