Posted on 01/08/2015 3:04:25 PM PST by Swordmaker
A security flaw means that users of almost every modern web browser can be surreptitiously tracked online without their knowledge, Ars Technica reports, even when they make use of private browsing.
Apple users are particularly vulnerable, as their devices do not have a function that lets users delete super cookies from their browsers.
Most websites place what's called a cookie on visitors' computers, which is used to track them and record their preferences. It's how websites can remember your password, for example. Like your web-browsing history, cookies are easy to delete. If you use your browser's private browsing mode, they're never saved in the first place. As a result, advertisers can't track you and other computer users can't go back and see what you looked at.
However, a flaw in a modern web-security feature called HTTP Strict Transport Security (HSTS) allows websites to plant super cookies that can be used to track web users' browsing habits even when private browsing is enabled.
Here's how it works.
Security researcher Sam Greenhalgh writes that HSTS allows a website to indicate that it should always be accessed using a secure connection that encrypts your communication with the site. This flag is then saved by your web browser, ensuring that any future visits to the website are secure. But websites can also abuse this power by using the feature to store a unique number that can be used to track your web browser.
And because HSTS carries over into private browsing, it means the super cookie can be used to track you whether you're attempting to cover your steps or not.
(Excerpt) Read more at businessinsider.com ...
Exactly. There is no harm in periodically wiping out all your cookies. Just login again to your favorite sites and provide your password. Besides, it gets you to remember your password. Too many people rely on the passwords being remembered by "the system" until one day you need to manually enter it but have to scramble to find out where you wrote it down. Another thing you can do is to use multiple browsers, some with private security and allowing nothing to be kept, and delete and reload them as needed. Others can allow cookies and only be used for the trusted sites. Too many people only use a single browser for everything they do. You want security, you need to stay on top of it just like guarding your home.
I also noticed on some sites, those that were cookie heavy, the site loads faster and smoother now that the cookies are gone.
I notice that effect after blocking most of the trackers on a site. Folks would be astonished at how many trackers most sites put on your computer. I've seen as many as 20 for a single site.
Apparently, if you use Internet Explorer, you are OK. . . because it doesn't use the "Super Cookies" at all. . . which may be a good thing, or a bad thing. . . partly because it is not fully compatible with the latest standards.
On the other hand, this whole thing is a "proof of concept" and really NOT an exploit at all. . . but a potential that IF a SECURE website really wanted to track your comings and goings with the Super Cookie, which is not really its designed purpose, they could with special code on their website. According to the article, no one is doing this, but they could. However, if you delete the Super Cookie, you also turn off the ability to use encryption to these sites when you are in Privacy Mode connection. . . and any data being sent is in clear text. . . and you will be susceptible to a man-in-the-middle attack. If you trust the site with your Financial information and investments, you should be OK with them knowing it's you connecting and tracking when you connect.
Good question. . . I sincerely hope that there are none out that will. . . but it was a scenario that was brought up in discussion of the pros and cons of the Super Cookie's uses. . . and what could happen if you delete them and why you may not want to. Once you've deleted the cookie, it is gone, even for the next session when you are NOT in Privacy Browsing mode. . . along with the data the bank may need, requiring you to input more information each time you log in.
That's not to say that every contrary article is a malicious hit piece - just that there are opinions pro and con about everything out there.
From the article at your link:
...you've heard us mention Ghostery. It's a solid privacy tool, but Mashable reports that you should stay away from its opt-in "GhostRank" feature, which sells data on the ads you block to the ad companies themselves.
Basically, their 'GhostRank' is an opt-in feature that I've never enabled, so at the very least I'm not participating in their data gathering campaign. Secondly, what GhostRank does, doesn't directly affect your personal privacy anyway - it simply gathers bulk information on ad blocking, which is then sold to advertisers to help them understand the ad blocking behavior of consumers in general.
No one at Ghostery is selling my private browsing info to anyone.
Here's a response from Adam DeMartino at Ghostery:
"The data we collect in GhostRank doesn't contain any information about the actual ads that were seen by panel members. Rather, we simply report on the technologies that are used to deliver those ads, the performance characteristics of the URLs those technologies were seen on, and if the user blocked that particular technology company. GhostRank can't see the actual ads or anything about the criteria that were used to target them."
I still like Ghostery and think it's a great tool, though I'm aware that there are other tracker blocking tools out there.
So much for activating the porn mode on your browser. ;-)
I use Chrome.
HTTPS Everywhere doesn’t give me secure sites when it says https?
I just installed it though I do have Webroot which I thought handles everything....will have to see how this goes...do I just let it do its thing then?
It does. . . but if you delete these Super Cookies, and then go to private browsing, it may mean that HTTPS will not work as advertised. The data sent will be in the clear and in text format instead of encrypted. It depends on how the browser handles it. This is built into the way the web works in HTML5.
Both Chrome and Safari are very HTML5 compliant.
Thanks for that info - many of us do not always grasp the real implications of some of the “techno-babble” and you generally clear it up for us non-nerds.
Ghostery will install a little icon on your browser's toolbar. When you visit a webpage it will show how many trackers are active on it. Just click on the icon and a drop-down menu will open up which displays the names and descriptions of every tracker it's found.
You'll see a little slider switch next to each of these names. If the switch is blue, then the tracker is active. Just click on the slider to move it to red, which turns the tracker off. Do that for each tracker, widget, beacon, advertiser, etc.
You can leave trackers enabled if you feel they're harmless or benign. You can also temporarily enable a tracker if having it turned off keeps you from opening a video, etc.
Hope that helps.
Not yet. But properly configured, the 32 bit software works like a charm. And it's fast and thorough.
It's been vetted worldwide for years. No problemo.
Okely dokely. Think I'll pass, just the same.
It won’t install on 64 systems, right?
ok I see it...thanks so much...I also have adblock and do not track me.....might be overdone? or will one override the other?
I just am not that computer literate when it comes to programs and such.
I'm more of a driver than a mechanic, so I'm probably not the best qualified person to answer that question.
I do know that similar programs can sometimes get into conflicts with each other. It's why I never use two programs of similar type simultaneously on my computer.
I'd say as long as you don't have Do Not Track Me automatically running in the background, you should be fine.
Just out of curiosity - is Ghostery showing any active trackers on any of the sites you've visited? That would be a good indicator of how well the other program is stopping them (or not stopping them).
Oh my gosh...Ghostery is showing one site had 16 trackers on it! Some 4 to 6 others in the teens. Can’t believe how “loaded” sites are with trackers. Seems like everything has trackers on it! WoW!....So it doesn’t appear the other Ad Block is interfering.
Google seems to track on every site in one form or another. Lots of ad types.
Maybe I should turn the do not track me off???