by Eric Pettifor
Yea, though ye have taken to heart the teaching that all men shall be as friendly smurfs one unto another, know that not all smurfs are as they seem, and trust no one.
I believe that’s from the Book of Ecclesiastes. Or possibly Saturday morning cartoons. X-Files? It’s hard to keep things straight after so many years of filling my head with junk. But one thing I’ve known for sure since the earliest days of the popular internet is that it’s risky to allow strangers to run code on your computer.
That said, I’m not excessively paranoid. I remember the hype regarding the danger of cookies when the public got wind of that, claims that cookies could spy on you, and such, when in actuality they’re just a hack to web standards to allow something called persistance.
A web server is like someone with serious, perpetual amnesia, unable to maintain a dialogue beyond a query and a response (okay, not quite as bad as that, but close). Reload the page, and once again you are a stranger. Cookies are like notes the amnesiac writes on your forehead. They can be as simple as a key which allows the amnesiac to look up more detailed notes, and thereby effectively remember. If you register for a site and get a user name, and then visit a week later and get a personalized greeting, that’s cookie magic — the server hadn’t a clue who you were until it looked it up from information on a key that you (or more accurately, your browser) provided.
Cookies were intended to be site specific, with only the domain that set them being allowed to read them. The problem there was that if an image or some other content was included from a third party domain, that domain could set a cookie as well, opening the door to tracking across domains.
Suddenly the humble cookie began to look a little less innocuous. It still couldn’t spy on you, being little more than a digital post-it note, but it could be used by others to spy on you, thus subverting the original intention of the cookie which was simply to serve as a cure for server amnesia.
Are you still with me? Good, you’re my kind of people, then, ones who care about their online security. We’ll have lost those readers who became bored and went off to download more malware-infested shareware to install on their already poxy Windows machines, so I may not need to mention that most browsers have means whereby you can turn off third-party cookies, because you probably already know that. Just as you know that it’s pretty trivial to clear cookies from your browser, either en masse or individually. You know how to protect yourself from the worst abuses of cookies which nefarious web Gargamels might throw your way.
But what if there was a cookie you couldn’t delete? Worse than a flash cookie or local shared object, because those have become but individual heads on a multiheaded monster cookie. No longer a creature of theory or the lab, it’s alive! Chop off all but one of its eight heads, and the others will grow back again!
Are we doomed? Well, not really. The “evercookie” was created not by cyber-evil doers, but by security researcher Samy Kamkar who has provided the information for it quite openly. (Check this overview here.) Rest assured: browser developers everywhere are making certain their next release is safe against the evercookie. So far, it looks like the creature may be more of a problem for mobile devices than regular computers.
But you can’t keep a good monster down. How long after this is nailed will we see the marquee “EVERCOOKIE II: Just when you thought it was safe to surf again…”. Which brings me all the way back to my original point: Trust no one, and don’t let strangers run code on your computer.
No matter how old your browser is, you can defeat evercookie right now very simply. Just turn off javascript. That’s right, it is totally javascript dependent. If a site can’t get your browser to run some javascript, it can’t set an evercookie.
When I first started using the NoScript plugin for Firefox, I wondered if perhaps I wasn’t approaching a theoretical level of paranoia where paranoia becomes a bad thing. I had heard that this was possible. Was I in danger of crossing the line, especially given that I was already running Linux, thus largely invulnerable to most threats against Windows machines?
Apparently not. When it comes to standards, it doesn’t matter what OS you use, the old rule remains the same — be wary of letting strangers run code on your machine. You can ignore the rule, but if you do, be aware that you are like a naked person wandering a land where everything is set very close to the ground. I would explain that analogy, but there may be children reading, so I’ll just summarize it by saying if you cover your virtual behind in a general way, you won’t need to be as concerned about a whole class of threats where new ones emerge every day.
The NoScript plugin makes it very easy to allow scripts from sites you trust, either permanently or just for the current session. I highly recommend it, not just for the evercookie, but for all the script dependent evercookies and their kind to come.