Canada's online magazine: Politics, entertainment, technology, media, arts, books: backofthebook.ca

Politics, tech, media, culture and more, from a Canadian point-of-view


Beware the Evercookie!

10/19/2010 by backofthebook.ca

by Eric Pettifor

Yea, though ye have taken to heart the teaching that all men shall be as friendly smurfs one unto another, know that not all smurfs are as they seem, and trust no one.

I believe that’s from the Book of Ecclesiastes. Or possibly Saturday morning cartoons. X-Files? It’s hard to keep things straight after so many years of filling my head with junk. But one thing I’ve known for sure since the earliest days of the popular internet is that it’s risky to allow strangers to run code on your computer.

That said, I’m not excessively paranoid. I remember the hype regarding the danger of cookies when the public got wind of that, claims that cookies could spy on you, and such, when in actuality they’re just a hack to web standards to allow something called persistence.

A web server is like someone with serious, perpetual amnesia, unable to maintain a dialogue beyond a query and a response (okay, not quite as bad as that, but close). Reload the page, and once again you are a stranger. Cookies are like notes the amnesiac writes on your forehead. They can be as simple as a key which allows the amnesiac to look up more detailed notes, and thereby effectively remember. If you register for a site and get a user name, and then visit a week later and get a personalized greeting, that’s cookie magic — the server hadn’t a clue who you were until it looked it up from information on a key that you (or more accurately, your browser) provided.

Cookies were intended to be site specific, with only the domain that set them being allowed to read them. The problem there was that if an image or some other content was included from a third party domain, that domain could set a cookie as well, opening the door to tracking across domains.

Suddenly the humble cookie began to look a little less innocuous. It still couldn’t spy on you, being little more than a digital post-it note, but it could be used by others to spy on you, thus subverting the original intention of the cookie which was simply to serve as a cure for server amnesia.
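To see which cookies in a browsing session can link visits across domains, here is an added example (not part of the original article) that audits a constructed request log. The hostnames, cookie values and the `site` and `crossSiteCookies` helpers are all assumptions made for illustration.

```javascript
// Constructed request log, not captured traffic.
// page: the site the user was visiting; host: where a request went;
// cookie: what the browser sent to that host (null if nothing).
const requests = [
  { page: "news.example", host: "news.example",     cookie: "sess=a1" },
  { page: "news.example", host: "ads.tracker.test", cookie: "uid=77" },
  { page: "shop.example", host: "shop.example",     cookie: "cart=9" },
  { page: "shop.example", host: "ads.tracker.test", cookie: "uid=77" },
  { page: "shop.example", host: "cdn.static.test",  cookie: null },
  { page: "blog.example", host: "ads.tracker.test", cookie: "uid=77" },
];

// Assumption: the last two labels approximate the registrable domain.
// Real tooling should consult the Public Suffix List instead.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Returns third-party cookies presented from more than one first-party
// site, i.e. the ones that let a third party link visits across domains.
function crossSiteCookies(log) {
  const seen = new Map(); // "thirdPartySite|cookie" -> Set of first-party sites
  for (const { page, host, cookie } of log) {
    if (cookie === null || site(host) === site(page)) continue;
    const key = `${site(host)}|${cookie}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(site(page));
  }
  return [...seen]
    .filter(([, pages]) => pages.size > 1)
    .map(([key, pages]) => {
      const [thirdParty, cookie] = key.split("|");
      return { thirdParty, cookie, pages: [...pages].sort() };
    });
}

console.log(crossSiteCookies(requests));
```

First-party cookies such as `sess=a1` never appear in the result, because only the site that set them ever receives them.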

Are you still with me? Good, you’re my kind of people, then, ones who care about their online security. We’ll have lost those readers who became bored and went off to download more malware-infested shareware to install on their already poxy Windows machines, so I may not need to mention that most browsers have means whereby you can turn off third-party cookies, because you probably already know that. Just as you know that it’s pretty trivial to clear cookies from your browser, either en masse or individually. You know how to protect yourself from the worst abuses of cookies which nefarious web Gargamels might throw your way.

But what if there was a cookie you couldn’t delete? Worse than a flash cookie or local shared object, because those have become but individual heads on a multiheaded monster cookie. No longer a creature of theory or the lab, it’s alive! Chop off all but one of its eight heads, and the others will grow back again!

Are we doomed? Well, not really. The “evercookie” was created not by cyber-evil doers, but by security researcher Samy Kamkar who has provided the information for it quite openly. (Check this overview here.) Rest assured: browser developers everywhere are making certain their next release is safe against the evercookie. So far, it looks like the creature may be more of a problem for mobile devices than regular computers.

But you can’t keep a good monster down. How long after this is nailed will we see the marquee “EVERCOOKIE II: Just when you thought it was safe to surf again…”. Which brings me all the way back to my original point: Trust no one, and don’t let strangers run code on your computer.

No matter how old your browser is, you can defeat evercookie right now very simply. Just turn off JavaScript. That’s right, it is totally JavaScript dependent. If a site can’t get your browser to run some JavaScript, it can’t set an evercookie.
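The regrowing heads can be checked for by comparing what a site has stored before a cookie clear, after it, and after the next page load. This is an added example, not code from the original article or from the evercookie project; the snapshots are constructed and the store names and `findRespawned` helper are assumptions.

```javascript
// Constructed snapshots of one browser profile for one site (not real data).
// Keys are storage mechanisms; values are what the site keeps in each.
const beforeClear = {
  httpCookie:     { uid: "k3x9" },
  localStorage:   { uid: "k3x9", theme: "dark" },
  sessionStorage: {},
  flashLSO:       { uid: "k3x9" },
};
// The user clears HTTP cookies only.
const afterClear = { ...beforeClear, httpCookie: {} };
// Next page load with scripts allowed: the cookie is back.
const reloadWithJs = { ...afterClear, httpCookie: { uid: "k3x9" } };
// Next page load with scripts blocked: nothing could copy it back.
const reloadNoJs = { ...afterClear };

// Report entries that were deleted from `store`, reappeared there with the
// same value, and had a surviving copy in some other store in between.
function findRespawned(before, cleared, reloaded, store) {
  const findings = [];
  for (const [name, value] of Object.entries(before[store])) {
    const wasDeleted = !(name in cleared[store]);
    const cameBack = reloaded[store][name] === value;
    if (!wasDeleted || !cameBack) continue;
    // Stores that still held the value while the cookie was gone.
    const sources = Object.keys(cleared).filter(
      (s) => s !== store && Object.values(cleared[s]).includes(value)
    );
    if (sources.length > 0) findings.push({ name, value, sources });
  }
  return findings;
}

console.log(findRespawned(beforeClear, afterClear, reloadWithJs, "httpCookie"));
console.log(findRespawned(beforeClear, afterClear, reloadNoJs, "httpCookie"));
```

The `sources` list names the stores that also need clearing before the identifier is really gone.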

When I first started using the NoScript plugin for Firefox, I wondered if perhaps I wasn’t approaching a theoretical level of paranoia where paranoia becomes a bad thing. I had heard that this was possible. Was I in danger of crossing the line, especially given that I was already running Linux, thus largely invulnerable to most threats against Windows machines?

Apparently not. When it comes to standards, it doesn’t matter what OS you use, the old rule remains the same — be wary of letting strangers run code on your machine. You can ignore the rule, but if you do, be aware that you are like a naked person wandering a land where everything is set very close to the ground. I would explain that analogy, but there may be children reading, so I’ll just summarize it by saying if you cover your virtual behind in a general way, you won’t need to be as concerned about a whole class of threats where new ones emerge every day.

The NoScript plugin makes it very easy to allow scripts from sites you trust, either permanently or just for the current session. I highly recommend it, not just for the evercookie, but for all the script dependent evercookies and their kind to come.
