Worried about Super Cookies? Here Is How To Protect Yourself

With Verizon’s $1.35 million FCC fine over violating net neutrality by using Super Cookies, consumers have become aware of a new breed of Cookies.

These are Cookies that store large amounts of tracking information on the user’s machine and that the browser cannot block, even in privacy mode.
Such Cookies can track users across the web and allow capturing of personal information even if Cookies have been cleared or disabled on the browser.

In this article, I will try and explain the different types of browser storage Super Cookies use and how to erase them from your machine.

To understand what Super Cookies are, first we need to learn what a Cookie is.

What is a Cookie?

An HTTP cookie is a small piece of data sent from a website and stored in the user’s web browser while the user is browsing.

There are several types of Cookies: Session, Persistent, Secure and HttpOnly.

Cookies can be limited to the website that sent them or be visible to third parties.

As an example, suppose a user visits http://www.invertedsoftware.com. This web site contains an advertisement from ad.banners.com, which, when downloaded, sets a cookie belonging to the advertisement’s domain (ad.banners.com). Then, the user visits another website, http://www.yardsale-finder.com, which also contains an advertisement from ad.banners.com, and which also sets a cookie belonging to that domain (ad.banners.com).

Eventually, both of these cookies will be sent to the advertiser when loading their advertisements or visiting their website.

The advertiser can then use these cookies to build up a browsing history of the user across all the websites that have ads from this advertiser.

Cookies can pose a significant security risk if they claim a Top-Level Domain as their origin, for example .com, because they could then be shared across every .com website, potentially sharing information.

Top level domain cookies are automatically blocked by the browser.
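
The two behaviours described above (a third-party ad cookie being sent back from every site that embeds the ad, and the browser refusing a cookie scoped to a Top-Level Domain) can be seen in a simplified cookie jar. This is an added example, not code from the original article; the `CookieJar` class, the `uid`/`id` cookie names and the tiny `PUBLIC_SUFFIXES` list are constructed for illustration, and real browsers use the full Public Suffix List.

```javascript
// Added example: simplified cookie Domain handling, modeled on RFC 6265.
// PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

// True when `host` equals `domain` or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }
  // Store a cookie set by `responseHost`; returns false when it is rejected.
  set(responseHost, name, value, domainAttr) {
    const host = responseHost.toLowerCase();
    let domain = (domainAttr || '').toLowerCase().replace(/^\./, '');
    const hostOnly = domain === '';
    if (hostOnly) domain = host;
    // A Domain of ".com" would make the cookie visible to every .com site.
    if (!hostOnly && PUBLIC_SUFFIXES.has(domain)) return false;
    // A server may only set cookies for its own host or a parent of it.
    if (!domainMatches(host, domain)) return false;
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }
  // Cookie header value the browser would attach to a request for `requestHost`.
  header(requestHost) {
    const host = requestHost.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed walk-through of the article's scenario.
function demo() {
  const jar = new CookieJar();
  const tldRejected = !jar.set('www.invertedsoftware.com', 'id', 'x', '.com');
  // The ad embedded on the first site sets a cookie for its own domain.
  jar.set('ad.banners.com', 'uid', 'abc123');
  return {
    tldRejected,
    // Loading the same ad from www.yardsale-finder.com sends that cookie back.
    sentToAdvertiser: jar.header('ad.banners.com'),
    sentToOtherSite: jar.header('www.yardsale-finder.com'),
  };
}
```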

Flash Cookies

A Flash cookie (Local Share Object, or LSO) is a collection of cookie-like data that a Web site running Adobe Flash can place on your hard drive. Just like regular cookies, Flash cookies contain tracking information about you.

Flash cookies are stealthier than regular cookies and Flash can install cookies on your computer without your permission.
For security reasons, Inverted Software recommends disabling the Flash and Java plugins on your browser.

Super Cookies and HTML5

With HTML5, browser storage has evolved beyond simple Cookies and as web applications transform to SPA (Single Page Applications), they utilize more client side computing and make use of modern APIs to store information.

I will expand more on Single Page Applications at a later post.

Here are the major HTML5 storage APIs:

Session Storage

Data stored in Session Storage gets cleared when the page session ends.

A page session lasts for as long as the browser is open including page reloads and restores.

Opening a page in a new tab or window will cause a new session to be initiated.

Local Storage

Local Storage is an internal browser key value pair store.

Unlike cookies, the storage limit is far larger (at least 5MB) and information is not transferred with HTTP requests unless requested by the server.

Storing and retrieving data is extremely simple and looks like:

localStorage.setItem("lastname", "Smith");


Web SQL

Web SQL Database is a web page API for storing data in databases that can be queried using a variant of SQL.

Web SQL is a real, relational database implementation on the client (SQLite) and contains relational tables, however, the spec is somewhat controversial and the W3C Web Applications Working Group ceased working on the specification in November 2010, citing a lack of independent implementations.

Indexed DB

IndexedDB is a transactional database embedded in the browser.

The database is organized around collections of JSON objects, similar to NoSQL databases such as MongoDB or CouchDB.

Each object is identified with a key generated during insert. An indexing system optimizes access to objects.
The Indexed Database API, or IndexedDB (formerly WebSimpleDB), is a W3C recommended web browser standard interface for a transactional local database of collections of JSON objects with indices. W3C issued its final recommendation for the IndexedDB interface on January 8, 2015.

Fallbacks with localForage

As not all browsers fully support all three persistent storage APIs mentioned above, some JavaScript libraries provide a unified development API with fallbacks to the browser’s supported storage.

Developing with those libraries means a website doesn’t need to check for browser capabilities; instead, it can just use the library’s API.

One such library is Mozilla’s own localForage.

localForage is a fast and simple storage library for JavaScript.

localForage improves the offline experience of your web app by using asynchronous storage (IndexedDB or WebSQL) with a simple, localStorage-like API.

localForage uses localStorage in browsers with no IndexedDB or WebSQL support.

Here is an example of how to use localForage:

localforage.setItem('key', 'value', function (err) {
    // if err is non-null, we got an error
    localforage.getItem('key', function (err, value) {
        // if err is non-null, we got an error. otherwise, value is the value
    });
});

Clearing Offline Data

To see what your browser stores for a website, simply open the Developer Tools by pressing F12.
Click on the Resources tab and you will see localStorage’s content. From there you can add/edit/delete entries manually.


So how can we clear Super cookies off our computer?

On your browser, navigate to clear history.

As storage does not have an expiration date, select clear everything from the beginning of time.

This will clear all of your cookie and offline storage data.


For advanced users: type localStorage.clear() in your browser’s console window to clear the current site’s Local Storage data in its entirety.
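
Since localStorage.clear() covers only one of the storage types discussed in this article, the following added example (not part of the original article) lists and clears everything the current site can reach from script: Local Storage, Session Storage, script-visible cookies and IndexedDB. The function name `clearOriginStorage` and its `env` parameter are assumptions made for the example.

```javascript
// Added example: inventory and clear what the current origin can reach from script.
// `env` defaults to the page's global object; a stand-in can be passed for testing.
async function clearOriginStorage(env = globalThis) {
  const report = { localStorage: [], sessionStorage: [], cookies: [], indexedDB: [] };

  for (const area of ['localStorage', 'sessionStorage']) {
    const store = env[area];
    if (!store) continue;
    for (let i = 0; i < store.length; i++) report[area].push(store.key(i));
    store.clear(); // note the lowercase "c"
  }

  // HttpOnly cookies are invisible to script and are not touched here.
  // Only cookies set with path=/ on this exact host are expired by this write.
  if (env.document && env.document.cookie) {
    for (const pair of env.document.cookie.split(';')) {
      const name = pair.split('=')[0].trim();
      if (!name) continue;
      report.cookies.push(name);
      env.document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
    }
  }

  // indexedDB.databases() is missing in some older browsers.
  if (env.indexedDB && typeof env.indexedDB.databases === 'function') {
    for (const { name } of await env.indexedDB.databases()) {
      report.indexedDB.push(name);
      env.indexedDB.deleteDatabase(name);
    }
  }
  return report;
}
```

In a browser console, `clearOriginStorage().then(console.log)` reports what was removed for the current site only. Web SQL exposes no script API for dropping a database, so it still needs the browser's clear-history dialog.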



As technology evolves, so do the capabilities of your browser and the web applications it runs.

Net neutrality is the principle that Internet service providers should enable access to all content and applications regardless of the source, and without favoring or blocking particular products or websites.

If you are worried about Super Cookies tracking your web habits, remember: many websites rely on Local Storage to operate correctly.
For increased privacy, delete your complete browser history after every session, or use a plug-in such as uBlock Origin and others to help with blocking unwanted content.
