Jim Verard
November 1st, 2007, 10:05 PM
Third-party cookies are a threat to privacy, no matter if they are session or persistent cookies and are deleted after the browser is closed, because after you leave a specific website, a different one can read the same cookie and identify you.
Let's say Google used a cookie for one of their services - Blogger (or even Orkut). There's another cookie which leads to Google.com itself. If I leave Orkut/Blogger without erasing the session/persistent cookie myself, each time I come to a different website which is using any of Google's services, Google might be identifying me, even if I am using a browser like XeroBank. Is that right?
I am asking you this because XB has an extension called PrefBar which allows me to place a button called "Clear Cookies", and I always push that button after I leave each website. It has become a habit for me.
And let's say some company owns different websites, different boards like Wilders Security and we don't know that. Is it possible for them, by only reading a cookie created on a different domain, to know that I am Jim Verard from Wilders?
People are usually afraid of being traced by the same website, but what about them tracing the others?
Possible host-services which are quite different (using a lot of different names and domains) but in the end are always the same company?
Anyway, I can't find any option here on Firefox to block third-party cookies. Perhaps this option was removed? Where is it? I remember it was possible to accept only cookies related to that specific domain. Not now.
Some useful information from Wikipedia about third-party cookies (http://en.wikipedia.org/wiki/HTTP_cookie):
{QUOTE-> Images or other objects contained in a Web page may reside in servers different from the one holding the page. In order to show such a page, the browser downloads all these objects, possibly receiving cookies. These cookies are called third-party cookies if the server sending them is located outside the domain of the Web page.
This condition is common with on-line advertisement. Indeed, web banners are typically stored in servers of the advertising company, which are not in the domain of the Web pages showing them. If third-party cookies are not rejected by the browser, an advertising company can track a user across the sites where it has placed a banner.
In particular, whenever a user views a page containing a banner, the browser retrieves the banner from a server of the advertising company. If this server has previously set a cookie, the browser sends it back, allowing the advertising company to link this access with the previous one.
By choosing a unique banner URL for every Web page where it is placed or by using the HTTP referer field, the advertising company can then find out which pages the user has viewed. The same technique can be used with web bugs. These, unlike the obvious banners, are images embedded in the Web page that are undetectable by the user (e.g. they are tiny and/or transparent).
Third-party cookies are used to create an anonymous profile of the user. This allows the advertising company to select the banner to show to a user based on the user's profile. The advertising industry has denied any other use of these profiles.
Many modern browsers, such as Mozilla Firefox, Internet Explorer and Opera block third party cookies if requested by the user. Internet Explorer version 6 allows a mild form of blocking, called leashing. A leashed cookie is a third-party cookie that is sent by the browser only when accessing a third-party document via the same first-party.
For example, if third.com sets a cookie when an image is requested, and this cookie is set for the first time when the user views a document from first.com, the same cookie is not sent if the user downloads a document that contains the same image but the document is on another site other.com, if the cookie is leashed.
A leashed cookie is different from a blocked cookie in that it is sent, in this example, if the image is contained in another document from the same site first.com. <-QUOTE}
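The three browser behaviours named in the quoted Wikipedia passage (accepting, leashing and blocking third-party cookies), as an added example that is not part of the original post: a JavaScript toy model showing which first-party sites a banner server at third.com can tie to one cookie ID under each policy. The `uid-N` values are constructed, and storing a leashed cookie per (third party, first party) pair is an assumption of this model.

```javascript
// Added example: toy model of a browser's third-party cookie policy.
// "accept" stores and sends everything, "leash" follows the IE6 leashing
// from the quote, "block" rejects third-party cookies.
function makeBrowser(policy) {
  return { policy, jar: new Map() }; // jar key -> cookie value
}

// Assumption: a leashed cookie is stored per (third party, first party) pair.
function jarKey(browser, firstParty, thirdParty) {
  return browser.policy === "leash" ? `${thirdParty}|${firstParty}` : thirdParty;
}

function makeTracker() {
  let nextId = 1; // constructed IDs: uid-1, uid-2, ...
  const log = []; // one entry per banner request: { id, page }
  // serve() records the request and returns a Set-Cookie value or null.
  const serve = (cookie, referer) => {
    const id = cookie ?? `uid-${nextId++}`;
    log.push({ id, page: referer });
    return cookie ? null : id;
  };
  return { log, serve };
}

// The user views a page on firstParty that embeds a banner from thirdParty.
function visit(browser, tracker, firstParty, thirdParty = "third.com") {
  if (browser.policy === "block") {
    tracker.serve(undefined, firstParty); // banner still loads, no cookie kept
    return;
  }
  const key = jarKey(browser, firstParty, thirdParty);
  const setCookie = tracker.serve(browser.jar.get(key), firstParty);
  if (setCookie) browser.jar.set(key, setCookie);
}

// Run a browsing session; return the sites the tracker can tie to each ID.
function simulate(policy, pages) {
  const browser = makeBrowser(policy);
  const tracker = makeTracker();
  for (const page of pages) visit(browser, tracker, page);
  const byId = new Map();
  for (const { id, page } of tracker.log) {
    if (!byId.has(id)) byId.set(id, new Set());
    byId.get(id).add(page);
  }
  return [...byId.values()].map((sites) => [...sites].sort().join(","));
}

const pages = ["first.com", "other.com", "first.com"];
for (const p of ["accept", "leash", "block"]) console.log(p, simulate(p, pages));
```

With "accept" one ID covers both first.com and other.com; with "leash" each site gets its own ID, and the return visit to first.com reuses the first one; with "block" every request carries a fresh ID that the browser never stores.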