Interesting read on the evercookie!

Discussion in 'privacy general' started by ratchet, Sep 22, 2010.

Thread Status:
Not open for further replies.
  1. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,562
    Location:
    U.S.A.
    BoerenkoolMetWorst, you're welcome! Yes, Steve Gibson & Leo Laporte did a good job in that episode. Take care.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ BoerenkoolMetWorst

    Yes it's a potential nightmare :eek:

    @ JRViejo

    Thanks for the Security Now! Episode #270 news, good read :thumb:

    *

    IE & UserData Persistence

    According to SG in there.

    In previous versions of IE on the Advanced tab of Internet Explorer you could disable UserData Persistence, and i know it's on IE6 and have it disabled.

    But now it's disappeared from the UI !

    And you are no longer able to turn it off !

    Anybody found a way to disable it in later versions ? Maybe via a registry tweak.

    I'm not asking for me, as I don't use later versions of IE, just curious to know, and for others ;)
     
  3. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    Yes, it is the same author. NYT had an article this week:

    http://www.nytimes.com/2010/10/11/business/media/11privacy.html

    and @ katio, I had the same question as Hierophant. I appreciate your answer. But legitimacy or illegality aside, and assuming the browser is indeed vulnerable, what is to prevent the script from writing to any available drive? Are you saying there is no possible path? Bear with me, please. I'm just trying to understand the area beyond the "grey" area, the possible scenarios, however unlikely.
     
  4. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I'd forgotten about this until reading nix's post.

    No, I don't. I'm not a programmer.

    So you say. Perhaps even, so everyone says.

    Illegal never stopped me, FWIW -- unless it lacked integrity, anyway. And it's what you don't know that you don't know that tends to pwn you, IME.

    Anyway, I do get your point. I don't take extraordinary measures unless I'm visiting a site that I really don't trust. And then, I take as few chances as possible.
     
  5. katio

    katio Guest

    If there is a vulnerability the browser can not only write files but may take over your user account, possibly the whole system or even network. There are lots of ways to prevent and mitigate this, like white-listing scripting, LUA, permissions and ACL, execution prevention, HIPS, sandbox... but that's really getting off topic so I'll leave it at that and direct you to the numerous other threads going into detail.
    The distinction between legal and illegal matters a lot when it comes to the scope of such tracking. Exploits will sooner or later get patched, infected sites will be cleaned, rogue sites taken down and both likely trigger a warning in the built-in phishing and malware protection of the major browsers.
    There's a time window of a few days to maybe some weeks. If we are talking about pervasive tracking such a tactic obviously isn't very effective.
    In your (benign) example one could set a cookie to a non-standard path but after the next browser update the site won't be able to read it out again.

    With evercookie put something into the TOS and you are on the safe side, no one is going to take you down because it's all perfectly legal and there are no "exploits" involved which browser vendors could fix. Some of these cookies expire after 20, 30 years, might survive backup and restore or migration to a new PC, that's the kind of tracking sites and advertisers are interested in.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,875
    Location:
    Outer space
    Found it :) MS had it moved, now it's configurable per zone, go to Security tab -> choose custom level for the zones you wish to disable it for, it's in the list under miscellaneous.
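
Added example, not part of the thread: a PowerShell audit of the per-zone userData persistence setting described in the post above, plus the registry equivalent of switching it off. The URL action number 1606 and its values come from Microsoft's security-zone registry documentation, not from this discussion, and the function names are hypothetical.

```powershell
# Added example (not from the thread). URL action 1606 is "Userdata persistence"
# in Microsoft's security-zone registry documentation: 0 = enabled, 3 = disabled.
$Action = '1606'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Hives that can hold zone settings; which one wins depends on local policy.
$Hives = [ordered]@{
    'HKCU policy' = "HKCU:\Software\Policies\$Suffix"
    'HKLM policy' = "HKLM:\Software\Policies\$Suffix"
    'HKCU user'   = "HKCU:\Software\$Suffix"
    'HKLM'        = "HKLM:\Software\$Suffix"
}

# Hypothetical helper: report the stored value for every hive and zone.
function Get-UserDataPersistence {
    foreach ($hive in $Hives.GetEnumerator()) {
        foreach ($zone in 0..4) {
            $path = "$($hive.Value)\$zone"
            $raw  = $null
            if (Test-Path -Path $path) {
                $item = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
                if ($item) { $raw = $item.$Action }
            }
            $state = if ($null -eq $raw) {
                'Not set'
            } elseif ($raw -eq 0) {
                'Enabled'
            } elseif ($raw -eq 3) {
                'Disabled'
            } else {
                "Other ($raw)"
            }
            [pscustomobject]@{ Hive = $hive.Key; Zone = $ZoneNames[$zone]; State = $state }
        }
    }
}

# Hypothetical helper: disable userData persistence for one zone in the user hive.
function Disable-UserDataPersistence {
    param([ValidateRange(0, 4)][int]$Zone = 3)
    $path = "$($Hives['HKCU user'])\$Zone"
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Action -Value 3 -Type DWord
}

Get-UserDataPersistence | Format-Table -AutoSize
```

A zone reported as "Not set" in every hive falls back to the browser's built-in default for that zone, so only an explicit "Disabled" confirms the setting is off.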
     
  7. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    You're right, of course. The distinction between legal and illegal matters and I love to rip apart a TOS;)

    But I was interested in a value neutral analysis, which you admirably presented. Thanks for that. Cookies that survive migration to a new pc, really?
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,931
    Location:
    Texas
    The H Security
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    On the link that ronjor :thumb: just posted - http://www.h-online.com/security/news/item/Killing-the-zombie-cookie-1123151.html - is this.

    I don't have Silverlight :thumbd: and i don't use the Flash Website Storage Settings panel page either :thumbd:

    Did two tests, for the first test i had regular 1st & 3rd party cookies disabled

    f1.gif

    s1.gif

    Cleaned with FCC & revisited - http://samy.pl/evercookie -

    s2.gif

    :)

    The second test i had regular 1st & 3rd party cookies enabled

    c1.gif

    After running FCC & FF's clear recent history fully & revisiting i see ALL undefined :)

    So it seems as if just running normal tools eliminates the SC's, at least on my comp.

    FYI unless you have scripting enabled, the test doesn't work ;)
     
  10. katio

    katio Guest

    See, that's what I told you a month ago. evercookie is absolutely harmless once you know about it.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ katio

    Yes Sir looks like you were right :thumb: We can all relax now, well we on here can anyway :D

    Not sure about when HTML5 comes on stream though ? guess we'll have to test again ;)
     
  12. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390