The Evercookie: Like trying to kill Steven Seagal

The Evercookie: Like trying to kill Steven Seagal

 

Good article. I've taken to using QuickJava in Firefox myself, along with blocking 3rd party cookies and having ABP and TrackerBlock in place. I feel safe without Noscript, as I have Returnil set to only trust programs already on my drive. That means no script malware for me..though of course Panda Cloud and MBAM stand by

 

While I generally agree with that, I don't if it comes to Noscript: If you perform the anonymity test on, e.g., http://ip-check.info/?lang=en it makes a big difference if javascript is enabled or not.

Cookies (incl. flash coookies/LSOs) are not a problem since there are solutions for them. Another idea is using the FF addon UAControl to manipulate the useragent (which can be bypassed if javascript is enabled, though).

The only issue for which I haven't found a real solution is ETags. Disabling caching in Firefox (which would help) worsens its performance too much. Some addons which are sometimes recommended (like ModifyHeaders) don't work as they only change request headers but ETags are reply headers.

 

QuickJava allows you to switch Javascript, Java, Flash, Images and CSS on/off with the push of a button, so there's no issue there. Noscript isn't the only way to deal with Javascript, in fact, it's probably the most cumbersome way.

 

I don't understand. If you have javascript et al. switched on by default in QuickJava you don't have any protection. If you have it switched off by default it's the same with Noscript - one mouseclick is enough to enable it. There are still differences, though: Even if you allow a site in Noscript you still have its protection against XSS, Clickjacking etc. - things not offered by QuickJava.

 

A lot of the "extras" are covered (however lightly) by browsers. Even Firefox has some cross-script protection. As far as more dangerous Javascript, well, that's covered by sandboxing, anti-execution, and so on. There's really nothing NoScript provides that can't be found with other methods, and without having to walk in a Javascript minefield, meaning there's 10 scripts on a website, 4 need to be loaded for full functionality, and you get to decide which 4 of the 10 are the needed ones, and which ones are tracking servers or drive-by exploits.

 

Well, each to his own However, I understand that by switching on JS with QuickJava also 3rd party scripts (often by the tracking servers you mentioned) are enabled (correct me if I'm wrong). That's problematic from a privacy perspective (which we are discussing here). Yes, in Noscript you have to decide what to allow. But in most cases that's no problem: If I open site xyz.com it's pretty obvious that you allow scripts from that domain first in order to make it work - and usually that's sufficient. Besides, you can add trackers to the Noscript blacklist. After a while, most of them simply don't appear in the "normal" list anymore.

Regarding the "extras": Sandboxing and AE don't help against XSS and ClearClicking. And the browser built-in protection against these threats (if any) is inferior at best.

Again, each to his own. But you can't get security and privacy without paying a price. The price of using Noscript is low enough for me.

 

Actually the built in XSS is fine - both Chrome and Firefox have reflective XSS filters and I imagine they all work in a similar fashion.

http://en.wikipedia.org/wiki/Clickjacking

Basically, you click a link, you actually end up clicking an invisible button, and you're taken to an exploit page. Sandboxing would protect against this.

If it tries to initiate a download any browser will warn you first saying "this is a .exe, you sure you want to download it?"

There are other possibilities with ClickJacking but none are as severe as leading to an exploit page.

Still, NoScript can add that extra layer especially if there isn't sandboxing or if the XSS auditor isn't up to snuff in some way. As you said, there's a price for this.

I see NoScript as having really only a few issues, some obvious and some less-so:

1) The obvious issue of having to whitelist sites every time you visit a new one, selectively figuring out which javascript/ site is safe to whitelist. Some sites have dozens of scripts with vague names.

2) Once a site is whitelisted it's whitelisted for everything (all tags)

3) The fact that it's entirely up to the user to determine which sites are trusted/untrusted.


I've actually found it very easy to use ScriptNo on Chrome but only to block certain tags (Frames and Noscript tags) this way I don't have to whitelist sites and instead I have every site limited.

I mostly just use it because I like the referer spoofing, which I think is broken as of now anyways.

 

Actually we're getting OT in this thread. But anyway:

According to the Noscript site, NS protects also against DOM based XSS and most types of persistent XSS. Besides, I'm not sure if the built-in protection in the browsers against reflective XSS is as good. And my question in another thread (if the XSS auditor in Chrome is enabled again - it was disabled earlier because of performance considerations) was never answered.

By Clickjacking also scripts can be executed, and if your filesystem is not affected, sandboxing doesn't help.

See the remark in my previous post regarding trackers and blacklist. Besides: In QuickJava this problem isn't solved at all. See also 3) below.

True (although this behavior can be changed). The upcoming Noscript version will change that.

True, but you have this problem with other solutions, too. At least, in Noscript you can middle-click the respective site in the Noscript menu to get a site that looks like this. A great help IMHO.

 

We've had several Very good threads on how to defeat this. Plus in at least one of those threads are links to www's to test to see if you're bacon, or not

Do a search on here for them & let us know how you shaped up, or not !

 

All you do is close your browser and then clear cookies and this "evercookie" is gone!

I went to http://samy.pl/evercookie and had an evercookie created,i saw it in 3 places... then i cleared cookies AND STILL SAW IT..

Then i closed my browser and cleared cookies again and then went back to http://samy.pl/evercookie and IT WAS GONE!! (All said undefined)

 

KISSmetrics and life of an ETag:

http://lifecs.likai.org/2011/07/kissmetrics-and-life-of-etag.html


HKEY1952

 

For Etags, see this thread. The filter is for Proxomitron but might be adaptable.