Defending Firefox from Interest-based Ad Cookies: Page 3
To disable third party cookies, go to Tools -> Options -> Privacy tab, then turn off the "Accept third party cookies" checkbox.
Interestingly, blocking third party cookies does not interfere with the opt-out preference you set for Yahoo, Microsoft and Google. Instead of using a yieldmanager.com cookie to store your preference, Yahoo stores it in a Yahoo.com cookie. Likewise, Microsoft uses a live.com cookie when it's prevented from creating an atdmt.com cookie.
Google, however, seems to have figured out a way around the third party restriction. In a test, I removed all cookies, disabled third party cookies, then visited the Google ads preferences page.
The page worked normally. That is, it created and updated a doubleclick.net cookie. Beats me how Google does this.
Manual Over-ride for Firefox Cookies
Firefox users also have a manual over-ride that can, for example, force the browser to never accept a cookie from a particular website. This seems to be the only way to prevent Google from writing Doubleclick cookies.
Manual over-ride is configured with: Tools -> Options -> Privacy tab -> Exceptions button. When entering the address of a website, use just the domain name. That is, enter "doubleclick.net" rather than "www.doubleclick.net" or "*.doubleclick.net".
The Allow button always allows a website to place cookies (white listing); the Block button is likewise self-explanatory. When you Allow, for example, nytimes.com to set cookies, you may end up with cookies from nytimes.com, blogs.nytimes.com, movies.nytimes.com, travel.nytimes.com, wt.o.nytimes.com or anything that ends with "nytimes.com". This is normal.
The Allow for Session button doesn't strike me as particularly useful. It allows cookies from the website initially, but then removes them when Firefox is shut down. The term "session," when applied to cookies, refers to the time between when you start your web browser and when you shut it down.
You can verify that blocking doubleclick.net cookies blocks Google by visiting the Google Ads Preferences page. The page will, incorrectly, object that cookies are disabled. They're not; only cookies from Doubleclick are disabled.
Protecting your privacy one website at a time, however, is probably not practical. There are many different advertising networks and their names aren't always self-explanatory.
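The domain matching behind the Exceptions list described above, as an added example that is not Firefox source code or part of the original article. It assumes a rule for a domain covers that host and its subdomains on dot boundaries, with the most specific rule winning; the function names and the host notdoubleclick.net are constructed for illustration.

```javascript
// Model of a cookie exception list (added example, not Firefox source).
// Assumption: a rule for "example.com" covers that host and every subdomain,
// matched on dot boundaries, and the most specific rule wins.
const ALLOW = "allow", BLOCK = "block";

// Reduce an entry to a bare host name: lower case, no leading or trailing dots.
function normalise(host) {
  return host.trim().toLowerCase().replace(/^\.+/, "").replace(/\.+$/, "");
}

// Build the rule table from [domain, action] pairs.
function makeRules(pairs) {
  return new Map(pairs.map(([domain, action]) => [normalise(domain), action]));
}

// Walk from the full host up through its parent domains; the first rule found
// applies. The walk stops before the bare top-level label ("com", "net").
function lookupRule(rules, host) {
  const labels = normalise(host).split(".");
  for (let i = 0; i < Math.max(labels.length - 1, 1); i++) {
    const candidate = labels.slice(i).join(".");
    if (rules.has(candidate)) {
      return { action: rules.get(candidate), matched: candidate };
    }
  }
  return null;
}

// Decide the fate of a cookie from cookieHost. defaultAction is the global
// cookie setting that applies when no exception matches.
function decide(rules, defaultAction, cookieHost) {
  const hit = lookupRule(rules, cookieHost);
  return hit ? hit.action : defaultAction;
}

// Constructed sample rule sets.
const allowTimes = makeRules([["nytimes.com", ALLOW]]);        // with cookies denied by default
const blockAds = makeRules([["doubleclick.net", BLOCK]]);      // with cookies accepted by default
const tooNarrow = makeRules([["www.doubleclick.net", BLOCK]]); // entered with "www."

// Columns: host, allowTimes result, blockAds result, tooNarrow result.
for (const host of ["wt.o.nytimes.com", "ad.doubleclick.net", "notdoubleclick.net"]) {
  console.log(host, decide(allowTimes, BLOCK, host),
              decide(blockAds, ALLOW, host), decide(tooNarrow, ALLOW, host));
}
```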
White Listing in Firefox
You may be thinking, why not have Firefox remove all cookies when it shuts down, except for those that are white-listed using the Allow button as described above? This scheme was, in fact, proposed by a listener on the April 16th episode of Steve Gibson's Security Now podcast. Despite the approval this idea got on the podcast, it's not possible.
White-listing a website means that Firefox will accept cookies from the site. It does not mean that Firefox will keep those cookies forever. When you tell Firefox to remove all cookies when it shuts down, that's just what it does. I tested this on both Windows XP and Ubuntu and Firefox deleted all cookies, even white-listed ones, when it shut down.
Deny All Firefox Cookies
Almost every website sets cookies; some depend on them. Is it practical to start out denying all cookies (first and third party) and then allowing them in on a site-by-site basis?
Good question, and one that can't be answered without trying it for an extended period of time, which I'm going to embark on soon.
Human nature being what it is, this approach needs a quick, easy way to change the Allow/Deny status of a given website. The Permit Cookies extension, also mentioned on the same Security Now episode, is perfect for this.
After installing the extension, a "C" is displayed in the bottom right corner of the Firefox window. If the "C" is gray, then there is no Allow/Deny rule for the currently displayed website. Since we're defaulting to deny everything, gray means cookies are not accepted.
If the "C" is green, then there is an Allow rule and cookies are being accepted. Changing the Allow/Deny status of a website is accomplished by clicking on the "C". It couldn't be much easier.
Authorizing a website to set cookies accepts cookies from just the currently displayed domain. Any third party cookies that website might otherwise set are not allowed.
Installing the extension is the hardest part. For instructions, see the transcript of the April 16th Security Now podcast. It was the last listener question.
A Firefox Clean Slate
Where does this leave us?
The biggest bang for the buck comes from disabling third party cookies. This only takes a second, blocks almost all tracking cookies and still enables good cookies. It's hard to see a downside.
But what about existing tracking cookies? You could try to remove them individually, but it'll probably prove cumbersome. The best way to start clean is to remove all cookies.
Considering that Google can create doubleclick.net cookies even when third party cookies are disabled, I would create a specific block rule for doubleclick.net.
A clean slate, combined with blocking new third party cookies, should offer sufficient privacy with no ongoing maintenance on your part.