However, when Google started the rollout of a new cookie-based tracking system last month, it seemed time to take a new look at cookies with the goal of protecting privacy.
Let's start by defining both cookies and how they are used to track your online behavior.
Cookies are small, plain-text files that reside on your computer and are managed by a web browser. If you have multiple web browsers installed on a single computer, each one maintains its own independent cache of cookies.
Cookies that come from the web page you are viewing (the one whose address is displayed by your web browser) are referred to as first party cookies. Those that come from other sources, be they ads on the web page or small independent pages (IFRAMES) included in what appears to you to be a single page, are third party cookies.
(For more on this see my blog What are Cookies. The terms commonly applied to undesirable cookies are "tracking" cookies or, more technically, "third party persistent" cookies.)
Cookies are used as the foundation of interest-based advertising (a.k.a. behavioral targeting). This type of advertising recognizes things you care about and shows you ads that relate to your interests, even when you are viewing an unrelated web site.
For example, someone interested in dogs will be shown dog-related ads, even while reading news stories about financial topics.
Personally, this is where I draw the line.
Google is merely the latest company using cookies for interest-based advertising. Yahoo and Microsoft were already doing it. Each company offers a web page where you can opt out. Google also offers an explanation of its system; see "Advertising and Privacy".
Yahoo's opt out page sets a cookie for ad.yieldmanager.com when you ask to opt out.
Just viewing Microsoft's opt-out page sets cookies for live.com and msn.com. Checking the first box, to opt out of web browser targeting, causes it to create a new cookie for atdmt.com. With Firefox, it also resulted in a security error "You have requested an encrypted page that contains some unencrypted information..."
I first viewed the Google ads preferences page after removing all cookies and restarting Firefox. Simply viewing the page created two cookies, one for google.com and one for doubleclick.net.
Interestingly, the page asked me to opt in so that I could tell Google the topics I wanted to see ads about. Most likely, you'll be presented with an opt-out option instead. After visiting a couple web sites that created doubleclick.net cookies, I returned to the Google ads preferences page and was then given the option to opt out.
To be clear, all three companies opt you in by default.
As these examples make clear, opting out just sets more cookies. The problem with this is trust. A cookie is just a plain-text file. The actions that happen based on the data in the cookie today could be different from the actions taken next week.
In each case, we are trusting the company that a cookie with certain values in it will be treated a certain way. Even if you trust Google, Microsoft and Yahoo, there are many other advertising networks that also set tracking cookies.
Dealing with Firefox Cookies: Options
Most people, I assume, would like to prevent the creation of tracking cookies, while still enabling good cookies. There is more than one way to accomplish this, and there are other approaches as well.
I recently wrote about Defending IE7 from Google interest-based advertising cookies and now I'll take a look at the options Firefox offers for dealing with cookies.
Testing was done with Firefox 3.0.9 on Windows XP with no extensions enabled. I would have tested with no extensions installed but the Java Quick Starter and Microsoft .NET Framework Assistant Add-ons can't be removed, at least not in the usual manner.
Show Me the Cookies
Firefox does a great job, compared to Internet Explorer 7, of displaying the installed cookies. Click Tools -> Options -> Privacy tab -> Show Cookies button. As shown below, many cookies come from advertising networks.
Cookies from individual websites can be removed by highlighting them, then clicking on the Remove Cookie button.
Remove All Firefox Cookies
A well-used copy of Firefox may contain cookies from hundreds of websites, including many you never visited, at least not explicitly. Cookies from sites such as Doubleclick.net and advertising.com are the tracking cookies that concern people.
To start fresh, Firefox offers two ways to remove all cookies, one manual, one automatic. The manual approach is the Remove All Cookies button, shown above. The automatic approach, one not offered by IE7, is to remove all cookies every time the browser shuts down.
Thus you can allow all cookies, yet the entire browsing history that any advertising network has on you is limited to the time between when Firefox starts and when it shuts down.
Every day, you'll start fresh; think Groundhog Day. To configure daily removal of all cookies, choose: Tools -> Options -> Privacy tab. Then turn on the checkbox shown below, to "Always clear my private data when I close Firefox".
Finally, click on the Settings button to make sure cookies are in the list of private data (shown below).
After having this configured, you can clear cookies, and any other private data you opted for in the window shown above, with Tools -> Clear Private Data.
Removing all cookies, however, is probably overkill - there are many good cookies. For example, cookies can be used with websites to remember who you are so that you don't have to repeatedly login. I personally benefit from this at the sites of The New York Times and The Wall Street Journal.
Cookies can also be used to save website preferences such as a color scheme or a font size. You can see an example of this at the preferences page of Karen Kenworthy's website. While you're there take a look at her software, it's first rate and free.
Why not just block all cookies? Because some websites may not function correctly without cookies. For example, if cookies are globally disabled, you can't log in to The New York Times website, even if you have a valid account.
So, if you care about the potential privacy issues that cookies pose and are willing to do without the conveniences offered by good cookies then remove all cookies when Firefox shuts down. This is one way to protect against any advertising network building up a long-term profile of your web browsing habits.
Disable Third Party Firefox Cookies
A less drastic approach, and one that should appeal to many people, is simply to disable third party cookies.
To illustrate what this does consider the home page of The New York Times.
Viewing the home page with third party cookies enabled may create cookies from pointroll.com, advertising.com, atwola.com, bluestreak.com, doubleclick.net and/or tacoda.net. Disabling third party cookies restricts it to only setting cookies for nytimes.com. The ads still display.
To disable third party cookies, do Tools -> Options -> Privacy tab. Then turn off the "Accept third party cookies" checkbox as shown below.
Interestingly, blocking third party cookies does not interfere with the opt-out preference you set for Yahoo, Microsoft and Google. Instead of using a yieldmanager.com cookie to store your preference, Yahoo stores it in a Yahoo.com cookie. Likewise, Microsoft uses a live.com cookie when it's prevented from creating an atdmt.com cookie.
Google, however, seems to have figured out a way around the third party restriction. In a test, I removed all cookies, disabled third party cookies, then visited the Google ads preferences page.
The page worked normally. That is, it created and updated a doubleclick.net cookie. Beats me how Google does this.
Manual Over-ride for Firefox Cookies
Firefox users also have a manual over-ride that can, for example, force the browser to never accept a cookie from a particular website. This seems to be the only way to prevent Google from writing Doubleclick cookies.
Manual over-ride is configured with: Tools -> Options -> Privacy tab -> Exceptions button. When entering the address of a website, use just the domain name. That is, enter "doubleclick.net" rather than "www.doubleclick.net" or "*.doubleclick.net".
The Allow button always allows a website to place cookies (white listing); the Block button is likewise self-explanatory. When you Allow, for example, nytimes.com to set cookies you may end up with cookies from nytimes.com, blogs.nytimes.com, movies.nytimes.com, travel.nytimes.com, wt.o.nytimes.com or anything that ends with "nytimes.com". This is normal.
The Allow for Session button doesn't strike me as particularly useful. It allows cookies from the website initially, but then removes them when Firefox is shut down. The term "session," when applied to cookies, refers to the time between when you start your web browser and when you shut it down.
You can verify that blocking doubleclick.net cookies blocks Google by visiting the Google Ads Preferences page. The page will, incorrectly, object that cookies are disabled. They're not, only cookies from Doubleclick are disabled.
Protecting your privacy one website at a time, however, is probably not practical. There are many different advertising networks and their names aren't always self-explanatory.
White Listing in Firefox
You may be thinking, why not have Firefox remove all cookies when it shuts down, except for those that are white-listed using the Allow button as described above? This scheme was, in fact, proposed by a listener on the April 16th episode of Steve Gibson's Security Now podcast. Despite the approval this idea got on the podcast, it's not possible.
White-listing a website means that Firefox will accept cookies from the site. It does not mean that Firefox will keep those cookies forever. When you tell Firefox to remove all cookies when it shuts down, that's just what it does. I tested this on both Windows XP and Ubuntu and Firefox deleted all cookies, even white-listed ones, when it shut down.
Deny All Firefox Cookies
Almost every website sets cookies, and some depend on them. Is it practical to start out denying all cookies (first and third party) and then allowing them in on a site-by-site basis?
Good question, and one that can't be answered without trying it for an extended period of time, which I'm going to embark on soon.
Human nature being what it is, this approach needs a fast, easy way to change the Allow/Deny status of a given website. The Permit Cookies extension, also mentioned on the same Security Now episode, is perfect for this.
After installing the extension, a "C" is displayed in the bottom right corner of the Firefox window. If the "C" is gray, then there is no Allow/Deny rule for the currently displayed website. Since we're defaulting to deny everything, gray means cookies are not accepted.
If the "C" is green, then there is an Allow rule and cookies are being accepted. Changing the Allow/Deny status of a website is accomplished by clicking on the "C". It couldn't be much easier.
Authorizing a website to set cookies accepts cookies from just the currently displayed domain. Any third party cookies that website might otherwise set are not allowed.
Installing the extension is the hardest part. For instructions, see the transcript of the April 16th Security Now podcast. It was the last listener question.
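The decisions described in the sections above (the "Accept third party cookies" checkbox, the Exceptions list, and deny-by-default with per-site Allow rules) can be modelled in a few lines. This is an added example, not Firefox code or part of the original article; the `prefs` object, the function names, the two-label definition of a site and the rule that the most specific exception wins are all assumptions.

```javascript
// Added example: simplified model of the cookie settings discussed in this
// article. Not Firefox source code; names and precedence are assumptions.

function normalize(host) {
  return host.toLowerCase().replace(/^\./, "");
}

// Assumption: a "site" is the last two host labels. Real browsers consult the
// Public Suffix List, so hosts under suffixes like co.uk are misjudged here.
function siteOf(host) {
  return normalize(host).split(".").slice(-2).join(".");
}

// A rule for "nytimes.com" covers nytimes.com and every subdomain, matched on
// a label boundary so that "notnytimes.com" is not covered.
function ruleCovers(ruleDomain, cookieDomain) {
  const rule = normalize(ruleDomain);
  const dom = normalize(cookieDomain);
  return dom === rule || dom.endsWith("." + rule);
}

// prefs: { acceptCookies, acceptThirdParty, exceptions: { domain: "allow"|"block" } }
function decideCookie(pageHost, cookieDomain, prefs) {
  // Assumption: the most specific matching exception overrides the checkboxes.
  const hits = Object.keys(prefs.exceptions)
    .filter((d) => ruleCovers(d, cookieDomain))
    .sort((a, b) => b.length - a.length);
  if (hits.length > 0) return prefs.exceptions[hits[0]];
  if (!prefs.acceptCookies) return "block";
  const thirdParty = siteOf(pageHost) !== siteOf(cookieDomain);
  return thirdParty && !prefs.acceptThirdParty ? "block" : "allow";
}

// Returns the cookie domains that would be accepted while viewing pageHost.
function acceptedCookies(pageHost, cookieDomains, prefs) {
  return cookieDomains.filter((d) => decideCookie(pageHost, d, prefs) === "allow");
}

// Constructed sample: domains the article lists for the nytimes.com home page.
const observed = ["nytimes.com", "wt.o.nytimes.com", "doubleclick.net",
                  "advertising.com", "pointroll.com"];
// Third party cookies off, plus a specific Block rule for doubleclick.net.
const cleanSlate = { acceptCookies: true, acceptThirdParty: false,
                     exceptions: { "doubleclick.net": "block" } };
console.log(acceptedCookies("www.nytimes.com", observed, cleanSlate));
```
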
A Firefox Clean Slate
Where does this leave us?
The biggest bang for the buck comes from disabling third party cookies. This only takes a second, blocks almost all tracking cookies and still enables good cookies. It's hard to see a downside.
But what about existing tracking cookies? You could try to remove them individually, but it'll probably prove cumbersome. The best way to start clean is to remove all cookies.
Considering that Google can create doubleclick.net cookies even when third party cookies are disabled, I would create a specific block rule for doubleclick.net.
A clean slate, combined with blocking new third party cookies, should offer sufficient privacy with no ongoing maintenance on your part.