back to article I wish I could quit you, but cookies find a way: How to sidestep browser tracking protections

Browsers' built-in tools that crumble web cookies that track you around the internet can be bypassed or rendered ineffective by malicious websites. In a paper presented at the USENIX Security Symposium this week, a trio of researchers from KU Leuven in Belgium describe how they developed a framework to analyze the enforcement …

  1. Anonymous Coward
    Anonymous Coward

    JavaScript code embedded in the PDFs

    What could possibly go wrong?!!

  2. onefang

    That's the way the cookie crumbles.

    1. Crisp

      We need more than a cookie cutter approach.

      1. Version 1.0 Silver badge

        Kill them all - it's time to admit that cookies are causing the death of the reason that we use the Internet. Cookies are just another way of giving your PC VD.

        1. Richard 12 Silver badge

          Going a bit too far

          Session cookies are necessary for a lot of purposes.

          Otherwise you can't log into anything as the server can't identify you.

          Cookies that last longer than a session are of very limited utility to an end user. I had my browser set to barf all cookies when closing for a long time, and it worked really well.

    2. sbivol

      We need better protections baked in.

  3. onefang

    Oreo serious?

    Dough! That one's really bad, I should come up with a batter one.

    1. onefang

      El Reg writes a serious article about security, and the best we commentards can do is go an a cookie punning binge. We are all crackers, especially Graham.

  4. Anonymous Coward
    Anonymous Coward

    Edge

    >> the researchers found that the option to block third-party cookies in Microsoft's Edge browser simply didn't work.

    So an option affecting security and privacy in an MS product doesn't work - what a surprise!

    1. DJV Silver badge
      Trollface

      Re: Edge

      They probably could have just abbreviated that sentence to "Microsoft's Edge browser simply didn't work" - which would have been more accurate.

  5. MJI Silver badge

    I get very aggressive.

    As many as possibly admonger domains are in hosts, combined with ABP and NoScript.

    Why? Because ads started to move, popup, make noises, and not just sit there as a banner.

    1. Pascal Monett Silver badge

      Re: I get very aggressive.

      Not to mention they're also malware vectors.

      1. MJI Silver badge

        Re: I get very aggressive.

        One forum I use moved from local adverts to ones supplied by a banned admonger (due to malware), so I lost the adverts on a site I was happy to see as they were VERY targetted.

        They were targetted at people performing that hobby.

        Another forum has a banner ad for GLASS

        That was interesting.

    2. Snake Silver badge

      Re: I get very aggressive.

      Firefox: NoScript, ad domains JS blocked; do not accept unvisited third-party cookies; delete all cookie upon exit of browser; Google, Bing, Doubleclick et al completely cookie blocked.

      Have always done so. For most people, why does it take a threat being discovered before taking reasonable precautions?

  6. Avatar of They
    Pint

    To summarise.

    Technology moves on.

    Security holes found.

    People are made aware.

    Google do something about it.

    MS don't and their bug page doesn't work.

    So business as usual then?

  7. Cuddles

    Multiple layers

    "For each one, there was at least one way to bypass promised protection."

    Which is why it's a good idea to use more than one approach to blocking things. Firefox with everything disabled that can be, plus uBlock, Ghostery and Noscript is probably relatively safe. Any one of them might be able to be bypassed, but it's unlikely they can all be bypassed in the same way.

    1. Wade Burchette

      Re: Multiple layers

      I use uBlock and NoScript. For any tracking cookie that breaks through those defenses, I go to my router and make that domain point to 0.0.0.0. Despite being blocked at the router, somehow I still get a doubleclick.net cookie. I have yet to figure out that out.

      1. low_resolution_foxxes

        Re: Multiple layers

        Double Click .net is part of the Google ad infrastructure I believe. It's probably perma-included as part of Android or some other Google product

      2. Updraft102

        Re: Multiple layers

        Some routers won't block HTTPS connections to domains on the blacklist. It's also possible that the site was accessed by IP directly and not by hostname.

  8. Rol

    If I'd sold out my nation's future, I'd probably turn to drink too!

    Imagine a world where Winston Churchill was just the prime-minister of Britain and not also America's undercover agent.

    He gave away many British pioneered technologies, while at the same time stopping all further development so that America might better dominate the market.

    If the UK could have kept a hold of the advances in computing, how different might the world look today?

    Clearly being left in the hands of monopoly chasing capitalists has proven disastrous, like the unnecessarily inefficient x86 architecture that Intel wound into a knotted mess to frustrate competition.

    I honestly think the UK would have been a much better place to nurture computing, well at least in defining standards in favour of security and the common good.

    Instead we have a free for all grab that has the whole industry rocking from calamity to disaster, and all the while the users are trading their self away for a few extra bells and whistles.

    1. cd

      Re: If I'd sold out my nation's future, I'd probably turn to drink too!

      But they let him walk on the moon, so it paid off.

    2. Throatwarbler Mangrove Silver badge
      WTF?

      Re: If I'd sold out my nation's future, I'd probably turn to drink too!

      Are you okay? Do you smell burning toast? Blink if you need help!

  9. clocKwize

    Re: Contractor rights

    Its very hard to apply these wide sweeping policies. "Third party" cookies are not all bad. My company builds software which our clients embed in their site. That makes it hard for us to place cookies on the users browser, even though we have every right to be there, we have permission to do so as the user has agreed to cookies on the site, which we are a integral part of. We have workarounds in place, but its worrying that totally legitimate cookies are being dropped due to ever moving policies.

    1. Anonymous Coward
      Anonymous Coward

      Re: Contractor rights

      >> That makes it hard for us to place cookies on the users browser, even though we have every right to be there

      and we have the right to zap your cookies off our machines to preserve our security and privacy.

    2. Anonymous Coward
      Anonymous Coward

      Re: Contractor rights

      "Third party" cookies are not all bad.

      How about no? If we trust you, we trust 'only' you. Not some third party nobodies you invited off the street. Hell, this is exactly how STD is spread in real life (and how computer virus / malware is spread).

  10. Pandora LB

    " but its worrying that totally legitimate cookies are being dropped due to ever moving policies."

    Legitimate? If I say I dont want cookies - thats it!

    FO!

    If I cant access your site because I wont accept a cookie I dont visit it.

    There are very few sites I *MUST* visit....and mostly they have acceptable cookie policies

    It's my PC and I am the consumer/customer. I decide (moslty) what is stored on my PC and whether (or not ) I *need* your content ...."Not" usually wins

    1. Anonymous Coward
      Anonymous Coward

      That's like saying you're entitled to block the ads that show up on TV or the junk mail that arrives in your mailbox or skip the muzak when you're put on hold. As they, price of admission. You don't have to visit, and they don't have to serve, either. Makes you wonder what you'll do if the exclusive content you MUST have is stuck behind an obnoxious ad-wall. Suck up or walk on the Sun?

      1. Richard 12 Silver badge

        I am and I do.

        I get very little junk mail.

      2. MJI Silver badge

        TV What ads?

        I record and watch those.

        Most channels I watch no ads or just a set of irritating ones. ( I HATE the brexit ad). The others I skip over.

        Modern adverts to me are as known as soap actors and reality show participants.

  11. Nick Kew

    Third-party cookies and El Reg

    Debating point: does El Reg not implicitly preach what it manifestly fails to practice?

    Anecdote: I recently ordered a "big-ticket" item of furniture, from a big-shed retailer on a big retail park. As part of that, I checked online, including a visit to the retailer's website from my 'phone.

    That was using plain ol' Chrome. Given my very limited use of the web from the 'phone, and the fact I don't expose anything of value on it, I've never been arsed to fine-tune it against ads and such nonsense.

    Sometime after, I visited El Reg from the phone. And found that every bloomin' ad on the Reg pages is now that same furniture retailer! If I visit the Reg front page, more than one ad. will appear as I scroll down, and it's always the same: the retailer whose page I visited! Click to another page, it's the same ad. OK, enough, this is just annoying: delete effing cookie!

    1. Richard 12 Silver badge

      Re: Third-party cookies and El Reg

      That's because advertisers are idiots.

      Eventually they'll realise that advertising a product that someone has already purchased is stupid.

      Some are already starting to realise that following someone around the internet with the same advert is creepy and people will actively avoid buying it when they so that.

  12. Registered Register Registrant

    Imprison your browsers: Firejail on Linux, Sandboxie on Windows.

  13. Claverhouse Silver badge

    "Must Is Not A Word To Be Used To Princes, Little Man"

    Actually, just say fuck them, and find better sellers.

    1. Charles 9

      Re: "Must Is Not A Word To Be Used To Princes, Little Man"

      But if they're the ONLY seller or it's a case where EVERYONE uses the same tactic? Do you just go without?

      1. Richard 12 Silver badge

        Re: "Must Is Not A Word To Be Used To Princes, Little Man"

        Yes.

        Nice straw man though. That's only true in monopoly markets, and there aren't many of those.

        Mostly phone operating systems, computer operating systems and search.

        1. Charles 9

          Re: "Must Is Not A Word To Be Used To Princes, Little Man"

          Or obscure device drivers. I speak from firsthand experience.

  14. Anonymous Coward
    Anonymous Coward

    Spoof cookies, spoof GPS ... spoof all tracked data ...

    If you make it useless ...

    Anyone here spoofed a journey into Google Maps ? If you think Google searches have become a bit shit of late, it's because they've put a shit load of AI into their tracking algorithms. They won't let you cross a continent in 1 second - you need to make it a proper journey.

    But if you can do that, and send your virtual self to 37.4220° N, 122.0841° W ...

  15. MJI Silver badge

    Creepiest ever ads

    Person at work standing near two women discussing adoption, friends of his. For a while and clearly. Phone in pocket.

    Later on went on Facebook and got adverts about adoption.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like