back to article Mozilla security policy cracks down on creepy web trackers, holds supercookies over fire

The Mozilla Foundation has announced its intent to reduce the ability of websites and other online services to track users of its Firefox browser around the internet. At this stage, Moz's actions are baby steps. In support of its decision in late 2018 to reduce the amount of tracking it permits, the organisation has now …

  1. Craig 2

    About time

    You've only got to install something like NoScript to realize all the crazy shit that is going off in the background and how badly broken some websites are if they can't run numerous remote scripts.

    1. Joe W

      Re: About time

      And the cookies... don't forget about them...

      1. Leigh Brown
        Joke

        Re: About time

        Or rather, do forget them, every time you close the browser...

        1. toejam

          Re: About time

          Why wait that long? Extensions such as "Cookie AutoDelete" can purge cookies as soon as a tab is closed.

      2. Neil Barnes Silver badge

        Re: About time

        I think Firefox lacks an option in the options/safety and security section.

        Under cookies, one is offered the possibility to block third party cookies, at the risk of breaking some websites, which is fine, but the 'keep until' options are only until they expire, or until Firefox is closed.

        It strikes me that an option to delete cookies once the last tab currently open on a domain is closed, possibly in association with a whitelist, might actually be more useful to have.

        1. tfb Silver badge

          Re: About time

          I think that's a really clever idea.

  2. Jellied Eel Silver badge

    So.. what's a supercookie?

    Every time I think I'm getting a handle on the abusive practices of web outfits, something new pops up..

    1. GnuTzu Bronze badge

      Re: So.. what's a supercookie?

      Generally a combination of techniques to make it so that you can't delete a cookie. But, what that really means is if you delete the cookie, some other mechanism will bring it back, so they might also be called zombie cookies. This includes the use of Flash cookies. Yes, Adobe decided that Flash needed it's own cookies. Wasn't that nice of them :( Sesame Street's Cookie Monster surely does not like these.

      1. Jellied Eel Silver badge

        Re: So.. what's a supercookie?

        Thanks.. In the UK, unless there's informed consent, methinks with some sharp lawyers, this could fall foul of our Computer Misuse Act. So unauthorised changes to a computer. As for Flash, I terminated that with extreme prejudice after trying out ITV's video player. Which featured ads that would unmute speakers, and an insatiable appetite for cookie storage.

        1. GnuTzu Bronze badge

          Re: So.. what's a supercookie?

          That's been my thinking. If corporations can have the DMCA here in the states, than we should have similar protections against hacks tracking us.

  3. alain williams Silver badge

    Tracking will still happen

    I have fixed IP addresses (IPv4 & IPv6) at home, I live alone - that makes me easy to track from the server, no javascript needed. Even if others lived here it would narrow it down to a few people.

    What is needed is legislation to stop the various sites from sharing tracking information. This might happen in Europe, but I doubt that it will in the USA (no comment on a post brexit UK).

    1. overunder

      Re: Tracking will still happen

      Yep, this is strangely not illegal. Amazon makes this prevalent with the fact they keep showing the same guesstimated ads when you have never logged into Amazon on a machine, and see the same ad on another machine you've never logged into. Amazon, Facebook and Google are notorious at invading privacy, but even smaller sites of similar kin do it (there was 3 I noticed it on, but I'm not disclosing them).

      It also might be worth pointing out the sites that "save a draft" of some sort, as this is a great excuse to retain user data under the guise of functionality (I'm now VERY paranoid of these sites).

      1. Nick Kew Silver badge

        Re: Tracking will still happen

        To save a draft is a conscious action. That mean you're in some kind of consenting relationship with the site, which seems like a different scenario to what this is about.

    2. ecarlseen

      Re: Tracking will still happen

      So your bet is that your pull with legislatures and their capacity to set and enforce rules over time exceeds the amount of pull combined with the legal and technical resources of some of the largest and wealthiest organizations on the planet.

      That's adorable, but good luck with that.

      In practice, even people with dynamic IPs don't change that often (mobile usage being an exception) - sometimes less than once a year, so as a practical matter we're all more or less in the same boat.

      As a general philosophy, the most robust responses to things you don't like are responses that work unilaterally - things you can do where it doesn't matter what the other party does. There are always limits, but the more unilateral your focus the more success you will find in practice. This applies in most areas of life. As to this specific area...

      I block certain domains at the DNS level. I avoid using the services and resources of certain companies whose practices I consider abusive - this really isn't as difficult as it sounds. I use a combination of VPNs, browser and / or VM isolation, onion routing, and pseudonymous accounts in areas where the above measures are insufficient or too restrictive of what I want to accomplish. And in some cases on some days I just accept that I'm giving up a little bit of privacy. You can actually accomplish quite a bit on your own with a reasonable amount of effort if you're conscientious enough.

      In the long run, privacy will be a privilege of the wealthy and those who are both technically astute and disciplined. This can't be fixed legislatively (and arguably may not even be immoral - work with me on this), because there are a lot of people who will gleefully give up all knowledge of themselves for a few minutes of Candy Crush or whatever. If people *want* to make these choices then you really can't save them from themselves and even if you could you'd be inhibiting their learning to make better life decisions (assuming they're not the more rational ones - I personally prefer privacy but I'm not arrogant enough to believe that my choice "is correct" for everyone else on the planet. An argument can be made that for poor people trading privacy for entertainment may be acceptable - again, not my thing, but it's not like I can prove that I'm right).

      1. Charles 9 Silver badge

        Re: Tracking will still happen

        But what happens when (not if) they take everyone else's privacy with them? This puts YOUR skin in the game, even when it's someone else's actions, meaning saving them from themselves also potentially saves YOU.

  4. Ragarath

    Err didn't Microsoft get slapped down for this?

    When Microsoft decided to do a similar thing with IE10 (do not track) did they not get shot down and told it would be ignored?

    I assume the firefox method is going to be more direct. Rather than a request it will outright just block the nasty practices?

    Serves the ad slingers right IMO. Lets's hope they all start blocking it (hmmm Chromium)

    1. matt 83

      Re: Err didn't Microsoft get slapped down for this?

      Microsoft were changing a default option that was supposed to be "no" to "yes". What Moz are doing is attempting to block hacks that get round blocks that various browser options give users.

      EG, user clicks "delete all cookies" but some supercookie system puts back a bunch of those cookies because the operator would rather track you than allow you to give them the slip.

      1. overunder

        Re: Err didn't Microsoft get slapped down for this?

        That and what MS was attempting appeared to be based on an honor system, like robots.txt.

      2. DMcDonnell

        Re: Err didn't Microsoft get slapped down for this?

        Self-destructing cookies... There actually are several addons for Firefox that do exactly this.

        Delete a cookie when a tab is closed or terminate the browser.

    2. JohnFen Silver badge

      Re: Err didn't Microsoft get slapped down for this?

      Do Not Track is different, because it's merely advisory for websites. A website has to actively agree to honor it.

      The things discussed here do not require the cooperation of websites.

    3. devTrail

      Re: Err didn't Microsoft get slapped down for this?

      When Microsoft decided to do a similar thing with IE10 (do not track)

      The "Do Not Track" flag was introduce by Firefox, Microsoft in IE10 chose to override it and change its meaning.

      The "Do Not Track" flag is meant to express an explicit request of the user. Microsoft by overriding the policy and setting the flag by default stated that it wasn't anymore an explicit request of the user and as everyone expected after some time internet sites began to ignore the flag claiming that it any case it didn't express a user request.

      Basically Microsoft made on purpose a choice that backfired.

  5. Rudolph Hucker the Third

    EFF's Panopticlick (as mentioned in a previous Reg article) might still be a useful check:

    https://panopticlick.eff.org/

    (Before and after installing Ublock Origin, Ghostery, DuckDuckGo browser add-in for privacy protection, etc, etc)

    Sadly their Self-Defence page has disappeared.

    (Register link)

    https://panopticlick.eff.org/self-defense.php

    1. TheGriz
      FAIL

      I Guess This Means My Browser Can't Be Tracked?

      LOL, I guess this means my Firefox browser running NoScript is safe.

      Response from https://panopticlick.eff.org/

      Internal Server Error

      The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

  6. Dave Lawton

    Shame they ruined the brower before they got a clue

    As title.

    1. W.S.Gosset Bronze badge

      Re: Shame they ruined the brower before they got a clue

      Hear hear. Anyone on Firefox, AVOID the last 2 "up"grades offered by the auto-update. Its already-terrible (non)ability to handle more than a couple of simultaneous javascript threads goes to pieces. As in: goes from teeth-grinding to 2 or 3 full restarts per day to recover your ability to get anything done on your machine. As in: mouse frozen for 5mins at a time, etc.

  7. JohnFen Silver badge

    If Mozilla pulls this off

    If Mozilla actually manages to block the things that are effectively impossible for me to block myself (supercookies and fingerprinting are the most obvious things), that might actually convince me to use the new Firefox. Although I strongly dislike the new Firefox because of unfixable usability issues, the ability to stop that sort of thing would likely be enough to make me suffer the UI in exchange for protection I can't get anywhere else.

  8. devTrail

    Expected reaction

    Many internet sites will react by making navigation with Mozilla more difficult. Right now a lot of sites don't bother about your security settings, If you block third party cookies many functions like streaming videos do not work and if you ask them why they don't tell you to enable third party cookies they tell you to use Chrome (which enables third party cookies by default).

    1. Charles 9 Silver badge

      Re: Expected reaction

      So basically all a site has to do is mandate the use of privacy-breaking browsers to force a Walking on the Sun situation that takes everyone else with them.

      1. DMcDonnell

        Re: Expected reaction

        User-Agent plugin for Firefox... Make your copy of Firefox look like MS Edge or Google Chrome browser to them websites.

        1. Charles 9 Silver badge

          Re: Expected reaction

          Bad move. They'll end up using stuff that ONLY works with them, meaning the site breaks with you anyhow.

  9. DougS Silver badge

    Mozilla and Safari are the only hope for browsers to help privacy

    With Google making pretty much all their money from advertising, and Microsoft hoping to, you sure can't expect their browsers will do any more than the bare minimum...they don't want to bite the hand that feeds them!

  10. Rustbucket

    Supercookie

    After you've logged out of Firefox and it's supposedly deleted all your session cookies, see if you've still got a file called SiteSecurityServiceState.txt. (Windows 7)

    1. W.S.Gosset Bronze badge

      Re: Supercookie

      My. Goodness. Me.

      1. W.S.Gosset Bronze badge

        Re: Supercookie

        (%APPDATA%\Mozilla\Firefox\Profiles\[PROFILENAME]\what-he-said.txt)

        (*nix users: %APPDATA% == ~/AppData/Roaming)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019