
News Evercookie will track you down

Discussion in 'Article Discussion' started by julieb, 23 Sep 2010.

  1. julieb

    julieb What's a Dremel?

    Joined:
    12 Aug 2010
    Posts:
    47
    Likes Received:
    0
  2. mi1ez

    mi1ez Modder

    Joined:
    11 Jun 2009
    Posts:
    1,622
    Likes Received:
    104
    Nice to know security researchers are helping to protect us all.
    /sarcasm
     
  3. mattbailey

    mattbailey What's a Dremel?

    Joined:
    26 Dec 2009
    Posts:
    135
    Likes Received:
    2
    Just because it could be done, doesn't mean it should be done! :duh:

    His site says "... PRIVACY CONCERN! How do I stop websites from doing this?
    Great question. So far, I've found that using Private Browsing
    in Safari will stop ALL evercookie methods after a browser restart."

    What if I don't want to use Safari? :confused:

    Not impressed, and what a pointless API for the consumer, great for advertisers, and intelligence use - thanks for that! :wallbash:
     
  4. CAPSLOCK

    CAPSLOCK Lost in Time and Space

    Joined:
    4 Oct 2009
    Posts:
    10
    Likes Received:
    1
    What a d***.
     
  5. liratheal

    liratheal Sharing is Caring

    Joined:
    20 Nov 2005
    Posts:
    12,856
    Likes Received:
    1,951
    Thanks. Douche.
     
  6. BentAnat

    BentAnat Software Dev

    Joined:
    26 Jun 2008
    Posts:
    7,230
    Likes Received:
    219
    Yes, releasing it into public is a bit of an ***hole move.
    His research shows that it is possible, though, and that in itself is interesting. I am sure that browser developers are taking this VERY seriously and increasing security in their upcoming releases as a consequence. Pr0n mode will soon cripple the approach in all new browsers.
     
  7. msm722

    msm722 What's a Dremel?

    Joined:
    1 Aug 2005
    Posts:
    100
    Likes Received:
    0
    Next he will release code to steal all your credit card info and send it to Nigeria.
     
  8. minimad127

    minimad127 CPC Refugee

    Joined:
    24 Apr 2009
    Posts:
    221
    Likes Received:
    9
    well this could increase the use of virtual machines for browsing with a clean image start each time
     
  9. mclean007

    mclean007 Officious Bystander

    Joined:
    22 May 2003
    Posts:
    2,035
    Likes Received:
    15
    Maybe, but that's a bit of a sledgehammer to crack a nut approach - sometimes you actually *want* some degree of persistence between browser sessions, which is why history, autocomplete etc. were implemented in the first instance. My preference is a strategy involving a combination of Adblock, Noscript and tight browser security settings, with whitelists for trusted sites on each. That seems to work adequately, but there are a lot of vectors listed above that I'm not 100% convinced would be stopped by this method.

    Another point is that, with modern "always-on" broadband connections, most people will find that their router is rarely if ever allocated a new IP address - though they may technically be dynamic, to all intents and purposes a server can assume a lot of the time that the same IP address means the same router (not necessarily the same machine, as multiple machines behind one router will share the same public IP address). This means in principle a technique like Evercookie could be extended to track users on the server side by IP address, and use that as another tracking vector even if they did use a VM or even clean installed their OS. You could even track across multiple machines behind the same router, which has huge security implications.
     
  10. infi

    infi What's a Dremel?

    Joined:
    24 Sep 2009
    Posts:
    34
    Likes Received:
    1
    yep, that's the magic word, don't allow ANYTHING unless you specifically trust it.
     
  11. Xir

    Xir Modder

    Joined:
    26 Apr 2006
    Posts:
    5,412
    Likes Received:
    133
    I'm glad he released it.
    Tear it into the open so a reaction from OS and browser manufacturers is forced. More or less a standard procedure.
     
    BentAnat likes this.
  12. Hiren

    Hiren mind control Moderator

    Joined:
    15 May 2002
    Posts:
    6,161
    Likes Received:
    33
    This will certainly help me track how successful our ad campaigns are.
     
  13. BentAnat

    BentAnat Software Dev

    Joined:
    26 Jun 2008
    Posts:
    7,230
    Likes Received:
    219
    ^^ this!
     
  14. javaman

    javaman May irritate Eyes

    Joined:
    10 May 2009
    Posts:
    3,987
    Likes Received:
    191
    Big Brother strikes again! Surely you would need permission from the user to collect such data or is it a legal grey area?
     
  15. BRAWL

    BRAWL Dead and buried.

    Joined:
    16 Aug 2010
    Posts:
    2,668
    Likes Received:
    186
    I believe Russell Howard's Brighton Show justifies this with the prefix of "Just because you can, doesn't mean you should"

    "It's legal... it's legal.... So is waking your nan up dressed as Hitler... Have some moral decorum"

    Fantastic, but I do give it a few weeks before someone invents "THE EVERCOOKIE PURGEBUSTERLOLZOOKA101" program that totally annihilates the use of an Evercookie.
     
  16. Instagib

    Instagib Minimodder

    Joined:
    12 Mar 2010
    Posts:
    1,415
    Likes Received:
    57
    How long until someone incorporates this into a virus that can't be purged?
     
  17. Phil Rhodes

    Phil Rhodes Hypernobber

    Joined:
    27 Jul 2006
    Posts:
    1,415
    Likes Received:
    10
    This would unfortunately be another reason that a flash blocker is essential equipment.
     
  18. impar

    impar Minimodder

    Joined:
    24 Nov 2006
    Posts:
    3,109
    Likes Received:
    44
    Greetings!
    You read the article?
    This Super-cookie can use Flash, HTML5, SQLite, PNG, etc...
     
  19. ch424

    ch424 Design Warrior

    Joined:
    26 May 2004
    Posts:
    3,112
    Likes Received:
    41
    I'm sure it's not hard to find its signatures and adblock will catch up soon enough.
     
  20. PingCrosby

    PingCrosby What's a Dremel?

    Joined:
    16 Jan 2010
    Posts:
    392
    Likes Received:
    7
    mmmmmmm a cookie that lasts forever...I'll have two please.
     
    smoothie likes this.