Flash Cookies, a Little-Known Privacy Threat 225
Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
Get Flashblock now. (Score:3, Insightful)
Seriously, get flashblock from the Firefox addons site. You need it. Badly. The number of sites with the equivalent of the pixel.gif tracking or the Google Analytics type JavaScript tracking, but as a small Flash plugin are growing astronomically, and Adobe has no reason to favor your privacy over their customer's demands. These little apps aren't there to serve your needs or improve you're browsing experience, and they just should never run. If you want to run a Flash app, that's fine: click on it to run it.
I use Flashblock and I've been watching Hulu and YouTube and enjoying all sorts of sites that use Flash. I'm also instantly aware of any site that's too lazy to present a standard Web page when I see a giant "click to run" button over the whole page, and I find another site. This is part of the process, and is an important way that neophyte Web developers learn that they can't just throw up Flash and not worry about Web standards.
And this ... (Score:5, Insightful)
This is why I don't install flash on my machines.
Way too much junk and irritating sites. A site which requires flash will be left and promptly forgotten about. If you can't provide an interface to your site without Flash, I don't care what your site has in it.
Cheers
Re:And this ... (Score:2, Insightful)
The parent sounds like the people who still use pine for checking their email. At some point, folks, the world is going to move on to new technology whether or not it is secure or you like it. I guess everyone has to make the decision to continue living life and embracing new technology or completely blocking it out and hoping it will go away. Websites that require flash aren't going to go away, folks: they are going to multiply. We shouldn't try to stop flash, or to ignore it, we should try to work toward helping them secure it. And I would take Flash over Silverlight any day-
Re:Duh department (Score:2, Insightful)
Flashblock does not prevent loading of flash programs. All it does is hide them from view (and sound). Use NoScript instead. Block all 3rd party scripts and enable all 1st party scripts.
Re:And this ... (Score:2, Insightful)
scare-monger (Score:1, Insightful)
Re:And this ... (Score:5, Insightful)
Re:To remove flash cache on Linux (Score:4, Insightful)
srm and shred aren't assured security if you're on a journaled filesystem. More importantly, if the Flash application is rooting through your filesystem looking for deleted data, "secure deletion" should be applied to Flash itself, not just its cache. That would be outrageous.
My point is that you're merely trying to delete cookies to prevent user tracking. Secure deletion on your physical disk is not needed unless you're looking at a very special kind of content. ... Using srm or shred here would be like running your newspaper through the shredder because you never know who might be looking for the smudge marks that indicate what you actually read.
Re:How are Cookies "Privacy Threats"? (Score:1, Insightful)
You'd be surprised how much can be inferred from a few visits that can be linked by "hey you're the same guy who was here that other time". When you can start finding patterns in aggregated data, the whole becomes more than the sum of its parts.
Of course you're right in that there's nothing inherently wrong with FSO's, but there is a need for user education on the subject (much like cookies). FSO's are more problematic in this way since they're less well-known and harder for a non-savvy user to manage.
Incidentally, a threat to anonymity is, by extension, a threat to privacy, since anonymity is a useful privacy tool.
Re:And this ... (Score:1, Insightful)
Calling Flash a "technology" is giving it too much credit.
But that aside, a lot of the world "moved on" to Windows, but the people who didn't do it, mostly all came out ahead. Sometimes going with the flow is just plain stupid. If everyone jumped off a cliff, would you? Maybe. Maybe it makes sense to do that. But really? No, it doesn't.
Bring out the smug bastards! (Score:0, Insightful)
Okay, good, let's shut off another potentially useful feature because there's a fringe chance it can be used to remember who you are, which is Bad(tm) because then zomg Skynet. And better still, let's get rid of Flash entirely, AND be a smug dick about it, too. Brag about it constantly, just like how you don't own a TV.
From there, keep on bragging about how you don't use Javascript, either, and point to an edge case where a friend you knew was out browsing pr0n from his spam and now his entire identity has been erased. Keep pointing to it. Point HARDER. That should convince any sane individual to burn an effigy of the inventor of Javascript. Offer your diagrams to help them build such effigies.
Then all we'd need to do is get rid of images and multimedia, remove graphics from all computers, and before you know it, we'll finally have this "entertainment" flaw fixed. Then we can all get back to posting plaintext reviews of and arguments over Star Trek Battlestar Galactica episodes in peace. Goddamn progress.
Re:Old News (Score:3, Insightful)
My question has always been, are cookies even really that bad? This may just be me, but I am not that concerned - unless a cookie for one site is actually tracking what I am DOING on another site - ie if Slashdot suddenly started tracking what I was doing at my bank. I may be totally ignorant here, but I did not think cookies worked that way. And who actually has time to poll through all that user data? I have a low-traffic website, and just for grins, I will go in sometimes and look at the server logs, but most of these is just kind of curiosity over what countries are visiting me. Sometimes I will look at the terms people typed into search engines to find me (this is not a cookie, just standard Apachee server logs), but that is about it. I do not have the time, nor the desire to look at mroe than that. In fact, I usually do nt have the time to look at even that.
So, let's just say that someone is using a shared object to store browsing history. So what? Unless my church saw that after I went to their website I visited some girl-on-girl site (or vice versa), I really don't care. Of course, it could just be me being ignorant, but cookies are not what I am worried about. I am worried about other people going to Smiley Central or Living Screensavers or Coupon Toolbar or something than about cookies.
Flash Cookies, a Little-Known Privacy Treat... (Score:2, Insightful)
"... all your cookies are belong to us..."
- the Cookie Monster.
Re:And this ... (Score:2, Insightful)
Re:scare-monger (Score:3, Insightful)
So, tell me... How is it that a flash application available on-line (from adobe) is able to delete and assign space to those very elements? You are telling me that it is not, in turn, able to access those very items? And, if it can access those items, is this not a far worse security issue than browser cookies?
Just wondering.
Now, add to this (the configuration panel for flash storage being available on-line, accessible without the need of a password) to the actual (closed source) implementation of flash -- aren't alarm bells going off in your head?
Re:And this ... (Score:5, Insightful)
Why should we all accept a technology that is almost always used inappropriately? It's not being a luddite to expect people to use the right tool for the job. Flash is a technology that's good for vector animations. Stuff like homestar runner benefit from using flash, and nobody is going to complain that such a site uses flash.
But what about all the websites that use flash based navigation? Does flash do anything that they can't do with html/javascript? No. Then what's the point? It's not progress if it doesn't enable you to do anything new. It's just dumb.
And then there's sites like YouTube which use flash to serve up videos. I mean, come on. Embedding a video file in a flash application makes about as much sense as embedding an image in flash. The right thing to do is to send the video over http, and let the browser decide what to do with it. Just like we do with .jpg, .pdf, .mp3, and everything else on the internet.
So don't give me this bullshit about flash haters being anti-progress, because there's really very little that flash actually does that anyone actually needs. It's almost always the wrong tool for the job.
p.s. pine still works great, what's your problem with it?
Re:And this ... *crap is technology agnostic* (Score:4, Insightful)
ffs, there are plenty of irritating html sites as well...
I'm over this repetitive anti-flash argument. (Honesty disclaimer, yes, I develop quite a bit in flash. No, not banner ads, and no, not fully-flash online banking applications either.)
flash != junk
people making junk with flash == junk
(and you can replace 'flash' with plenty of other technologies as well - regexp not supplied.)
If you don't install flash then that's fine and it's your choice, but you can't blame adobe or flash for webcrap. Blame the mofo's making the junk. Same applies for html+javascript badness - you don't blame the w3c and javascript interpreter writers... (or maybe you do, I don't know.)
If you don't want advertising, adblock/whatever the sites hosting it. If you don't like sites that are full of rubbish made in flash, simply don't visit them again etc. If they're pushing what you don't want then why are you there? If they're pushing what you want in a format you don't like then consider letting them know.
Sites that want to deliver rich media experiences, (increasingly) cross-platform interactive experiences, games, video, etc. will continue to use software like flash to deliver their products, messages and services until something better comes along. I don't know much about silverlight, but most articles I've read on slashdot don't exactly endorse it. Anyway, something better will come along and developers will be all over it, web standards or not unfortunately.
And yes, sure, you can jump up and down and complain that your favourite cross-browser javascript api+libraries can deliver what flash can, but currently that's not true in some or even a lot of situations, depending on what you're building. I accept that this statement is pretty broad, everything looks like a hammer or a nail or whatever analogy you prefer...
So, fitness for purpose. I'm sure most of us wish that more developers (ourselves included) used technologies appropriately, but not everyone has the same skills, audience, timeframes, etc. and certainly never the same morals.
Webcrap will continue to be made, no doubt - but I guess my point is that crap is technology agnostic.
Re:How are Cookies "Privacy Threats"? (Score:1, Insightful)
How is this different from tracking based on IP?
And "I can change my ip" isn't an answer, since I can delete my cookies.
Re:Quick fix? (Score:3, Insightful)
Surely the main privacy issue is the site reading back what it wrote? So it should be:
chmod -r ~/.macromedia
Let it write all it wants.
Re:Old News (Score:4, Insightful)
That depends on the level of privacy to which you aspire, online. As far as I'm concerned, my business is my business. Of course, if you're happy living your online existence in a goldfish bowl, that's different.
Data mining programs do. Then people get to see whatever the programs flag up.
Well, all that data goes into databases, and the data gets leaked and sold and demanded by the government, and burned to CD-Rom which then gets lost... and on the way ends up being amalgamated with with other databases. It's already possible to uncomfortably detailed profiles of people using only Google. That's without mining someone's clickstream over a year or so.
Maybe you don't care who's looking over your metaphorical shoulder as you surf; I accept that many people do not. Nevertheless, for what I suspect are the majority of surfers, there's a definite issue here.