Flash Cookies, a Little-Known Privacy Threat 225
Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
Re:Old News (Score:3, Interesting)
Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
Sounds a little ungrateful considering that many, many people didn't know about this and are now provided and easy way to view and delete these objects without rummaging through menus and settings. If you hate Flash that much then don't use it!
Don't allow sites to store stuff on your machine. (Score:5, Interesting)
I don't allow any site to store any information on my machine, except when it is beneficial to me. That means, Slashdot can store cookies (session only), RevLeft can store cookies for ever, and various email places can store session only cookies.
However, every other site is blocked by default (Firefox plugin called CookieSafe). With Flash, yes I'm using Macromedia's shit plugin, but even then the default (and I'm not going to change it) is to not allow any site to save any information.
Of course, I also use NoScript and AdBlock... Yada yada.
I'm on the web for my benefit, not for the benefit of advertisers and other scum.
I've also heard about a trick to delete the folder where the Macromedia plugin stores the stuff and replace it with a read only blank file of the same name. Look into that if you don't trust Adobe as far as you can kick them...
Welcome (Score:2, Interesting)
My specific comment to this news article and your response is that third party objects always reduce security as they increase features and that is a constant and yes that is not new.
A slight side-note...
You must be new here. Welcome to Slashdot.org where you can get news of many varieties. Some is stale dated, some is duplicated but it's all kinda interesting to talk about and that is why most of us like it here.
Because even if the news is old, the discussion at Slashdot is always new! (well at least the higher rated discussions)
Re:Don't allow sites to store stuff on your machin (Score:3, Interesting)
And a quick follow up to that post. What happens if I hit a site that requires cookies (for no apparent reason)? I leave. The most common website is lyrics websites, and considering the number of them there are, I don't care if I miss out on one more.
The same with JavaScript, there are only a few websites that I've enabled JS by default (Slashdot is one). But for all the rest, unless they have an obvious use for it (and can't provide alternative content), I leave if it's required.
Screw them. I've got better things to do with my time then fuck around with websites that can't degrade gracefully.
Quick fix? (Score:2, Interesting)
Re:Old News (Score:2, Interesting)
Sounds a little ungrateful considering that many, many people didn't know about this and are now provided and easy way to view and delete these objects without rummaging through menus and settings. If you hate Flash that much then don't use it!
/agree
The "Delete all sites" button seemed to have worked pretty well too. The only thing is that I thought it was an image until I read the text under it stating that it wasn't, which is probably why the explanation was put there.
How are Cookies "Privacy Threats"? (Score:5, Interesting)
I can understand if there's a bug that lets one site read or write another site's cookies. But how are properly functioning cookies any threat to privacy? They are indeed a threat to anonymity, only because they let a site ID a browser (or a Flash player or some other client) as "the same as that other time". But what private info other than that you are the same person (or maybe not, on a shared machine) is threatened? The remote site could just store on its server any info about your transactions. It could require that you login to verify that you're that same returning visitor. And even without cookies, a remote site could send any info it got from your transactions over to any other site without notifying you. Cookies have nothing to do with it.
Of course, any info stored on my machine should have a usable UI to manage it. But an inconvenient one isn't really a "privacy threat". After all, what is the threat? What goes wrong when it's abused?
Macromedia? (Score:4, Interesting)
Re:Old News (Score:4, Interesting)
4 - Sure they are useful, but the can and are misued. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.
One of the things I discovered a long time ago is that emptying a #SharedObjects subdirectory and setting it to read-only does not work.
Now I just go through every once in a while and clear out the whole thing.
Re:Duh department (Score:5, Interesting)
With Flashblock loaded and active, watching hidden the Macromedia directories, visiting a page with Flash objects created objects in the Macromedia\Flash Player\#SharedObjects and Macromedia\Flash Player\macromedia.com\support\sys directories, without running any of the visible Flash objects.
That would indicate to me that some part of Flash is being activated, despite the presence of Flashblock...
Re:Welcome (Score:5, Interesting)
In geological terms, "here" is new.
(Being pedantic, because I really am a geologist, for most values of "here" and most reasonable meanings of "new". If I were writing on the other coast of Scotland, then my here might be up to half the age of the Earth, which is stretching "new" a bit, but for over 95% of the country and far over 99% of the population, the rocks below are a lot less than a quarter of the age of the planet, which is "new" enough for me.)