Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security Your Rights Online

Chrome, IE To Allow Users To Delete Flash Cookies 110

Trailrunner7 writes "The upcoming release of Adobe Flash Player 10.3 will give users of most of the major browsers the ability to delete Flash cookies in much the same way that they're able to erase normal Web cookies, thanks to a better integration with privacy settings in Internet Explorer and Google Chrome. The addition of the ability for users to delete the cookies set by plug-ins and browser add-ons gives them better control of the security and privacy of the content on their machines and is designed to address a serious issue that's been plaguing Flash for some time. Security and privacy experts have warned about the implications of so-called Flash cookies, which are set by Flash and difficult for users to find and delete."
This discussion has been archived. No new comments can be posted.

Chrome, IE To Allow Users To Delete Flash Cookies

Comments Filter:
  • by elucido ( 870205 ) * on Wednesday May 04, 2011 @11:48AM (#36025624)

    http://en.wikipedia.org/wiki/Evercookie [wikipedia.org]
    http://samy.pl/evercookie/ [samy.pl]

    Evercookie is unstoppable, irrevocable, undeleteable, and it represents a new trend. When is Google and Microsoft going to do something about this? Or do they and others conspire to use this evil mega cookie to track us?

    • by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Wednesday May 04, 2011 @11:56AM (#36025718) Homepage
      File a bug on the Chrome bug tracker. The latest I can find [google.com] is that Chrome should be erasing it all if you use Incognito, except for the Flash LSO.
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        In my tests incognito mode was enough to delete the evercookie. I simply quit the browser and restarted.. it didn't know who I was. Try it here http://samy.pl/evercookie/

      • Pretty sure that's not the case anymore about Flash LSO's and Incognito mode. (Could just be the custom version of Chromium called SRWare Iron I'm using, though.)

    • by h4rr4r ( 612664 )

      Seems like it is deletable, hard to find maybe but you can always delete your whole browser profile.

      • by icebike ( 68054 ) on Wednesday May 04, 2011 @12:12PM (#36025892)

        Or run the browser and all of its minions (including flash) in a sandbox, which allows you to snap shot it at some point in time, and flush that sandbox after each browsing session and restore from the snapshot at the start of each new session.

        As long as every program has access to the Windows Registry, you will have to sandbox that as well, allowing access to a shadow copy.

        But the real problem here is that Joe Sixpack is not in a position to be knowledgeable about all of this. Criminal sanctions against users of Evercookie might keep corporate marketing droids from going down that path, but they won't stop the off-shore porn sites or gambling sites from embedding this type of technology.

        • by h4rr4r ( 612664 )

          Windows Registry? I can't find one of those on any of my machines. Install browser in chroot, copy to another location. Then copy before version over after version.

          Joe Sixpack is not in a position to be knowledgeable about anything, no need to worry about it.

          • by icebike ( 68054 )

            Joe Sixpack is not in a position to be knowledgeable about anything, no need to worry about it.

            How very magnanimous of you.

            So in your little provincial world, the only people deserving of protection from cookie mining evil corporations and government spies are long practicing linux users? The rest are just cannon fodder?

            I suppose this means the only people deserving of medical privacy are the doctors themselves? The only ones deserving of police protection are the cops themselves?

            • by h4rr4r ( 612664 )

              Talk about putting words in my mouth.

              Users are not even interested in this, they don't care about their privacy. For a good example of just that go take a look at facebook. No need for anyone to worry about protecting those who do not care to be protected.

              Police protection is a joke. They investigate after, not protect you. The police are 30 minutes away, my own protection is much closer.

              • Talk about putting words in my mouth.

                Users are not even interested in this, they don't care about their privacy. For a good example of just that go take a look at facebook. No need for anyone to worry about protecting those who do not care to be protected.

                Most users (and I'd include myself in this list) are very interested in some aspects of privacy. I care quite a bit if someone access my bank account and takes my money. I don't care at all if someone wants to send me an email, or get in touch with me because of a common interest. Privacy does not have to equate to invisibility.

            • by Intron ( 870560 )

              How very magnanimous of you.

              So in your little provincial world, the only people deserving of protection from cookie mining evil corporations and government spies are long practicing linux users?

              No. Those running Windows on a virtual machine are OK too. As long as they blow away the Windows VM after use.

          • Joe Sixpack is not in a position to be knowledgeable about anything, no need to worry about it.

            Assuming he's literate, he's in a position that is as good as yours or mine.

            It's merely a question of willingness. I agree there's only so much you can possibly do for someone who won't lift a finger to help himself. That's a character weakness and I wouldn't be doing anyone any favors if I validated it. For that I make no apology.

            It reminds me of that joke: "a 'computer expert' is someone who can read the manu

            • by h4rr4r ( 612664 )

              It's merely a question of willingness. I agree there's only so much you can possibly do for someone who won't lift a finger to help himself.

              That is the position I was talking about. Joe Sixpack does not care, and will not care. The position of Joe Sixpack is that anything that requires reading or 5 minutes of his time is to hard for him.

              As I have now two responses that seem to assume I think Joe Sixpack is some sort of invalid I will admit I should have been clearer.

              • It's merely a question of willingness. I agree there's only so much you can possibly do for someone who won't lift a finger to help himself.

                That is the position I was talking about. Joe Sixpack does not care, and will not care. The position of Joe Sixpack is that anything that requires reading or 5 minutes of his time is to hard for him.

                As I have now two responses that seem to assume I think Joe Sixpack is some sort of invalid I will admit I should have been clearer.

                There seems to be this unstated consensus that unless you excuse, legitimize, and enable any and all forms of intellectual laziness and willful helplessness, then you must be some kind of cold-hearted bastard who wants the poor to starve, old ladies to eat dog food, and baby seals to get clubbed to death.

                There's also this widespread and completely false notion that you're doing anyone any favor by teaching them to be at the mercy of others for basic things they are actually capable of doing themselves. Lik

                • by Fjandr ( 66656 )

                  This is easily one of the best posts I've read in years, and there are many who would treat you with scorn simply for uttering such notions.

                  • This is easily one of the best posts I've read in years

                    I always feel humbled whenever I receive a high compliment like that. Thank you. I will add that I don't think I was being particularly insightful, clever, or articulate. I think I was just being honest. If you do it that way, you don't really need elaborate technique or silver-tongued eloquence to discuss the nature of things.

                    Of all things this reminds me of the notion of a "Constitutional scholar". The Constitution is easy to understand. It does

          • Joe Sixpack is not in a position to be knowledgeable about anything

            Wrong! Joe sixpack knows plenty about beer...
            ...and quite likely about football and women.

    • Evercookie is unstoppable, irrevocable, undeleteable, and it represents a new trend.

      A RAMDisk is an emulated disk that uses system memory and is erased completely during shutdown.

      Symbolic links and hard links are pointers that let you direct files and directories to other locations, such as RAMdisks.

      Reboot. What evercookie?

      Takes about 10 mins to set up properly. Using Windows? CCleaner can help you with any missed temp files. Schedule it to run at startup.

      • by h4rr4r ( 612664 ) on Wednesday May 04, 2011 @12:29PM (#36026104)

        Hard links do not work across paritions/drives symlinks are what you want.

        • Hard links do not work across paritions/drives symlinks are what you want.

          I think you may be misunderstanding what he's saying. Let's say you want to have a hard link to R:

          The easiest approach doesnt even require a redirect. Simply point everything hard linked to the RAMdisk (R:). A simple batch file on startup is all it takes to set back up the ramdisk during boot so it's functional as if it was always there and always a part of the system. That also makes it easy to have the "safe copy" nicely tucked away for repeat reloading whenever one wants - or on each reboot when the ra

      • by dc29A ( 636871 ) *

        Windows RAM drive [ltr-data.se]. Works great with browser temporary data. You can use junctions to map adobe temporary folders to your RAM drive.

    • It's not unstoppable. I'd mod you up for informative, but you mention that it is so good that it is unstoppable. It is not unstoppable or undelete-able on all browsers. In fact, it can be removed from Chrome [threatpost.com]. It is therefore, not a limitation of the browser. They don't NEED conspire. Regular cookies rarely get deleted by most users.

      If you are wiping out your cookies and using ad blocking and script blocking software, they already know you are the least likely user to click an ad if you saw one. The on

      • by Nursie ( 632944 ) on Wednesday May 04, 2011 @12:32PM (#36026138)

        Really?

        Because you hear of deliberate violations of do-not-call lists, and everybody likes to make it hard to get off their spamvertising lists.

        It seems like common sense to you and me, but I'm not sure that the unethical marketing people (not all, but the unethical ones) have got there yet. They seem to think it's extra important to annoy the hell out of people who've already decided they don't want to be annoyed.

        • Re: (Score:2, Insightful)

          You want their content, they set the rules. You dont like it, dont view their content.

          This isnt rocket science, people.

          • by medeii ( 472309 )

            Repeat after me: an HTTP connection is not a contract.

            Site owners are free to offer suggestions as to how to show the content they're freely offering who connects to their public server. I am similarly free to ignore those suggestions, and accept or render only the parts I want.

            After all, if they don't want me seeing the content, all they have to do is stop giving it away.

            • Sure, youre free to block their cookies, so long as they choose to allow you to do so. They could quite easily refuse to let you access any content if you refuse to set cookies.

              Youre right its not a contract, but its THEIR content.

          • by Nursie ( 632944 )

            Cool, put counter-adblocking in place, refuse to serve content to people that block your ads.

            That way people can decide whether to enable the ads to see the content and neither party gets ripped off. It makes the relationship explicit.

            I fully support that.

        • He said "Google and Microsoft". Google and MS are not violationg do-not-call nor can-spam. And by extension, Google websites (search, gmail, etc), properties (Doubleclick), and Microsoft Bing and their web properties. That accounts for an extremely large portion of web advertising, not just on their sites, but on third party sites, phones, and apps.

          • by Nursie ( 632944 )

            Firstly, the OP said google and microsoft in reference to their role as browser manufacturers, then referred to them and others potentially being involved in evercookies.

            Secondly, The post I replied to didn't reference either company.

            Thirdly, I didn't say they were violating laws (though there certainly are people that violate DNC), I said that marketers and advertisers, particularly the unscrupulous ones, go out of their way to target people who don't want to be advertised to. The point being that it's cou

    • by Anonymous Coward

      this is easy to escape.

      Nothing escapes the event horizon that is /dev/null

      To have Flash functionality without cookies being set and/or saved to disk, just symlink a couple of files to /dev/null and forget about it.

      CD $HOME

      rm -rf .adobe .macromedia

      ln -s /dev/null .adobe

      ln -s /dev/null .macromedia

      Something else people forget about is CSS. Websites can use CSS to track you across sites as well. There are a couple of ways to defeat this. The easiest is to set remembering URLS to zero (0). The second is to surf

    • by Intron ( 870560 )

      Its an arms race. You can try to keep ahead, but the advertisers are willing to spend a lot of money to be able to track individuals.

    • by asa ( 33102 )

      You're taking this wildly off topic. Evercookie depends on a large group of features and this is a mitigation for one of those features.

  • Firefox (Score:5, Informative)

    by just_another_sean ( 919159 ) on Wednesday May 04, 2011 @11:56AM (#36025726) Journal

    And for Firefox users there is Better Privacy [mozilla.org].

    From the Better Privacy site:

    Better Privacy serves to protect against not deletable longterm cookies, a new generation of 'Super-Cookie', which silently conquered the internet. This new cookie generation offers unlimited user tracking to industry and market research. Concerning privacy Flash- and DOM Storage objects are most critical.
    This addon was made to make users aware of those hidden, never expiring objects and to offer an easy way to get rid of them - since browsers are unable to do that for you.

    emphasis mine

    • Re:Firefox (Score:5, Informative)

      by BZ ( 40346 ) on Wednesday May 04, 2011 @11:58AM (#36025744)

      Actually, Firefox 4 supports this as well, out of the box.

      • Re:Firefox (Score:4, Interesting)

        by Jah-Wren Ryel ( 80510 ) on Wednesday May 04, 2011 @12:06PM (#36025848)

        And for Firefox users there is Better Privacy [mozilla.org].

        Actually, Firefox 4 supports this as well, out of the box.

        FWIW - and it's worth it to me - Better Privacy provides better control in that I can set duration for the cookie. Mine are deleted after 5 minutes of last access. That works for sites like youtube that store the volume setting in the flash cookie, but still gives pretty good protection against flash cookies that might be misused due to lasting until I exit firefox (something I only do once or twice a month).

        • by BZ ( 40346 )

          Sure. Better Privacy is nice if you want its features. But it's not strictly necessary to just delete Flash cookies, which is what the article is about.

      • by Anonymous Coward

        And even if it _didn't_, what the fuck is wrong with rm? Or deleting them with a file explorer?

        Have we been SO dumbed down as a society that we are no longer even capable of basic filesystem operations such as removing files?

        I swear that watching the last 30 years has seemed like a continual process of seeing people get stupider and stupider until even the most basic thing are now considered "too hard". I await the time that turning the computer on is considered "too hard" for the average person to be exp

      • Actually, Firefox 4 supports this as well, out of the box.

        Yes, it does, and I don't know why TFA doesn't mention it. This, from the Adobe Flash Player 10.3 beta release notes [adobe.com]:

        Integration with browser privacy controls for managing local storage – Users will have a simpler way to clear local storage from the browser settings interface – similar to how users clear their browser cookies today. Flash Player 10.3 integrates control of local storage with the browser’s privacy settings in Mozilla Firefox 4, Microsoft Internet Explorer 8 and higher, and future releases of Apple Safari and Google Chrome. See this related post we published in January.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Yep. Has existed for several years now, including for older versions of Firefox like FF3.5
      (and maybe 3?)

      The only thing is it had to do it on disc due to lack of an Adobe API.

      However, Better Privacy works even with older versions of Flash, like 10.2 - unlike this new method which requires Adobe's cooperation.

    • Can somebody explain what the meaning of the 'no moldy whipped cream on pumpkin pie' icon is? I mean, I agree, but fail to see the connection.

      Not in the FAQ, I looked.

    • Ghostery also does this, nixing flash cookies. BTW, it has recently being bought by a marketing firm, although per the documentation they claim not to track users. FYI.

  • by iONiUM ( 530420 )

    Maybe it can stop all the horrible flash ads too..

    Although, sometimes they aren't so undesirable, such as when they're like this [upup-downdown.com] (warning: although there's no nudity you wouldn't want your boss seeing you look at that).

    • by h4rr4r ( 612664 )

      Flashblock. Why it is not the default I will never understand.

      • NoScript is better. Once I will detect a website tries to evercook me, it goes to permanent ban on my user-defined NoScript list.

    • >>>http://upup-downdown.com/comics/2011/05/04/invisible-boobies/

      So what did you want me to see? Only thing that I noticed was the "Creative writing: scifi, mystery, horror degree" ad for full sail university. I don't know... that webpage kinda sucked.

  • by BZ ( 40346 ) on Wednesday May 04, 2011 @12:00PM (#36025766)

    This also works in Firefox 4 last I checked; I'm not sure why the article just talks about Chrome and IE.

  • Opera is great for dialup or cellphone users, allowing image blocking. The built-in turbo feature also disables flash by default, in order to speed-up the webpage download (unless you click on the little "movie" icon to load the video/ad/whatever). Not sure how you would delete the Flash cookies though.

  • by Anonymous Coward on Wednesday May 04, 2011 @12:03PM (#36025808)

    In linux just link ~/.macromedia to /dev/null

    It turns out /dev/null is something of a cookie monster.

  • by hodet ( 620484 ) on Wednesday May 04, 2011 @12:09PM (#36025870)
    "The addition of the ability for users to delete the cookies set by plug-ins and browser add-ons gives them better control of the security and privacy of the content on their machines..."

    because its bad to have all those yourporn and redtube flash cookies on your work computer.

  • It's the same base engine, isn't it? What about the non-google Chromium? Will it work with Adobe to erase cookies?

    • It's the same base engine, isn't it? What about the non-google Chromium? Will it work with Adobe to erase cookies?

      This isn't a "base engine" issue -- it's a browser UI issue. Each browser needs to offer an API hook to plugins that allow them to say, "hey, call this function when the user has requested their browsing history be deleted!" So, the way you phrased your last question is backwards -- Adobe must work with browser capabilities, not the other way around.

      In the case of IE8 and later, this is a one-function COM interface [microsoft.com] that gets passed a single flags parameter indicating what types of objects should be delete

  • If you have the "BetterPrivacy" addon, you have control over Flash cookies.
  • by mccalli ( 323026 ) on Wednesday May 04, 2011 @12:34PM (#36026158) Homepage
    The 10.3 beta tells you when a Flash application is trying to write to your local machine. I've been hitting 'Deny' on everything and no ill effects been seen so far.

    Cheers,
    Ian
  • by doperative ( 1958782 ) on Wednesday May 04, 2011 @12:55PM (#36026434)

    Under Linux delete the ~/.macromedia directory ...

    • Exactly ... I keep this directory "list only" at all times. Sometimes sites don't work without being able to write there ... most of the time I don't care enough about the video to change rights, but I will if I'm watching The Daily Show or something.

      When I'm done, I clear the directory and re-lock it. I did the same for the ".adobe" directory, not sure if it's necessary

      • The point is, all these methods work, but they're all a royal pain in the ass. I don't want to go drop to a Linux command shell to get rid of cookies; that's why every browser has UI to do that for me. If a browser manufacturer knows there is crap cached on my machine related to my Internet browsing history, then when I ask it to delete all the Internet browsing history, it should delete it. Note that Windows doesn't have a "format my hard drive, but leave the porn alone" button (although this might be usef

    • by MrL0G1C ( 867445 ) on Wednesday May 04, 2011 @01:48PM (#36027196) Journal
      ..And for windows users, delete the /macromedia directory! (in ?:\Documents and Settings\UserName\Application Data\) or C:\Users\UserName\AppData\Roaming\
      • More conveniently, delete %APPDATA%\macromedia\. It's a bit longer than ~, but %APPDATA% or %USERPROFILE% are handy variables to know about. You can enter them into Explorer just file, also.

  • So much for One Chance [arstechnica.com].

  • by Tailhook ( 98486 ) on Wednesday May 04, 2011 @01:53PM (#36027246)

    Widespread use of this will make marketers focus on new tracking techniques. As it is they rely on cookies that are easily eradicated with simple tools, but are usually left alone by users. They don't have to remain that easy to thwart. They won't if all their analysis goes to hell 24h after 10.3 is released and auto-installed everywhere.

  • by brit74 ( 831798 ) on Wednesday May 04, 2011 @02:36PM (#36027800)
    Hat tip to chrome and IE for making this easier, but for those who don't already know, there is a way to delete flash cookies. Just click the "delete all sites" button after arriving at this webpage: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html [macromedia.com]
  • by Anonymous Coward

    One of the reasons I have stuck with firefox is the better privacy extension that deletes all the flash cookies every time I close the browser. It does not hurt that Chrome sucks at playing games like Runescape, trying to force text to the address/search bar instead of the in game type.

  • ... I created an Automator [apple.com]-Script that moves these files/folders:

    ~/Library/Cookies/Cookies.plist
    ~/Library/Safari/History.plist
    ~/Library/Safari/HistoryIndex.sk
    ~/Library/Safari/LastSession.plist
    ~/Library/Safari/Downloads.plist
    ~/Library/Safari/Databases
    ~/Library/Safari/LocalStorage
    ~/Library/Safari/TopSites.plist
    ~/Library/Safari/WebpageIcons.db
    ~/Library/Preferences/Macromedia/Flash Player
    ~/Library/Caches/com.apple.Safari
    ~/Library/Caches/QuickTime
    ~/Library/Caches/Adobe/Flash Player/AssetCache
    ~/Library/Caches/Metadata/Safari

    ... to the thrash.

    Did I miss anything?

  • by theweatherelectric ( 2007596 ) on Wednesday May 04, 2011 @06:10PM (#36030182)
    I avoid the problem to begin with by not installing Flash in the first place. It all depends on your usage patterns, of course, but I find I no longer need Flash. Yes, some websites or specific features of some websites just don't work without Flash but for me these cases are increasingly in the minority.
  • is that you have to go to an Adobe URL to delete them. So, Adobe knows about all the pron flash cookies, etc, you're deleting from your computer. Why do they need to know this?

No spitting on the Bus! Thank you, The Mgt.

Working...