Cookies. Cookies. Cookies. Use our Cookies or else

Privacy issues from using Cookies.

Security issues from using Cookies.

What we really need is to require reasonable Web Browser standards that do not allow for this nonsense.

Yes, I know that some would say that Cookies are used on a website to improve the experience of the user. Keep records of what product we looked at that we might want to look back at. And some other things.

I would rather see all cookies banned rather than allow unknown functionalities.

Long ago in the US we had a highway system that was being littered with signs. Made our roads ugly. Was costing businesses a lot of money. If one wanted to have a successful hamburger stand one needed to pay for dozens of signs. Then we had lighted signs. Flashing bulbs in synchrony.

We passed a law against these kinds of signs. Since all Businesses had the same standard, it was better for them not to have to pay for all those signs.

By allowing the advertisers to make the rules we have these problems.

Malware enters computers through this constant requirement of advertisers to have flashier cooler graphics.

Let me guess, there are only a few very ineffectual organizations that complain to Congress. Congress backs the rich, their wealth building tools, Corporations. Corporations end up backing those who want to install malware onto my computer.

3 Likes

The benefit of cookies is that they identify you as you. For example, if you’re shopping on Amazon and want to compare two different products, you might open the second one in a different tab. Amazon uses a cookie to see that your logged in account is opening this second tab and so it is logged on as you as well. Perhaps a banking website would be a better example. Log in, then clear your cookies, then try to navigate around the site, you’ll see what I mean.

I don’t disagree with what you’re saying, but I’m not aware of another way to achieve the same thing. Browser fingerprinting perhaps, but I don’t think that’s better.

4 Likes

Furthermore, cookies need not be a negative thing. They can be used in ways that are transparent and in ways that are mutually agreeable.

If there was a better way to do what they do, I’m sure we would have started using it.

Perhaps a better solution would be to push for legislation that makes what cookies do and store more transparent and completely under the control of the user.

3 Likes

These are pretty well documented. Basically involves someone getting hold of a cookie from your web browser who shouldn’t have it and then doing something using the cookie that theoretically only you should be able to do.

While this is most often done via the operation of the web browser itself, it is also an offline attack - in the sense that if your computer is compromised then your set of permanently-stored cookies is useful information for a hacker to extend the compromise to other computers.

From a privacy perspective, like most things, there is nothing inherently bad about cookies. It is all down to how they are used and whether it is even transparent to the user as to how they are used.

Cookie transparency is a conflict between privacy and security. Cookies are often deliberately obscure (e.g. encrypted) so that they cannot be forged.

I am unclear on what you mean by this.

There is nothing that a web browser by itself can achieve in altering a standard. The only result would be that lots of web sites won’t work.

For example, if a cookie is used for authentication then you won’t be able to log in to a web site. (On the one hand, you should be able to read a web site anonymously i.e. without logging in, but on the other hand allowing anonymous creation of new content on a web site is an invitation to problems.) Few web sites use HTTP authentication directly for authentication and even if they did, that itself is a kind of tracking mechanism.

Maybe you mean changing the HTTP RFC to remove cookies from the specification. It is unlikely that you would get universal agreement to do that, and browsers and servers would probably just keep on doing what they are currently doing.

It is possible to re-engineer a web site to use the web page itself for state, or use the URL itself for state, and thereby avoid some uses of cookies, but it would be a lot of work for every web site in the world that currently uses cookies to make those changes, it is a clunky way of doing things, and the alternatives themselves become a kind of tracking mechanism - and even then it wouldn’t substitute for all uses of cookies e.g. no permanent client-side state (which is both a good thing and a bad thing).

Bear in mind that cookies are a client-side mechanism. If the server has any means of identifying you, either explicitly or implicitly, then the server can achieve some of the same problems on the server-side.

Some means of identifying you are either through explicit authentication or via browser fingerprinting.

A reasonable approach may be a web browser that

  • by default throws all cookies away when the browser exits, regardless of cookie lifetime
  • but allows the user to indicate specific trusted domains for which cookies are retained for the actual lifetime of the cookie that the cookie specifies

This only works if you frequently (e.g. daily) close your browser e.g. does not work if you keep your browser open all the time and hibernate the computer.

1 Like
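The retention rule proposed in the post above, sketched as an added example (not code from the thread or from any browser). The `Cookie` record, the function names and the sample domains are hypothetical, and the jar is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cookie:
    domain: str             # host the cookie was set for
    name: str
    expires: Optional[int]  # Unix time; None means a session cookie


def domain_trusted(cookie_domain: str, trusted: Iterable[str]) -> bool:
    """True if cookie_domain is a trusted domain or a subdomain of one."""
    host = cookie_domain.lower().strip(".")
    # Require a dot boundary so "notforum.example" never matches "forum.example".
    return any(host == t or host.endswith("." + t) for t in trusted)


def cookies_to_keep_on_exit(jar: Iterable[Cookie], trusted: Iterable[str],
                            now: int) -> List[Cookie]:
    """Apply the proposed default: discard everything at browser exit,
    except cookies of user-trusted domains that are still within the
    lifetime the cookie itself specifies."""
    trusted = {t.lower().strip(".") for t in trusted}
    kept = []
    for c in jar:
        if c.expires is None:    # session cookie: never outlives the browser
            continue
        if c.expires <= now:     # already past its own stated lifetime
            continue
        if not domain_trusted(c.domain, trusted):
            continue             # default: dropped regardless of lifetime
        kept.append(c)
    return kept


# Constructed sample jar (all domains and names are made up).
NOW = 1_700_000_000
DAY = 86_400
SAMPLE_JAR = [
    Cookie("forum.example", "session_token", NOW + 30 * DAY),  # trusted, kept
    Cookie(".shop.forum.example", "prefs", NOW + DAY),         # subdomain, kept
    Cookie("ads.tracker.example", "uid", NOW + 3650 * DAY),    # untrusted
    Cookie("notforum.example", "uid", NOW + DAY),              # look-alike suffix
    Cookie("forum.example", "csrf", None),                     # session cookie
    Cookie("forum.example", "old", NOW - 1),                   # expired
]

if __name__ == "__main__":
    for c in cookies_to_keep_on_exit(SAMPLE_JAR, {"forum.example"}, NOW):
        print("retain", c.domain, c.name)
```
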

Better for businesses or better for the privacy of the users? The latter sounds pretty naive.

1 Like

Perhaps calling that naive is being pretty cynical?

“I have reason to be cynical!” Maybe you do, but a cynical life isn’t worth living. Besides, it stifles innovation. Besides besides, the thing doesn’t exist. Let us dream.

If you are responding to my previous comment, I didn’t comment a dream, but an analysis of the current situation. That analysis seems to assume that businesses put information security and privacy of the users before their own profits. During the last couple of decades I haven’t seen much to support that view, but I have seen tons to support the opposite view. I’m dreaming of a different future of course (which shouldn’t be too surprising considering the fact that I’m here).

2 Likes

You didn’t comment a dream, “dream” was referring to “a better way” being something “better for the privacy of the users.”

By default, all web browsers should accept all cookies automatically, into a quarantined area that dumps them into the trash as soon as you exit the site. But there should be a “retain cookies” button in the browser too. That way if you want the site to keep their cookies stored in your PC, you can opt in to that. I see all web browsers that don’t operate this way, complicit in the invasion of our privacy. But I also don’t see any browsers that operate that way.

1 Like

Sounds like the age old convenience vs privacy/security problem.

In this case you could just change the settings of your browser to disable all cookies. This will affect your web browsing experience.

What do you propose as an alternate method of restoring a browser session after the browser closes (either intentionally or otherwise)?

Saying the default should be for this functionality to not exist at all is too inconvenient for most and not balanced enough for many, so I don’t think this is a practical default state.

Saying the default is to be prompted every time you go to a new site may be an acceptable middle ground, but is likely to just result in the habit of most people just clicking accept because of being overloaded which isn’t really helpful IMO.

Which brings us back to the current approach of accept first party cookies and prompt for third party cookies, which I believe is the default in most modern browsers. Along with the option of a “private” browser session that will delete all of the cookies when the session ends.

So disable cookies when you configure your browser. You won’t have the convenience and some web functionality will break, but you don’t want that functionality anyway right?

It’s a difficult thing - embedding statefulness in a stateless protocol like HTTP. Qubes does a good job with disposable AppVMs but if that’s not your thing, one may wish to consider https://privacybadger.org/.

2 Likes

the thing with privacy badger is that it must be “trained” (i.e. it doesn’t work so well from the get go - takes a few repeated attempts to “learn” how to behave). it’s a useful Firefox add-on nonetheless in combination with ublock-origin and LibreJS from GNU.

it’s so true that those three break some web-sites - but that’s mostly true about the closed-source-javascript.

2 Likes

I like to use the Brave browser. I do a little browsing normally, like looking at this forum, since I want the forum to remember who I am.

But I do the majority of my browsing in a private window. It retains the cookies only while the window is open.

{{ RANT MODE ON }}

Apologies in advance for the lengthy post, but I just came away from a very heated discussion with an employee of a large company that uses SMRC’ers. I went to school with her, we were friends.

Hello @purple

You touched on my favourite peeve. I agree, cookies are monsters now, but you also stated:

You guys passed a law in YOUR country. It is still the WORLD-WIDE web, not the U.S. world-web and it belongs to every country now. The EU is years ahead in the realm of privacy, but needs more work. The U.S. could ban cookies, but only in the U.S. sites. We’d all still get web sites from countries that permit cookies, or ban them, and what a mess.

I remember calling tech support over a router issue, and the kid told me to delete my cookies. (I know!). If I did that, I would have a hard time logging in to many places I’d rather not have to look up every time - even here for example.
I believe that education is key, and since all participating Stalkers found other ways to make things popup, circumventing pop-up blockers, and got around cookies and added teeth to invasion of privacy, fingerprinting, beacons, and other SMRC’ing tools, it has become a war. They don’t give a (expletive), about privacy or our rights to them. We created blockers, and privacy work-arounds, but they hold information hostage unless we comply. The only way people have ever made corporations and/or government do the right thing was and still is the best way IMHO, is to shame them into it.

I feel we need to hit back and list companies and governments that SMRC visitors, how they do it, and let them know, we abhor their slimy way of monitoring us a product we really don’t want. Probably easier on the list if only honest sites were listed as trustworthy.

In the beginning, it was the “Information Highway” but now, it’s just a Google catalog run by advertising agencies… and in the end, we as consumers pay them to do this to us. We don’t buy computers any more, we buy a leash and hand one end to the government and corporations to share, and the other is tethered to our devices.

If you or I did what most websites do, we’d be charged with Stalking. So we should all call it what it is. It’s no longer tracking, or tracing as is the latest buzz-word; it is STALKING pure and simple.

I will take the time to drop a note to any “Contact Us” link when I get “We see you are using an ad blocker… blah blah”, with a reply to them saying “And I see you are wrapping stalkers inside your ads.” STOP calling them “Cookies”. Even those old-fashioned cookies that let us login easier have evolved into Cookie Monsters - no offense to Sesame Street or Mitt. They evolved into Stalkers.

I can echo your concerns. I am hoping that Purism, and the whole Linux thing is on the right path and will make privacy available again in inexpensive and easy to use devices (laptops, desktops, phones etcetera) so people will marry up to it as easy as they do with Windows. But there is still much more to do to protect our most basic right - that of Right to Privacy. And it’s not just U.S. based - though that is the country that harbours the most offensive of invaders - even if the corporation has an Irish address. :smirk:

{{ RANT MODE OFF }}

~s~

8 Likes

Have a cookie, you’ll feel right as rain!

Fitting.

and opt out, as far as is possible. Which in the case of government isn’t. :frowning:

2 Likes

I’ve done that too. But like Google’s page about opting out, most links go to the front end of sites and it’s a pain to find the opt-out arena, and even then, most ignore it anyway, and it seems opt-out lists change every hour.

As @leetaur suggested, using other browsers and their ‘private window’ options is a help, but why should we. But that doesn’t stop Google apps from smrcing us.
Who gave the Internet off to shysters and corporations to dictate what is OK and what isn’t? I can remember the Internet was a great idea once; a place to share information and ideas, now it’s a place to buy anything - anything from Snake Oil cures to children, murder for hire to virginity for sale. We all spend good money to prevent viruses and malware, firewall protection, and more so the ‘They’ can use our devices to Stalk us, Monitor us, Record our move and Control what we say, think and do. S.M.R.C.

Sorry - motor-mouthing again. It’s just that the Internet should belong again to people, not government, not business. I just wish we knew as much about the corporate and govt peeps and pervs (I know of no other name for the smrcers), so we could watch them as they watch and direct Our lives…

~s~

By “opt out” I meant: don’t use. As far as is possible.

by the way for those of you who don’t remember this is a line from the matrix film (reloaded?).
it’s basically the Oracle trolling Neo :joy: