evercookie?
Sep. 23, 2010, 05:24 PM
Post: #1
evercookie?
Yesterday I read about it on downloadsquad:

http://samy.pl/evercookie/

You can get an explanation of the methods and even the source code.
What kind of protection do we have against this nasty little code? Is sidki's config enough as it is?

PS: beware of the multiple flash toggle buttons.
Sep. 23, 2010, 07:12 PM
Post: #2
RE: evercookie?
the solution is actually quite simple - block all scripts by default... Big Teeth


(okay, maybe i've beaten that dead horse too frequently, lol...)
Sep. 24, 2010, 08:58 AM
Post: #3
RE: evercookie?
I came here to start a thread on this issue. I want to know also. Are we protected? Folks at dslreports, and elsewhere, are asking Proxo users if they install Proxo will they be protected?

Opera 10.62 is my default browser. I have HTML5 and WebM in this browser and I watch some videos using HTML5 and WebM. Can a website (like Google as the videos are Youtube ones) set an evercookie on Opera or will Proxo block it?

I don't intend to block all scripts.
Sep. 24, 2010, 04:39 PM
Post: #4
RE: evercookie?
has anyone else really even tried this?

i BYPASSED Proxo and still did NOT get a "persistent cookie" !!!


the only real "preventative" with Proxo bypassed is the "Macromedia" zero-byte file in %APPDATA% - that surely can't be the only thing needed to axe this "evercookie"?

or are only Opera and Firefox users "vulnerable"?
Sep. 24, 2010, 06:02 PM
Post: #5
RE: evercookie?
(Sep. 23, 2010 05:24 PM)eclipse Wrote:  Is sidki's config enough as it is?

Do i misunderstand something here? Posted link points to a test page, right? So why not just click the "Click to create..." button, and see if the "Cookie found: uid = currently not set" string changes?
Sep. 24, 2010, 09:11 PM
Post: #6
RE: evercookie?
sidki3003 Wrote:Do i misunderstand something here?
Well, kind of.... Wink

My goal was to start a clever discussion and figure out what kind of measures we would have to take to avoid this kind of code (in a more theoretical way - as anyone can go and push some buttons as you said). But might be a good idea to share the results.
The only mention of HTML5 and canvas is way over my head, so I was looking forward to hearing from the more knowledgeable members of this forum.

And... at the time of my posting I was in a rush, in a really ancient pIII-450 with a really ancient browser (opera 9.64), so the HTML5 part isn't working.


I'm still with that machine, so here are some partial results:
Sidki's sept. BETA + opera 9.64

The first time I clicked on the create cookie nothing happened, clicked a second time, cookie created. Deleted cookie, and rediscovered:

Code:
userData mechanism: undefined
cookieData mechanism: undefined
localData mechanism: undefined
globalData mechanism: undefined
sessionData mechanism: undefined
historyData mechanism: 203
pngData mechanism: undefined
etagData mechanism: 203
lsoData mechanism: undefined

Proxo reports:
Cookies in Session:
evercookie_png=;
evercookie_etag=

Cookie rediscovered as seen from within opera:

[Attachment: rediscovered.png (27.14 KB)]

Also there's a clickable timer event.... didn't click it....
Maybe that´s affecting something in the results.

I think the CSS hack is fixed in the more recent editions of Opera?

Oh well... out of time for now, see you all later with more proper testing Smile!
Sep. 25, 2010, 01:00 PM
Post: #7
RE: evercookie?
Ahh ok, thanks for sharing your analysis. Smile!

I'm not that much into this stuff right now, but:
- Obviously LSOs are only created if you click one of the "toggle flash" buttons.
Flash files are binaries, so you can't perform surgical operations on them.
- Regarding the other storage locations: Last time i checked (2-3 years ago), they were only accessible via JS DOM methods, but i didn't see any sites using them.
- If you've left cookie handling as "Session Cookies by Default", make sure to remove session cookies (e.g. close page and restart Opera) before inspecting in Cookie Manager.

(Sep. 24, 2010 09:11 PM)eclipse Wrote:  I think the CSS hack is fixed in the more recent editions of Opera?

You've lost me. Wink (The test page displays correctly in v.10.62.)
Sep. 25, 2010, 02:22 PM
Post: #8
RE: evercookie?
(Sep. 25, 2010 01:00 PM)sidki3003 Wrote:  - Obviously LSOs are only created if you click one of the "toggle flash" buttons.

i'm going to have to sandbox a test on this...
a downfall to us IE/IE-Shell users is that the "connection" is made (and the entire flash downloaded?) even before we toggle that flash "on"...

at least, according to Proxo's recent URL list, the type column and the length column seem to indicate that the flash is downloaded...

i think the same goes for the java toggle, will have to double-check...
Sep. 26, 2010, 01:32 PM
Post: #9
RE: evercookie?
(Sep. 25, 2010 02:22 PM)ProxRocks Wrote:  at least, according the Proxo's recent URL list, the type column and the length column seem to indicate that the flash is downloaded...

We have discussed this a couple of times before... anyway Wink :

- There is an HTTP header called "content-length". Its value is the number of bytes that the server is going to transmit (Future I).
- HTTP headers are sent prior to the actual content.
- The Proxomitron "Length" column is using the content-length header value. It is not counting the actually transmitted bytes.
- The work-around for IE is to interrupt Flash transmission after the first few bytes.
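The distinction drawn in post #9, as an added example that is not part of the original thread: a loopback server declares a Content-Length, and a client records that header value before reading any body, then stops after a few bytes. The server, the `/demo.swf` path, the 4096-byte body and the 16-byte cutoff are all constructed for illustration.

```python
import socket
import threading

BODY = b"FWS" + b"\x00" * 4093  # constructed 4096-byte stand-in for a Flash file


def serve_once(listener):
    """Constructed origin server: declares Content-Length, then streams the body."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)  # the request itself is irrelevant here
        head = f"HTTP/1.0 200 OK\r\nContent-Length: {len(BODY)}\r\n\r\n"
        try:
            conn.sendall(head.encode())
            for i in range(0, len(BODY), 256):
                conn.sendall(BODY[i:i + 256])
        except OSError:
            pass  # the client hung up before the body was fully sent


def read_headers(sock):
    """Read byte by byte up to the blank line, so no body bytes are consumed."""
    raw = b""
    while not raw.endswith(b"\r\n\r\n"):
        byte = sock.recv(1)
        if not byte:
            raise ConnectionError("connection closed before end of headers")
        raw += byte
    fields = (l.split(":", 1) for l in raw.decode("latin-1").split("\r\n") if ":" in l)
    return {name.strip().lower(): value.strip() for name, value in fields}


def fetch(cutoff=None):
    """Return (declared_length, body_bytes_read); stop after `cutoff` bytes if given."""
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=serve_once, args=(listener,), daemon=True).start()
    with socket.create_connection(listener.getsockname()) as sock:
        sock.sendall(b"GET /demo.swf HTTP/1.0\r\n\r\n")
        declared = int(read_headers(sock)["content-length"])  # known before any body
        received = 0
        while cutoff is None or received < cutoff:
            chunk = sock.recv(1024 if cutoff is None else min(1024, cutoff - received))
            if not chunk:
                break
            received += len(chunk)
    listener.close()
    return declared, received


if __name__ == "__main__":
    print("interrupted:", fetch(cutoff=16))  # header-based length vs. bytes read
    print("complete:   ", fetch())
```

A log column filled from the first element of the tuple shows the same figure in both runs; only a byte counter on the body tells an interrupted transfer from a complete one.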
Sep. 26, 2010, 08:30 PM
Post: #10
RE: evercookie?
ah yes...
thanks for the "reminder" Big Teeth
Sep. 27, 2010, 03:58 AM (This post was last modified: Sep. 27, 2010 04:00 AM by Kye-U.)
Post: #11
RE: evercookie?
As ProxRocks pointed out, one of the easiest solutions is to block all scripts by default. An alternative is to use NoScript (or another whitelisting add-on/extension); for cross-browser whitelisting, you can look into ASF: http://prxbx.com/forums/showthread.php?tid=970 (I'll have to give it a spiffier name; I just tested it on the evercookie page, and it rendered the demo useless, disabling even the "onclick" attribute in the buttons)