Filed under: Security, Browsers
Limping and dripping from the maws of incorrigible security bod Samy Kamkar comes evercookie. As the name suggests, deleting an evercookie isn't easy -- in fact, once you've taken a nibble, that's it: you can't delete it.

Of course, no benevolent person would ever use evercookie -- you'd have to be a nefarious money-grabbing megalomaniac! -- but the sheer number of clever hacks, cheap tricks and snarky ingenuity employed to make evercookies invulnerable makes this project very interesting indeed. All told, evercookie uses eight different storage locations for its cookie, ranging from HTTP and Flash cookies through to HTML5's new storage methods and 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' (really!).
If the cookie can be found in any one of those locations, it can be rebuilt (and then stored in all eight places again!). Basically, unless you know exactly what you're doing (and you have a lot of spare time to hunt down all of the cookies), you can forget about ever deleting an evercookie.
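To make that respawn behaviour concrete, here is an added example in JavaScript (not evercookie's own code, which talks to real browser storage): the storage locations are simulated as a Map, only the locations the post actually names are modelled, and the PNG location holds the identifier as RGB pixel bytes in the layout a canvas getImageData() call returns. It shows that wiping every location but one leaves the identifier fully recoverable, and that only clearing all of them at once actually deletes it.

```javascript
// Added example: a model of evercookie's "recover from any copy, then rewrite
// every copy" logic. Backends are simulated; the real ones are browser-only.

// Pack a string into RGBA pixel bytes: three payload bytes per pixel, alpha
// pinned to 255 so a browser will not premultiply (and corrupt) the colours.
function encodeToPixels(text) {
  const bytes = Buffer.from(text, 'utf8');
  const pixels = Math.ceil(bytes.length / 3);
  const rgba = new Uint8ClampedArray(pixels * 4);
  for (let i = 0; i < pixels; i++) {
    for (let c = 0; c < 3; c++) {
      const b = bytes[i * 3 + c];
      rgba[i * 4 + c] = b === undefined ? 0 : b;   // zero-pad the last pixel
    }
    rgba[i * 4 + 3] = 255;
  }
  return rgba;
}

// Read the payload back out of the pixel bytes, dropping alpha and padding.
function decodeFromPixels(rgba) {
  const out = [];
  for (let i = 0; i < rgba.length; i += 4) out.push(rgba[i], rgba[i + 1], rgba[i + 2]);
  while (out.length && out[out.length - 1] === 0) out.pop();
  return Buffer.from(out).toString('utf8');
}

// Only the locations the post names; evercookie uses eight in total.
const LOCATIONS = ['httpCookie', 'flashCookie', 'localStorage', 'sessionStorage', 'cachedPNG'];

function newStores() { return new Map(LOCATIONS.map(n => [n, null])); }

function writeAll(stores, id) {
  for (const n of LOCATIONS) stores.set(n, n === 'cachedPNG' ? encodeToPixels(id) : id);
}

// The identifier survives as long as any single location still holds it.
function recover(stores) {
  for (const n of LOCATIONS) {
    const v = stores.get(n);
    if (v != null) return n === 'cachedPNG' ? decodeFromPixels(v) : v;
  }
  return null;
}

// What runs on every visit: find one surviving copy, refill all the others.
function respawn(stores) { const id = recover(stores); if (id) writeAll(stores, id); return id; }

// The only deletion that sticks: every location cleared in the same sweep.
function purgeAll(stores) { for (const n of LOCATIONS) stores.set(n, null); }
```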
It's horrible, really, but I feel I must bring this project under the scorching eye of public scrutiny. This is, after all, the work of a security expert -- rather than thinking of this as an evil piece of code that will be bent to the evil, omnipresent will of Google, think of it as the inoculation that strengthens us for what will surely follow. As it stands, evercookie could be deployed on any server.
Evercookie is open source, and I encourage anyone who values their privacy to see exactly how and where it stores its cookies. For now it's only in eight locations, but Samy already has plans for two more: Silverlight Isolated Storage and a Java method based on your NIC's details.
The worst thing is, such a cookie implementation might already be in the wild. Samy might not be the first person or corporation to try such a crazy, but fundamentally brilliant, idea!
evercookie: the one cookie that you... just... can't... DELETE! originally appeared on Download Squad on Tue, 21 Sep 2010 18:30:00 EST. Please see our terms for use of feeds.