Evercookie - the cookie you can't kill
Thursday, 23 September 2010

A cookie you can't refuse, and once it is stored you can't remove it, because every time you think you have deleted it another part of it regenerates. It's real and it's called evercookie.



Samy Kamkar, a security researcher, has come up with a really good idea and implemented it as a JavaScript/PHP framework. Evercookie implements a client-side persistent storage facility that spreads the same identifier across a range of storage technologies to make it difficult to remove. It can also repair damage: if any of the replicated copies of the cookie data is deleted, it is regenerated from the copies that survive. It will even copy the cookie from one browser to another if the web page detects just one surviving copy of it.

Currently evercookie uses standard HTTP cookies, Flash cookies, HTML5 session storage, local storage, global storage and database storage.

But as well as just using the available standard local storage methods, evercookie also uses two clever methods of its own.

The first uses a PNG file with the cookie data encoded as RGB values. When the user views the page that wants to store the cookie, the PHP code generates a key, encodes it in a PNG file and includes the image in the page. The PNG file is stored in the client's cache with a request to keep it for 20 years. The next time the client requests the page, the PHP code forces the browser to load the image from its cache by sending a Not Modified response, and the JavaScript then reads the pixels back and extracts the cookie data.




The second method uses the web page history maintained by the browser. Evercookie takes the key and encodes it into characters that are valid in a URL. It then accesses a sequence of URLs that end with the first one, two, three and so on characters of the code, so that each prefix ends up stored in the browsing history. The next time the page is loaded, evercookie cycles through the possible URLs for the first character, then the second, and so on until it has retrieved the entire cookie code. Simple and elegant.
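As an added illustration of the history scheme just described (this is not evercookie's own code), the following runs the write and read halves against a plain in-memory Set standing in for the browser's visited-URL list. The base URL and the hex alphabet are assumptions; what it shows is that reading costs one probe per alphabet character per position, and that clearing the entries under that base URL is enough to wipe this particular copy of the key.

```javascript
// Added example, not evercookie's own code: the history-based scheme described
// above, run against a constructed in-memory Set standing in for the browser's
// visited-URL history. BASE and ALPHABET are assumptions.
const BASE = "https://tracker.example/ec/"; // constructed base URL for the probe URLs
const ALPHABET = "0123456789abcdef";        // the key is encoded into this alphabet

// Encode the raw key into ALPHABET characters (hex of its UTF-8 bytes).
function encodeKey(key) {
  return Buffer.from(key, "utf8").toString("hex");
}

// Inverse of encodeKey.
function decodeKey(code) {
  return Buffer.from(code, "hex").toString("utf8");
}

// "Write": visit one URL per prefix of the code, so the history ends up holding
// BASE+"6", BASE+"69", BASE+"696", ... Returns the number of entries written.
function storeInHistory(key, visited) {
  const code = encodeKey(key);
  for (let i = 1; i <= code.length; i++) {
    visited.add(BASE + code.slice(0, i));
  }
  return code.length;
}

// "Read": grow the prefix one character at a time, probing every ALPHABET
// character at each position and stopping at the first position where no
// candidate URL is present. The probe count is the price of having no direct
// read API for the history.
function readFromHistory(visited) {
  let code = "";
  let probes = 0;
  for (;;) {
    let next = null;
    for (const ch of ALPHABET) {
      probes++;
      if (visited.has(BASE + code + ch)) { next = ch; break; }
    }
    if (next === null) break;
    code += next;
  }
  return { key: code.length > 0 ? decodeKey(code) : null, probes };
}

// Defender side: removing every history entry under BASE wipes this copy.
// Returns how many entries were removed.
function purgeFromHistory(visited) {
  let removed = 0;
  for (const url of [...visited]) {
    if (url.startsWith(BASE)) { visited.delete(url); removed++; }
  }
  return removed;
}

// Stand-alone demo on a constructed history
const history = new Set(["https://news.example/", "https://shop.example/cart"]);
storeInHistory("id42", history);
console.log(readFromHistory(history)); // { key: 'id42', probes: 61 }
purgeFromHistory(history);
console.log(readFromHistory(history)); // { key: null, probes: 16 }
```

The 61 probes for a four-byte key come from scanning the 16-character alphabet at each of the eight hex positions plus a final full scan that finds nothing; a longer alphabet shortens the code but raises the per-position cost. In a real browser the probe would be whatever visited-state oracle the page can observe, which is exactly what browser vendors have since restricted.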

So is evercookie really impossible to remove? No, of course not, especially since its creator has been nice enough to tell us what each of the mechanisms is. In fact, it wouldn't take long to put together an evercookie cleaner utility.
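To show what such a cleaner would have to do, here is an added example (not evercookie's or anyone else's tooling) that works over a constructed snapshot of the storage areas listed earlier. The tell-tale sign it looks for is one opaque value replicated across several independent stores, and the important design point is that every copy has to go in one pass, since deleting a single copy just invites the page to regenerate it from the rest. The store names, the snapshot shape and every value in it are constructed for the example; history entries, which are URLs rather than key/value pairs, are not modelled here.

```javascript
// Added example, not evercookie's own code: a minimal "evercookie cleaner" that
// looks for one value replicated across several independent storage areas.
// It runs over a constructed snapshot; in a browser the entries would come from
// document.cookie, the Flash LSO directory, sessionStorage, localStorage,
// globalStorage, the client-side database and the HTTP image cache.
// Store names and all values are constructed.
const sampleSnapshot = {
  httpCookie:     { sid: "abc123", evercookie_cache: "7f3a9c", theme: "dark" },
  flashCookie:    { evercookie: "7f3a9c" },
  sessionStorage: { evercookie_sess: "7f3a9c" },
  localStorage:   { theme: "dark", evercookie_local: "7f3a9c" },
  globalStorage:  {},
  database:       { evercookie_db: "7f3a9c" },
  pngCache:       { "evercookie.png": "7f3a9c" },
};

// Legitimate duplicates (a theme flag kept in both a cookie and localStorage)
// are common, so only opaque-looking values are candidates: alphanumeric and
// at least minLength characters long.
function looksLikeIdentifier(value, minLength) {
  return typeof value === "string" &&
    value.length >= minLength &&
    /^[A-Za-z0-9_-]+$/.test(value);
}

// Map each candidate value to the stores holding it, keeping only values that
// appear in at least minStores distinct stores.
function findReplicated(snapshot, { minStores = 2, minLength = 6 } = {}) {
  const byValue = new Map();
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      if (!looksLikeIdentifier(value, minLength)) continue;
      if (!byValue.has(value)) byValue.set(value, new Set());
      byValue.get(value).add(store);
    }
  }
  const result = {};
  for (const [value, stores] of byValue) {
    if (stores.size >= minStores) result[value] = [...stores];
  }
  return result;
}

// Remove every entry carrying the value from every store in one pass, because
// a surviving copy would be used to rebuild the ones that were deleted.
// Returns the number of entries removed.
function purgeValue(snapshot, value) {
  let removed = 0;
  for (const entries of Object.values(snapshot)) {
    for (const key of Object.keys(entries)) {
      if (entries[key] === value) { delete entries[key]; removed++; }
    }
  }
  return removed;
}

// Stand-alone demo on a copy of the constructed snapshot
const demo = JSON.parse(JSON.stringify(sampleSnapshot));
const found = findReplicated(demo);
console.log(found); // { '7f3a9c': [ 'httpCookie', 'flashCookie', 'sessionStorage', 'localStorage', 'database', 'pngCache' ] }
for (const value of Object.keys(found)) purgeValue(demo, value);
console.log(findReplicated(demo)); // {}
```

The length and character-class filters are a heuristic, not a guarantee: they keep the "dark" theme flag and the single-store session id out of the report, but a tracker that stores short or differently encoded copies in each store would need per-store decoding before the values could be compared.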

Such is the nature of the privacy/security war. One programmer needs to track users and invents a way to do it; another programmer responds on behalf of the user and blocks the method. It just escalates.

What is more interesting, and perhaps worrying, is that any of these methods or similar could already be in use without anyone announcing them.




Last Updated ( Thursday, 23 September 2010 )
