Private Browsing Question

truthseeker
Joined: 2008-07-30 20:32

Does Private Browsing block those new "super cookies", the non-deletable LSOs?

Flash-cookies (Local Shared Objects, LSO) are pieces of information placed on your computer by a Flash plugin. Those Super-Cookies are placed in central system folders and so protected from deletion. They are frequently used like standard browser cookies. Although their threat potential is much higher than that of conventional cookies, only a few users have begun to take notice of them. It frequently occurs that, after a time, hundreds of those Flash-cookies reside in special folders. And they won't be deleted, ever, and are used by companies to trace our internet activities. CCleaner etc. do not delete them, nor does the web browser.

gluxon
Developer
Joined: 2008-06-21 19:26

No. Firefox Portable has no control over Flash's cookies.

ottosykora
Joined: 2007-10-11 17:48
Use the following addon

BetterPrivacy

it is called. It claims to remove LSOs etc. In fact you can also protect some of those objects; I need one, for example, because some stupid internet TV wants it, but I can remove all the rest and keep that one protected.

BTW: I cannot see what some people mean when they say the super cookies cannot be deleted. I can simply right-click on each of them, or on each of their folders, and they are gone. It is only the browser which does not delete them, but otherwise they are under appdata under macromedia (on XP).
The text in your post looks like it was copied from the BetterPrivacy website. Well, they certainly have to justify the use of their addon somehow, so they will make a big dramatic issue of it. The pathetic 'central folders' are just appdata; the only special thing is that they have # in the name.

Otto Sykora
Basel, Switzerland
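
The manual cleanup described in the post above (remove every LSO under the Macromedia folder but keep one protected object), written as a script. This is an added example, not part of the original thread and not BetterPrivacy's code; the `#SharedObjects/<random id>/<domain>` layout, the function names and the `.example` domains are assumptions, and the sample tree is constructed.

```python
import tempfile
from collections import defaultdict
from pathlib import Path


def inventory_lsos(flash_root):
    """Map each originating domain to the .sol files stored for it."""
    # Assumed layout: <flash_root>/#SharedObjects/<random id>/<domain>/.../*.sol
    shared = Path(flash_root) / "#SharedObjects"
    found = defaultdict(list)
    if shared.is_dir():
        for sol in sorted(shared.rglob("*.sol")):
            parts = sol.relative_to(shared).parts
            if len(parts) >= 3:  # <random id>/<domain>/.../file.sol
                found[parts[1]].append(sol)
    return dict(found)


def purge_lsos(flash_root, keep_domains=()):
    """Delete every LSO except those of protected domains; return removed paths."""
    keep = {d.lower() for d in keep_domains}
    removed = []
    for domain, files in inventory_lsos(flash_root).items():
        if domain.lower() not in keep:
            for sol in files:
                sol.unlink()
                removed.append(sol)
    return removed


def build_sample_tree(base):
    """Constructed sample data: fake LSOs under a fake Flash Player folder."""
    root = Path(base) / "Macromedia" / "Flash Player"
    for rel in ("tv.example/player/settings.sol", "ads.example/track.sol",
                "video.example/soundData.sol"):
        path = root / "#SharedObjects" / "ABCD1234" / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed placeholder, not a real LSO")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        print("before:", sorted(inventory_lsos(root)))
        purge_lsos(root, keep_domains=["tv.example"])
        print("after: ", sorted(inventory_lsos(root)))
```

Run `inventory_lsos` on its own first to see which domains have stored objects before deciding what to pass as `keep_domains`.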

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Yes, but

Yes, LSOs *are* blocked by default in Private Browsing. This is because FlashBlock is blocking all flash objects. If you run a flash object (by clicking play over it) that object will be able to access LSOs, though.

This should block nearly all Super Cookies. Unless you click play on ads of course.

Sometimes, the impossible can become possible, if you're awesome!

truthseeker
Joined: 2008-07-30 20:32

I've been testing this and it has JavaScript enabled and it DOES NOT block the new "super cookies" at all. I needed to install the Firefox addon "BetterPrivacy" to have control over the Flash LSO cookies.

Any possibility to fix this security breach in Private Browsing? And automatically block all cookies as well, because at current Private Browsing allows cookies by default!

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Incorrect

Private Browsing blocks LSOs by default. If you never click on a flash object, you won't get them. Private Browsing has *temporary* cookies enabled. That means they are cleared on each exit. Some website that purports to test if you are 'vulnerable' to super cookies will always say you are if you have cookies enabled even per-session. But, if you disable cookies, a lot of websites won't work at all (including being able to use this site as anything but a guest).

Sometimes, the impossible can become possible, if you're awesome!

truthseeker
Joined: 2008-07-30 20:32

Ok John, sounds good then.

BTW, I ran some tests, here are the results:

Test results

* Passed Mozilla crashes with evidence of memory corruption - passed
* Passed Internet Explorer bait & switch race condition - passed
* Passed Mozilla crashes with evidence of memory corruption - passed
* Passed Internet Explorer createTextRange arbitrary code execution - passed
* Passed Windows MDAC ADODB ActiveX control invalid length - passed
* Passed Adobe Flash Player video file parsing integer overflow - passed
* Passed XMLDOM substringData() heap overflow - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.5) - passed
* Passed Opera JavaScript invalid pointer arbitrary code execution - passed
* Passed Apple QuickTime MOV file JVTCompEncodeFrame heap overflow - passed
* Passed Mozilla code execution via QuickTime Media-link files - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.8.) - passed
* Passed Mozilla memory corruption vulnerabilities (rv:1.8.1.10) - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.12) - passed
* Passed Apple QuickTime 'QTPlugin.ocx' ActiveX Control Multiple Buffer Overflows - passed
* Passed Window location property cross-domain scripting - passed
* Passed Mozilla Firefox MathML integer overflow - passed
* Passed Internet Explorer XML nested SPAN elements memory corruption - passed

Congratulations! The test has found no vulnerabilities in your browser!

Jacob Mastel
Developer
Joined: 2007-06-13 19:36
mysterious

And where exactly do these mysterious tests come from?

Release Team Member

truthseeker
Joined: 2008-07-30 20:32

There are a few browser checkers, but I used this one:

http://bcheck.scanit.be/bcheck/

truthseeker
Joined: 2008-07-30 20:32

John, I just checked something. Even though firefox has Adobe Flash blocked, somehow some youtube LSO cookies are still getting through and being stored in C:\Users\truth\AppData\Roaming\Macromedia

How come?

ottosykora
Joined: 2007-10-11 17:48
If you click on YouTube

videos then you deliberately selected this, so this cookie has to be accepted. If you block everything, you will possibly not have much fun with your browser. It can be that the flash itself will not appear (due to the flash blocker), but the cookie can be transmitted before the actual flash file was downloaded. The flash file itself will probably not execute the flash player then, but the cookies are separate files.

As John stated, cookies are blocked if you do not deliberately click on some flash. The aim can not be to block all cookies completely, but rather help to remove them after the use again.

Otto Sykora
Basel, Switzerland
