[Cryptography] rejecting 3rd party web accesses/cookies

John Gilmore gnu at toad.com
Wed Sep 23 17:23:50 EDT 2015


> Doesn't rejecting 3rd-party cookies (or more accurately, not
> sending them back to anyone) solve that problem?  I had always
> thought that any system or configuration with "privacy > 0" in the
> list-of-design-goals would do that.  It seems more effective than the
> do-not-track header (that I gather is widely ignored by people in the
> tracking (ad) business).

See EFF's Privacy Badger plugin for Firefox and Chrome.  It does
almost exactly this.  It sends the Do-not-track header with every http
and https request.  It looks for 3rd party inclusions into web pages
that are pulled in from web pages in multiple domain names.  It
examines their cookies to see if any of them have more than nominal
entropy.  If they are tracking you DESPITE your do-not-track request,
it blocks future accesses to those 3rd party inclusions automatically,
unless they have published a legalese privacy policy that meets its
criteria.

Since enforcing that across the board would break too many web sites,
it has a whitelist of a few 3rd party inclusions that are still
needed.  Rather than completely blocking those, it blocks all cookies
and referrers when accessing them.

You can readily see what it's done, and can change what it does for each
3rd party site by sliding a slider among "block / block cookies / allow".

Privacy Badger also has special code for those insidious social-media
"like buttons" that track your every move on the web whenever they are
loaded into the page you're viewing, even when you don't click on
them.  If it catches them tracking you, it replaces them with a local
equivalent, which only accesses the social media company if you
actually click on the button.

Since most ads come from 3rd party sites with lots of trackers, those
tend to get blocked very rapidly -- a nice side effect of protecting
your privacy.

And it's free software, so you can examine and improve it.

  https://www.eff.org/privacybadger

	John
	(disclaimer:  I co-founded EFF and helped a bit with the design
		      of Privacy Badger)
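The heuristic the message describes, as an added illustration that is not Privacy Badger's own code: a third party is judged to be tracking once it sets cookies with more than nominal entropy on pages from several distinct first-party sites; it is then blocked outright, unless it published an acceptable DNT policy (allowed) or is on the whitelist of inclusions sites still need (loaded, but with Cookie and Referer stripped). The thresholds (3 sites, 32 bits), the class and function names, and the sample traffic are all assumptions made for this example and not taken from the Privacy Badger source.

```javascript
// Added illustration of the tracker heuristic described in the message.
// Not Privacy Badger's code; thresholds, names and sample data are assumed.

const TRACKING_SITE_THRESHOLD = 3; // distinct first-party sites (assumed)
const HIGH_ENTROPY_BITS = 32;      // "more than nominal" entropy (assumed)

// Parse a "a=b; c=d" Cookie / Set-Cookie style string into name -> value.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Shannon entropy of the value's characters, scaled to total bits.
// A short, repetitive value like "en-US" scores low; a 32-hex-digit
// identifier scores well above HIGH_ENTROPY_BITS.
function entropyBits(value) {
  const counts = new Map();
  for (const ch of value) counts.set(ch, (counts.get(ch) || 0) + 1);
  let perChar = 0;
  for (const n of counts.values()) {
    const p = n / value.length;
    perChar -= p * Math.log2(p);
  }
  return perChar * value.length;
}

function hasHighEntropyCookie(cookieHeader) {
  return Object.values(parseCookies(cookieHeader))
    .some((v) => entropyBits(v) > HIGH_ENTROPY_BITS);
}

class TrackerHeuristic {
  constructor({ whitelist = [], dntPolicy = [] } = {}) {
    this.seenOn = new Map();             // thirdParty -> Set(firstParty)
    this.whitelist = new Set(whitelist); // still needed to render pages
    this.dntPolicy = new Set(dntPolicy); // published an acceptable policy
  }

  // Record one third-party load embedded in a first-party page.
  observe(firstParty, thirdParty, cookieHeader) {
    if (firstParty === thirdParty) return;           // not a 3rd-party load
    if (!hasHighEntropyCookie(cookieHeader)) return; // nominal cookies only
    if (!this.seenOn.has(thirdParty)) this.seenOn.set(thirdParty, new Set());
    this.seenOn.get(thirdParty).add(firstParty);
  }

  // One of the three slider positions: "allow" / "cookieblock" / "block".
  action(thirdParty) {
    const sites = this.seenOn.get(thirdParty);
    if (!sites || sites.size < TRACKING_SITE_THRESHOLD) return "allow";
    if (this.dntPolicy.has(thirdParty)) return "allow";
    if (this.whitelist.has(thirdParty)) return "cookieblock";
    return "block";
  }

  // Headers actually sent to thirdParty: DNT on every request, and no
  // Cookie or Referer at "cookieblock". Returns null when the request
  // should not be made at all.
  outgoingHeaders(thirdParty, headers) {
    const act = this.action(thirdParty);
    if (act === "block") return null;
    const out = { ...headers, DNT: "1" };
    if (act === "cookieblock") {
      delete out.Cookie;
      delete out.Referer;
    }
    return out;
  }
}

// Constructed sample traffic (invented domains and cookie values).
const SAMPLE_LOADS = [
  ["news.example", "ads.tracker.example", "uid=9f2c41e7b8a3d6c0f1e5a7b2c9d4e8f3"],
  ["shop.example", "ads.tracker.example", "uid=9f2c41e7b8a3d6c0f1e5a7b2c9d4e8f3"],
  ["blog.example", "ads.tracker.example", "uid=9f2c41e7b8a3d6c0f1e5a7b2c9d4e8f3"],
  ["news.example", "cdn.widgets.example", "sid=3b7e0d9a5c1f4e8b2a6d0c9f7e1b5a3d"],
  ["shop.example", "cdn.widgets.example", "sid=3b7e0d9a5c1f4e8b2a6d0c9f7e1b5a3d"],
  ["blog.example", "cdn.widgets.example", "sid=3b7e0d9a5c1f4e8b2a6d0c9f7e1b5a3d"],
  ["news.example", "fonts.example", "lang=en-US"],
  ["shop.example", "fonts.example", "lang=en-US"],
  ["blog.example", "fonts.example", "lang=en-US"],
  ["news.example", "stats.example", "uid=c3a9e1f7d5b2a8c6e0f4d9b1a7c5e3f2"],
  ["shop.example", "stats.example", "uid=c3a9e1f7d5b2a8c6e0f4d9b1a7c5e3f2"],
];

function runSample() {
  const h = new TrackerHeuristic({ whitelist: ["cdn.widgets.example"] });
  for (const [first, third, cookie] of SAMPLE_LOADS) h.observe(first, third, cookie);
  return {
    ads: h.action("ads.tracker.example"),     // tracking on 3 sites: block
    widgets: h.action("cdn.widgets.example"), // tracking but whitelisted
    fonts: h.action("fonts.example"),         // low-entropy cookie only
    stats: h.action("stats.example"),         // seen on only 2 sites so far
    headers: h.outgoingHeaders("cdn.widgets.example",
      { Cookie: "sid=abc", Referer: "https://news.example/" }),
  };
}
```

The entropy estimate is deliberately crude: a real deployment would also have to treat known low-entropy values (language codes, consent flags) and cookie name/value splits more carefully, and would persist the per-site observations across browsing sessions rather than in memory.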

