Mmm, forever cookies

On September 22, 2010, in development, security, by Eugene

My dad is always worried about persistent cookies in his web browser for some reason. He claims they slow down his computer over time, and maybe he’s a little paranoid about the privacy aspect of cookies.

Well, today he has a new reason to worry: evercookie. Evercookie is a small bit of evil/genius JavaScript code that allows a website to create ultra-persistent cookies on its users’ computers. Currently, it uses eight different methods of cookie storage, with plans to develop at least four more. Not only are some of these difficult to remove, but evercookie will attempt to recreate them all, if even one of its stored cookies is still present the next time you visit the site.

Some of the methods evercookie takes advantage of are typical and considered more or less legitimate, like using Local Shared Object cookies through the Flash plug-in. Others are pretty bizarre, such as creating web history entries in the browser that point to nonexistent URLs under the domain. These weird entries are actually the Base64 encoded über-cookie, which it can recover later using a simple brute forcing algorithm and a CSS history hack. Yes, I said it was bizarre.
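To make the respawn behaviour concrete, here is an added example (my own illustration, not code from the evercookie project) that models several independent browser storage areas as in-memory maps. It shows why clearing only cookies does nothing against a replicated identifier, how a defender can spot the same value mirrored across stores, and that the identifier only stays gone when it is wiped from every store at once. The store names, the `uid` key and the identifier value are constructed sample data; the history-entry trick from the post is not modelled.

```javascript
// Constructed in-memory model of independent browser storage areas.
// In a real browser these would be document.cookie, localStorage,
// Flash Local Shared Objects, etc.; here they are plain Maps so the
// logic can run in Node. Not the evercookie project's code.

const TRACKING_ID = 'constructed-id-7f3a'; // constructed sample identifier

function makeStores() {
  return {
    cookie: new Map([['uid', TRACKING_ID], ['lang', 'en']]),
    localStorage: new Map([['uid', TRACKING_ID]]),
    flashLSO: new Map([['uid', TRACKING_ID]]),
    sessionStorage: new Map([['theme', 'dark']]),
  };
}

// Model of the respawn behaviour the post describes: if the value
// survives in any one store, it is copied back into all of them.
// Returns the recovered value, or null if no store still holds it.
function respawn(stores, key) {
  let surviving = null;
  for (const store of Object.values(stores)) {
    if (store.has(key)) {
      surviving = store.get(key);
      break;
    }
  }
  if (surviving === null) return null;
  for (const store of Object.values(stores)) store.set(key, surviving);
  return surviving;
}

// Detection: a value that appears in two or more independent stores
// is a strong indicator of a replicated tracking identifier.
function findReplicatedValues(stores) {
  const seen = new Map(); // value -> Set of store names holding it
  for (const [name, store] of Object.entries(stores)) {
    for (const value of store.values()) {
      if (!seen.has(value)) seen.set(value, new Set());
      seen.get(value).add(name);
    }
  }
  return [...seen]
    .filter(([, names]) => names.size >= 2)
    .map(([value, names]) => ({ value, stores: [...names].sort() }));
}

// Mitigation: remove a value from every store, not just cookies.
// Returns how many entries were deleted.
function wipeValueEverywhere(stores, value) {
  let removed = 0;
  for (const store of Object.values(stores)) {
    for (const [k, v] of [...store]) {
      if (v === value) {
        store.delete(k);
        removed++;
      }
    }
  }
  return removed;
}

// Side-by-side: clearing cookies alone vs. wiping every store.
function demo() {
  const partial = makeStores();
  partial.cookie.clear(); // user clears only cookies
  const afterPartial = respawn(partial, 'uid'); // identifier comes back

  const full = makeStores();
  wipeValueEverywhere(full, TRACKING_ID);
  const afterFull = respawn(full, 'uid'); // nothing left to respawn from

  return { afterPartial, afterFull };
}

console.log(findReplicatedValues(makeStores()));
console.log(demo());
```

The detection function is deliberately store-agnostic: it only needs a snapshot of each storage area's values, so the same check works whether the snapshot comes from a browser profile, a privacy extension, or a test harness.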

To some people, evercookie might seem like a strange, pointless, or downright malicious project. After all, no user wants to be tracked across the web with some new, intrusive type of cookie. But in my mind, releasing this functionality in an easy-to-use and open source package is a good thing. Most of the cookie storage mechanisms it uses are not all that new, and are being used already anyway.

To me, the real point of evercookie is to raise awareness among everyday web users, the IT crowd, privacy advocates, and hopefully web browser companies. Yes, there are a million ways for shady or malicious websites to track you across the Internet, and your browser just wasn’t designed to properly protect you. Things like evercookie remind me that we need to do a lot more work on improving the security and privacy features for web clients, so that users don’t need to be worried or paranoid about visiting any web sites – including new ones that they don’t necessarily trust.


1 Response to “Mmm, forever cookies”

  1. Daniel Molina says:

    Looks nice and very useful. I will review the implementation and its codependencies, if any. Thanks for your post. I’ve added the project to my bookmarks. I’m interested in how it works.