Spyware, viruses, & security forum: Privacy concerns over browser cookies in my system

I prefer a little program written and provided by Steven Gould called CleanUp.
I also keep my computers as clean as possible by TOTALLY clearing internet history, caches and cookies. I also use the Website Storage Settings panel which I have bookmarked http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html from which I delete FLASH COOKIES by right clicking within the window and selecting GLOBAL SETTINGS. I'm probably tracked by someone, somewhere, but I do all I can to keep it at a minimum.
If you value privacy at all it behooves you to go through the privacy settings of every site for which you need to log in.
THE MOST intrusive of ALL websites is Facebook! I have shut off or disabled every setting available to me to protect my privacy yet I often go to other sites while logged in at Facebook and WHOA!!!!!!!!!!!!!!! THERE I AM and I haven't yet found a way to prevent it.

Cookies are not dangerous as long as you remove the temporary files that may be under the control of the cookies you downloaded with the same temp files I mention here. Temporary files can be any kind of malware/execution file/etc., so a bad cookie can control what kind of damage that actionable temp file does while their minions are existent in you PC session. Clean all temp and Zombie files, and then your cookies are "relatively" safe. CCleaner is well known to be the only cleaner that effectively roots out all Zombie(ever cookie) files.

Cookies also control server behavior in page controls downloaded by your surfing habits. If the server is bad, you can bet the cookie is not going to be your friend either! MBAM, a good firewall(Comodo/Online Armor), and any good host file can block known bad server IP connections.

Along with CCleaner I recommend trying Superantispyware along with Malwarebytes Anti-Malware software. I have used these free programs for years with satisfying results. I hope this helps you keep clean.

One's browser can be a very useful tool. I have mine set to block Third Party cookies and to dump all other upon shutdown. I close my browser down complete quite frequently during the course of the time my computer is on so cookies and other info doesn't have the chance to build up. Private mode is nice for some purposes, but some sites just don't work well in that mode.

That said, CCleaner is great for cleaning other files on one's computer that are generally not all that necessary, too. That's yet another reason to add it to one's arsenal of utilities.

I will not repeat the good advice of my predisseors. Yes ther is a program that will allow you to view and delete individual cookies it's called "Flash Cookie View" came out for Windows XP and I have used it ever since. seems to work well in Windows 7 Home Premium. Cnet used to carry it. I don't know if they still do or not.

I have found that the free version of SuperAntispyware is useful in detecting tracking cookies (and allowing you to remove them) - as opposed to cookies which make it easier to log onto various web sites.

I have been using Selectout.com to track my cookies. It will give you a list of the cookies on your computer and you can elect to opt out or allow and it will give you a profile of the cookie to help you decide. I found it helpful. I elect not to delete all cookies because on sites I use frequently the cookie will have to be reloaded.

Hope this helps

All the replies to this question assume that the web sites placing cookies will always follow a certain set of rules which will allow the cookies to be found if the user so desires. A nagging question I have always has is what stops a web site from ignoring these naming/placement rules. If they want to hide them they certainly could, and I suspect, at least a large minority and probably a majority, do. Only "honest" webs would adhere and as we all know money trumps honesty. As long as web sites are allowed to perform these actions our privacy cannot be protected, no matter how much reassurance we are given and what claims concerning their removal cleaner/virus removal software may make. So if you use the web for all your important transactions roll the dice and cross your fingers.

...If they want to hide them they certainly could...

Really? How?

I know of two mechanisms for storing cookies: client-side Javascript assignments to 'document.cookie', and server-side sending of a new cookie header along with the page in the response. Both methods rely on the browser to store the cookie where _the_browser_ decides; neither method gives the attacker any control at all over where the cookie is stored. In programming terms, cookie storage location is not even an "argument" to any procedure I know of. Attackers do _not_ have access to the local disk; they are limited to saying something like "hey browser, here's a new cookie, please store it wherever you store cookies".

What am I missing? Very roughly how could an attacker "hide" a cookie?

(Maybe it's semantics? To my mind, if an attacker has found a way to break security and access the local file system directly, that is indeed a big hole. They could store all kinds of arbitrary and evil information ...a little bit of which would have otherwise been stored in "cookies". But the connection of that hole to "cookies" is so arcane and obscure I wouldn't identify the problem of having access to local storage as having anything at all to do with "cookies".i)

Sorry, "cookies" do NOT "gather information"; I thought that old chestnut was thrown on the dustheap years ago; "cookies" have NO ability to "do" anything. The main thing cookies provide is a way to "tag" every little bit of information, allowing a nefarious website to then put all the little bits together into a big enough chunk of information to be a real concern. (Before "cookies" there wasn't any reasonable way to collate all those little bits of information. "Cookies"did indeed introduce some new concerns, by making cost-effective a process that previously wasn't practicable, but "cookies" are not "magic". IMHO, one can better thwart cookies' abuses by understanding how they do what they do.)

Tracking your browsing activity across multiple websites requires all those websites to cooperate (unlikely) _except_ in the case where websites "loan" their cookies to other websites. Modern browsers provide an easy way to prevent this "loaning" of cookies. Just look for a setting something like "refuse third party cookies" and turn it on (the key words are "third party".)

Some sort of offline application capabilities in HTML5 will involve some form of local storage. It will probably essentially be "giant cookies". If so, the same browser security that already exists will be easy to copy.

In theory LocalStoredObjects/FlashCookies have the same security restrictions as regular cookies. But in practice entity behind that claim is Adobe rather than Google/Netscape (and their track record on security issues has issues:-). I assume there's some (rather obscure) Flash configuration to turn LSO off. I don't know for sure because I've had too many problems with Flash over the years (eats up too much CPU, not available on iPhones, lots of security concerns) that I just plain don't run Flash at all any more.

LSOs are not cookies per se. They are INSTRUMENTAL in gathering information. Since they stay on your PC for ever; they can help gather A LOT OF INFORMATION! Adobe is no longer the only application that leaves LSOs on the PC.

As far as cookies go; to repeat what I already said elsewhere here; a cookie has instruction sets that tell the server what to gather, and more and more of the not so good cookies can control temporary files (through server contacts) that do things that are in a very grey area, if not out right malicious.

So for Jill and Joe Sixpack - WHAT'S THE DIFFERENCE!!

I doubt they care!

Jennifer Kyrnin, About.com
(Posted without her permission out of context)

What Cookies Can Store

Cookies can store the following types of information:

Your Web browser and version
Your operating system
Your IP address (and from that possibly a close approximation of where you are browsing from)
The date and time
What page was visited using that browser and OS
A unique ID that the website generates for you the first time your browser arrives
Any information you provide via forms on the website
The credit card companies know your name, what you purchased, what store you were at, how much you spent, what your credit limit is, and more.

While cookies can store that information, they can't store it if you
don't provide it to the website.

Cookies Do Not Endanger Files on Your Hard Drive

Cookies are little text files (or lines in a text file) that are stored on your hard drive. They cannot execute code or act as a virus or malware.

A cookie is a line of text that looks something like this:

.about.com TRUE / FALSE 1692181505 jsc 13

In essence, this says that the cookie named jsc is served from anywhere on the .about.com domain.

It has a value of 13 and expires on June 9, 2028 at 10:47:06PM.

No, I don't know how About.com is using this cookie, but honestly, I don't care. The most damage that this cookie could do to me is fill up needed space on my hard drive. And it's easy to delete them if I have that problem.

Privacy and Cookies
If you're concerned about privacy issues with cookies, you would be better off finding out the privacy policies of the sites you visit.

The only way a cookie can store private information is if you give it to the site.

This could be through filling out a form, buying something, or joining a chat or forum on the site.

If you don't want your private information to show up in a cookie, then you shouldn't put it in a web form.

A site has access to any information you provide without using any cookies at all. Thus, it's more important to know the privacy policies of a site than to worry about whether they use cookies.

Create a Cookie

Cookies are set by the browser, often with a CGI or JavaScript. You can write a script to set a cookie at any

event on a Web page. For example, if you go to this page you will be given the option to set a cookie when

you click another link. The cookie looks something like this:

Set-Cookie: Count=1; expires=Wednesday, 01-Aug-2040 08:00:00 GMT; path=/

This means:

Set-Cookie:
This is the call that set's the cookie in the browser's cookie store.
Count=1;
This is the name of your cookie.
expires=Wednesday, 01-Aug-2040 08:00:00 GMT;
This details when the cookie will expire.
path=/;
This is the minimum path that needs to exist for the cookie to be returned.
WhoamI.com
The domain that set the cookie, and is the only domain that can retrieve the cookie.
Write the Cookie with JavaScript
Use the following code to write your cookie:

<script language="JavaScript">
cookie_name = "Basic_Cookie";
function write_cookie() {
if(document.cookie) {
index = document.cookie.indexOf(cookie_name);
} else {
index = -1;
}

if (index == -1) {
document.cookie=cookie_name+"=1; expires=Wednesday, 01-Aug-2040 08:00:00 GMT";
} else {
countbegin = (document.cookie.indexOf("=", index) + 1);
countend = document.cookie.indexOf(";", index);
if (countend == -1) {
countend = document.cookie.length;
}
count = eval(document.cookie.substring(countbegin, countend)) + 1;
document.cookie=cookie_name+"="+count+"; expires=Wednesday, 01-Aug-2040 08:00:00 GMT";
}
}
</script>Read Your Cookie
Once you've written the cookie, you need to read it in order to use it. Use this script to read your cookie:

<script language="JavaScript">
function gettimes() {
if(document.cookie) {
index = document.cookie.indexOf(cookie_name);
if (index != -1) {
countbegin = (document.cookie.indexOf("=", index) + 1);
countend = document.cookie.indexOf(";", index);
if (countend == -1) {
countend = document.cookie.length;
}
count = document.cookie.substring(countbegin, countend);
if (count == 1) {
return (count+" time");
} else {
return (count+" times");
}
}
}
return ("0 times");
}
</script>Call Your Cookie in a Link
Set your cookie when someone clicks a link with this code in your HTML body:

<script language="javascript">document.write(gettimes());</script>

Now everyone can create an read their own cookie and make a determination for themselves

Here are a few ideas to help you get better control over cookies. If you had Ghostery, the Firefox, Chrome, Safari, Opera and Internet Explorer add-on (which is designed to protect your privacy, by identifying who's tracking your browsing) installed, you'd have a list of trackers and you can choose to block them - or not.

http://www.ghostery.com/about

If you would rather not use a browser add on (because it will use some system resources) here are a few more ideas. Privacy protecting search engines such as Scroogle (already mentioned) block most cookies and prevent tracking.

Another such search engine is Startpage: https://startpage.com

What do you need to know about cookies and flash cookies? The following article explains all better than I can:

http://epic.org/privacy/cookies/flash.html

If you're really concerned it's possible to configure your browser to block all third party cookies and prompt you to make a choice on whether to accept them each time you visit a site and it's possible to configure flash player to do the same for flash cookies.

Here's a guide on flash cookies: http://kb2.adobe.com/cps/526/52697ee8.html

By setting the slider to zero in flash player's Global Storage Settings Panel then choosing to tick "allow third party flash content to store data on your computer" - you will be prompted to allow or block flash content whenever a flash cookie wants access.

Here's a guide on how to configure the most popular browsers to initially block cookies then ask you to decide choose whether to accept them or not: http://www.cert.org/tech_tips/securing_browser

You can also opt to change your DNS provider to a privacy protecting one. The advantage is that it doesn't use any system resources and most cookies are automatically blocked. It does require a little technical knowledge to configure your internet connection or router.

http://www.fooldns.com/ - Fool Dns

Another option is to use a browser with an aggressive built in ad blocker like Slim Browser:

https://www.slimbrowser.net

The ad blocker needs to be activated from the toolbar and the built in block list needs to be activated. This is important because these days malware often hides in adverts on some web pages - even the adverts on trusted sites are not always clean. SlimBrowser does away with the need to install additional ad blocking software or ad blocking browser ad ons although it's a good idea to make use of a modified Hosts file to block adverts when using other browsers or opening emails. You can also block any unwanted content on web pages by right clicking and choosing to always block the ad server's URL.

Personally when I see an ad displayed on a web page I use Slim Browser to grab the URL of the ad server and block the URL in my hosts file. If an entry exists in your hosts file it prevents your computer from connecting to the server hosting the ad and it blocks access across all installed browsers.

A reasonable choice for people new to hosts file management is HostsMan: http://www.abelhadigital.com/hostsman

It has a built in block list and you can manually add any site or element of any web page that you wish to block using the hosts file editor. There's no quick and easy simple solution. Some people are happy not to worry too much about cookies and they simply clean them with a system cleaning product after each browsing session.

I've just noticed the Do Not Track Plus browser add on. The download is hosted here:

http://download.cnet.com/8301-2007_4-57373684-12/do-not-track-plus-add-on-stops-the-tracking-paparazzi/

I have not used it but if you're looking for software to help you learn about tracking cookies and give you better control it looks like it could be a wise choice. Unlike some other methods of dealing with cookies you can choose to keep elements of a webpage to display that might otherwise not display if all cookies are blocked. This browser add on appears to allow ads and buttons that would not usually display if cookies are blocked to be displayed but the tracking ability of them will be disabled.

and was amazed how simple it was, and even allowed clicking on social buttons without allowing cookies to be set. However, I noticed I could no longer enter posts manually on Face Book after installing it. Turning it off, and disabling it, didn't help.

I think these problems will be solved by the developer though. I'm going to try it again later on, to see how things are going. It may work flawlessly on FireFox and Internet Explorer.