evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.
evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.
Specifically, when creating a new cookie, it uses the following storage mechanisms when available:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in and reading out Web History
- Storing cookies in HTTP ETags
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
evercookie - go ahead, be evil.
virtually irrevocable persistent cookies
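
A small model of the respawn behaviour described above, added here as an illustration (it is not evercookie's code and touches no real browser storage). Each mechanism is a plain in-memory Map that is assumed to persist between visits, and the names `visit`, `clean`, `residue` and `survivesCleaning` are hypothetical. It shows why a cleaning tool has to cover every mechanism in the list in a single pass:

```javascript
// Model only: each Map stands in for one storage mechanism from the list above.
const MECHANISMS = [
  'httpCookie', 'flashLSO', 'pngCache', 'webHistory', 'etag',
  'userData', 'sessionStorage', 'localStorage', 'globalStorage', 'sqliteDb',
];

function makeBrowser(available = MECHANISMS) {
  return new Map(available.map((name) => [name, new Map()]));
}

// One page visit: look for a surviving value in any store; if one exists,
// reuse it, otherwise use the fresh ID. Then write the result to every store
// (this is the "recreates them using each mechanism available" step).
function visit(browser, key, freshId) {
  let id = freshId;
  for (const store of browser.values()) {
    if (store.has(key)) { id = store.get(key); break; }
  }
  for (const store of browser.values()) store.set(key, id);
  return id;
}

// What a cleaning tool does: wipe only the mechanisms it knows about.
function clean(browser, covered) {
  for (const name of covered) {
    if (browser.has(name)) browser.get(name).clear();
  }
}

// Audit helper: which mechanisms still hold the key after a cleaning pass?
function residue(browser, key) {
  return [...browser].filter(([, store]) => store.has(key)).map(([name]) => name);
}

// True when the identifier from the first visit is seen again after cleaning.
function survivesCleaning(covered, key = 'uid') {
  const browser = makeBrowser();
  const first = visit(browser, key, 'id-A'); // constructed sample IDs
  clean(browser, covered);
  return visit(browser, key, 'id-B') === first;
}

// Clearing cookies and LSOs alone leaves eight stores to respawn from.
console.log(survivesCleaning(['httpCookie', 'flashLSO']));
console.log(survivesCleaning(MECHANISMS));
```

`residue` is the useful check when evaluating a privacy tool: an empty result after cleaning is the only state from which the identifier cannot be rebuilt on the next visit.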
Tags: computers, conspiracies, doomed, security, www
15 Responses:
Oooh, the RGB cookies are particularly nasty.
*slides over to the "disable javascript" setting*
I admire its purity. A survivor... unclouded by conscience, remorse, or delusions of morality.
That's what NoScript is for, right?
Otherwise, I suppose one could store all your bookmarks online and just delete and re-install browsers every time you close down and restart. That might work.
Second NoScript. Shit like this is why I won't move to Chrome.
Funny that, since NoScript doesn't defend against these, but Chrome's incognito mode does.
Chrome's incognito mode does nothing about Flash cookies.
I can't explain my findings, then, when the evercookie page failed to carry a persistent value across incognito sessions. I have Flash installed.
Ah... you're right! Adobe apparently updated Flash to work with incognito mode a couple months ago, in Flash 10.1.
I want off the Web now, please.
Just tried their test with my standard Firefox settings of no cookies, and with NoScript enabled. No cookie was stored. I even enabled JavaScript for the site... still no cookies stored.
I suppose I'll dissent here. I don't care about cookie tracking at all. There are bigger issues of privacy that are more worrisome to me.
There is always lynx for the paranoid.
Like what?
Could probably partially defeat the Private Browsing/Incognito modes of Safari/Chrome if you combined this with a local database where you recorded IPs and browser signatures... You should assume that the "bad guys" have already been doing all this stuff for a while now. If you still want to believe in privacy you're going to have to use lynx proxied through the Tor network and convince everybody else on the planet to do the same...
Privacy is so last millennium.
If Flash is enabled and LSOs are not cleaned, evercookie tracks between browsers, which is a clever trick. Likewise, evercookie can track visits between different domains in the same browser.
BleachBit 0.8.1 deletes evercookie tracking.