I apologise for the rather technical nature of this post, but it is necessary to get across the point I am trying to make.
The HTTP protocol that our web browsers use is stateless, which means that the browser and the resulting webpage don’t natively know where you have come from, or what you have done on the webpage. This changed with the invention of cookies many years ago. These are files that can store a small amount of data in your browser storage to record this information. Cookies have also been used to track people across the web, and to provide a persisted state that can last for a long period of time. That means a cookie can be added to your browser that indicates you visited the site last week and allows the website to bring back suggestions relating to what you browsed back then. This is just one application.
Cookies can also be read by other websites (depending on how they were set up) and can be used for targeted advertisements from other websites, as well as for other nefarious purposes employed by hackers.
A parameter to the cookie that the website can set is the ‘Same-Site’ Cookie Attribute. Developers can instruct browsers to control cookies sent with the request initiated by third party websites, which is a more practical solution than denying the sending of cookies in your browser settings.
There are three settings:
- Not set at all
- Lax – the cookie will be sent along with a request initiated by a third-party website, but only if that request causes a top-level navigation. That is the only case in which a cookie set as Lax is sent.
- Strict – this is the option in which the Same-Site rule is applied strictly. When the Same-Site attribute is set as Strict, the cookie will not be sent along with requests initiated by third-party websites.
I am not going to go into the deep technical aspects of this in this blog, but there is a very useful article on the web that does go into the gory details and that provided me with some of the explanation for this blog. I will also post a link to the video from Steve Gibson below where all this is explained in easy terms.
So, what are Google doing? The current default behaviour in the Chrome browser is the same as if the Same-Site attribute is unset, i.e. it allows full access to the same-site cookies. In Chrome version 74 the default behaviour will be set to that for ‘Lax’, unless the website developer specifically sets the attribute. This will have the effect of stopping a lot of the tracking that goes on between web pages.
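The three settings and the planned change of default, as an added JavaScript example (not code from Chrome or from the sources cited in this post). It models the browser's decision to attach a cookie to a request and compares the outcome when an unset attribute is treated as unrestricted with the outcome when it is treated as Lax. The function names, host names and cookie values are constructed for illustration, and the GET/HEAD condition for Lax comes from the SameSite specification rather than from this post.

```javascript
// Added example: simplified model of a browser's SameSite decision.
// Assumption: a "site" is the last two host labels; real browsers use the Public Suffix List.
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Pull the SameSite value out of a Set-Cookie header; null when the attribute is absent.
function parseSameSite(setCookie) {
  for (const part of setCookie.split(';').slice(1)) {
    const [name, value = ''] = part.trim().split('=');
    if (name.toLowerCase() === 'samesite') {
      const v = value.trim().toLowerCase();
      if (v === 'strict' || v === 'lax' || v === 'none') return v;
    }
  }
  return null;
}

// Decide whether the cookie is attached to a request.
// unsetDefault: how the browser treats a cookie with no SameSite attribute:
// 'none' = the current behaviour described above, 'lax' = the planned default.
function cookieIsSent(setCookie, req, unsetDefault = 'none') {
  const mode = parseSameSite(setCookie) ?? unsetDefault;
  const crossSite = siteOf(req.initiatorHost) !== siteOf(req.targetHost);
  if (!crossSite || mode === 'none') return true;
  if (mode === 'strict') return false;
  // Lax: only top-level navigations using a safe method (GET/HEAD) carry the cookie.
  const safe = ['GET', 'HEAD'].includes(req.method.toUpperCase());
  return req.topLevelNavigation && safe;
}

// Constructed sample data: three cookies and three requests started by a third-party page.
const cookies = {
  unset: 'sid=abc123; Path=/; Secure',
  lax: 'sid=abc123; Path=/; Secure; SameSite=Lax',
  strict: 'sid=abc123; Path=/; Secure; SameSite=Strict',
};
const from = { initiatorHost: 'ads.example.net', targetHost: 'www.shop.example' };
const requests = {
  link: { ...from, method: 'GET', topLevelNavigation: true },   // user clicks a link
  image: { ...from, method: 'GET', topLevelNavigation: false }, // embedded tracking pixel
  post: { ...from, method: 'POST', topLevelNavigation: true },  // cross-site form submit
};

// Build a cookie/request decision table for one browser default.
function decisionTable(unsetDefault) {
  const rows = {};
  for (const [cName, c] of Object.entries(cookies))
    for (const [rName, r] of Object.entries(requests))
      rows[`${cName}/${rName}`] = cookieIsSent(c, r, unsetDefault);
  return rows;
}
console.table({ before: decisionTable('none'), after: decisionTable('lax') });
```

The only rows that differ between the two columns are `unset/image` and `unset/post`, which is where the tracking reduction described above comes from.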
Google to Implement Anti-Fingerprinting Features in Chrome
First let me explain. Browser Fingerprinting is a technique exploited by a number of websites in order to identify you more precisely using a number of factors present on the device you are using, including:
- The User Agent string your browser broadcasts on every HTTP (including HTTPS) request
- Size of the browser window
- Fonts installed on your device
- Applications installed on your device
It can also be used by hackers to track your progress across the web.
I suggest you go to the Electronic Frontier Foundation’s service called Panopticlick to test out your browser. You will be amazed at what information your browser is telling websites about you without any control from you. It is best to switch off your adblocker and any tracking protection extensions to see what the raw browser does, then enable them again to see how effectively they protect you.
Google are planning to implement some form of fingerprinting protection in a later version of the Chrome browser. They haven’t stated exactly what yet, or what version, but I will post an update when I find out.
If you want fingerprinting protection now, Firefox are bringing some of the features from the TOR Browser to Firefox in version 67 (current version as of writing is 66.0.5). It should be noted that Mozilla, who build the Firefox browser, also produce the TOR browser that channels everything through the TOR network.
This is not strictly a privacy change, but I thought I would mention it anyway as I am sure people will find it useful.
How many times have you visited a number of sites, and then decided to use the back button in your browser to take you to the previous page, only to find it sends you back to where you were or to another page entirely?
This is caused by the website changing the back-button’s stack of sites you have visited by using redirects and by directly changing the back-button’s history. I find this annoying on just about every browser I use.
To bypass this on Chrome you can long press the back button and get a history of sites visited, or on other browsers you can also go to the browsing history and pick up the site you wanted from there. But this is all friction that you really don’t want to contend with.
Google are planning, in a later version of Chrome, to tag websites you specifically requested and serve them up with the back button, therefore making the back button experience more predictable.
I welcome these changes to the Chrome Browser, and hopefully Firefox, Safari and other browsers will also follow suit. My hope is also that the Chrome Version of the Microsoft Edge browser will adopt these features (developer versions of this browser can be found on Microsoft’s Insider page, but be aware this is development software and may not be stable).
My primary source for this post was Steve Gibson’s very good Security Now podcast, which is produced by the TWiT Network every week and gives a roundup of the main security and privacy related news stories from the previous week. A link to the podcast is below:
This podcast also goes into the WhatsApp flaw that was recently disclosed (I am not writing about this), and changes to privacy recently announced at the Google IO developer conference on Android Q (next version) – you may also like to read my summary in my own blog post here.
A few more articles that you can read to educate yourself on how Cookies are used:
- NSA uses Google cookies to pinpoint targets for hacking (from 2013)
- Exploiting Browser Cookies to Bypass HTTPS and Steal Private Information (from 2015)
- What Is a Forged Cookie and How Did it Allow Hackers to Get Into My Yahoo Account?
There are many more articles out there, just put ‘Hacking using Cookies’ into your favourite search engine to find a trove of material.