What does Google actually know?
rjo__
Posts: 2,114
I am using Windows 10. Normally I go to very few sites: Parallax, YouTube, Breitbart, etc. And I never download anything except when I know it is a fairly secure site... but I broke my own rule and downloaded a video... I had to learn how to do this, because there was no option listed on the page... the recommended method involved tossing my cookies.
Now YouTube treats me like a complete stranger... all of my usual "recommended just for you... because you are special" stuff is gone... and won't come back.
I don't think these guys are as smart as they are made out to be.
I want my cookies back!!!!
Comments
https://www.hotcleaner.com/cookies.html
If I need to temporarily allow all cookies, I use the Cookies App to delete unwanted cookies after I reset and adjust the restrictions.
I think you've misunderstood how cosy RJO was feeling with the ever present personalised tracking. He wants it all back but doesn't know how.
I personally prefer the results to reflect an unbiased collection of what I've asked for rather than a preselected list of promotional material. As such I just blanket block all scripting. Oh, and the cookies have always been auto-deleted by the browser upon closing so they've never been an issue.
Not so sure about this. Since at least Netscape 2.0 they've recorded to a cookies file. They were specifically designed to determine if a user had previously visited the site, and that assumes cross-session operability.
Today, the localStorage HTML5 object is the current fav, and those record to a file (sessionStorage will hold only for the session).
I'm pretty sure cookies were primarily devised to solve that problem.
Of course cookies hang around so they can then also be used to determine if you have visited before. Even before you log in to a new session.
And cookies were readable from JavaScript so any other page you visit could contain JS that reads your cookies and forwards them to whoever.
All in all HTTP was designed to be as insecure as possible. Luckily we can tighten things up a lot nowadays but it takes care and attention.
Cookies can be annoying though. For example when I click on a link in a forum to see a picture of some gadget or something that somebody was discussing. Unless I remember to open that link in incognito mode (ref. Gordon's post) I'll immediately get email spam from Amazon about similar items they're selling. Because somewhere there is a cookie stored for Amazon because I buy Kindle books now and then.
(I actually have 'delete cookies when browser is closed' enabled, but I *never* close my browser. Would lose all my tabs then. So if I *must* restart, I kill the browser and start in recovery mode. So all cookies always stay.)
If you're on a site that contains iframes or other content from another site, you can turn off accepting Third Party Cookies. This setting allows for same-domain cookies, but rejects cookies from domain B when you're on domain A. This setting doesn't require the cooperation of the domains.
If you're truly getting email spam from Amazon, there's a setting where you can turn those off. I don't get anything from Amazon other than notices about my purchases.
Why is it that all the settings that everyone wants set one way (mostly disable whatever it is) are always set the opposite way by default?
This applies to browser settings, Windows 10 settings, and so on.
It also applies to HTTP(S) itself. There is a bunch of headers that a security-aware server has to set in its responses to tell the browser not to do dangerous things. Not to mention other defensive measures a secure web app has to take.
$$$ MONEY $$$
The default settings provide greater ease at targeting ads and services. How will Google and Microsoft make their billions if they can't lob advertising at you?
They also say they allow all the Smile to make a better user experience. They think allowing (and not providing a switch to disallow) cross-domain JavaScript is a good thing for users. Google isn't about to adopt this protection; their Analytics code depends on it.
"Oh yes, please, Mr. Google. Add that cross-domain script tag to the DOM, just like any good malware writer would do. Thank you sir, may I have another?"
+1
You learn things here... you can't find anywhere else.
Thanks
ANYONE is free to tell the brewer how to make better beer. The brewer is under no obligation to take up that advice. This is how the market, even freeware software, works.
There is a long historic precedent for this. It took users to call out Netscape for not disclosing cookies, or that email addresses could be silently harvested just with simple JavaScript. We all enjoy better transparency now, but it can take everyday users to pressure software makers to step up to the plate. Publishers of free software are not immune to free criticism.
Lest anyone think something like Chrome is full of security holes, the opposite is true. Example: Chrome defaults to some very restrictive cross-domain checks, especially related to HTML5 content. Chrome treats local content uniquely, for instance, kicking up a CORS error when writing to and reading from the HTML5 canvas (so-called tainting). Firefox allows you to run this type of local disk content as if it were from a server, and doesn't raise an error. This *could* be a problem if users are duped into downloading and opening a local file that contains malicious code. The extent of this specific exploit is open to conclusion, with Chrome following one model, and Firefox another. Certainly Firefox employs other forms of CORS restrictions, and their model as a whole may mitigate any issues.
Which approach is best? That's a matter of opinion, and this is where discourse and criticism from users come into play. As long as the software developers keep an open mind, the debate always leads to better software.
In which case, my post didn't apply.
Clearly we as individuals are not going to be able to create a modern day web browser. Not many of us are wealthy enough to even contemplate hiring people to do it for us. A web browser is not some niche program one might need.
The web is now an essential part of life. Like food. Not many of us are farmers or are able to grow our own food. It's big business now. But I think you might agree that we have a right to demand that those who provide food do a good job of providing good health stuff and not cheating us.
Gordon is right. Chrome actually does a good job of securing things. To a large extent we are not Google's customers but rather the likes of the banks, Amazon, eBay, etc. For them they make things watertight.
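
The thread mentions response headers a security-aware server has to set and cookies being readable from JavaScript. As an added example (not code from any poster in the thread), this Node.js script audits a response's Set-Cookie attributes and a few commonly recommended security headers; the header list and the sample response are constructed assumptions.

```javascript
// Added example: audit response headers for cookie and browser protections.
// RECOMMENDED_HEADERS is an assumed baseline, not an exhaustive list.
const RECOMMENDED_HEADERS = [
  "content-security-policy",   // limits where scripts may be loaded from
  "strict-transport-security", // keeps later visits on HTTPS
  "x-content-type-options",    // disables MIME sniffing
];

// Parse one Set-Cookie value into its name and lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...rest] = value.split(";").map((s) => s.trim());
  const eqPos = pair.indexOf("=");
  const name = eqPos === -1 ? "" : pair.slice(0, eqPos);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1);
  }
  return { name, attrs };
}

function auditCookie(value) {
  const { name, attrs } = parseSetCookie(value);
  const findings = [];
  if (!attrs.httponly) findings.push("missing HttpOnly (readable via document.cookie)");
  if (!attrs.secure) findings.push("missing Secure (may be sent over plain HTTP)");
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (!sameSite) findings.push("no SameSite (browser default applies)");
  else if (sameSite === "none") findings.push("SameSite=None (sent on cross-site requests)");
  return { name, findings };
}

// headers: array of [name, value] pairs, since Set-Cookie may repeat.
function auditResponse(headers) {
  const seen = new Set(headers.map(([k]) => k.toLowerCase()));
  const cookies = headers
    .filter(([k]) => k.toLowerCase() === "set-cookie")
    .map(([, v]) => auditCookie(v));
  return { missingHeaders: RECOMMENDED_HEADERS.filter((h) => !seen.has(h)), cookies };
}

// Constructed sample response headers.
const SAMPLE = [
  ["Content-Type", "text/html"],
  ["X-Content-Type-Options", "nosniff"],
  ["Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  ["Set-Cookie", "prefs=dark; Path=/"],
  ["Set-Cookie", "tracker=xyz; SameSite=None; Secure"],
];
console.log(JSON.stringify(auditResponse(SAMPLE), null, 2));
```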