Quote:
Originally Posted by
bakunin
To add to this, it is an effective security measure to clear absolutely all cached data (cookies, web content, ....) when closing the browser - i.e. in case of a shutdown. It takes a bit of work to re-login to all the sites but websites will not be able to identify you personally across sessions.
Also notice that some websites use information about your window size to identify you. This is why it is unwise to have maximized browser windows. Use fixed-size windows (like the for instance the TOR-browser does) instead which you should resize only in case you trust the website shown in this window.
bakunin
Hey Wolf,
Well, if here is one claim I can make, is that I am a long time and hands on expert in cybersecurity. I disagree with your advice to users.
Security is not as simple as you make it out to be in your quite sweeping, very general statements about individual IT "security".
Security (in terms of risk) is based on the intersection and threat, vulnerability and criticality. Risk analysis is based on facts, not "fear of the boogie man".
The fact is that the "tracking cookies" (mostly commercial in nature) and the "individual identification" you refer in your post do not provide quantifiable "threats" to the vast majority of individuals on the net and nor do they provide a "threat" which is critical to anyone, in most cases.
I have a very long history in cybersecurity and so I ask you, "why do I not clear all my cookies every time I logout (like the vast majority of all other browser users) and why do I not clear my browser cache every time I logout (like the vast majority of all other browser users)?"
The answer is simple. In general, I do not have an "issue" being tracked with cookies for commercial reasons; compared to the benefit of cookies, local browser storage and caching. It there was a "threat" which was "critical" to me, I would block cookies; but there is no such threat, in general.
So Wolf, I am curious... what do you do on the net which is so "critical" that you have "threats" which exploit "vulnerabilities" which cause you do "feel the need" do constantly delete cached content on your browser? Or, as I expect, there is none (really) and you simply have a personal dislike of "commercial tracking" on the net? Having a dislike of something, does not make it a "threat" or even a "vulnerability" in the context of risk analysis.
Location based services begs the question, "so what" if my location is tracked? Personally, I am not committing any crime where I need to "conceal my tracks", and so if Facebook or Google tracks my location because I use their many free services like Google Maps (free as in I do not pay for them and use them every time I drive my car outside of the area I live), or FB location when posting a picture for the few friends interested in what I am "up to". So what? How does that "tracking" effect the health and security of my life? I am not a criminal hiding from law enforcement. I am not a spy or an informant in a witness protection program. There is no "boogie men" chasing me around trying to track my location because my life is so interesting to track. I am not a rock star which my every movement has commercial value to a tabloid magazine.
Who and what is the threat?
Users must decide on their own (not by others) if the convenience of easy login to their favorite commercial and free web sites (and the speed of working with cached static files not being loaded again and again) are more important, to themselves an individuals , than worrying about being "tracked", which in the web is primarily for commercial ad targeting reasons. Many people that I know, have no problem at all being "tracked" and having products, goods and services offered to them because of cookies and location tracking. That is their choice, right? Some people like to eat vegetables, others do not. The same is true for how people use the internet.
So, I'm happy to debate this with you (or any and all) if we stick with facts, but I would tell you that very weak passwords by users pose a much greater vulnerability to their "IT life" (and the sites they visit) than the cookies and location tracking in their devices, especially combined with email spoofing and phishing techniques in email. It might surprise you, but most of the "younger generation" that I know do not even use email at all (and avoid it like a virus) and prefer messaging. They are not worried that FB "reads" their messages; because most are not doing illegal things on the net. They want free and easy (and fast) access!
In Thailand, for example, the strong trend is online shopping. It's cheaper for most people. There is less traffic, less air pollution, and less global warming contribution, to shop on line versus taking a car into the city. It is faster than sitting in traffic. There is no fuel costs. The prices are generally cheaper because there are less costs in the sale of goods (expensive real-estate not required), and they have more choices. Some of my friends shop nearly exclusively on line; and they are 30 to 40 years younger. They have no worries about a "cookie" or "cached content" and they do not want to login over and over when they shop on line; and they do not want to add to global warming taking a car into the city when they can buy online. They want speed and a very fast internet experience. They do not clear their browser caches or even think or care about it. What is the threat to them?
In closing Wolf, I disagree with your "sweeping advice" to all users to always "clear their cookies and cached data content". That is a decision than an individual should make based on their personal "risk profile" and for most people who are casual internet users (shoppers, information seekers); the desire for fast web performance (based on caching) and personalized content in the browser (based on cookies and local browser storage) and ease of access to their casual web sites (cookie based login and session information) for shopping, comparing prices, and seeking information (not criminal in nature), far out-weights the personal "risk", especially when we quantify (or qualify) risk based on the intersection of (1) threat, and (2) vulnerability and (3) criticality.
I do not advise people to "always clear their cache and their cookies" on their personal computers and personal devices, but they are certainly free to do so it it makes them feel good. However, I do not, in general, clear all cookies and the cache all the time on my personal devices, because like others, I prefer "speed and accessible" versus "slow and less accessible". That is an individual choice (based on my personal risk profile), not a choice that can be made by others in a very general statement about security or privacy..
On the other hand, when on a shared computer in public spaces, it is a good idea not to do anything which uses personal information which can be used to access a person's account.
I'm happy to debate this with anyone if they want to discuss IT security and privacy concerns based on risk, risk criteria, and facts, if it pleases them.
Maybe you can begin Wolf by discussing a specific scenario where cookies and caching on a personal computer puts a person at risk and what the risk it and how that risk profile is defined based on the (1) threat to the user, (2) the vulnerablity in the system that can be exploited by a threat, and (3) the severity or critical damage to the user if both (1) and (2) occur?
I am very interested in this topic, so please and kindly be factual in this, as you are in describing your great unix and linux solutions here at unix.com, so I can know your ideas about risk, threat, vulnerability and severity. I am truly curious what you are "worried about" which makes you "advise everyone on the net" to always clear their cache and delete all cookies in their web browsers!
Thanks!
