Location: Asia Pacific, Cyberspace, in the Dark Dystopia
Thanks Given: 2,351
Thanked 3,359 Times in 1,878 Posts
So far you have not identified any "threat" or "vulnerability" or any true security concern related to a single cookie or cache which cannot be seen without cookies and caches. You have expressed privacy concerns regarding online purchases and searches related to the tracking of users, all of which do not need to be cache nor cookie based.. Users are not generally not identified by "cookies" and "caches" in most of the scenarios you are offering and if sites wanted to keep the same information that is in a cookie, they could (and do) store that same state information on the server side in a DB. Deleting a cookie will not delete the data from a remote DB.
Let's be specific for a second:
Google Search and Google Products.
On the other hand, the vast majority of Google users are logged into a Google account when they use Google search or view a YT video or user Gmail, so Google tracks users based directly on their browsing habits (what they search for, what they click on, what they watch) and also the user's IP address , the UserAgent string and other readily available information available to every web server, even if your cache is blocked and your cookies are blocked. Google does not need your cookies and cache to track you; so clearing out this will not stop tracking. Heck, it will not even slow them down if they really want to track you!
Rinse and repeat, Google does not need "cookies" to track you. They don't need your cache for any of this. This is the point I keep trying to make. Clearing out cookies and clearing your cache is not stopping Google's tracking. However, it will make your browser load slower without the cache (unless you cache the files again) and it will cause you to need to login again when your cookies have been cleared. Most users, including me, prefer speed and ease of use; blocking cookies will NOT stop Google from tracking you. It's impossible to stop tracking unless you spoof your IP address (using some anon proxy) and spoof your user agent, etc, and do not login to Google, etc. etc. For what? I don't need to use TOR because I don't care if Google tracks me and TOR is SLOW SLOW SLOW. I am not paranoid about "being tracked". I'm not doing illegal things on the net either. This is true for the vast majority of Internet users as well. So what if they are tracked? It's more dangerous crossing the street outside my condo building than being tracked by Google, really! The lifts in my building are more dangerous than cookies, but I don't stop using the elevators.
So, clearing your browser cache every time you logout and deleting all your cookies are not going to have much effect on stopping tracking because Google (in this example) does not need these "cookies and caches" to track you.
I'm not sure why you are keenly against browser caches and cookies. What is the threat? It seems more of a personal dislike; because if you slow down and focus on a single aspect of the "cookies and caching" you are talking about; you will see that "cookies and caches" are not needed to track your web usage habits. Cookies and caches just make life easier for most users. Every web site you visit can store the same information that is in a cookie in a remote site database. A cookie is just data. That data is not necessary in your browser to track and profile you. That data is generated by both the browser and the server and put in a "cookie" to make life easier for the user (password hashes, session information, pages visited, articles read, user preferences), not to track them (speaking about Google in this discussion) in illegal, mysterious ways, generally speaking. Many sites use hashes of passwords as cookies so the user does not need to login again and again. They store the password hashed with the users IP address, for example, so the hash can only be used with a certain IP address, for example. This is for the good of the user experience, not to track their behavior. Rinse and repeat, we don't need cookies and caching to track user behavior.
I'm not sure how much web dev you do on a daily or weekly basis, or how much web code you develop regularly , but I can assure you that Google does not need your cache nor your cookies to track you; but if it makes you feel better to clear your cache every time you log out of your browser, and to delete all your cookies, then that's cool for you. Everyone should do as they wish.
The issue I have is that I do not think you should advising all users to delete their caches every time they log out and clear all they cookies, because "Wolf does not like cookies", in my view. That is why I responded. The vast majority of users never delete their cookies or clear their cache manually and they are not under siege. They will be tracked regardless of their cookie status by web sites who track.
Stated another way, when a security professional does a risk analysis, we look at (1) threat, (2) vulnerability and (3) criticality. What is the "threat" you are referring to? Do you perceive companies who are trying to sell you a product or service as a "threat"? FYI, I don't and most users on the web that I know consider this a feature, not a threat. Do you consider a company tracking your location to target location relevant information to use as "a threat"? FYI, I don't and most other users I know also think this is a feature, not a threat nor a bug. I find location tracking annoying, not threatening. I tend to block location tracking, but not because it is a "threat", but because I do not like location based ads and location based content. It's a just a personal preference. It is not a security issue for me. I'm not hiding my location since I'm not a fugitive on the run from law enforcement or fleeing the tax man
Now, we talk about "vulnerability" . Do "you" feel vulnerable when you browse the net? What makes you feel vulnerable? Are you using insecure passwords? Logging into porn sites and using a credit card? Using dating sites? Enquiring minds want to know? LOL . I'm not feeling vulnerable because I do not use credit cards on porn sites (LOL) and I do use strong passwords. I don't use any dating sites (being a happy guy in my relationship). These things are features, not bugs or threats for the sites I visit and shop.
I do admit that i block the New York Times cookies. That way I don't get all those messages trying to force me to sign up; so I can read the NYTs for free (past the home page). In that case, I'm the one reading the NYTs for free blocking cookies. My Bad. I'm the bad guy, not the NYTs. They deserve to get subscriptions, LOL. It's a great newspaper.
We can certainly agree the web is a dangerous place. That's good
Let's keep going.... I am happy to keep pushing back against your notion of always clearing "cookies and caches" daily and often and I'm just as keen to agree with you, if we can clearly identify the threat, the vulnerability, the criticality of those in the context of a standard risk analysis for them.