Individual Risk Management (Personal IT Security) and Browser Cache Management


 
Thread Tools Search this Thread
The Lounge What is on Your Mind? Individual Risk Management (Personal IT Security) and Browser Cache Management
# 8  
Old 04-03-2019
Hey Wolf,

So far you have not identified any "threat" or "vulnerability" or any true security concern related to a single cookie or cache which cannot be seen without cookies and caches. You have expressed privacy concerns regarding online purchases and searches related to the tracking of users, all of which do not need to be cache nor cookie based.. Users are not generally not identified by "cookies" and "caches" in most of the scenarios you are offering and if sites wanted to keep the same information that is in a cookie, they could (and do) store that same state information on the server side in a DB. Deleting a cookie will not delete the data from a remote DB.

Let's be specific for a second:

Google Search and Google Products.

Google identifies you based on your IP address and the user agent string when not logged in to Google, generally not via cookies, session hashes, or your cache (generally speaking). They do not need your cookies or browser cache to track you or your habits. Google does use cookies, but blocking them will not stop Google from tracking you or profiling you.

On the other hand, the vast majority of Google users are logged into a Google account when they use Google search or view a YT video or user Gmail, so Google tracks users based directly on their browsing habits (what they search for, what they click on, what they watch) and also the user's IP address , the UserAgent string and other readily available information available to every web server, even if your cache is blocked and your cookies are blocked. Google does not need your cookies and cache to track you; so clearing out this will not stop tracking. Heck, it will not even slow them down if they really want to track you!

Rinse and repeat, Google does not need "cookies" to track you. They don't need your cache for any of this. This is the point I keep trying to make. Clearing out cookies and clearing your cache is not stopping Google's tracking. However, it will make your browser load slower without the cache (unless you cache the files again) and it will cause you to need to login again when your cookies have been cleared. Most users, including me, prefer speed and ease of use; blocking cookies will NOT stop Google from tracking you. It's impossible to stop tracking unless you spoof your IP address (using some anon proxy) and spoof your user agent, etc, and do not login to Google, etc. etc. For what? I don't need to use TOR because I don't care if Google tracks me and TOR is SLOW SLOW SLOW. I am not paranoid about "being tracked". I'm not doing illegal things on the net either. This is true for the vast majority of Internet users as well. So what if they are tracked? It's more dangerous crossing the street outside my condo building than being tracked by Google, really! The lifts in my building are more dangerous than cookies, but I don't stop using the elevators.

So, clearing your browser cache every time you logout and deleting all your cookies are not going to have much effect on stopping tracking because Google (in this example) does not need these "cookies and caches" to track you.

I'm not sure why you are keenly against browser caches and cookies. What is the threat? It seems more of a personal dislike; because if you slow down and focus on a single aspect of the "cookies and caching" you are talking about; you will see that "cookies and caches" are not needed to track your web usage habits. Cookies and caches just make life easier for most users. Every web site you visit can store the same information that is in a cookie in a remote site database. A cookie is just data. That data is not necessary in your browser to track and profile you. That data is generated by both the browser and the server and put in a "cookie" to make life easier for the user (password hashes, session information, pages visited, articles read, user preferences), not to track them (speaking about Google in this discussion) in illegal, mysterious ways, generally speaking. Many sites use hashes of passwords as cookies so the user does not need to login again and again. They store the password hashed with the users IP address, for example, so the hash can only be used with a certain IP address, for example. This is for the good of the user experience, not to track their behavior. Rinse and repeat, we don't need cookies and caching to track user behavior.

Regarding the cache, the cache is simply the same information that ran in the browser, cached on the site so you don't have to load it again and again, to make web access faster. It's a cache. This is not malicious nor threatening to users per se, it is just caching. Clearing out this cache is fine to do; but the browser cache is not some major security or privacy threat to the user. The cache does not run Javascript while you are asleep and turn on your web cam. The script in the cache runs in the browser when you visit the site and that file is requested by the browser. It's the same file, just stored locally. The cache is no more of a threat than visiting the site. The cache is just a cache.

I'm not sure how much web dev you do on a daily or weekly basis, or how much web code you develop regularly , but I can assure you that Google does not need your cache nor your cookies to track you; but if it makes you feel better to clear your cache every time you log out of your browser, and to delete all your cookies, then that's cool for you. Everyone should do as they wish.

The issue I have is that I do not think you should advising all users to delete their caches every time they log out and clear all they cookies, because "Wolf does not like cookies", in my view. That is why I responded. The vast majority of users never delete their cookies or clear their cache manually and they are not under siege. They will be tracked regardless of their cookie status by web sites who track.

Stated another way, when a security professional does a risk analysis, we look at (1) threat, (2) vulnerability and (3) criticality. What is the "threat" you are referring to? Do you perceive companies who are trying to sell you a product or service as a "threat"? FYI, I don't and most users on the web that I know consider this a feature, not a threat. Do you consider a company tracking your location to target location relevant information to use as "a threat"? FYI, I don't and most other users I know also think this is a feature, not a threat nor a bug. I find location tracking annoying, not threatening. I tend to block location tracking, but not because it is a "threat", but because I do not like location based ads and location based content. It's a just a personal preference. It is not a security issue for me. I'm not hiding my location since I'm not a fugitive on the run from law enforcement or fleeing the tax man Smilie

Now, we talk about "vulnerability" . Do "you" feel vulnerable when you browse the net? What makes you feel vulnerable? Are you using insecure passwords? Logging into porn sites and using a credit card? Using dating sites? Enquiring minds want to know? LOL . I'm not feeling vulnerable because I do not use credit cards on porn sites (LOL) and I do use strong passwords. I don't use any dating sites (being a happy guy in my relationship). These things are features, not bugs or threats for the sites I visit and shop.

The web is certainly a dangerous place; but in all honesty, clearing your cookies and cache everyday is not going to stop a web site from tracking you if they want to track you. If there was a reasonable technical argument to clear cookies and caches every time we visited the net, I would agree with you to do so; but I have yet to read or see a factual technical reason to do it. If we weigh this against the reasons web sites use cookies and caches in the first place, most people like the benefits of cookies and caches; and they don't want to clear them for the sake of clearing them.

I do admit that i block the New York Times cookies. That way I don't get all those messages trying to force me to sign up; so I can read the NYTs for free (past the home page). In that case, I'm the one reading the NYTs for free blocking cookies. My Bad. I'm the bad guy, not the NYTs. They deserve to get subscriptions, LOL. It's a great newspaper.

We can certainly agree the web is a dangerous place. That's good Smilie

But it was not "cookies and caches" which caused the Russians to "kick the USA's butt in the 2016 election" The email accounts were hacked because of a phishing attack against Gmail accounts which did not have two factor authentication enabled, not because of cookies and caches. The use of social media for socially divisive propaganda and memetic attacks against people on FB and other platforms was not because of cookies and caches. The threats, vulnerabilities, and criticality of this is easily qualified. I wish we could qualify the threats, vulnerabilities of "cookies and caches" but as a cybersecurity professional, I'm sorry, but so far, nothing we have discussed is directly related to "caches and cookies" as threats to users. Cookies and caches are the least of most users worries on the net, really!

Let's keep going.... I am happy to keep pushing back against your notion of always clearing "cookies and caches" daily and often and I'm just as keen to agree with you, if we can clearly identify the threat, the vulnerability, the criticality of those in the context of a standard risk analysis for them.

Cheers!
Login or Register to Ask a Question

Previous Thread | Next Thread
Login or Register to Ask a Question