GRC876 Total Cookie Protection - Steve seems to be confused

  • Release Candidate 6
    Guest:
    We are at a “proposed final” true release candidate with nothing known remaining to be changed or fixed. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!

    /Steve.

Darcon

Active member
Oct 8, 2020
37
6
In episode 876, Steve talked about Firefox's Total Cookie Protection and used his page: https://www.grc.com/cookies/forensics.htm to prove they were not working as third party cookies were still being written.

Total Cookie Protection does not stop third party cookies, it isolates them from tracking you across the web. He even said this at the beginning of the segment.
This change does not disable third-party cookies. That's the secret. It merely divides the single massive global cookie jar into individual per-domain or, as web engineers would say, same-origin cookie jars. In that manner, any third party is welcome to set a cookie in anyone's browser. But when that user goes somewhere else, the cookie jar will be switched to a new jar for that new domain.

For example if you go to Costco's website and one of their advertisers say Tempur-Pedic mattresses puts a 3rd party cookie in the Costco cookie jar, then went to the Mattress Firm website and Tempur-Pedic mattresses tries to see where else you have shopped for mattresses by looking for their cookie, they won't see it with Firefox because the Costco cookie jar is isolated from the Mattress Firm cookie jar.

The paradigm of the test needs to change. Steve's test would need to have 2 sites to visit, the first writes a third party cookie, the second site looks for the third party cookie to see if it exists. If it does, then flag it as a concern. If it does not find the third party cookie, then write a new one without flagging it.

The whole discussion failed to remember the distinction between isolated and a central cookie jar.
 
Reading Steve's post in the Security Now newsgroup I think Steve eventually realized his mistake. I would expect him to address it in his next podcast (tomorrow as I type this.)
 
Steve is an honest researcher and fessed up. Even more respect for the man!
Screen Shot 2022-07-01 at 09.12.18.jpg

Hi Gentlemen, I understand the notion of accepting 3rd Party Cookies but stopping them communicating with anything other then the originating site. However, the strict setting in FF is misleading because it very clearly says that with this setting enabled FF 'BLOCKS' 3PC's rather than 'isolating' them.
 
FF 'BLOCKS' 3PC's rather than 'isolating' them.
This is a distinction without meaning. In order for it to be a 3rd party (or what the pages calls cross-site) communication, it has to be reachable cross sites. If they sandbox them so that that communication cannot occur, then how is that not effectively blocking them (or more specifically blocking their functioning)?