GRC876 Total Cookie Protection - Steve seems to be confused


Darcon

Active member
Oct 8, 2020
In episode 876, Steve talked about Firefox's Total Cookie Protection and used his page: https://www.grc.com/cookies/forensics.htm to prove they were not working as third party cookies were still being written.

Total Cookie Protection does not stop third party cookies, it isolates them from tracking you across the web. He even said this at the beginning of the segment.
"This change does not disable third-party cookies. That's the secret. It merely divides the single massive global cookie jar into individual per-domain or, as web engineers would say, same-origin cookie jars. In that manner, any third party is welcome to set a cookie in anyone's browser. But when that user goes somewhere else, the cookie jar will be switched to a new jar for that new domain."

For example, if you go to Costco's website and one of their advertisers, say Tempur-Pedic mattresses, puts a 3rd party cookie in the Costco cookie jar, then go to the Mattress Firm website and Tempur-Pedic mattresses tries to see where else you have shopped for mattresses by looking for their cookie, they won't see it with Firefox because the Costco cookie jar is isolated from the Mattress Firm cookie jar.

The paradigm of the test needs to change. Steve's test would need to have 2 sites to visit, the first writes a third party cookie, the second site looks for the third party cookie to see if it exists. If it does, then flag it as a concern. If it does not find the third party cookie, then write a new one without flagging it.

The whole discussion failed to remember the distinction between an isolated and a central cookie jar.
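
The two-site test proposed in the post above, modelled as an added example that is not part of the original thread: a toy cookie store that keys jars either globally or per top-level site. The hostnames are placeholders and the names `CookieStore` and `embedTracker` are hypothetical; this is a simplified model, not Firefox's implementation.

```javascript
// Added illustration: a toy model of a browser cookie store, not Firefox code.
// Hostnames are constructed placeholders.
class CookieStore {
  constructor(partitioned) {
    this.partitioned = partitioned; // true = one jar per top-level site
    this.jars = new Map();
  }
  // Jar key: cookie host alone (global jar) or top-level site + cookie host.
  key(topSite, cookieHost) {
    return this.partitioned ? `${topSite}|${cookieHost}` : cookieHost;
  }
  get(topSite, cookieHost, name) {
    const jar = this.jars.get(this.key(topSite, cookieHost));
    return jar ? jar.get(name) : undefined;
  }
  set(topSite, cookieHost, name, value) {
    const k = this.key(topSite, cookieHost);
    if (!this.jars.has(k)) this.jars.set(k, new Map());
    this.jars.get(k).set(name, value);
  }
}

// A third-party resource embedded in a page: reuse the existing id cookie if
// the browser sends one, otherwise mint a new one. Returns what the tracker saw.
let nextId = 1;
function embedTracker(store, topSite, trackerHost) {
  const seen = store.get(topSite, trackerHost, "id");
  const id = seen ?? `visitor-${nextId++}`;
  store.set(topSite, trackerHost, "id", id);
  return { seen, id };
}

// One-site test: was a third-party cookie stored and sent back on the same site?
function singleSiteTest(store) {
  embedTracker(store, "shop-a.example", "tracker.example");
  const second = embedTracker(store, "shop-a.example", "tracker.example");
  return second.seen !== undefined;
}

// Two-site test from the post: site A writes, site B looks for it.
function twoSiteTest(store) {
  const a = embedTracker(store, "shop-a.example", "tracker.example");
  const b = embedTracker(store, "shop-b.example", "tracker.example");
  return b.seen === a.id; // true = cross-site tracking possible: flag it
}
```

In this model the one-site test reports a stored third-party cookie under both jar designs, while the two-site test flags only the global jar.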
 
Reading Steve's post in the Security Now newsgroup, I think Steve eventually realized his mistake. I would expect him to address it in his next podcast (tomorrow as I type this.)
 
Steve is an honest researcher and fessed up. Even more respect for the man!

Hi Gentlemen, I understand the notion of accepting 3rd Party Cookies but stopping them communicating with anything other than the originating site. However, the strict setting in FF is misleading because it very clearly says that with this setting enabled FF 'BLOCKS' 3PC's rather than 'isolating' them.
 
"FF 'BLOCKS' 3PC's rather than 'isolating' them."
This is a distinction without meaning. In order for it to be a 3rd party (or what the page calls cross-site) communication, it has to be reachable cross sites. If they sandbox them so that that communication cannot occur, then how is that not effectively blocking them (or more specifically blocking their functioning)?