Defending Firefox from Interest-based Ad Cookies: Page 3

(Page 3 of 3)

To disable third party cookies, do Tools -> Options -> Privacy tab. Then turn off the "Accept third party cookies" checkbox as shown below.

remove firefox cookies, third parties cookie

Interestingly, blocking third party cookies does not interfere with the opt-out preference you set for Yahoo, Microsoft and Google. Instead of using a yieldmanager.com cookie to store your preference, Yahoo stores it in a Yahoo.com cookie. Likewise, Microsoft uses a live.com cookie when it's prevented from creating an atdmt.com cookie.

Google, however, seems to have figured out a way around the third party restriction. In a test, I removed all cookies, disabled third party cookies, then visited the Google ads preferences page.

The page worked normally. That is, it created and updated a doubleclick.net cookie. Beats me how Google does this.

Manual Over-ride for Firefox Cookies

Firefox users also have a manual over-ride that can, for example, force the browser to never accept a cookie from a particular website. This seems to be the only way to prevent Google from writing Doubleclick cookies.

Manual over-ride is configured with: Tools -> Options -> Privacy tab -> Exceptions button. When entering the address of a website, use just the domain name. That is, enter "doubleclick.net" rather than "www.doubleclick.net" or "*.doubleclick.net".

The Allow button always allows a website to place cookies (white listing), the Block button is likewise self-explanatory. When you Allow, for example, nytimes.com to set cookies you may end up with cookies from nytimes.com, blogs.nytimes.com, movies.nytimes.com, travel.nytimes.com, wt.o.nytimes.com or anything that ends with "nytimes.com". This is normal.

The Allow for Session button doesn't strike me as particularly useful. It allows cookies from the website initially, but then removes them when Firefox is shut down. The term "session," when applied to cookies, refers to the time between when you start your web browser and when you shut it down.

You can verify that blocking doubleclick.net cookies blocks Google by visiting the Google Ads Preferences page. The page will, incorrectly, object that cookies are disabled. They're not, only cookies from Doubleclick are disabled.

Protecting your privacy one website at a time, however, is probably not practical. There are many different advertising networks and their names aren't always self-explanatory.

White Listing in Firefox

You may be thinking, why not have Firefox remove all cookies when it shuts down, except for those that are white-listed using the Allow button as described above? This scheme was, in fact, proposed by a listener on the April 16th episode of Steve Gibson's Security Now podcast. Despite the approval this idea got on the podcast, it's not possible.

White-listing a website means that Firefox will accept cookies from the site. It does not mean that Firefox will keep those cookies forever. When you tell Firefox to remove all cookies when it shuts down, that's just what it does. I tested this on both Windows XP and Ubuntu and Firefox deleted all cookies, even white-listed ones, when it shut down.

Deny All Firefox Cookies

Almost every website sets cookies, some depend on them. Is it practical to start out denying all cookies (first and third party) and then allowing them in on a site by site basis?

Good question, and one that can't be answered without trying it for an extended period of time, which I'm going to embark on soon.

Human nature being what it is, this approach needs a fast, quick, easy way to change the Allow/Deny status of a given website. The Permit Cookies extension also mentioned on the same Security Now, episode, is perfect for this.

After installing the extension, a "C" is displayed in the bottom right corner of the Firefox window. If the "C" is gray, then there is no Allow/Deny rule for the currently displayed website. Since we're defaulting to deny everything, gray means cookies are not accepted.

If the "C" is green, then there is an Allow rule and cookies are being accepted. Changing the Allow/Deny status of a website is accomplished by clicking on the "C". It couldn't be much easier.

Authorizing a website to set cookies accepts cookies from just the currently displayed domain. Any third party cookies that website might otherwise set are not allowed.

Installing the extension is the hardest part. For instructions, see the transcript of the April 16th Security Now podcast. It was the last listener question.

A Firefox Clean Slate

Where does this leave us?

The biggest bang for the buck comes from disabling third party cookies. This only takes a second, blocks almost all tracking cookies and still enables good cookies. It's hard to see a down side.

But what about existing tracking cookies? You could try to remove them individually, but it'll probably prove cumbersome. The best way to start clean is to remove all cookies.

Considering that Google can create doubleclick.net cookies even when third party cookies are disabled, I would create a specific block rule for doubleclick.net.

A clean slate, combined with blocking new third party cookies, should offer sufficient privacy with no ongoing maintenance on your part.

Page 3 of 3

Previous Page
1 2 3

Tags: Firefox, search, privacy

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.