Individual Risk Management (Personal IT Security) and Browser Cache Management

To add to this, it is an effective security measure to clear absolutely all cached data (cookies, web content, ....) when closing the browser - i.e. in case of a shutdown. It takes a bit of work to re-login to all the sites but websites will not be able to identify you personally across sessions.

Also notice that some websites use information about your window size to identify you. This is why it is unwise to have maximized browser windows. Use fixed-size windows (like the for instance the TOR-browser does) instead which you should resize only in case you trust the website shown in this window.

bakunin

Hey Wolf,

Well, if here is one claim I can make, is that I am a long time and hands on expert in cybersecurity. I disagree with your advice to users.

Security is not as simple as you make it out to be in your quite sweeping, very general statements about individual IT "security".

Security (in terms of risk) is based on the intersection and threat, vulnerability and criticality. Risk analysis is based on facts, not "fear of the boogie man".

The fact is that the "tracking cookies" (mostly commercial in nature) and the "individual identification" you refer in your post do not provide quantifiable "threats" to the vast majority of individuals on the net and nor do they provide a "threat" which is critical to anyone, in most cases.

I have a very long history in cybersecurity and so I ask you, "why do I not clear all my cookies every time I logout (like the vast majority of all other browser users) and why do I not clear my browser cache every time I logout (like the vast majority of all other browser users)?"

The answer is simple. In general, I do not have an "issue" being tracked with cookies for commercial reasons; compared to the benefit of cookies, local browser storage and caching. It there was a "threat" which was "critical" to me, I would block cookies; but there is no such threat, in general.

So Wolf, I am curious... what do you do on the net which is so "critical" that you have "threats" which exploit "vulnerabilities" which cause you do "feel the need" do constantly delete cached content on your browser? Or, as I expect, there is none (really) and you simply have a personal dislike of "commercial tracking" on the net? Having a dislike of something, does not make it a "threat" or even a "vulnerability" in the context of risk analysis.

Location based services begs the question, "so what" if my location is tracked? Personally, I am not committing any crime where I need to "conceal my tracks", and so if Facebook or Google tracks my location because I use their many free services like Google Maps (free as in I do not pay for them and use them every time I drive my car outside of the area I live), or FB location when posting a picture for the few friends interested in what I am "up to". So what? How does that "tracking" effect the health and security of my life? I am not a criminal hiding from law enforcement. I am not a spy or an informant in a witness protection program. There is no "boogie men" chasing me around trying to track my location because my life is so interesting to track. I am not a rock star which my every movement has commercial value to a tabloid magazine.

Who and what is the threat?

Users must decide on their own (not by others) if the convenience of easy login to their favorite commercial and free web sites (and the speed of working with cached static files not being loaded again and again) are more important, to themselves an individuals , than worrying about being "tracked", which in the web is primarily for commercial ad targeting reasons. Many people that I know, have no problem at all being "tracked" and having products, goods and services offered to them because of cookies and location tracking. That is their choice, right? Some people like to eat vegetables, others do not. The same is true for how people use the internet.

So, I'm happy to debate this with you (or any and all) if we stick with facts, but I would tell you that very weak passwords by users pose a much greater vulnerability to their "IT life" (and the sites they visit) than the cookies and location tracking in their devices, especially combined with email spoofing and phishing techniques in email. It might surprise you, but most of the "younger generation" that I know do not even use email at all (and avoid it like a virus) and prefer messaging. They are not worried that FB "reads" their messages; because most are not doing illegal things on the net. They want free and easy (and fast) access!

In Thailand, for example, the strong trend is online shopping. It's cheaper for most people. There is less traffic, less air pollution, and less global warming contribution, to shop on line versus taking a car into the city. It is faster than sitting in traffic. There is no fuel costs. The prices are generally cheaper because there are less costs in the sale of goods (expensive real-estate not required), and they have more choices. Some of my friends shop nearly exclusively on line; and they are 30 to 40 years younger. They have no worries about a "cookie" or "cached content" and they do not want to login over and over when they shop on line; and they do not want to add to global warming taking a car into the city when they can buy online. They want speed and a very fast internet experience. They do not clear their browser caches or even think or care about it. What is the threat to them?

In closing Wolf, I disagree with your "sweeping advice" to all users to always "clear their cookies and cached data content". That is a decision than an individual should make based on their personal "risk profile" and for most people who are casual internet users (shoppers, information seekers); the desire for fast web performance (based on caching) and personalized content in the browser (based on cookies and local browser storage) and ease of access to their casual web sites (cookie based login and session information) for shopping, comparing prices, and seeking information (not criminal in nature), far out-weights the personal "risk", especially when we quantify (or qualify) risk based on the intersection of (1) threat, and (2) vulnerability and (3) criticality.

I do not advise people to "always clear their cache and their cookies" on their personal computers and personal devices, but they are certainly free to do so it it makes them feel good. However, I do not, in general, clear all cookies and the cache all the time on my personal devices, because like others, I prefer "speed and accessible" versus "slow and less accessible". That is an individual choice (based on my personal risk profile), not a choice that can be made by others in a very general statement about security or privacy..

On the other hand, when on a shared computer in public spaces, it is a good idea not to do anything which uses personal information which can be used to access a person's account.

I'm happy to debate this with anyone if they want to discuss IT security and privacy concerns based on risk, risk criteria, and facts, if it pleases them.

Maybe you can begin Wolf by discussing a specific scenario where cookies and caching on a personal computer puts a person at risk and what the risk it and how that risk profile is defined based on the (1) threat to the user, (2) the vulnerablity in the system that can be exploited by a threat, and (3) the severity or critical damage to the user if both (1) and (2) occur?

I am very interested in this topic, so please and kindly be factual in this, as you are in describing your great unix and linux solutions here at unix.com, so I can know your ideas about risk, threat, vulnerability and severity. I am truly curious what you are "worried about" which makes you "advise everyone on the net" to always clear their cache and delete all cookies in their web browsers!

Thanks!

1 Like

Wow - i didn't expect such an answer from a casual remark i threw somewhere between two meetings.

First off, thank you for taking the time to start this discussion. It is a worthwhile one and it should be held - not only by you and me but by everyone in our line of business. You are also right in this regard: i threw the term "security" into discussion without defining what i meant with it. So let me first make up for this before we delve into the main part again.

"Security" is a term that is used - and misused - in many ways and i have to blame myself for not saying more clearly what i mean when i used the term. There are a lot of different - more or less legitimate - meanings and i will not enter the discussion about how legitimate these meanings are. For you (or so i suppose) security means most prominently:

  • make sure anybody without a certain authorisation cannot do something the intended authorisation is required for
    (e.g. make sure stopping and starting the application can only be done by a certain user)

  • make sure anybody without a certain authorisation cannot do something the intended authorisation is required for
    (e.g. make sure nobody can become that user without the necessary password)

  • make sure nobody can get the authorisation by means outside of the supposed procedures
    (e.g. make sure nobody gets that users password by i.e. phishing methods)

and, i might add, this is a very important aspect of security. Most of what i read from you about security plays more less up that alley and most times, when i talk about security i mean the same. Still, there is another aspect and that is - privacy. Privacy is also an aspect of security because we are, at the core, territorial beings. I may have nothing to hide but i still wouldn't feel comfortable letting strangers search my bedroom or look at my bank account - and i'd feel even less comfortable if they do it while i am not there. (To be honest, if they'd look at my bank account i'd primarily feel not so much uncomfortable but embarrassed. ;-)) )

Cookies are little files a web server places at the client side which can be queried by the server later. In most cases these are used for harmless functions - after all, HTTP does not create a "session" but works rather like a mail exchange. HTTP consists of independent messages going back and forth between sender and receiver and if one wants to provide lasting context (this is what sets apart "sessions" from "messages") either the web server has to remember it - which would lead to exhaustion of resources on the server side in a very short time - or the server has to have a way to offload that to the client. This was the original rationale for creating cookies and in general storing web content on the client side.

Alas, this concept can be misused (like most things can be) and in fact in modern web development it regularly is. Modern web development and web server operating is a costly undertaking and things/services on the web are - mostly - supposed to be free. It follows that somehow the money to do it has to be raised somehow. Many web services do that by advertising and the revenue for advertisements is the better the more you know about the targets of these advertisements - the user. This is why many developments in modern Web Development revolves around getting more information about the user and one of the means of knowing the user better is to put context to his sessions - by cookies (i am aware these are not the only means - but a prominent part of it). Cookies (among other things) are used to connect data from single accesses to a web server to a picture about your habits.

This may sound pretty benign: the bookstore where you always buy the crime stories you like to read will provide only crime stories (and not the history documentations you detest) in its suggestions. On the other hand, whenever i go into a real bookstore i may be searching for a crime story but at that time i will see 5 other books - completely different in topic - which also interest me. This widens my horizon whereas i would start to "boil in my own bubble" otherwise. A similar notion goes for Youtube, as you noticed yourself, for Amazon, for Google, ....

I don't want to be in a bubble and this is why i completely delete all web data between browser sessions. It is probably not enough but at least it is a part of what i consider necessary to get a "clean slate" every time i contact one of these services. I don't want to get only hit in french (which i don't understand) just because i contact Google in France, etc., etc.. And, btw., if i am not forced by the policy of a company i work for i do not use Google at all but a mix of search engines all vowing to retain no data about me: Ixquick/StartPage, DuckDuckGo, and so on. I do not use Googles DNS server (or - heaven forbid - the hacked/crippled DNS server of my german ISP) but UncensoredDNS and Cloudflare (1.1.1.1) for backup. The only difference between my ISPs DNS and UncensoredDNS may be some porn site i don't care for anyway - but i would like to retain the decision if it is relevant or not for me mine. I will not give away that to some nondescript committee which decides behind closed doors about what is best for me.

You asked for a scenario where this might pose a risk to the user: let us say i search Google for ways to overcome personal debt repeatedly. If one of the "advertisement partners" of Google is the next bank and if Google is able to identify me across sessions i may well have lowered my credit rating effectively by doing that research - even if it might not even be for me. Given, that is a constructed example and includes a lot of conjecture - but the girl getting advertisement for baby food before even her parents were aware of her pregnancy was real. It is not a lot different (not in scope and definitely not in technical background) from what i presented here.

Professionally i support a lot of "big data" installations and - believe me - you'd be amazed about what is possible with a P9 LPAR, some TB of memory and many TB of fast disk space from a SAN like EMCs ExtremeIO.

I will stop here and leave something to discuss further on. At any rate, this is a great topic to discuss and i am looking forward to seeing your (and others) POV described in more detail. I am happy to be part of a community where we convene to learn and refine our ways from the exposition to each others perspectives.

Wolf

First. let me help you clarify.

Cookies are generally not "queried" by a server. Cookies are sent to the server with each page (that belong to the same cookie domain) as part of the standard HTTP request.

If you open any web dev tool, like Google Chrome Web Dev Tools (but it is the same with each major browser), you will see the cookies are sent with each page, not requested by the server.

Sorry, I just wanted to be technically correct.

Yes, that first example is "constructed" and not really realistic.

The second is a real example, but that example is not because of "cookies and caches"... it was because the girl had made purchases with Target and so Target (a retail chain in the US) sent her a paper flyer in the mail based on her purchases.

Neither of your examples are related to clearing cookies and caches.

The first is just a fantasy based without facts or details.

The second is well documented NOT to be related to cookies or web caches, but is related to the computer records of the purchases of the girl in the story. The article ends with an apology:

Can we please stick to the facts of "cookies" and "caches" which you advised people to clear "for their own good".

Neither of the scenarios you posted are relevant to that. I am sorry to inform!!

On the other hand, even if the girl in the "real story" above cleared her cookies and cache, she would have still got the coupons because she was targeted (marketing) because of her purchase history with the company in their database, not because of "cookies" or "caches" in browsers.

Also, the example from our Rant a while back when I posted about Goggle's YT targeting, that scenario is also not cookie nor cache based.

That targeting is based on user clicks, and searched, on the YT site, all back end DB data crunching, clearing cookies and caches will not change that as well!!.

(Combined with IP address info (location tracking) is some cases....

Let's keep this discussion going!

If i remember correctly (i admit, i remember it slightly different, but this was the first link i found) she hasn't even purchased things, just searched for them. But my point is: the reason why they were able to connect these searches (and/or purchases) and form a coherent picture describing her habits was because they were able to identify her across "sessions" (for the argument it doesn't matter if these sessions were purchases or just web searches): there is one session where someone searches for/buys "X" and there is another session (say, a day later) where someone searches for/buys "Y". To understand that a single person searched for/bought "X" as well as "Y" (and that way forming a picture of what the person is interested in) one has to have to connect the session data from these two sessions and come to the conclusion that the "someone" from the first session is the "someone" from the second one. If these were purchases the identifying criteria would be credit card information, name, address and so on. If these were web searches one of the methods doing the same is cookies, another is other stored web data. There was also a story about people being identified because of their search history a few years ago. This was possible only because the search engine provider (in this case not Google but AOL) was able to identify persons across contacts. It isn't necessary to identify you personally like "this session is by person X", it is sufficient to identify different persons like "this session was by the same person as that session".

Clearing these identification helpers will make it harder (note well - i don't say "impossible") for these organisations to identify you across various contacts with their services. I will readily concede that using anonymizing proxies (like TOR) will even help prevent this to a greater extent, but TOR is relatively slow, because of the way it operates. This is why i use it only for select purposes and use Firefox (with a hardened config, Ghostery, NoScript, and AdBlock installed, WebRTC disabled, ...) for low-threat things. And for the same reasons i delete all cached web data (session data especially) when i close the browser.

Another way would be to use "anonymous windows", which basically does the same with every new window. But i want at least some continuity in my browsing - i don't want to log in here for every new post, for instance, i don't want to log in to my chess server for every new game, etc. - i just do the bare minimum. Which is what i suggested.

Wolf

Hey Wolf,

So far you have not identified any "threat" or "vulnerability" or any true security concern related to a single cookie or cache which cannot be seen without cookies and caches. You have expressed privacy concerns regarding online purchases and searches related to the tracking of users, all of which do not need to be cache nor cookie based.. Users are not generally not identified by "cookies" and "caches" in most of the scenarios you are offering and if sites wanted to keep the same information that is in a cookie, they could (and do) store that same state information on the server side in a DB. Deleting a cookie will not delete the data from a remote DB.

Let's be specific for a second:

Google Search and Google Products.

Google identifies you based on your IP address and the user agent string when not logged in to Google, generally not via cookies, session hashes, or your cache (generally speaking). They do not need your cookies or browser cache to track you or your habits. Google does use cookies, but blocking them will not stop Google from tracking you or profiling you.

On the other hand, the vast majority of Google users are logged into a Google account when they use Google search or view a YT video or user Gmail, so Google tracks users based directly on their browsing habits (what they search for, what they click on, what they watch) and also the user's IP address , the UserAgent string and other readily available information available to every web server, even if your cache is blocked and your cookies are blocked. Google does not need your cookies and cache to track you; so clearing out this will not stop tracking. Heck, it will not even slow them down if they really want to track you!

Rinse and repeat, Google does not need "cookies" to track you. They don't need your cache for any of this. This is the point I keep trying to make. Clearing out cookies and clearing your cache is not stopping Google's tracking. However, it will make your browser load slower without the cache (unless you cache the files again) and it will cause you to need to login again when your cookies have been cleared. Most users, including me, prefer speed and ease of use; blocking cookies will NOT stop Google from tracking you. It's impossible to stop tracking unless you spoof your IP address (using some anon proxy) and spoof your user agent, etc, and do not login to Google, etc. etc. For what? I don't need to use TOR because I don't care if Google tracks me and TOR is SLOW SLOW SLOW. I am not paranoid about "being tracked". I'm not doing illegal things on the net either. This is true for the vast majority of Internet users as well. So what if they are tracked? It's more dangerous crossing the street outside my condo building than being tracked by Google, really! The lifts in my building are more dangerous than cookies, but I don't stop using the elevators.

So, clearing your browser cache every time you logout and deleting all your cookies are not going to have much effect on stopping tracking because Google (in this example) does not need these "cookies and caches" to track you.

I'm not sure why you are keenly against browser caches and cookies. What is the threat? It seems more of a personal dislike; because if you slow down and focus on a single aspect of the "cookies and caching" you are talking about; you will see that "cookies and caches" are not needed to track your web usage habits. Cookies and caches just make life easier for most users. Every web site you visit can store the same information that is in a cookie in a remote site database. A cookie is just data. That data is not necessary in your browser to track and profile you. That data is generated by both the browser and the server and put in a "cookie" to make life easier for the user (password hashes, session information, pages visited, articles read, user preferences), not to track them (speaking about Google in this discussion) in illegal, mysterious ways, generally speaking. Many sites use hashes of passwords as cookies so the user does not need to login again and again. They store the password hashed with the users IP address, for example, so the hash can only be used with a certain IP address, for example. This is for the good of the user experience, not to track their behavior. Rinse and repeat, we don't need cookies and caching to track user behavior.

Regarding the cache, the cache is simply the same information that ran in the browser, cached on the site so you don't have to load it again and again, to make web access faster. It's a cache. This is not malicious nor threatening to users per se, it is just caching. Clearing out this cache is fine to do; but the browser cache is not some major security or privacy threat to the user. The cache does not run Javascript while you are asleep and turn on your web cam. The script in the cache runs in the browser when you visit the site and that file is requested by the browser. It's the same file, just stored locally. The cache is no more of a threat than visiting the site. The cache is just a cache.

I'm not sure how much web dev you do on a daily or weekly basis, or how much web code you develop regularly , but I can assure you that Google does not need your cache nor your cookies to track you; but if it makes you feel better to clear your cache every time you log out of your browser, and to delete all your cookies, then that's cool for you. Everyone should do as they wish.

The issue I have is that I do not think you should advising all users to delete their caches every time they log out and clear all they cookies, because "Wolf does not like cookies", in my view. That is why I responded. The vast majority of users never delete their cookies or clear their cache manually and they are not under siege. They will be tracked regardless of their cookie status by web sites who track.

Stated another way, when a security professional does a risk analysis, we look at (1) threat, (2) vulnerability and (3) criticality. What is the "threat" you are referring to? Do you perceive companies who are trying to sell you a product or service as a "threat"? FYI, I don't and most users on the web that I know consider this a feature, not a threat. Do you consider a company tracking your location to target location relevant information to use as "a threat"? FYI, I don't and most other users I know also think this is a feature, not a threat nor a bug. I find location tracking annoying, not threatening. I tend to block location tracking, but not because it is a "threat", but because I do not like location based ads and location based content. It's a just a personal preference. It is not a security issue for me. I'm not hiding my location since I'm not a fugitive on the run from law enforcement or fleeing the tax man :slight_smile:

Now, we talk about "vulnerability" . Do "you" feel vulnerable when you browse the net? What makes you feel vulnerable? Are you using insecure passwords? Logging into porn sites and using a credit card? Using dating sites? Enquiring minds want to know? LOL . I'm not feeling vulnerable because I do not use credit cards on porn sites (LOL) and I do use strong passwords. I don't use any dating sites (being a happy guy in my relationship). These things are features, not bugs or threats for the sites I visit and shop.

The web is certainly a dangerous place; but in all honesty, clearing your cookies and cache everyday is not going to stop a web site from tracking you if they want to track you. If there was a reasonable technical argument to clear cookies and caches every time we visited the net, I would agree with you to do so; but I have yet to read or see a factual technical reason to do it. If we weigh this against the reasons web sites use cookies and caches in the first place, most people like the benefits of cookies and caches; and they don't want to clear them for the sake of clearing them.

I do admit that i block the New York Times cookies. That way I don't get all those messages trying to force me to sign up; so I can read the NYTs for free (past the home page). In that case, I'm the one reading the NYTs for free blocking cookies. My Bad. I'm the bad guy, not the NYTs. They deserve to get subscriptions, LOL. It's a great newspaper.

We can certainly agree the web is a dangerous place. That's good :slight_smile:

But it was not "cookies and caches" which caused the Russians to "kick the USA's butt in the 2016 election" The email accounts were hacked because of a phishing attack against Gmail accounts which did not have two factor authentication enabled, not because of cookies and caches. The use of social media for socially divisive propaganda and memetic attacks against people on FB and other platforms was not because of cookies and caches. The threats, vulnerabilities, and criticality of this is easily qualified. I wish we could qualify the threats, vulnerabilities of "cookies and caches" but as a cybersecurity professional, I'm sorry, but so far, nothing we have discussed is directly related to "caches and cookies" as threats to users. Cookies and caches are the least of most users worries on the net, really!

Let's keep going.... I am happy to keep pushing back against your notion of always clearing "cookies and caches" daily and often and I'm just as keen to agree with you, if we can clearly identify the threat, the vulnerability, the criticality of those in the context of a standard risk analysis for them.

Cheers!