[aerotwelve]

What's the best way to circumvent this? Is it even possible?

I'm no expert (which is why I ask), but I assume that blocking third-party cookies in your browser won't prevent situations like the tracker example the author provides.

That is, since you visited tracker at least once, their cookie would have been set during that visit as a first-party cookie, and therefore the http requests to retrieve the 1x1 transparent image from their server will contain the data they're after, right?

[pdkl95]

> What's the best way to circumvent this? Is it even possible?

1) Get rid of the misfeatures that allow the problem to exist. Change the browser to never send headers that leak information by design (Referer, Cookie, Etag, User-Agent, etc).

1.1) (Optional) Fix stateful sessions that previously depended on cookies with a new HTTP session+authentication feature (that doesn't have the problems that made the Authorization header mostly useless).

2) Strip most of the other HTTP headers that leak bits of entropy so the browser fingerprint is too small (~16 bits max?) to be a unique id.

2.1) (Optional) Add some of the removed functionality back as a single header that reports a single "browser class" out of a handful (<32, 4-5 bits max. ~8 would be better) of predefined classes (e.g. "Standard Desktop with screen size between H1xW1 and H2xW2 with >=2 channel audio output. Supported codecs: audio=[MP3, AAC], video codec [...]", "mobile with multitouch screen with size ...etc...").

3) Disable Javascript. Running Turing complete code from potentially malicious remote hosts will always be dangerous, because it isn't possible to answer any question about the behavior of a program without running it (halting problem in general; Turing machines with >=7918 states cannot[1] be proven with ZF set theory). A safe web of documents is possible. Software needs to be handled separately.

Of course, none of this will happen because the people with the power to make most of these changes derive a lot of their income from surveillance.

[1] https://www.scottaaronson.com/blog/?p=2725

[dahart]

I'm very much all for improving the security and privacy of the internet and my computer, but this seems pretty over the top to me.

> Get rid of the misfeatures that allow the problem to exist. Change the browser to never send headers that leak information by design (Referer, Cookie, Etag, User-Agent, etc).

The internet is the problem. If you want to get rid of being tracked on the internet, you have to stop using the internet. If you remove user agents & cookies & tags, you don't solve the problem and you lose some useful features. None of those things keeps your ISP from watching, nor do they stop web sites from noting your IP & requests and storing them on their end. And for anything you have to log into, there's no point to hiding headers.

> Of course, none of this will happen because the people with the power to make most of these changes derive a lot of their income from surveillance.

That's probably not true now, and it's definitely not representative of the reasons the features we have were invented in the first place. Some people really did want custom features to identify a computer's capabilities. Without headers, we'd gimp caching, and we can't differentiate between mobile & desktop, for example.

> Disable Javascript. Running Turing complete code from potentially malicious remote hosts will always be dangerous

This simply isn't possible to avoid in any practical way. Windows, MacOS and Linux run on code from a potentially malicious host, as do all applications you didn't write yourself. I mean, disable Javascript if you want, but you're also cutting yourself off from all web apps by doing that. And Javascript may have more security and oversight than anything you download from any app store, it's more sandboxed by design than binaries are.

I'm not sure why you're talking about the halting problem, that just isn't a serious concern in practice, it's a CS theoretic issue irrelevant to this thread or privacy. The major browsers will all let you kill stray JS processes.

Furthermore, because of browser sandboxing, it is possible to answer some questions about Javascript, unlike binaries you download from the internet. Frontend Javascript is not allowed to access arbitrary paths in the local filesystem without the local user's permission, just for one example. Nor can they read all cookies.

[koolba]

> What's the best way to circumvent this? Is it even possible?

Set you browser to clear all cookies on close, use a separate browser for anything that requires authentication (ex: gmail), and never mix the two types of browsing. If they create a profile on you the cookies it's tied to disappear when you close your browser.

It's feels like a minor pain when you first start out but you used to it quick. Plus since you're not logged into anything by default there's a slightly higher barrier to ordering needless crap online.

It's not foolproof as you can be tracked by a combination of other factors (see: https://panopticlick.eff.org/) but it's much better than the alternatives.

[jedimastert]

There's also Facebook Multi-account Containers (https://addons.mozilla.org/en-US/firefox/addon/multi-account...), which might do what you're looking for

[gaius]

If they create a profile on you the cookies it's tied to disappear when you close your browser.

If they see you with an IP address and a cookie and a moment later see that same IP with the same browser etc does something else they will correlate them. There is a whole industry around tracking people who explicitly do not consent or have withdrawn their consent to be tracked. That’s why we need GDPR.

[plurgid]

One of the reasons I love HN is that the commenters here usually have a much deeper understanding of this sort of thing than I do.

Which is why I'm left wondering why nobody has mentioned Firefox Incognito mode (chrome too I think).

At least on firefox, incognito mode does not store cookies on disk. They persist for the duration of the tab/window you logged into.

this would circumvent cookie tracking, I think. I mean I guess not if you opened one icognito window and did all of your browsing inside of it, and never closed it?

am I missing something?

[dahart]

Incognito, aka private browsing, aka guest profile, is a great way to avoid permanent cookies (and local storage too!). This feature exists on all major browsers.

This doesn't solve all tracking, but it will stop some cookie abuse. Choosing to use it also comes with the downside that you can't stay logged in to sites, and you may lose context & history you wanted to keep.

Incognito is super useful for web development precisely because you can very quickly get a fresh profile with no cookies in it.

[propogandist]

private browsing won't stop browser fingerprinting, which is an increasingly common tactic. Your browser fingerprint then is linked to other attributes (including other devices you may own, where say an IP may be shared) allowing firms to build profiles that are not-linked to cookies, which is harder to block.

Blocking the canvas fingerprint also enables easy identification, so you'll need a free add-on that generates noise.

[dahart]

Yep, all true. Incognito doesn’t protect you from tracking. The sooner cookies become useless to sites & advertisers, the sooner they come up with something else we can’t block. We might be mostly past that point already.

[davidhyde]

> What's the best way to circumvent this? Is it even possible?

I set my browser (firefox) to clear all cookies on exit but I let my browser save passwords whenever possible. That way you have to log in every time you use a service but at least you don't need to type in the login info every time. It's quick. Of course, this does not work nicely for two factor stuff but you can use another browser for those.

[taurine]

No it is not possible. Other users similar to you provide the data to help track you, so you'd have to circumvent this all together.

The industry is moving to cross-device tracking to track you over multiple devices, without using cookies. This is probabilistic, not deterministic: There is 88% chance this is user A. But with huge amounts of data still useful.