Heads-up on new addon: Self-Destructing Cookies

Talk about internet security, computer security, personal security, your social security number...
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Post by Thrawn »

Just saw this on AMO up-and-coming extensions. It deletes cookies once they're no longer associated with an open tab, which sounds like quite a good idea for preventing CSRF etc, without needing to periodically restart the browser.

Not sure how it handles third-party cookies, but the developer has been responsive thus far to the (limited, as it's new) reviewers.

In my experience, a lot of people treat their browser as if it did this anyway - out of sight, out of mind - so it's probably good to have it actually expunge closed tabs. Plus it dumps tracking cookies.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Post by GµårÐïåñ »

How will it handle cookies associated to persistent services such as say Facebook, where you might close all the tabs, but you are using other things or opening a new tab to use another service but still need the Facebook authentication cookie? Destroying it simply on closure of the tab will result in having to constantly log back in, doesn't that become a headache of its own? Just wondering if you knew until I have a chance to test it out.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.2.0.0 Safari/537.17

Post by Thrawn »

You can whitelist sites. In fact, it's smart enough to respect Firefox's built-in cookie management; if you have set an exception for a site, then that site's cookies won't self-destruct. Nice.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0

Post by GµårÐïåñ »

> Thrawn wrote: You can whitelist sites. In fact, it's smart enough to respect Firefox's built-in cookie management; if you have set an exception for a site, then that site's cookies won't self-destruct. Nice.
I just installed it and noticed that it uses FX's built-in cookie management which is something I actually don't like (unlike you who mentioned it as a positive :P ) because then other addons designed to clean up will get bypassed by those that are in there. It should keep its own list instead of globalizing it like that. Similar to how NS, ABP, RP, Ghostery, Abine and so on do it. We'll see though, let me play with it for a week on this profile and see how it works out.
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.2.0.0 Safari/537.17
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am


Post by Tom T. »

> Thrawn wrote: Just saw this on AMO up-and-coming extensions. It deletes cookies once they're no longer associated with an open tab, which sounds like quite a good idea for preventing CSRF etc, without needing to periodically restart the browser.
I never go to a valuable site (banking, etc.) without first closing the browser and restarting, then doing the same after the banking is completed. Should solve the issue of CSRF from other tabs, and IMHO is Best Practice for sensitive sites. I'd never trust any browser or add-on enough to do online banking while other tabs or windows are open.
> Plus it dumps tracking cookies.
Who ever allows tracking cookies? ;)
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2

Post by Thrawn »

> GµårÐïåñ wrote: I just installed it and noticed that it uses FX's built-in cookie management which is something I actually don't like (unlike you who mentioned it as a positive :P ) because then other addons designed to clean up will get bypassed by those that are in there. It should keep its own list instead of globalizing it like that. Similar to how NS, ABP, RP, Ghostery, Abine and so on do it. We'll see though, let me play with it for a week on this profile and see how it works out.
Hmm...not sure what you mean by cleanup being bypassed? It makes sense to me that if you've specifically designated a site to Allow/Block/Session cookies, then you don't want the self-destruct behavior for that site, so using the built-in exceptions seems like a good fit. What kind of cleanup / which addons do you mean?

The only situation where I can see that this would be a problem would be if your approach is 'ask me every time, and I won't create a permanent rule for each site, I'll just keep specifying for each cookie every time'. In that case, since you're not creating an exception, the self-destruct behavior would override your choice for those cookies. But I doubt anyone in the world does that.
> Tom T. wrote: I never go to a valuable site (banking, etc.) without first closing the browser and restarting, then doing the same after the banking is completed. Should solve the issue of CSRF from other tabs, and IMHO is Best Practice for sensitive sites. I'd never trust any browser or add-on enough to do online banking while other tabs or windows are open.
I know. But if you have a lot of tabs open, then you're looking at either a significant interruption to your workflow, while you re-open everything, or using some form of session restore, which theoretically could leak. Personally, if I'm opening the bank site from a bookmark, then I trust NoScript and RP to prevent any sites from crossing tabs and reading what I'm doing, and I love the idea of something that will purge all cookies as soon as I close the banking tab (which logging out alone would not do; I'm sure I'd still find some kind of cookies from the bank afterward, albeit maybe harmless ones).
> Who ever allows tracking cookies? ;)
Oh, I know. There are plenty of other ways to deal with them, and I do. I just like the idea of a cookie policy that automatically excludes them, because they're not associated with an open tab.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0

Post by Tom T. »

> Thrawn wrote:
>> Tom T. wrote: I never go to a valuable site (banking, etc.) without first closing the browser and restarting, then doing the same after the banking is completed. Should solve the issue of CSRF from other tabs, and IMHO is Best Practice for sensitive sites. I'd never trust any browser or add-on enough to do online banking while other tabs or windows are open.
> I know. But if you have a lot of tabs open, then you're looking at either a significant interruption to your workflow,
Driving to the bank creates even more significant of an interruption. :) ... seriously, the security/convenience trade-off is a no-brainer for me here.
However, I understand that you're much more heavily involved in computer work in your Real Job. (Maybe bank in the off-hours?)
Some people have decided to have a banking-only laptop, used for nothing else (+ credit cards, other very sensitive sites, etc.). Nice if you can afford it.
> I love the idea of something that will purge all cookies as soon as I close the banking tab (which logging out alone would not do; I'm sure I'd still find some kind of cookies from the bank afterward, albeit maybe harmless ones).
The number of sites of all kinds that actually remove all of their cookies when you logout -- IDK the exact percent, but as a rough guess from experience, I'd say about half.
One would hope that a bank would do this, but they're notoriously poor at security, just where you need it the most.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2

Post by GµårÐïåñ »

@Tom, poor choice of words on my part, what I meant was not tracking, but rather session cookies. Often I use a service that I need available on multiple sites for personal or professional reasons, one of those is what I noted (F@c3b00k) since I consult with many of the major gaming and app developers for its platform. So just because I close all "facebook" related tabs, doesn't mean I am done with the session cookie that allows me to get auto logged in and recognized on the apps platform for something else, that's what I meant by it being overzealous. Otherwise, I don't do anything "IMPORTANT" or "CRITICAL" next to social scum like this with a 12 foot pole. I am like you, I have a separate and very well tightened profile that I use for JUST THAT PURPOSE and another for my daily stuff and another for development of extensions and so on, you get the idea. I segregate pretty well, I don't $h!t where I 3at if you will. Although my security for daily stuff is more formidable than most people's best efforts.

@Thrawn, what I meant is that when something is put into the browser's database, it is no longer part of the "dump and clean" style mechanisms often used to get rid of stuff, and that means they will persist and bypass any efforts to remove them as they are being in the eyes of those tools listed explicitly and that's the part that bugs me. I wish I had a more elegant way to represent or say what I mean but I am hoping you can somewhat read my mind on that and think it through, if not, no worries, just another hump's opinion and no biggie. I thank you for bringing it to my attention and I am giving it a genuine look, so that's something. For that I am thankful sir, and tip my hat to you my dear friend and development partner.

Hope that clears that up as to what I meant. Clear as mud yet? :)
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.2.0.0 Safari/537.17

Post by Tom T. »

@ GµårÐïåñ,
Thanks for clearing up between tracking cookies (evil) and session cookies (useful when you want them). Yes, I want and expect a session cookie to be there until I close the browser, and if it needs to disappear earlier, it's just a few clicks to remove it even with default Fx and no special cookie-management add-ons. Also, glad to see a fellow tin-foil-hatter when it comes to critical activities.

Re: your reply to Thrawn: IIUC, your concern is that currently, we can configure Fx to dump all cookies, history, etc. on close, and on Ctrl+Shift+Del. But the add-on overrides that, and keeps stuff that we think is being auto-dumped, or manually dumped with "Clear Recent History". Am I even close on the mind-reading?
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2

Post by Thrawn »

Huh?

You want an addon to automatically clean up your list of rules for which sites can set persistent cookies?

Am I missing something here? I can't see a use case for that.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0

Post by GµårÐïåñ »

> Tom T. wrote: Re: your reply to Thrawn: IIUC, your concern is that currently, we can configure Fx to dump all cookies, history, etc. on close, and on Ctrl+Shift+Del. But the add-on overrides that, and keeps stuff that we think is being auto-dumped, or manually dumped with "Clear Recent History". Am I even close on the mind-reading?
You'd be absolutely correct, that's exactly what I meant. It would become a persistent setting and therefore not removed by any method most of us use now. Take for example the passive denies that Spybot puts in the profile (you can look and see they ALWAYS remain no matter what we do) that's the point of using those databases and this addon does that and by whitelisting something, you are saying, LEAVE it for good. I have a slight problem with the finality and permanency of that approach.
> Thrawn wrote: Huh?
>
> You want an addon to automatically clean up your list of rules for which sites can set persistent cookies?
>
> Am I missing something here? I can't see a use case for that.
No my friend, what we mean is, if we have set up the browser to dump ALL cookies when we close the browser, we want that to happen automatically each time without worrying about the sticky ones remaining behind. Same with say BetterPrivacy dumping LSOs, I have even disabled cookie protection under that addon, so it gets rid of EVERYTHING, without any persistence. Does that clear up what we mean by automatically dumping stuff and not having it persist?
Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0

Post by Thrawn »

> GµårÐïåñ wrote: No my friend, what we mean is, if we have set up the browser to dump ALL cookies when we close the browser, we want that to happen automatically each time without worrying about the sticky ones remaining behind. Same with say BetterPrivacy dumping LSOs, I have even disabled cookie protection under that addon, so it gets rid of EVERYTHING, without any persistence. Does that clear up what we mean by automatically dumping stuff and not having it persist?
Yes, it does clarify what you mean.

Still confused, though, because I'm not aware of Self-Destructing Cookies making anything sticky. If you go to Firefox Preferences - Privacy and check the 'Clear History when Firefox closes' box, that still works fine, doesn't it, even on sites with exceptions?

Plus, you would only define an exception if you didn't want cookies to self-destruct, meaning that you want them to a) get blocked entirely (no issue), b) persist only for the session (no issue again), or c) persist as long as they want (and if you want to dump everything on browser exit, then you never do this, right?).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0

Post by GµårÐïåñ »

> Thrawn wrote: Still confused, though, because I'm not aware of Self-Destructing Cookies making anything sticky. If you go to Firefox Preferences - Privacy and check the 'Clear History when Firefox closes' box, that still works fine, doesn't it, even on sites with exceptions?
Well yes, the cleaning and all that still works as it should but anything whitelisted by this addon into the FX db will remain and will never be touched as it becomes "outside the scope" and untouchable. You know what I mean, otherwise you have to delete them manually. Make sense what I mean as permanent or sticky?
> Plus, you would only define an exception if you didn't want cookies to self-destruct, meaning that you want them to a) get blocked entirely (no issue), b) persist only for the session (no issue again), or c) persist as long as they want (and if you want to dump everything on browser exit, then you never do this, right?).
The mechanism I have observed with this addon, and please correct me if I am wrong, is that if you don't whitelist something which makes it untouchable, it will delete it when the last tab matching it is gone, or when the timer you have set expires. So you either have to whitelist something to get it to not touch it which is too permanent for my taste, or you have to set a very long timer, which is inefficient as you cannot possibly know HOW LONG you will always need a cookie, one day it might be 8 hours before you close your browser, another it might be 3 minutes. So to beat the timer, you either have to keep opening a tab to keep it alive or whitelist it, too much all or nothing approach for me. Did I clear it up a bit?
Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0

Post by Thrawn »

> GµårÐïåñ wrote:
>> Thrawn wrote: Still confused, though, because I'm not aware of Self-Destructing Cookies making anything sticky. If you go to Firefox Preferences - Privacy and check the 'Clear History when Firefox closes' box, that still works fine, doesn't it, even on sites with exceptions?
> Well yes, the cleaning and all that still works as it should but anything whitelisted by this addon into the FX db will remain and will never be touched as it becomes "outside the scope" and untouchable. You know what I mean, otherwise you have to delete them manually. Make sense what I mean as permanent or sticky?
Er...no, sorry, still doesn't make sense to me. Maybe I just don't understand Firefox internals well enough.

"anything whitelisted by this addon into the FX db will remain and will never be touched"
Any what?
Any site exceptions added via this addon? Yes, that's correct, but we've already established that you don't want anything else to touch those rules.
Any cookies set by sites that are whitelisted? No, they're not untouchable, they get ignored by this addon and are handled by the usual built-in preferences.
I don't think that this addon sets anything else...am I missing something?
> The mechanism I have observed with this addon, and please correct me if I am wrong, is that if you don't whitelist something which makes it untouchable, it will delete it when the last tab matching it is gone, or when the timer you have set expires.
I don't think that that's correct. My understanding is that that timer is the grace period, controlling how often the addon will poll your cookies to see whether they are associated with an open tab.

Any cookie associated with an open tab will be ignored by the addon, and will hang around indefinitely until it expires, browser is closed, etc. Any cookie not associated with an open tab will hang around for approximately the timer period (default is 10 seconds), after which it will be caught by the poll and zapped.
> So to beat the timer, you either have to keep opening a tab to keep it alive or whitelist it, too much all or nothing approach for me.
You can add an Allow for Session rule for a site, which would put that site back to the same situation you'd be in without the addon.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
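
The polling behaviour described in the post above, as a small model (an added example, not part of the thread and not the add-on's own code). The rule for tying a cookie to a tab by domain match, the function names and the `.example` data are assumptions; the 10-second grace period is the default quoted in the post.

```javascript
// Constructed model of the poll described above; not the add-on's source.
const GRACE_MS = 10_000; // default timer quoted in the thread: 10 seconds

const bare = (d) => d.replace(/^\./, "").toLowerCase();
// True when `host` is `domain` itself or one of its subdomains.
const covers = (domain, host) => host === domain || host.endsWith("." + domain);

// One poll of the cookie jar.
//   tabHosts   - hostnames of currently open tabs
//   exceptions - per-site browser rules ("allow" | "session" | "block");
//                any rule means the site is left to the built-in handling
//   orphanedAt - Map remembering when a cookie was first seen without a tab
function poll(cookies, tabHosts, exceptions, orphanedAt, now, graceMs = GRACE_MS) {
  const kept = [];
  const deleted = [];
  for (const c of cookies) {
    const key = `${c.name}@${c.domain}`;
    const dom = bare(c.domain);
    const hasRule = Object.keys(exceptions).some((site) => covers(bare(site), dom));
    // Assumption: a cookie belongs to a tab whose host domain-matches it.
    const inTab = tabHosts.some((h) => covers(dom, h.toLowerCase()));
    if (hasRule || inTab) {
      orphanedAt.delete(key); // exempt or in use: the grace clock resets
      kept.push(c);
    } else {
      if (!orphanedAt.has(key)) orphanedAt.set(key, now);
      if (now - orphanedAt.get(key) >= graceMs) {
        orphanedAt.delete(key);
        deleted.push(key);
      } else {
        kept.push(c);
      }
    }
  }
  return { kept, deleted };
}

// Constructed timeline: bank tab open for two polls, then closed.
function demo() {
  const exceptions = { "social.example": "session" };
  const orphanedAt = new Map();
  let jar = [
    { name: "sid", domain: ".bank.example" },
    { name: "auth", domain: ".social.example" },
    { name: "uid", domain: ".tracker.example" }, // third party, never in a tab
  ];
  const deleted = [];
  const steps = [[0, ["online.bank.example"]], [10_000, ["online.bank.example"]],
                 [20_000, []], [30_000, []]];
  for (const [now, tabs] of steps) {
    const r = poll(jar, tabs, exceptions, orphanedAt, now);
    jar = r.kept;
    deleted.push(...r.deleted);
  }
  return { deleted, remaining: jar.map((c) => `${c.name}@${c.domain}`) };
}

console.log(demo());
```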

Post by Thrawn »

> Steve Phillips wrote: I agree with all u say about this cookie thing. but what i need to knows is who to cut it off.
Your wish is granted; you've been cut off :).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0