What are Supercookies, Zombie Cookies, and Evercookies – Make Tech Easier

Make Tech Easier

Having a nosy neighbor find your secret recipe used to be the biggest privacy issue surrounding cookies, but that’s changed thanks to the Internet. While normal browser cookies are often helpful and easy to clear, there are other variants that are built to stick around and keep tabs on you. Two of these types, supercookies and zombie cookies (often known as “Evercookies”), can be particularly difficult to get rid of. Luckily, they haven’t gone unnoticed, and browsers are evolving to combat these sneakier tracking techniques.


The term “supercookie” can get a little confusing since it’s been used to describe several different technologies, only some of which are actually cookies. In general, though, it refers to anything that changes your browsing profile in order to give you a unique ID. In this way they serve the same function as cookies, allowing sites and advertisers to track you, but unlike cookies, they can’t really be deleted.

You’ll most often hear the term “supercookie” used in reference to Unique Identifier Headers (UIDH) and as a vulnerability in HTTP Strict Transport Security, or HSTS, though the original term refers to cookies that originate from top-level domains. This means that a cookie could be set for a domain like “.com” or “.co.uk,” allowing any website with that domain suffix to see it.

If Google.com sets a supercookie, that cookie would be visible to any other “.com” website. This is a clear privacy issue, but since it’s otherwise a conventional cookie, pretty much all modern browsers block them by default. Since no one talks much about this kind of supercookie anymore, you’ll generally hear more about the other two.

A Unique Identifier Header isn’t on your computer at all – it takes place between your ISP and a website’s servers. Here’s how:

  1. You send a request for a website to your ISP.
  2. Before your ISP forwards the request to the server, it adds a unique identifier string to the header of your request.
  3. This string allows sites to identify you as the same user whenever you visit, even if you’ve deleted their cookies. Once they know who you are, they can just put the same cookies straight back into your browser.

In simple terms, if an ISP is using UIDH tracking, it’s sending your personal signature to every website you visit (or the ones who have paid the ISP for it). It’s mostly useful for optimizing ad revenue, but it’s invasive enough that the FCC fined Verizon 1.35 million USD for not informing their customers of it or giving them an option to opt out.

Aside from Verizon, there’s not much data on which companies are using UIDH information, but consumer backlash has made it a fairly unpopular strategy. Even better, it only works over unencrypted HTTP connections, and since most websites now use HTTPS by default and you can easily download extensions like HTTPS Everywhere, this supercookie isn’t actually much of a problem anymore and probably isn’t being widely used. If you want extra protection, use a VPN. This guarantees that your request will be relayed to the website without your UIDH attached.
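One way to check a connection for this kind of header injection is to compare the request your client sent with the request an echo server you control actually received over plain HTTP. The sketch below is an added example, not code from the original article; both requests are constructed, and the injected header name and value are placeholders rather than values from a real carrier.

```javascript
// Constructed sample: the request as the client sent it.
const SENT = [
  "GET /echo HTTP/1.1",
  "Host: echo.example",
  "User-Agent: test-client/1.0",
  "Accept: */*",
  "", "",
].join("\r\n");

// Constructed sample: the same request as the echo server received it.
// The two extra headers stand in for what an intermediary might add.
const RECEIVED = [
  "GET /echo HTTP/1.1",
  "Host: echo.example",
  "User-Agent: test-client/1.0",
  "Accept: */*",
  "X-Example-Subscriber-Id: k3Jq9ZxT7mPa2LdW8vRb5HnY",
  "Via: 1.1 proxy.carrier.example",
  "", "",
].join("\r\n");

// Parse the header block of a raw HTTP/1.1 request into a Map keyed by
// lower-cased header name (header names are case-insensitive).
function parseHeaders(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const headers = new Map();
  for (const line of head.split("\r\n").slice(1)) { // skip the request line
    const i = line.indexOf(":");
    if (i <= 0) continue;                           // ignore malformed lines
    headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return headers;
}

// Shannon entropy in bits per character; random tokens score high.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  let h = 0;
  for (const n of Object.values(counts)) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Report headers that arrived at the server but were not sent (or were
// changed) by the client, and mark the ones that look like an identifier:
// long, no whitespace, high entropy. The thresholds are assumptions.
function findInjectedHeaders(sentRaw, receivedRaw) {
  const sent = parseHeaders(sentRaw);
  const findings = [];
  for (const [name, value] of parseHeaders(receivedRaw)) {
    if (sent.get(name) === value) continue;
    const looksLikeId =
      value.length >= 16 && !/\s/.test(value) && entropy(value) >= 3.5;
    findings.push({ name, value, looksLikeId });
  }
  return findings;
}

console.log(findInjectedHeaders(SENT, RECEIVED));
```

Running the same comparison over HTTPS or through a VPN should return an empty list, since the intermediary can no longer rewrite the request.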

The HSTS supercookie is a rare type of supercookie that hasn’t been specifically identified on any particular site, but apparently it was being exploited, since Apple patched Safari against it, citing confirmed instances of the attack.

HSTS is actually a good thing. It lets your browser safely redirect to the HTTPS version of a site rather than the insecure HTTP version. Unfortunately, it can also be used to create a supercookie with the following recipe:

  1. Create a lot of subdomains (like “domain.com,” “subdomain2.domain.com,” etc.).
  2. Assign each visitor to your main page a random number.
  3. Force users to load all your subdomains by either adding them in invisible pixels on a page or redirecting the user through each subdomain while loading the page.
  4. For some subdomains, tell the user’s browser to use HSTS to switch to the secure version. For others, leave the domain as unsecured HTTP.
  5. If a subdomain’s HSTS policy is turned on, it counts as a “1.” If it’s off, it counts as a “0.” Using this strategy, the site can write the user’s random ID number in binary in the browser’s HSTS settings.
  6. Every time the visitor returns, the site will check the HSTS policies of a user’s browser, which will return the same binary number that was originally generated, identifying the user.

It sounds complex, but what it boils down to is that websites can get your browser to generate and remember security settings for multiple pages, and the next time you visit, it can tell who you are because no one else has that exact combination of settings.

Apple has already come up with solutions to this problem, like only allowing HSTS settings to be set for one or two main domain names per site and limiting the number of chained redirects that sites are allowed to use. Other browsers are likely to follow these security measures (Firefox incognito mode seems to help), but since there aren’t any confirmed cases of this happening, it’s not a top priority for most. You can take matters into your own hands by digging into some settings and manually clearing HSTS policies, but that’s about it.
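The recipe and the Apple-style restriction described above can be seen side by side in a small model of a browser’s HSTS store. This is an added example, not code from the original article or from any browser; all hostnames are constructed placeholders, the registrable-domain function is a simplification, and the audit threshold is an assumption.

```javascript
// Naive registrable-domain guess (last two labels). Production code needs
// the Public Suffix List, or suffixes such as "co.uk" are grouped wrongly.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Mitigation from the article: accept an HSTS policy only for the hostname
// the user loaded, or for that site's registrable domain.
function acceptHsts(loadedHost, headerHost) {
  return headerHost === loadedHost ||
         headerHost === registrableDomain(loadedHost);
}

// Replay page loads into a store. Each load lists the hosts that answered
// with a Strict-Transport-Security header while the page was loading.
function buildStore(pageLoads, mitigated) {
  const store = new Set();
  for (const { loadedHost, hstsHosts } of pageLoads) {
    for (const host of hstsHosts) {
      if (!mitigated || acceptHsts(loadedHost, host)) store.add(host);
    }
  }
  return store;
}

// Steps 5 and 6 of the recipe: one bit per probed subdomain, 1 if the
// store holds an HSTS entry for it and 0 if it does not.
function readBits(store, probeHosts) {
  return probeHosts.map((h) => (store.has(h) ? "1" : "0")).join("");
}

// Audit heuristic: flag registrable domains that hold HSTS entries for
// `threshold` or more distinct subdomains.
function auditHstsStore(store, threshold = 4) {
  const counts = new Map();
  for (const host of store) {
    const domain = registrableDomain(host);
    if (host !== domain) counts.set(domain, (counts.get(domain) || 0) + 1);
  }
  return [...counts]
    .filter(([, n]) => n >= threshold)
    .map(([domain, entries]) => ({ domain, entries }));
}

// Constructed sample data: one ordinary site and one site that sets HSTS
// on a pattern of subdomains during a single page load.
const PROBES = [0, 1, 2, 3, 4, 5, 6, 7].map((i) => `b${i}.tracker.example`);
const PAGE_LOADS = [
  { loadedHost: "www.bank.example", hstsHosts: ["www.bank.example"] },
  { loadedHost: "www.tracker.example",
    hstsHosts: ["www.tracker.example", "b0.tracker.example",
                "b2.tracker.example", "b3.tracker.example",
                "b7.tracker.example"] },
];

const plainStore = buildStore(PAGE_LOADS, false);
const hardenedStore = buildStore(PAGE_LOADS, true);
console.log(readBits(plainStore, PROBES), auditHstsStore(plainStore));
console.log(readBits(hardenedStore, PROBES), auditHstsStore(hardenedStore));
```

In the unrestricted store the eight probes read back a stable bit pattern and the audit flags the domain; with the restriction in place only the two loaded hostnames keep HSTS state and every probe reads 0.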


Zombie cookies are exactly what they sound like – cookies that come back to life after you thought they were gone. You may have seen them referred to as “Evercookies,” which are unfortunately not the cookie equivalent of a Wonka everlasting gobstopper. “Evercookie” is actually a JavaScript API created to illustrate how many different ways cookies could get around your deletion efforts.

Zombie cookies don’t get cleared because they’re hiding outside of your regular cookie storage. Local storage is a prime target (Adobe Flash and Microsoft Silverlight use this a lot), and some HTML5 storage can also be an issue. The living dead cookies can even be in your web history or in RGB color codes that your browser allows into its cache. All a website has to do is find one of the hidden cookies and it can resurrect the others.

Many of these security holes are disappearing, though. Flash and Silverlight aren’t a big part of modern web design, and many browsers aren’t especially vulnerable to other Evercookie hiding places anymore. Since there are so many different ways that these cookies can weasel their way into your system, though, there is no single way to protect yourself. A decent suite of privacy extensions and good browser-clearing habits are never a bad idea, however!

Online tracking technology is a constant race to the top, so if privacy is something that concerns you, you should probably just get used to the idea that we’re never guaranteed 100% anonymity online.

You probably don’t need to worry too much about supercookies, though, since they’re not seen in the wild very often and are increasingly being blocked. On the other hand, zombie cookies/Evercookies are harder to get rid of. Many of their more well-known avenues have been shut down, but they can still potentially work until every single vulnerability is patched, and they can always come up with new techniques.


Google to Allow Employers to Track Their Staff Using G Suite – Make Tech Easier


Not that we really needed Google to have another way to track us, but they created one nonetheless. The G Suite productivity apps will now show your employer if you’re using their apps, such as Docs, Sheets, and Slides. The most troubling aspect of this is that it seems once you give employers that type of tool, it’s just a quick jump for them to track you even more.

Google is getting ready to launch a new tool called “Work Insights” for its business customers. This will allow employers to see who among their staff is really using the G Suite productivity apps to create docs, spreadsheets, presentations, or simply send email.

Microsoft offers the similar “Office 365” business apps, and Google’s new tool is very similar to Microsoft’s analytics product for those apps.

To put a positive spin on this tool, one explanation for it is that it will let IT administrators stay on top of their staff and see if they might need training on the G Suite apps. It can also show how teams use the apps to collaborate, such as through Docs, Hangouts, etc.


“The insight can help executives identify opportunities to strengthen collaboration and reduce silos,” Google said in a blog post regarding “Work Insights.”

The tool is currently only available in beta but was announced at a Tokyo Cloud event along with other tools that will help IT administrators locate security threats.

The downside here is obvious. What is being lost is privacy. It seems that Google always sees its users’ privacy as expendable. Initially it was easy to look past their tracking efforts, but they don’t stop and just take it further and further each time.

The biggest knock against Google is that they use all our data to target us with ads that they believe we will enjoy. It can be a bit unnerving to see ads pop up for something you just searched for on Google moments before.

Along with our search data, Google also has all our content from all its apps. They know a lot about us. Our name, address, phone number, location, etc. Everything you’ve ever filled out, created, or stored on a Google app is stored somewhere.

And now on top of all that they’re going to be taking not just your personal information, but your information that you use at work as well. And they’re going to be giving it to your employer.


Sure, with “Work Insights” they’ll be able to tell if you need further training on an app, but they’ll also know how much time you spend actually working and how much time you’re not spending on G Suite, such as the time you’re sneaking onto Facebook or Twitter or messaging your friends.

You may as well have a security camera focused on you, watching your every move.

Perhaps we’ve taken the whole tracking idea too far. It was a helpful idea to begin with, but it’s never-ending. We are being tracked more and more and more. It started with our search history, but it’s gone so far as to stretch into our work habits.

I ask this question knowing what the answer will be. I know when I ask how do you feel about the new “Work Insights” tool, that most readers here won’t like it. Most Make Tech Easier readers value their privacy, and if you’re now losing your work privacy, I think I know what your answer will be.

But I’m throwing caution to the wind and asking anyway. How do you feel about the new “Work Insights” tool? Do you see an end in sight for the information Google takes from us or do you think they’re just going to continue to get more and more emboldened? Let us know in the comments.

Image Credit: man using laptop with google website on screen by DepositPhotos, Google Doc Subhashish Panigrahi via Wikimedia Commons with others being Public domain


How to Test Your VPN Connection for Privacy Leaks – Make Tech Easier


When you rely on a VPN, you certainly don’t want your private information slipping out, revealing details about who you are, where you are, and which sites you’re visiting. That’s exactly what VPN leaks are. They either come from your browser or your DNS connection. In either case, bad configuration can completely subvert your VPN connection.

You should always test your VPN to make sure that nothing is leaking. It doesn’t take long, and there are several places online to check to be sure that you’re not revealing anything about yourself.

The first and most obvious place to test your VPN is DNSLeakTest. It’s a site that’s designed to ensure that your DNS connection isn’t connecting to any servers outside your VPN.

DNS leaks are some of the most common VPN leaks. In a DNS leak your primary connection goes through your VPN like it should, but your DNS still goes to your ISP’s servers. Because your DNS reveals where you’re going and where you’re located, DNS leaks effectively render your VPN useless.


Open your browser and go to dnsleaktest.com. When you first arrive, you’ll see a message telling you where you’re located and showing you a map. If that location isn’t where your VPN server is located, something is definitely wrong. Hopefully, it is your server location, and you can keep going.

There are two buttons on that main screen, too: one for the standard test and another for the extended version. Run the extended test.


As the test runs through, it will try to find DNS servers that you’re using. When it completes, you’ll see the servers listed. In a successful test, you’ll only see your VPN’s DNS server.

Next, you can try Do I Leak. This one is an automated script that tests for both DNS leaks and browser leaks. Browser leaks are settings configured in your web browser that reveal information about you and your computer. They’re usually related to multimedia features, and most can be disabled without causing many issues.

When you arrive on the site, there’s only a single button there to begin the test. Click on it when you’re ready.


The test will run through and probe multiple potential leak sources. After it’s done, it’ll print out the results of your tests in a convenient table. Each row will show you the results of a different test. Some things are more important than others.

Not having your timezone match doesn’t necessarily show anything about you other than the fact that you’re using a VPN, which someone could tell from the IP address anyway. Things like WebRTC, on the other hand, can reveal a great deal about you. You can click on the arrows at the end of each entry to find out more.

Browserleaks.com is another tool for analyzing multiple aspects of your connection. It tests many of the same things that DoILeak does but does them separately. When you arrive you’ll find each of the different available tests listed. They’ll all be on the side, too.


Take a look at the basic IP address test first. It’ll give you location and DNS information. From there, you can take a look around. Java, Flash, WebRTC, WebGL, and Canvas Fingerprinting are probably the most important ones for you to look at.

BrowserLeaks takes things a step further by providing information on how to remedy the leaks that it finds at the bottom of each test page. Be sure to check them out if something turns up.

Finally, if you use your VPN for torrents, you want to make sure that you’re constantly protected. None of these tests specifically target torrenting. There is a great tool for torrents that actually interacts with your torrent client using a magnet link.


The tool is called ipMagnet, and it provides you with a magnet link that you can paste into your torrent client. Allow it to run for a while. It’ll update automatically in your browser to reflect what’s happening in your client. You should only see your VPN IP listed in the ipMagnet results table.

By using these valuable tools and tests, you can ensure that your VPN is working as intended, and your information is secure. It’s not a great situation that you need to run tests to verify security of your VPN connection, but that is the case. Fortunately, once you have everything configured and secured, you won’t need to test or check things as often. They usually stay secure.


Customize App and Windows Permissions in Privacy Windows 10


Windows 10 includes a separate Privacy section in Settings that contains App permissions and Windows permissions. The options here ask for the user’s consent before applications or Windows access their information. This guide covers how to change these settings to suit your needs while keeping your privacy intact.


How to Customize App and Windows Permissions in Privacy Windows 10

To be clear, the Windows permissions section asks for your consent for Windows 10 to use your information for various purposes. Similarly, App permissions asks for your consent for applications to access your data.

First of all, let’s see how to reach App and Windows permissions in Windows 10 Privacy settings:

Step-1: Press the shortcut combination Win + I and select Privacy from the categories.


Step-2: Once Privacy opens, two sections appear on the left side: Windows permissions and App permissions.



How to Customize Windows Permissions in Privacy Windows 10

This section asks for your permission to use your advertising ID, language, searches, activities, typing history, and diagnostic data. Microsoft uses this information to enhance your experience with Windows 10. Here is how to customize the Windows permissions privacy settings:

Step-3: Click General under Windows permissions.

1. The first option in the General tab is “Let apps use advertising ID to make ads more interesting to you based on your app usage”. Microsoft collects and stores your data and sends it to app developers.

Microsoft tracks your activity on the PC, in Store and desktop apps, and in Cortana. It accumulates this information under your advertising ID and sends it to app developers. Store apps then show you advertisements relevant to your activity on Windows 10. If you want to be part of Microsoft’s advertising system for Windows 10, turn this option on. On a child’s account, this ID is disabled automatically.

2. Let websites provide locally relevant content by accessing my language list – When you use the Bing search engine, it reads your language from the system and serves matching content. Cortana also provides news updates if you have enabled the setting. In our opinion, you should enable this option.

3. Let Windows track app launches to improve Start and search results – Windows 10 suggests applications in the list view of the Start menu based on your usage. In addition, while searching with Cortana you may have seen search suggestions under Best match. All these suggestions are controlled by this privacy option. When you give permission, you get the benefit of the recommendations.

Show me suggested content in the Settings app – You may have seen advertisements on the right and bottom sides of the Windows Settings application. This option controls those ads, so use the toggle when you want to disable them.


Speech inking and typing

When you customize App and Windows permissions in Windows 10 Privacy settings, Speech, inking & typing is a significant tab.

Step-4: Click on Speech, Inking & typing in the left pane and go to the right side.

Cortana and a few Store applications let you talk to them and use handwriting. They create a local user dictionary from your voice and typed text. This information is used to give you better suggestions while writing and speaking on Windows 10, so if you use these features, leave the setting enabled. After disabling this setting you can’t speak to Cortana, and the typing and inking user dictionary will be deleted. However, handwriting recognition and typing suggestions will still work.


Diagnostics and feedback

You will find multiple advanced settings in Diagnostics and feedback when you customize App and Windows permissions in Windows 10 Privacy settings.

Step-6: Select Diagnostics and feedback from the left pane and go to the right pane.

Microsoft collects data based on a user’s activity and uses it to keep the Windows device up to date and secure. Diagnostic data is the information that helps Microsoft fix issues and improve its products and services, so turning this option on is a wise idea.


Tailored Experiences

If you enable Tailored experiences, Microsoft will use the data to personalize your experience.

Diagnostic data viewer

Windows 10 includes the Diagnostic Data Viewer, a Store app that lets you see the gathered data. In addition, you can delete the diagnostic data from the settings here.

Step-7: Go to this link and get the Diagnostic Data Viewer application on your system from the Microsoft Store. Turn on the Diagnostic data viewer switch and let the Store app open on the screen.

Step-8: Press the hamburger menu and use the Filter toggle to see the Basic or Full report. You can view Browsing History, Device Connectivity and Configuration, Inking, Typing and Speech Utterance, and Product and Service Performance here.

Step-9: Click on any of the relevant tabs to see the events and data. Clear Selection will deselect all the tabs.

Step-10: You can download the diagnostic report to your Windows 10 system by clicking on Export Data.

Diagnostic Data Sampling

To minimize data collection, Microsoft accumulates some diagnostic events from a limited set of Windows devices. This is called Sampling. This icon indicates your device is sending data for this diagnostic event as part of a sample.

Microsoft uses Windows diagnostic data to inform and focus their decisions and efforts, providing you with the most robust and valuable platform possible, empowering both your productivity and passion. By participating in the diagnostic data programs, you have a voice in the operating system’s development, improving the overall product experience and quality through your insights.


Activity History

Microsoft gathers your activity, but it also lets you delete that history.

Step-11: Click Activity history on the left side and Clear activity history on the right.


How to Customize App Permissions in Privacy Windows 10

Windows 10 lets you give each app permission separately to access your content. The types of information are listed in the left pane, and the right pane has the list of applications you can choose to allow. The App permissions section contains Location, Camera, Microphone, Notifications, Account info, Contacts, Calendar, Call history, Email, Tasks, Messaging, Radios, Other devices, Background apps, App diagnostics, “Automatic file downloads”, Documents, Pictures, Videos, and File system.

You can customize App and Windows permissions in Windows 10 Privacy settings using these sections. Here is how:


1. Click on Location and check whether the service for this device is on by pressing the Change button. Click on Set default button, navigate to the Bing maps, choose your correct location and assign it as default. You can use Clear to erase the previous

Scroll down to the lower part and see the list of applications. Toggle the switch next to each app that you want to allow to access your location.



Click on Camera and go to the right pane. You will find a universal switch that allows all apps to access your camera. If you want to prevent an individual application from accessing it, go to the lower part and turn that app off.



In the same way, click on Microphone and go to the right section. Here, you get a Change button that permits all applications to access your mic. If you want to stop access, click the Change button and turn off the toggle. To change the permission for each app separately, move down and use the on and off switches.



Now click on Notifications and move to the right side. Here, too, a toggle is available that lets all applications access your notifications. You can enable or disable the permission with it. To disable the permission for individual apps, go down to the list and turn off the relevant switch.

Account info

Click on Account info and move to the right pane. Account info access for this device is on, so click Change and switch it off to disable it. By default Windows 10 allows all apps to access your account info, so check whether that suits your situation. To disable apps one by one, go down to the application list and toggle them off. You will see Email and accounts, Microsoft content, and Microsoft Edge in the list.


If you allow access, apps on this device will be able to access contacts. Denying access will block applications from accessing any person’s contacts.

Click on Contacts in the left pane and move to the right. To prevent all contacts from being accessed, select the Change button and pull the slider to the left. Scroll down and enable or disable the permission for each app independently.


When you allow access to Calendar, people using this device will be able to choose whether their applications have access to their calendar by using the settings on this page. Refusing access will block apps from accessing any person’s calendar. Calendar is an important option when you customize App and Windows permissions in Windows 10 Privacy settings. Cortana, Fitbit, Mail and Calendar, and People apps will ask for the permission.

Press Calendar on the left side and move to the right pane. Use the slider under Allow apps to access your calendar to turn access on or off globally. Alternatively, scroll down and drag the switches to change the status for individual apps.

Call history

Cortana, Fitbit, Mail and Calendar, and People will ask to use your call history on this device.


The Cortana, Mail and Calendar, and People apps are managed through App permissions on this Settings page.


All applications can access your tasks to perform their work on the current device, so keep it enabled.


Cortana, Fitbit, Messaging, People, and Skype will want to use your messaging system to execute their tasks.


Fitbit asks permission to access your radios, such as Bluetooth, to send or receive data.

Other devices

Microsoft Edge, Mixed Reality Viewer, and OneNote will ask you to grant permission to access your trusted devices using Sync settings.

Background apps

Many applications need permission to run in the background to receive info, send notifications, and stay up to date. If you deny access by turning off the apps, you can conserve power and battery.

App diagnostics

This option is worthwhile when you customize App and Windows permissions in Windows 10 Privacy settings. A few applications use diagnostic information from other apps on your device to run as intended. The information may include app names, the user account name that launched them, and memory, CPU, disk, and network usage. When you disable this setting, apps can’t use this information.

Automatic file downloads

Windows automatically downloads online-only files from a cloud storage provider (for example OneDrive) for applications that request them. If you have blocked any of those apps from requesting downloads, you can unblock them here.


This is a new option that lets you customize App and Windows permissions in Windows 10 Privacy settings. Multiple applications such as Feedback Hub, OneNote, Voice Recorder, and Windows Defender Security Center want access to the Documents library to work as intended. You can control the permissions from here.


This settings page lets you manage permissions for the apps that want to use your Pictures library. Camera, Cortana, Feedback Hub, Fitbit, Microsoft Edge, Mixed Reality Viewer, Paint 3D, Photos, Scan, Windows Shell Experience Host, and Xbox are the applications that ask for access.


Multiple apps need to use your Videos library to work as intended. These are Camera, Mixed Reality Viewer, Movies & TV, Photos, and Xbox.

File System

File system is an important option when you customize App and Windows permissions in Windows 10 Privacy settings. A few apps need your permission to access the file system, meaning Documents, Pictures, Videos, and OneDrive files. You can change the setting for your device and allow access from here.

Isn’t it easy to customize App and Windows permissions in Windows 10 Privacy settings?