[go: up one dir, main page]
|
|
Log in / Subscribe / Register

Another kind of cookie

By Jake Edge
October 29, 2008

It has become increasingly difficult to use the web without some kind of Flash player, but a little-known "feature" of Flash is causing some privacy concerns. In some ways, Local Shared Objects (LSOs aka Flash cookies) are similar to browser cookies, but there are a number of significant differences as well. In addition, because the dominant Flash player is closed-source, one must depend on Adobe's ability to faithfully implement the security model. In all, Flash cookies are something that web users should be cognizant of.

At its core, an LSO is a chunk of data that is stored on a user's disk based on the domain that the Flash program was downloaded from. Only Flash programs from that domain should have access to the data and, unlike browser cookies, much more data can be stored. By default, 100K bytes can be used per domain, which is a sizable increase from the 4K available for browser cookies. The amount of storage for a Flash cookie can be increased with the assent of the user, or decreased via the management interface.

Another major difference from the now-familiar browser cookies is that the interface for managing them is less-than-obvious. From a given Flash application, there is a "Settings" menu that allows control of the LSOs from that site. To see the sites that have stored Flash cookies or to have more global control over them, one must visit Adobe's site. There are also third-party applications and browser add-ons that will allow more control. A user can also resort to the ultimate control—removing them from the filesystem (~/.macromedia/Flash_Player/#SharedObjects).

There are many benign things that a Flash application might do with a bit of local storage—caching data, storing preferences, etc.—but they can also be used to track users in much the same way that browser cookies are used. Because Flash cookies are less well-known, and harder to manage, though, they may be more effective because they are removed or restricted less often.

Another important thing to note is that there is no requirement that there be a visible Flash application on the web site. A site could embed a Flash application with no visible elements simply to store a cookie. Unless the user has a browser add-on like NoScript, they will get no indication that anything has happened.

Assuming that there aren't any holes in Adobe's implementation of the Flash security model, Flash cookies aren't much different—or more dangerous—than browser cookies. But that assumption is a bit worrisome. For Firefox or other free software browsers, the code can be inspected to verify correct behavior. Either Flash or Firefox could have some flaw that allowed cross-site cookie access (which would be a rather nasty information disclosure vulnerability), but for Flash, we can only take Adobe's word.

Privacy advocates have been successful in getting the idea of deleting browser cookies into the consciousness of concerned users, but Flash cookies seem to have flown below the radar. A recent blog posting that was widely reported has helped to raise the profile of Flash cookies so that users will, hopefully, know that they exist. Those with a desire to strictly control their privacy will be better able to do so. With luck, it may also lead Adobe to provide an easier and more visible interface to manage them as well.


Index entries for this article
SecurityBrowser cookies
SecurityPrivacy

to post comments

Another kind of cookie

Posted Oct 30, 2008 5:16 UTC (Thu) by bronson (guest, #4806) [Link]

I am surprised at the number of people who run without Flashblock. It makes the web nicer in so many ways. Do they just not realize that it exists?

Another kind of cookie

Posted Oct 30, 2008 8:21 UTC (Thu) by busman (subscriber, #7333) [Link] (1 responses)

Apparently Gnash -users are safe? I couldn't find anything on my
harddisk that would indicate that Gnash have placed there
something. Or maybe I'm just visiting "safe" sites :)

Another kind of cookie

Posted Oct 30, 2008 9:49 UTC (Thu) by dlang (guest, #313) [Link]

if gnash doesn't do the same thing there are going to be flash programs that won't work right and so it will be a compatibility issue.

Another kind of cookie

Posted Oct 30, 2008 9:18 UTC (Thu) by debacle (subscriber, #7114) [Link]

For free software users this is not a problem, as the programs they use always can be inspected. E.g. I use swfdec instead of Adobes secret software and it works fine for most things, such as youtube. This combined with the NoScript and AdBlock extensions for Firefox give a nice web experience.

Another kind of cookie

Posted Nov 1, 2008 12:43 UTC (Sat) by ssam (guest, #46587) [Link] (1 responses)

if you can manage without flash, that the best option. if i hit a site that needs i just apt-get it, and then remove it afterwards.

if 99% of web browsers report that then have flash installed, then web developers will use it. if a people that did not like flash uninstalled, it the web would have less flash.

for youtube i use totem, but miro or elisa also work.

(if you have flash block, you browser still reports to the site that flash is installed)

Another kind of cookie

Posted Nov 25, 2008 0:52 UTC (Tue) by jasonspiro (guest, #38047) [Link]

ssam wrote:

> if you have flash block, [your] browser still reports to the site that flash is installed

You can use Firefox 3's new plugin manager to disable Flash without restarting Firefox. To do so, click Tools > Add-ons > Plugins > [plugin name] > Disable. After you do that, does Firefox still report to webmasters that Flash is installed? (I'm currently on a shared PC running Firefox 2, and I don't want to disturb anything, so I don't want to check.)


Copyright © 2008, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds