Wednesday, October 13, 2010

Killing the Evercookie (Google Chrome w/o Restart)

This post inspired by Dominic White's attempt at killing Samy Kamar's evercookie demo. As described:

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.


Yes, plain evil. Samy research highlights a crucial aspect of privacy protection available in modern Web browsers -- and how difficult it can be for the average user to maintain. Dominic's solution for the Safari browser apparently requires a reset & restart of the browser and a bash script. I decided to try and find a way to do the same for Google Chrome, but without an annoying browser restart and using only the GUI. Below is my process that appears to work against Samy's current version.



Set-Up
Go to Samy's evercookie demo
- Click "Click to create an ever cookie" * not down the number

Evercookie Removal
1) Open a new tab, then close all other windows and tabs.

2) Delete Silverlight Isolated Storage

Go to http://www.silverlight.net/
Right click the Silverlight application (any app will do)
Silverlight Preferences > Application Storage > Delete all...
Click "Yes"

* Optionally disable "Enable application storage"

3) Delete Flash Local Shared Objects (LSO)

Go got the Flash "Website Storage Settings panel"
Click "Delete all sites"
Click "Confirm"

4) Clear Browsing Data

- Wrench > Tools > Clear Browsing Data...
- Select all options
- Clear data from this period: Everything
- Click "Clear Browsing data"


Testing
Go back to Samy's evercookie demo
- Click "Click to rediscover cookies WITHOUT reactivating deleted cookies"
- The process was successful is all mechanisms return "undefined"