Not planned Make harder for banned members to re-register with Evercookie

[AlexandrosD]

What is the point of evercookie? Evercookie is designed to make persistent data just that, persistent. Bystoring the same data in several locations that a client can access, if any of the data is ever lost (for example, by clearing cookies), the data can be recovered and then reset and reused.

See more @ http://samy.pl/evercookie/

Anyone can easily change their IP address and delete their session cookies, something that allows banned members to easily re-register.
It'd be awesome if evercookie gets implemented somehow in xenforo. An add-on would also do nice I suppose. Test it by yourselves. You can even change your browser. It can still detect you
I have just suggested g0rn, the creator of Multiple Account Detection add-on, to use evercookie with his last add-on.

 

[Shadab]

Did "evercookie" persist after clearing the browser data & restarting?

Browser Name & Version		Normal Session	Private Session

Google Chrome 8.0.552.210 beta	-		No
Firefox 4 Beta 7		No		No
Opera 10.63			No		-
Safari 5.0.1			Yes		No
Internet Explorer 8		Yes		No

This was tested on Windows XP SP2, which is probably the most common environment for the target "audience" of this script. I'll test it on Ubuntu 10.04 LTS once I get some more free time, to see if it makes any difference.

 

[Dean]

I'm not sure how much more testing you would need to do if you are only casually interested in the subject. My curiosity is satisfied at least.

 

[groundup]

What harm is it doing? To the machine or user, there is no harm done, but rather an extra measure to prevent a person from entering a site that they are not wanted on whether temp or permanent. The cookie isn't removed by typical removal methods, however free programs (which probably should have be ran as part your computer's maintenance) such as CCleaner can easily remove the cookie.

Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code

Evercookie matches just about everything about that definition from Wikipedia. Just so we don't get off on a tangent about how Wikipedia isn't the source for all things knowing, it is pretty much the same definition that every other site gives.

 

[Decent60]

The problem is, it's not a program. It's a cookie, same kind used in other authentications. The difference is, it's placed in several areas that are used for datastorage instead of the just the regular cookie area.

 

[groundup]

The evercookie software is malware. It doesn't only store a cookie. If this would be done, I couldn't imagine any major forum system doing it by default. It would require an extension.

 

[Decent60]

The evercookie software is an authentication system. It stays on the web server and no executable files are downloaded onto the computer but rather several cookies placed in a datastorage areas on your computer. These same areas are used by Ad companies currently and placing similar items (only they update with the address you came from and other information about your computer).

 

[Tanax]

The evercookie software is malware. It doesn't only store a cookie. If this would be done, I couldn't imagine any major forum system doing it by default. It would require an extension.

You obviously have no idea of what you're talking about.
EverCookie is not stored on the user's computers. It is stored like regular cookies.

If you go by your belief, then you'd have to sue almost every website on the Internet since most of them are storing and using cookies - EXACTLY like EverCookie - on your computer without your consent, an implementation that is well-used and that in your eyes is a malware.

 

[Decent60]

You obviously have no idea of what you're talking about.
EverCookie is not stored on the user's computers. It is stored like regular cookies.

If you go by your belief, then you'd have to sue almost every website on the Internet since most of them are storing and using cookies - EXACTLY like EverCookie - on your computer without your consent, an implementation that is well-used and that in your eyes is a malware.

Just to clear up a few things, cookies are stored on a person's computer, mostly in a folder called "Cookies".
EverCookie is stored like regular cookies, except for the fact that they are in several different locations:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached
PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite

Because of the vast locations, this is why it is very persistent.

 

[Tanax]

Just to clear up a few things, cookies are stored on a person's computer, mostly in a folder called "Cookies".
EverCookie is stored like regular cookies, except for the fact that they are in several different locations:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached
PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite

Because of the vast locations, this is why it is very persistent.

Yes, but to just to make things clear; EverCookie itself is NOT stored on the person's computers. EverCookie is a software that STORES cookies but the software itself is stored on the webserver(the hoster of the XenForo forum if this were to be implemented). Other than that, you are correct.

 

[dutchbb]

If the website using this technology mentions it in a privacy policy, I think it should be ok to use?

 

[Floris]

What harm is it doing? To the machine or user, there is no harm done, but rather an extra measure to prevent a person from entering a site that they are not wanted on whether temp or permanent. The cookie isn't removed by typical removal methods, however free programs (which probably should have be ran as part your computer's maintenance) such as CCleaner can easily remove the cookie.

The harm is that you can't opt-out and are forced to have something on your system you can't get rid of.

It's like delivering mail via postal service into someone their house that they didn't ask for and then you can't get it out of your house ..

 

[g0rn]

The harm is that you can't opt-out and are forced to have something on your system you can't get rid of.

You actually can. At least in Chrome you can do everything with a few mouse clicks (silverlight storage can be cleared in the menu you get on right-clicking on any silverlight app, flash storage can be cleared at the Adobe website, cache, cookies, history and HTML5 storages can be cleared in chrome menu). It is a bit more complicated to get rid of it, but it is still possible. It is also a good test for browsers (regarding how easy is it to clear ALL the data websites may save on your machine).

 

[Alpha1]

Did "evercookie" persist after clearing the browser data & restarting?

Browser Name & Version		Normal Session	Private Session

Google Chrome 8.0.552.210 beta	-		No
Firefox 4 Beta 7		No		No
Opera 10.63			No		-
Safari 5.0.1			Yes		No
Internet Explorer 8		Yes		No

This was tested on Windows XP SP2, which is probably the most common environment for the target "audience" of this script. I'll test it on Ubuntu 10.04 LTS once I get some more free time, to see if it makes any difference.

I wonder if it looks more positive for evercookie when tested on older browsers. From the above it looks like EverCookie is pretty useless. It will just increase the instances of banned member detection a bit.

 

[Floris]

You actually can. At least in Chrome you can do everything with a few mouse clicks (silverlight storage can be cleared in the menu you get on right-clicking on any silverlight app, flash storage can be cleared at the Adobe website, cache, cookies, history and HTML5 storages can be cleared in chrome menu). It is a bit more complicated to get rid of it, but it is still possible. It is also a good test for browsers (regarding how easy is it to clear ALL the data websites may save on your machine).

You can also remove a virus with the right mouse clicks, ..

 

[Tanax]

You can also remove a virus with the right mouse clicks, ..

That's not really the same. The cookies generated by EverCookie aren't harming the computer nor the person using it. A virus can both completely destroy the computer aswell as steal bankinformation and other things that may harm the person using the computer.

 

[groundup]

You obviously have no idea of what you're talking about.
EverCookie is not stored on the user's computers. It is stored like regular cookies.

If you go by your belief, then you'd have to sue almost every website on the Internet since most of them are storing and using cookies - EXACTLY like EverCookie - on your computer without your consent, an implementation that is well-used and that in your eyes is a malware.

Tanax, there really is no need to be insulting. Everything about Evercookie is malware. I will break it down for you so you understand what I'm referring to. The only reason I am even devoting an ounce of time to you, this topic, or anyone referring to this topic is because I really don't want to see it used.

Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code

Evercookie, like you've told me numerous times is the software, not the cookie. This is what I've said and you are completely misreading it. Evercookie is the malware. Evercookie is designed to infiltrate a computer system without the owner's informed consent. The language they use on their homepage is even very similar to this. Is it hostile? Not necessarily, but it can be. Intrusive? Without a doubt. Annoying? Absolutely! Yes, it is software and/or program code. How can you possibly NOT construe that as malware?

There's a reason why giant ad agencies aren't using this. They aren't that stupid and know that this is malware. It is nothing like a simple cookie. Browsers are built to stop them. By using this, you are purposely subverting my ability to control my privacy. Use at your own risk - knowing that you are violating numerous privacy rights.

 

[Wired]

This has too much potential to be used for evil. Don't assume "only" good guys would use something like this. While the tool may be useful to some, it can be used to harass others as well.

 

[Tanax]

Tanax, there really is no need to be insulting. Everything about Evercookie is malware. I will break it down for you so you understand what I'm referring to. The only reason I am even devoting an ounce of time to you, this topic, or anyone referring to this topic is because I really don't want to see it used.


Evercookie, like you've told me numerous times is the software, not the cookie. This is what I've said and you are completely misreading it. Evercookie is the malware. Evercookie is designed to infiltrate a computer system without the owner's informed consent. The language they use on their homepage is even very similar to this. Is it hostile? Not necessarily, but it can be. Intrusive? Without a doubt. Annoying? Absolutely! Yes, it is software and/or program code. How can you possibly NOT construe that as malware?

There's a reason why giant ad agencies aren't using this. They aren't that stupid and know that this is malware. It is nothing like a simple cookie. Browsers are built to stop them. By using this, you are purposely subverting my ability to control my privacy. Use at your own risk - knowing that you are violating numerous privacy rights.

I didn't insult you anywhere. I just stated that you clearly have no idea what you're talking about. And I still believe that you have no idea what you're talking about. EverCookie is basically just creating many cookies instead of only one and place them in different cookie-locations. They ARE regular cookies, just several of them and placed in different locations instead of only 1 cookie in 1 location like regular cookies. Other than that the cookies are not designed to "infiltrate" nor harm the user in any way.

I see no problems with adding this feature. It's not intrusive in any way and I'm not violating anything by using it.

In fact, I think it's every forum-admin's RIGHT to use it. If someone gets banned and they just reset their IP, aren't THEY violating MY terms of agreement upon signing up? They are the ones that are violating both rules aswell as privacy rights since I banned them from my community I don't want them here. They are MORE malware than the EverCookie since they are infiltrating my community without my consent. They're not a software though Annoying? What's annoying about a cookie that most users don't even KNOW it's there, let alone view it. I almost never view my cookies and I certainly don't know when and where a website places a cookie on my computer.

The reason they aren't using it because of people like yourself. Misguided people who have no idea what is actually going on.

 

[Tanax]

This has too much potential to be used for evil. Don't assume "only" good guys would use something like this. While the tool may be useful to some, it can be used to harass others as well.

I agree. But what about IP-tracking that you perform as admin on users? Can't that be used to harass someone? Even track them where they live.
What I mean is that A LOT of things on the board available to admins CAN be abused. That's a poor reason for not adding a feature IMO.

 

[groundup]

Tanax, once again, inflammatory remarks serve no purpose in a peaceful debate. You claim I, a person who helps develop forum software and has for the better part of a decade, doesn't know what they're talking about. Yet, you still don't understand the definition of malware or a person's right to not be tracked. You are looking at this idea in a very myopic world of a forum admin. You don't see the privacy issues that can come from something where a person has no choice on being tracked. There is nothing regular about this software. You're right, it creates several normal forms of tracking a person. Yet, it also goes much further in that it continually places these cookies even after you've requested to remove them and there are many of them where browsers have not created a way of telling a website not to place them on your computer.

If it is your right to use it, it is my right to remove it, correct? Well, how do you remove all of the tracking devices Evercookie uses? There should be information as to how to remove them. Otherwise, you're claiming your rights as an admin are more important than everyone of your users' individual rights. I can't stomach that.

Once again, you're the one that keeps saying evercookie's tracking "cookies" (which they aren't all even close to being cookies) are malware. I have stated numerous times that evercookie, the application or API, is malware. As you continually quote me, it shouldn't be hard for you to read what I've written before.

You're insulting and inflammatory remarks about how I don't know what I'm talking about are beginning to slightly aggravate me. At no point have I said anything about your person, merely the views that you have.

I think I am done with this. I am pretty sure no forum software will institute this natively with all of the privacy concerns involved.