I allow NO cookies, yet cookies (both 1st & 3rd party) are still being set
I can't decide if this is a Firefox problem or not, but I'm starting here because it makes the most sense to me. I do not allow any cookies to be stored except by the exception list. But when cleaning up my PC at end of day, I notice all these cookies in my CCleaner that should not be there. I do have other browsers installed, but never use them & their privacy settings are set to block all cookies as well. Anyone have any clues as to what is going on? Thanks in advance.
I could not seem to be able to add any images so I hope this works... https://farm1.staticflickr.com/874/40451042655_b73d92d928.jpg https://farm1.staticflickr.com/879/41346455381_a10b096127.jpg
Chosen solution
CCleaner has a different definition of "cookies" than Firefox does. In particular, CCleaner also lists the contents of a file called SiteSecurityServiceState.txt that stores "HTTP Strict Transport Security" (HSTS) instructions from sites Firefox has visited in regular (non-private) windows.
HSTS is a flag sites can set to instruct browsers never to use HTTP when accessing the site. Unless you use a private browsing window, Firefox saves those instructions in the SiteSecurityServiceState.txt file for future reference. In Firefox, this data is considered a "Site Preference" rather than a "Cookie".
Why does CCleaner consider that file to contain "cookies"? It's possible for a tracking script to generate a lot of requests to different sites and observe when Firefox uses HTTP and when it uses HTTPS, combine that information, and use it as a kind of fingerprint. Some people have called it an HSTS supercookie.
Testing the Theory
Could you check whether the SiteSecurityServiceState.txt file is the source of "cookies" that CCleaner is finding? Once Firefox has shut down, you can simply delete the file and then do your CCleaner scan. Here's how you delete it:
Open your current Firefox settings (AKA Firefox profile) folder using either
- "3-bar" menu button > "?" Help > Troubleshooting Information
- (menu bar) Help > Troubleshooting Information
- type or paste about:support in the address bar and press Enter
In the first table on the page, on the Profile Folder row, click the "Open Folder" button. This should launch a new window listing various files and folders in Windows Explorer.
Leaving that window open, switch back to Firefox and Exit, either:
- "3-bar" menu button > Exit
- (menu bar) File > Exit
Pause while Firefox finishes its cleanup, then right-click SiteSecurityServiceState.txt and delete it. Note: if Windows does not show the .txt extension on the file name, you can unhide file extensions using the steps in this article: https://www.bleepingcomputer.com/tutorials/how-to-show-file-extensions-in-windows/
Then if you check using CCleaner, do you get a clean bill of health?
Mitigations
There have been "proof of concept" sites over the years, but until recently, this kind of fingerprinting was not considered to be in actual use. Just recently, "Webkit," which is the foundation of Safari, issued an article indicating it was discovered in the wild, and what was changed to block it: Protecting Against HSTS Abuse.
The Webkit approach has been submitted to Mozilla developers through a bug report; they seem skeptical that it will solve the problem. Anyway, it will be months before anything changes there.
For now, I'm not aware of a way to prevent Firefox from keeping HSTS instructions without removing a lot of other data at the same time. You could consider these options:
(1) Use private windows, which should limit the duration of retention of HSTS data to the length of your private session
(2) Use anti-tracking and ad-blocking features/add-ons, since this is not anticipated to be a problem with legit servers
(3) Establish a routine to remove the SiteSecurityServiceState.txt file from the profile folder at relevant intervals
(4) [NOT RECOMMENDED] Set Firefox to clear "Site Preferences" at shutdown, but this also removes other site data such as cookie/pop-up permissions and zoom levels, so not a good solution
(5) [EXPERIMENTAL] Empty out the SiteSecurityServiceState.txt file and at the OS level, set it to Read-Only so Firefox cannot write to it. It is unclear how this might affect Firefox's ability to enforce HTTP Strict Transport Security, but if you always check to make sure sites handling sensitive information are using a secure connection, it might not cause any harm to you personally. This would not be recommended for people who are not observant.
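The mechanism the answer describes (a site sets a flag, the browser remembers to use HTTPS for that host until the instruction expires or is cleared) is easy to see in a small model. The following is an added example written for this page; it is not code from the thread or from Firefox. Header parsing follows RFC 6797, but the in-memory layout (a dictionary keyed by host), the class and function names, and the sample hosts are this example's own choices, not the format of SiteSecurityServiceState.txt.

```python
"""Browser-side HSTS store, modelled in Python.

Added example; not code from the support thread or from Firefox.
A Strict-Transport-Security response header makes the browser remember,
for max-age seconds, that http:// requests to the host must be upgraded
to https://, and that memory persists until it expires or is cleared.
Header parsing follows RFC 6797; the dict-per-host layout is an
assumption of this example, not Firefox's on-disk format.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsEntry:
    expires_at: float          # absolute time, seconds since the epoch
    include_subdomains: bool


def parse_sts_header(value: str, now: float) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns None when no valid max-age directive is present. Unknown
    directives such as "preload" are ignored, as the RFC requires.
    """
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", raw):
                return None    # duplicated or malformed max-age: header is invalid
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsEntry(expires_at=now + max_age, include_subdomains=include_sub)


class HstsStore:
    """What a non-private browser window keeps on disk between sessions."""

    def __init__(self) -> None:
        self._entries: Dict[str, HstsEntry] = {}

    def record(self, host: str, header: str, now: float, over_https: bool = True) -> None:
        """Process a Strict-Transport-Security header received from host."""
        host = host.lower()
        if not over_https:
            return                   # RFC 6797 8.1: ignore the header on insecure transport
        entry = parse_sts_header(header, now)
        if entry is None:
            return
        if entry.expires_at <= now:  # max-age=0: the site asks to be forgotten
            self._entries.pop(host, None)
        else:
            self._entries[host] = entry

    def should_upgrade(self, host: str, now: float) -> bool:
        """True when http://host must be rewritten to https://host."""
        host = host.lower()
        entry = self._entries.get(host)
        if entry is not None and now < entry.expires_at:
            return True
        # Superdomain match: a parent entry with includeSubDomains covers this host.
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = self._entries.get(".".join(labels[i:]))
            if parent is not None and parent.include_subdomains and now < parent.expires_at:
                return True
        return False

    def known_hosts(self, now: float) -> list:
        """Hosts still carrying an unexpired instruction (what a cleaner tool would list)."""
        return sorted(h for h, e in self._entries.items() if now < e.expires_at)

    def clear(self) -> None:
        """Equivalent of ending a private session or deleting the state file."""
        self._entries.clear()


if __name__ == "__main__":
    # Constructed sample exchange, not captured traffic.
    store = HstsStore()
    store.record("example.com", "max-age=31536000; includeSubDomains; preload", now=0.0)
    print(store.should_upgrade("www.example.com", now=10.0))   # True
    print(store.known_hosts(now=10.0))                          # ['example.com']
    store.clear()
    print(store.should_upgrade("www.example.com", now=10.0))   # False
```

Two details matter for the thread: the header is only honoured over HTTPS, so an attacker on a plain-HTTP connection cannot plant entries, and `known_hosts()` is exactly the list a cleanup tool sees in the state file: one record per visited host, which is why a long browsing day produces a long list that looks like cookies.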
All Replies (6)
Thank you, I really appreciate your quick response. I just found this previous question/answer a few seconds ago. For the record I did search & not find anything like this before I posted my question. I do believe this will help solve my issue. Thanks again!
Hi tcfox, this just started popping up a lot recently and may indicate that CCleaner has changed what it looks at, so whatever you discover in your testing would be really helpful to us in answering these questions. Thanks.
The SiteSecurityServiceState.txt had all those cookies stored in it. I closed Firefox & deleted that file. So far it has yet to regenerate & those cookies have not returned. I was planning on having to make it a read-only file but that does not seem necessary.
Thanks for the update.
P.S. They're not really cookies.
*sigh* Okay, so update again - .txt file did return, so it looks like I am going to have to delete the info & make it read-only. I firmly believe that will work, but if not, I will update again.
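Since the file comes back as soon as Firefox writes new HSTS instructions, option (3) from the chosen solution (a routine that removes it at intervals) is the practical alternative to the read-only trick. Below is an added example of such a routine; it is not code from the thread or from Mozilla. It assumes Firefox marks an open profile with a lock file named parent.lock (Windows) or .parentlock / lock (Linux, macOS), and that profiles live under %APPDATA%\Mozilla\Firefox\Profiles or ~/.mozilla/firefox; the profile folder names in the demo are constructed. It skips profiles that are in use, because a running Firefox would simply rewrite the file on exit, and it runs in dry-run mode unless told otherwise.

```python
"""Scheduled removal of Firefox's HSTS state file (option 3 in the chosen solution).

Added example, not from the thread or from Mozilla. It walks a Firefox
profiles folder, skips any profile that is currently in use, and deletes
SiteSecurityServiceState.txt from the rest, reporting what it did so the
run can be logged. Lock-file names and profile locations are assumptions.
Schedule it (Task Scheduler / cron) to run after Firefox has exited.
"""
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

STATE_FILE = "SiteSecurityServiceState.txt"
LOCK_NAMES = ("parent.lock", ".parentlock", "lock")   # assumed Firefox lock-file names


def default_profiles_root() -> Path:
    """Where Firefox keeps profiles on this OS (assumed locations)."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("APPDATA", "")) / "Mozilla" / "Firefox" / "Profiles"
    return Path.home() / ".mozilla" / "firefox"


def profile_in_use(profile: Path) -> bool:
    """A lock file means Firefox has the profile open; deleting now would be undone on exit."""
    # is_symlink() covers the dangling "lock" symlink Firefox uses on Linux.
    return any((profile / n).exists() or (profile / n).is_symlink() for n in LOCK_NAMES)


def remove_hsts_state(profiles_root: Path, dry_run: bool = False) -> Dict[str, List[Path]]:
    """Delete the HSTS state file from every idle profile under profiles_root."""
    result: Dict[str, List[Path]] = {"removed": [], "skipped": [], "absent": []}
    if not profiles_root.is_dir():
        return result
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        target = profile / STATE_FILE
        if not target.exists():
            result["absent"].append(target)
        elif profile_in_use(profile):
            result["skipped"].append(target)
        else:
            if not dry_run:
                target.unlink()
            result["removed"].append(target)
    return result


def demo() -> Dict[str, int]:
    """Exercise the routine on a constructed profiles folder inside a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        idle, busy, fresh = root / "abcd1234.default", root / "efgh5678.work", root / "ijkl9012.new"
        for p in (idle, busy, fresh):
            p.mkdir()
        # Constructed placeholder contents; the real file format is not modelled here.
        (idle / STATE_FILE).write_text("constructed placeholder\n")
        (busy / STATE_FILE).write_text("constructed placeholder\n")
        (busy / "parent.lock").touch()          # simulate Firefox running on this profile
        outcome = remove_hsts_state(root)
        if (idle / STATE_FILE).exists() or not (busy / STATE_FILE).exists():
            raise RuntimeError("routine touched the wrong profile")
        return {kind: len(paths) for kind, paths in outcome.items()}


if __name__ == "__main__":
    # Dry run by default; pass --apply to actually delete.
    summary = remove_hsts_state(default_profiles_root(), dry_run="--apply" not in sys.argv)
    for kind, paths in summary.items():
        for path in paths:
            print(f"{kind}: {path}")
```

Deleting the file only drops the remembered upgrade instructions; the next HTTPS visit to a site that sends the header simply records it again, which is the trade-off the chosen solution's option (5) is trying to avoid by making the file read-only.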
Copy that on the "cookies"