Internet/web browser privacy, security, and Flash cookies (LSO)

Flash cookies FAQ: What do you know about "Flash cookies" (also known as "LSO Cookies", and web browser "Super Cookies")?

With the latest "privacy" announcements from Facebook about how they'll take care of your privacy for you (see my story on my Facebook privacy experience), I decided to start researching the murky waters of "web browser privacy".

Flash, and Flash cookies

In my research, two things about web browser privacy kept jumping out at me. First, I found a plugin for the Firefox web browser named "Better Privacy" that lets you delete web browser LSO files, which, it turns out, are another name for "Flash cookies", or "Flash super cookies".

The second thing I ran into was a quote from one of the world's leading security hackers (Charlie Miller, who has won the Pwn2Own browser security contest the last two years), who said about web browser privacy and security, and I quote, "The main thing is not to install Flash". (See the tuaw.com article.) Ouch.

After learning about these browser Flash privacy/security issues, I decided to check into them. Here's what I've found.

Web browser privacy and clearing your cookies

To begin, here's a question for you: Do you clear your web browser cookies from time to time? If so, do you believe that you delete all your web browser cookies when you select the "Delete cookies" option in your web browser?

If you answer "yes", I'm sorry to say you'd be wrong.

It turns out that "Flash cookies" aren't deleted by the normal internet browser "delete cookies" process. In fact, these are so bad, your browser doesn't know anything about them.

Web browser privacy and Flash cookies (LSO cookies)

Very early in my research I also read that one Flash cookie could be accessed by many different websites. That is, a cookie named foo.sol (".sol" is their normal filename extension) could be accessed by www.example.com and www.acme.com. If that's true, this would be much different than normal web browser cookies, which can only be accessed by the site that originally set them. If multiple websites could access the same cookie (the same information about you), that would be incredibly bad news for your web browser privacy/security.

According to this Wikipedia article, this should no longer be possible with the latest version of the Flash plugin. So one important lesson right away is that if you're using Flash, make sure you have the latest version of the Flash plugin installed.

Here are two more interesting quotes from that Wikipedia article about Flash cookies (LSO cookies):

"More than half of the internet’s top websites use Flash LSO cookies to track users and store information about them."

And this:

"Global LSO settings are not under the direct control of the user, and can only be amended through Adobe's online "Global Settings Manager" control panel."

(We'll look at this Flash Global Settings Manager more in just a moment.)

Internet browser privacy and the Firefox Better Privacy Add-on

For the last week I've been using the Better Privacy add-on for Firefox. Better Privacy was created solely to handle this Flash cookie issue.

When I first installed Better Privacy, I found a whopping 226 Flash cookies (LSO files) on my filesystem! I immediately made a backup of those files (so I could later test them), and then I deleted them all. The only really important difference I noticed in my web browser was that I was logged out of my Yahoo email client, so it's clear that Yahoo Mail uses a Flash cookie to store login information.

Web browser privacy and Google Chrome

Another thing I found is that the Google Chrome browser provides a link to the Adobe/Macromedia website, where there is (of all things) a Flash widget that lets you manage your Flash privacy settings. In Chrome on Mac OS X, just select the Chrome menu, then the "Clear Browsing Data" menu item, and then the "Adobe Flash Player storage settings" link on the dialog that comes up.

That's one really nice thing about Chrome in regards to this web browser privacy issue: They make this Flash cookie problem much more obvious than any other web browser I have used.

Another great thing is that Chrome makes this Flash Player cookie manager URL easier to find. The Chrome browser sends you to this URL:

http://www.adobe.com/go/settmgr_storage_en

which in turn forwards you to this URL:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

(If you want to bookmark one of those URLs, I'd bookmark the first one.)

My own browser cookies privacy practices

For the last year or two I've used the Firefox browser plugin FlashBlock. I use that plugin because many websites use Flash snippets for advertising, and other websites like ESPN and Usa Network start annoying audio/video Flash animations immediately.

During a test this morning, I found that FlashBlock does not allow Flash cookies to be stored on my computer unless I manually allow the Flash widget to function, which is cool. (I tested this by going to a website that I know uses Flash, and FlashBlock did not allow their Flash widgets to play. When I checked the Flash LSO directory, I saw there were no LSO ".sol" files in the directory. Next, I allowed one of the Flash widgets to play, and when I checked the Flash LSO directory, there was indeed a Flash "super cookie" in that directory.)

As mentioned, last week I installed the Firefox browser plugin "Better Privacy" to delete Flash cookies on a regular basis. It doesn't seem to be deleting the LSO files automatically, so I've been deleting them manually every few days. (I suspect that this is because I now also use three different browsers, and these Flash browser cookies aren't coming from Firefox.)

I've also started using the Google Chrome browser more. I like that they make these Flash cookies much more obvious in the "delete cookies" area, and they also have an "Incognito Window" option, which I discuss in my "Web browser privacy - the Chrome Incognito Window" article.

The internet/web browser cookies privacy issue - summary

First, let me say that this "web browser privacy" article is hard to wrap up. I can't clearly say, "Do X, Y, and Z, and you'll be fine."

Clearly, the safest thing to do is not use Flash, but since I like watching videos on YuoTube and Hulu, I can't follow that advice.

The good news is that Wikipedia reports that with the latest version of Flash, web sites cannot access each other's Flash cookies. That is huge, as it cuts down on a very simple way for you to be tracked as you move from one website to another.

Lacking a good summary here, all I can think to say is, "These are the issues I've found. How you decide to go forward knowing this information is up to you."

P.S. -- If you think all of these internet web browser privacy and security concerns are all a bunch of hogwash, I just this moment turned to Google News, and read this story about how Google was collecting web usage data from public WiFi networks. To their credit, Google has admitted this was a horrible slip-up, but if Google, whose motto is "Do no evil", does something like this, what can we expect from people who don't have a motto like that?

Post new comment

The content of this field is kept private and will not be shown publicly.