Supercookies

This term can get a little confusing since it’s been used to describe several different technologies, only some of which are actually cookies. In general, though, it refers to anything that changes your browsing profile in order to give you a unique ID. In this way they serve the same function as cookies, allowing sites and advertisers to track you, but unlike cookies, they can’t really be deleted. You’ll most often hear the term “supercookie” used in reference to Unique Identifier Headers (UIDH) and to a vulnerability in HTTP Strict Transport Security, or HSTS, though the original term refers to cookies set for top-level domains. This means that a cookie could be set for a domain like “.com” or “.co.uk,” allowing any website with that domain suffix to see it. If Google.com set a supercookie, that cookie would be visible to any other “.com” website. This is a clear privacy issue, but since it’s otherwise a conventional cookie, pretty much all modern browsers block them by default. Since no one talks much about this kind of supercookie anymore, you’ll generally hear more about the other two.
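The check that blocks this original kind of supercookie, as an added example that is not part of the original article: a browser compares the cookie’s Domain attribute against the Public Suffix List and rejects a cookie scoped to “.com” or “.co.uk”. The suffix list here is a constructed excerpt, and the host names are made up.

```python
# Added example (not from the original article): the acceptance check a browser
# applies to the Domain attribute of a Set-Cookie header.
from __future__ import annotations
from typing import Optional

# Constructed excerpt of the Public Suffix List; real browsers ship the full list.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org", "github.io"}


def parse_set_cookie(header: str) -> tuple[str, Optional[str]]:
    """Return (cookie name, Domain attribute or None) from a Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            # A leading dot is ignored, as in RFC 6265.
            domain = value.strip().lower().lstrip(".")
    return name, domain


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the host equals the domain or is a subdomain of it."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def accept_cookie(request_host: str, set_cookie: str) -> tuple[bool, str]:
    """Decide whether the browser should store the cookie, with the reason."""
    name, domain = parse_set_cookie(set_cookie)
    if domain is None:
        return True, f"{name}: host-only cookie for {request_host}"
    if domain in PUBLIC_SUFFIXES:
        # The classic supercookie: Domain=.com would be sent to every .com site.
        return False, f"{name}: Domain={domain} is a public suffix"
    if not domain_matches(request_host, domain):
        return False, f"{name}: {request_host} is not within Domain={domain}"
    return True, f"{name}: accepted for Domain={domain}"
```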

Unique Identifier Header (UIDH)

A Unique Identifier Header isn’t on your computer at all – it takes place between your ISP and a website’s servers. Here’s how: In simple terms, if an ISP is using UIDH tracking, it’s sending your personal signature to every website you visit (or to the ones that have paid the ISP for it). It’s mostly useful for optimizing ad revenue, but it’s invasive enough that the FCC fined Verizon 1.35 million USD for not informing their customers of it or giving them an option to opt out. Aside from Verizon, there’s not much data on which companies are using UIDH information, but consumer backlash has made it a fairly unpopular strategy. Even better, it only works over unencrypted HTTP connections, and since most websites now use HTTPS by default and you can easily download extensions like HTTPS Everywhere, this supercookie isn’t actually much of a problem anymore and probably isn’t being widely used. If you want extra protection, use a VPN. This guarantees that your request will be relayed to the website without your UIDH attached.

HTTP Strict Transport Security (HSTS)

This is a rare type of supercookie that hasn’t been specifically identified on any particular site, but apparently it was being exploited, since Apple patched Safari against it, citing confirmed instances of the attack. HSTS itself is actually a good thing. It lets your browser safely redirect to the HTTPS version of a site rather than the insecure HTTP version. Unfortunately, it can also be used to create a supercookie with the following recipe: It sounds complex, but what it boils down to is that websites can get your browser to generate and remember security settings for multiple pages, and the next time you visit, the site can tell who you are because no one else has that exact combination of settings. Apple has already come up with solutions to this problem, like only allowing HSTS settings to be set for one or two main domain names per site and limiting the number of chained redirects that sites are allowed to use. Other browsers are likely to follow these security measures (Firefox’s private browsing mode seems to help), but since there aren’t any confirmed cases of this happening, it’s not a top priority for most. You can take matters into your own hands by digging into some settings and manually clearing HSTS policies, but that’s about it.
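A toy model of the browser’s HSTS store, added here as an example that is not part of the original article, showing why the first Apple mitigation above closes the channel: when only the page’s own host (or its registrable domain) may set HSTS, subresources on other hosts can no longer leave a remembered pattern behind, so two visitors become indistinguishable. The host names are constructed and the registrable-domain rule is a simplification.

```python
# Added example (not from the original article): a model of a browser's HSTS
# store with and without the "only the page's own host may set HSTS" rule.
from __future__ import annotations


def registrable_domain(host: str) -> str:
    # Constructed simplification: the last two labels. Real browsers consult the
    # Public Suffix List here.
    return ".".join(host.split(".")[-2:])


class HstsStore:
    """The set of hosts for which this browser has remembered an HSTS policy."""

    def __init__(self, restrict_to_page_host: bool) -> None:
        self.hosts: set[str] = set()
        self.restrict = restrict_to_page_host

    def on_response(self, page_host: str, response_host: str, sets_hsts: bool) -> None:
        """Record HSTS from a response loaded while page_host is the top-level page."""
        if not sets_hsts:
            return
        allowed = (page_host, registrable_domain(page_host))
        if self.restrict and response_host not in allowed:
            # Mitigation: a subresource on another host cannot plant HSTS state.
            return
        self.hosts.add(response_host)

    def would_upgrade(self, host: str) -> bool:
        return host in self.hosts


def remembered_state(store: HstsStore, hosts: list[str]) -> tuple[bool, ...]:
    """Which of the hosts the browser would silently upgrade to HTTPS later on."""
    return tuple(store.would_upgrade(h) for h in hosts)


def distinguishable(profile_a: list[bool], profile_b: list[bool], restrict: bool) -> bool:
    """Two visitors whose first visit tried to set HSTS on different subsets of
    a site's subhosts: can the remembered state tell them apart on a return visit?"""
    page = "www.tracker.example"  # constructed host names
    subhosts = [f"s{i}.tracker.example" for i in range(len(profile_a))]
    states = []
    for profile in (profile_a, profile_b):
        store = HstsStore(restrict_to_page_host=restrict)
        for host, bit in zip(subhosts, profile):
            store.on_response(page, host, bit)
        states.append(remembered_state(store, subhosts))
    return states[0] != states[1]
```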

Zombie cookies/Evercookies

Zombie cookies are exactly what they sound like – cookies that come back to life after you thought they were gone. You may have seen them referred to as “Evercookies,” which are unfortunately not the cookie equivalent of a Wonka everlasting gobstopper. “Evercookie” is actually a JavaScript API created to illustrate how many different ways cookies could get around your deletion efforts. Zombie cookies don’t get cleared because they’re hiding outside of your regular cookie storage. Local storage is a prime target (Adobe Flash and Microsoft Silverlight use this a lot), and some HTML5 storage can also be an issue. The living dead cookies can even be in your web history or in RGB color codes that your browser allows into its cache. All a website has to do is find one of the hidden cookies and it can resurrect the others. Many of these security holes are disappearing, though. Flash and Silverlight aren’t a big part of modern web design, and many browsers aren’t especially vulnerable to other Evercookie hiding places anymore. Since there are so many different ways that these cookies can weasel their way into your system, though, there is no single way to protect yourself. A decent suite of privacy extensions and good browser-clearing habits are never a bad idea, however!

Wait, are we safe or not?

Online tracking technology is a constant arms race, so if privacy is something that concerns you, you should probably just get used to the idea that we’re never guaranteed 100% anonymity online. You probably don’t need to worry too much about supercookies, though, since they’re not seen in the wild very often and are increasingly being blocked. On the other hand, zombie cookies/Evercookies are harder to get rid of. Many of their better-known avenues have been shut down, but they can still potentially work until every single vulnerability is patched, and trackers can always come up with new techniques.