“Verizon and AT&T
are adding ‘supercookies’ to your cellphone browsing.”
Cookies do not come from Keebler. They are files in your browser that a website asks you to hold and give back to it when it asks for it.
When they were conceived soon after the birth of the Web they were an innocuous
means for a web server to remember what you, among hundreds of people who may
be browsing its pages, are doing. Since then clever programmers have found
valuable and sinister ways to use cookies. In response users and browsers took
steps that block not just bad, but good cookies and the arms race continues.
Thus is born the supercookie which does not reside in
the browser. Generally it is some form of fingerprinting of specific
characteristics of your computer. It is easy for a web server to ask the
browser to report plug-ins and fonts it knows about and also CPU capability and
screen resolution, among other features. It will use these statistics to better
customize the web page, graphics, and video it sends you. A half-dozen pieces
of information uniquely identifies me out of over 4.5 million computers. The
website can then collect this information in a database correlated to personal
facts it already knows about.
Recently the popular press has picked up on another type of
supercookie being fed us by the cell carriers. Verizon has acknowledged that
they’ve added this “feature” since 2012 and it has also shown up on tests of
AT&T phones. The technique involves the fact that your cell carrier, like
any ISP, is a man in the middle for
everything you send out on their network. In this case, they are adding a text
identifier to every HTTP transmission
you send over cellular data – it is not included if you connect via WiFi.
Verizon’s goal was to allow websites,, for a fee to send them
your code and receive some of the plethora of personal data Verizon knows about
you. This could include details such
as your demographics, phone number, and which store you just walked into at the
mall. Unfortunately for Verizon, because the ID is included whether the website
subscribes or not, the website could just as easily build their own dossier on
that ID. The ID is still attached to your browsing even if you opt out of
allowing Verizon to sell your data.
The only way to block this identifier is to make your
communications on the cellular network all through a secure channel. They
cannot attach the ID to HTTPS browsing. Fortunately major social networking
sites such as Facebook, Google, and Twitter use HTTPS all the time. For all the
other websites you might visit, your only recourse is to install and use a VPN.
Although Verizon is the only carrier to admit that they
include and are monetizing this ID; the technology is available to every
cellular company, ISP, or public access site.
---------------
References:
Steve Gibson’s Security Now
·
The entire podcast: http://twit.tv/show/security-now/479
·
His show notes and other text: https://www.grc.com/sn/sn-479-notes.pdf
Wired Magazine describes the process
My articles on cookies
EFF
fingerprint test
. (cc) 2014- Bill Barnes - Disclaimer - Home Page - Blogs Home