[tor-talk] 12.7 percent of the domains I visit are intercepted by CloudFlare

Joe Btfsplk joebtfsplk at gmx.com
Sat Apr 23 19:03:26 UTC 2016 

On 4/23/2016 8:15 AM, Rob van der Hoeven wrote:
> Hi,
>
> Today I got an idea of how to measure "The CloudFlare problem". It turns
> out that every time you visit a website that's behind CloudFlare a
> cookie is set with the name __cfduid
>
> If you use Firefox these cookies end up in a SQLite database which can
> be queried with the SQLite Manager add-on. My total number of cookies is
> 2523 (I disable third-party cookies by default). CloudFlare cookies:
> 321. So 321/2523 *100 = 12.7% of the domains I have visited are
> monitored by CloudFlare. Quite shocking I think.
>
> Rob.
> https://hoevenstein.nl
>   
Are you saying using TBB, cloudflare sets cookies withOUT either
checking "accept cookies from sites;"
or entering an exception for their domain in TBB's cookie exceptions;
or when in Options > Privacy - "Accept 3rd party cookies" = Never?

If I don't set "accept cookies" & select "never allow 3rd party 
cookies", and don't enter a domain in cookie exceptions, I don't get 
cookies.
(seems the "Exceptions" Privacy option should be called "Permissions," 
same as the profile file containing them - "permissions.sqlite."  They 
didn't consult me on the UI.

You don't have a cookie manager addon installed, do you?  Maybe changing 
TBB default behavior.

Even if I check TBB - "Accept cookies from sites", on restarting TBB, it 
unchecks that box (by design).

For TBB (Firefox) - Tools > Options > Privacy - what I don't understand 
is why TBB allows "Accept 3rd party cookies" to be reset to "Always," 
when you check "Accept cookies?"
Then it also *unchecks* / *over rides* the Torbutton Privacy & Security 
Settings - "Restrict 3rd party cookies & other tracking data" - and then 
definitely allows 3rd party cookies.

It probably shouldn't.  Doesn't this allows tracking _during_ the 
session?  True, 1st & 3rd party cookies & exceptions are deleted on 
restarting TBB.

If users check allow cookies in TBB - Firefox Options, TBB probably 
should prevent 3rd party cookies from automatically resetting from 
"Never" to "Always."
Especially when Torbutton's Privacy setting is checked to restrict 3rd 
party cookies.
Seems the only way Torbutton settings should be allowed to change is 
from Torbutton UI.

More information about the tor-talk mailing list