[tor-talk] 12.7 percent of the domains I visit are intercepted by CloudFlare

Joe Btfsplk joebtfsplk at gmx.com
Sat Apr 23 22:21:26 UTC 2016


On 4/23/2016 2:54 PM, Rob van der Hoeven wrote:
> On Sat, 2016-04-23 at 14:03 -0500, Joe Btfsplk wrote:
>> On 4/23/2016 8:15 AM, Rob van der Hoeven wrote:
>>> Hi,
>>>
>>> Today I got an idea of how to measure "The CloudFlare problem". It turns
>>> out that every time you visit a website that's behind CloudFlare a
>>> cookie is set with the name __cfduid
>>>
>>> If you use Firefox these cookies end up in a SQLite database which can
>>> be queried with the SQLite Manager add-on. My total number of cookies is
>>> 2523 (I disable third-party cookies by default). CloudFlare cookies:
>>> 321. So 321/2523 *100 = 12.7% of the domains I have visited are
>>> monitored by CloudFlare. Quite shocking I think.
>>>
>>> Rob.
>>> https://hoevenstein.nl
>>>    
>> Are you saying using TBB, cloudflare sets cookies withOUT either
>> checking "accept cookies from sites;"
>> or entering an exception for their domain in TBB's cookie exceptions;
>> or when in Options > Privacy - "Accept 3rd party cookies" = Never?
>>
> I am not using TBB. Sorry I was not clear about this. I use the normal
> Firefox, enhanced with NoScript, Adblock Plus etc. I changed the privacy
> settings so that "Accept cookies from sites" is allowed, but "Accept
> third-party cookies" is set to "Never"
>
> Now the interesting (nasty) properties of CloudFlare cookies are:
>
> 1) They are not coming from the CloudFlare domain, but from the domain
> you are visiting. If you surf to abcdef.com and that site uses
> CloudFlare then the CloudFlare cookie is set for the abcdef.com domain.
> CloudFlare clearly is a third-party, but their cookies can not be
> disabled by refusing third-party cookies.
>
> 2) Many of *my* CloudFlare cookies have an expiration date of 23 dec
> 2019. These are clearly meant to be tracking cookies.
>
>
Technically, this isn't a Firefox discussion or support list, but...
My guess is it is set by abc.com, but the "name" of the cookie involves
"cloudflare?"
What does it show under the "site" column - viewing the cookies? Does it 
show it came from Cloudflare site?
Post the name of site & cookie name.

You can check in about:config for pref: 
network.cookie.thirdparty.sessionOnly.  It should be set to False to 
reject 3rd party cookies.

On Disney.com, they set a cookie named 
"HumanClickSiteContainerID_88830415" but the SITE name shown for it is 
Disney.com.
It's true - there's always a 1st for everything.
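
[Added example, not part of the original thread.] The measurement described in the quoted message, done as a script instead of through SQLite Manager, and reporting the share of distinct hosts as well as the share of cookies. It assumes the Firefox cookie table moz_cookies with host, name and expiry columns (expiry in Unix seconds); the rows are constructed sample data and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows (host, name, expiry in Unix seconds); not real browsing data.
SAMPLE = [
    ("abcdef.com", "__cfduid", 1577059200),
    ("abcdef.com", "session", 1461500000),
    (".example.org", "__cfduid", 1577059200),
    (".example.org", "prefs", 1500000000),
    ("www.example.org", "lang", 1500000000),
    ("example.net", "id", 1480000000),
    ("example.net", "theme", 1480000000),
    ("static.example.net", "cache", 1470000000),
]

def open_sample_db():
    """In-memory stand-in for a copy of the profile's cookies.sqlite."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, expiry INTEGER)")
    db.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?)", SAMPLE)
    return db

def pct(part, total):
    return round(100.0 * part / total, 1) if total else 0.0

def cloudflare_share(db, cookie_name="__cfduid"):
    # Share of all cookies (the 321/2523 calculation from the thread).
    n_cookies, n_cf = db.execute(
        "SELECT COUNT(*), COALESCE(SUM(name = ?), 0) FROM moz_cookies",
        (cookie_name,)).fetchone()
    # Share of distinct hosts; a leading dot marks a domain cookie, so strip it.
    rows = db.execute(
        "SELECT LTRIM(host, '.') AS h, MAX(name = ?), "
        "MAX(CASE WHEN name = ? THEN expiry END) "
        "FROM moz_cookies GROUP BY h ORDER BY h",
        (cookie_name, cookie_name)).fetchall()
    cf_hosts = {
        h: datetime.fromtimestamp(exp, tz=timezone.utc).date().isoformat()
        for h, has_cf, exp in rows if has_cf
    }
    return {
        "cookie_pct": pct(n_cf, n_cookies),
        "host_pct": pct(len(cf_hosts), len(rows)),
        "cf_expiry_by_host": cf_hosts,  # host -> latest expiry date (UTC)
    }

if __name__ == "__main__":
    print(cloudflare_share(open_sample_db()))
```

To run it on real data, pass cloudflare_share a connection to a copy of cookies.sqlite from the Firefox profile directory instead of the sample database.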

