Adobe Flashplugin versus Noscript

[v41]

I make use of the Noscript option to forbid adobe flash on untrusted sites.
So I was perturbed to find that the flashplugin process,

Code:

/usr/lib/firefox/plugin-container /usr/lib/adobe-flashplugin/libflashplayer.so -greomni /usr/lib/firefox/omni.ja 1234 true plugin

and a flash cookie,

Code:

~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/settings.sol

appear whenever I apply firefox -> tools -> clear recent history. This occurs even when browsing only a single untrusted website. It has only started happening fairly recently.

I'm wondering why clearing the firefox history spawns a flashplugin process, whether it can be prevented, and whether this is a bug?

[v41]

Update: Clearing firefox's history spawns the flash plugin process even when I explicitly disable flash in firefox -> tools -> addons -> plugins.

[OpSecShellshock]

Update: Clearing firefox's history spawns the flash plugin process even when I explicitly disable flash in firefox -> tools -> addons -> plugins.

If you have another browser such as Chromium or some other application that uses Flash, it will write its Flash cookies to the same directory that Firefox does. Then when you go to clear out the Firefox history and cookies it will see the cookie or LSO in that directory no matter which other application caused it to be put there.

[v41]

If you have another browser such as Chromium or some other application that uses Flash, it will write its Flash cookies to the same directory that Firefox does. Then when you go to clear out the Firefox history and cookies it will see the cookie or LSO in that directory no matter which other application caused it to be put there.

The only browser installed is firefox. Even if I purge the flash-cookie directory, ~/.macromedia, and delete the flashplugin process, they are both recreated the instant I clear firefox's history.

[kleenex]

Hi, try to install BetterPrivacy add-on's for Firefox, which offers various ways to handle Flash-cookies set by Google, YouTube, Ebay and others.... I use this add-on for a long time and it seems to works very well. BetterPrivacy offers interesting options e.g delete Flash cookies on application start or on Firefox exit etc.

[computeratin]

Hi, try to install BetterPrivacy add-on's for Firefox, which offers various ways to handle Flash-cookies set by Google, YouTube, Ebay and others.... I use this add-on for a long time and it seems to works very well. BetterPrivacy offers interesting options e.g delete Flash cookies on application start or on Firefox exit etc.

+1 Better Privacy

Also look in to Request Policy as a supplement to No Scripts.

And I've been reading lately about a new privacy threat called "ever cookies" or "super cookie" that write to a lot of places that cookies don't normally write to.

They are supposed to be very hard to block or remove. So far I've only found one tool claiming that it can handle super cookies: Nevercookie.

But, every time I try to install it I get error messages.

[v41]

Hi, try to install BetterPrivacy add-on's for Firefox

Kleenex and computeratin, thank you for suggesting the BetterPrivacy addon. I should have mentioned at the outset that I'm using several privacy-related addons, including BetterPrivacy. They are: AdblockPlus, BetterPrivacy, FoundStone HTML5 Local Storage Explorer, NoScript, RequestPolicy and Sanitisminau.

It would be interesting to know whether this issue is affecting many people, or just me. To see whether you are affected, try the following:

(1) While firefox is running, delete the contents of ~/.macromedia
(2) Clear firefox's history ( firefox -> tools -> clear recent history)
(3) Check whether any files or directories have been created in ~/.macromedia. If so, then you are affected.

[computeratin]

Congrats on having a clue about browser sec! (/no sarc)

Welcome to the latest privacy threat:

Evercookies:

http://samy.pl/evercookie/

http://www.schneier.com/blog/archive...ercookies.html

http://en.wikipedia.org/wiki/Evercookie

http://forums.pcworld.com/index.php?...d-evercookies/

http://blogs.wsj.com/digits/2010/12/...ing-consumers/

So far I haven't figured out how to keep the bleeeeeeeeeeeeeeeeeeeeeeeeeep things out without breaking 98% of sites on the web.

[kleenex]

computeratin thanks for the info about Nevercookie, evercookie and so on, because it seems to be an interesting plug-ins. I will certainly try it.

[computeratin]

This is the first time in a while that I've had a chance to research this. It looks like enough progress has been made that people have figured out how to flush them at least. So that you can't be tracked across sessions. They still can't be blocked without messing up most web sites. (?)

Removal methods:

1) This one looks a little time consuming, but safe.
http://www.youtube.com/watch?v=U-WNk...layer_embedded

2) This one is more automated. But I'm at work. I can't check if it's in the repos. And you know all of the warnings about software not in the repos and it may be dangerous.
http://bleachbit.sourceforge.net/

3) I'm not sure what this does. I'm not sure if it's supposed to delete or block? But I found it in a few places. It may be dangerous:
javasc#ipt:ec.set('uid', 12345); (in your browser bar)

NOTE: I AM NOT AN EXPERT, GURU, PROGRAMMER OR CODER AND I AM NOT ADVOCATING THAT YOU INSTALL SOFTWARE FROM OUTSIDE THE REPOS OR PLUG IN CODE YOU DON'T UNDERSTAND.

THIS INFORMATION IS FOR RESEARCH PURPOSES ONLY!!! IF ANYTHING PRESENTED HERE IS ABOVE YOUR SKILL LEVEL THEN USE AT YOUR OWN RISK.

IN OTHER WORDS: IT'S NOT MY FAULT IF YOU BLOW UP YOUR INSTALL!!!

Personally I will test all of this in a virtual machine that I use for nothing other than testing stuff like this.