Topic: Dear devs, please don't store our blacklists on cookies.

Posted under General

Was just checking this site's cookies, when i noticed it.
This is nothing outrageous, of course. But for us, the paranoid ones it would be one more thing off our minds, if we could keep it off our machines.

Updated by savageorange

Please edit this thread to follow the rules of the forum or this thread will be either moved to General (for discussion) or locked.

Thank you.

Edit: I may move it into general though if that action is felt more appropriate. Of course it has the most relevance here (but does not follow template), so yeah.

Has discussion value nonetheless, but threads in this forum are supposed to follow the template.

Updated by anonymous

If you're so paranoid you probably shouldn't be allowing your browser to store cookies for a furry porn site to begin with

Updated by anonymous

Tuvalu said:
If you're so paranoid you probably shouldn't be allowing your browser to store cookies for a furry porn site to begin with

In other words, use private browsing or incognito mode.

You could also just hide a browser somewhere in your computer with no shortcuts anywhere to it.

Updated by anonymous

Furrin_Gok said:
In other words, use private browsing or incognito mode.

You could also just hide a browser somewhere in your computer with no shortcuts anywhere to it.

I believe they are actually worrying about the cookies displaying their information also being sent to other people accessing e621 by the site itself, not their own browser

Updated by anonymous

The site shouldn't need to store the blacklist as a cookie, though. Couldn't it serve it alongside the rest of the page somehow?

Updated by anonymous

Maxpizzle said:
The site shouldn't need to store the blacklist as a cookie, though. Couldn't it serve it alongside the rest of the page somehow?

It's part of the ticket that stores and verifies your login information. Why not store it as a cookie for more rapid loading and easier functionality?

That's all cookies are. Data tokens.

Also, like the others said. If you're so afraid of people digging through your cookies? If they have enough know-how to read your internally saved cookie data, they have enough to know what kind of sites etc. you visit anyway, and not including that in a cookie wouldn't protect you at all from someone who knows how to read that metadata to begin with.

Updated by anonymous

R'D said:
I believe they are actually worrying about the cookies displaying their information also being sent to other people accessing e621 by the site itself, not their own browser

Unless those other people are admins, or the cookie doesn't have the Secure flag set, such a concern is misplaced.

A person who has physical access to their computer, using their browser to inspect their cookies, is a much more realistic concern. Albeit a tad paranoid (what is someone going to learn from a list of what you -don't- want to see, aside from how to disgust you?).

Anyway, IMO the correct measure to prevent that is to do proper basic security in the first place. Consisting of:

  • have your own user account, with a password that you tell no-one
  • ensure that the permissions on your files are set so that only you can read them, and
  • proper screen-locking (ie. anyone who comes to your computer when you are away should have to enter your password to get in), set to automatically kick in on a relatively low delay (60-120 seconds). Ideally, should also have something set up so you can -immediately- lock the screen.

Parasprite has discussed the possibility of moving to a different blacklist storage system, which would allow much larger blacklists. AFAICS that's currently held up by the need to pick a standard method that will work across all browsers. It's unclear what effects that would have on security, but it certainly would move blacklists out of cookies.

Updated by anonymous

savageorange said:

  • have your own user account, with a password that you tell no-one
  • ensure that the permissions on your files are set so that only you can read them, and
  • proper screen-locking (ie. anyone who comes to your computer when you are away should have to enter your password to get in), set to automatically kick in on a relatively low delay (60-120 seconds). Ideally, should also have something set up so you can -immediately- lock the screen.

Win+L locks any Windows computer past Windows 95. Just throwing that out there.

That was probably my third most used hot key after Win+E and Win+R when I was still living with my parents.

Updated by anonymous

"Oh God, people know what aren't my fetishes..!!"

Updated by anonymous

As a web dev, I do believe blacklists shouldn't be in cookies, but not for privacy reasons. :v
The client has to send them (my blacklist is about 2300 characters long, or 2.24kb) and the server has to send it back, which isn't efficient if you want to crunch down web load; that's almost 4.5kb wasted bandwidth (doesn't sound like much, but it adds up!). The best method is to serve it from an API and store it in local storage; this way it is only received when: 1) the blacklist is missing, 2) the user changes, 3) the blacklist changed (possible through a pre-process hook on the click event of the save button in settings).

But if you want privacy, best thing to do is use incognito, or password protect your account and enable screensaver lock. Most end users don't even know how to access the cookie key/values anyway.

Updated by anonymous
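The caching scheme Chaser describes, as an added example that is not e621's code: the blacklist lives in local storage and the API is called only when the cached copy is missing, belongs to another user, or is older than the current version. STORAGE_KEY, loadBlacklist and the version stamp (assumed to be embedded in the page and bumped when the user saves settings) are assumptions, and a constructed in-memory storage stands in for window.localStorage so the block runs under Node.

```javascript
// Added example, not e621's code: cache the user's blacklist in
// localStorage and hit the API only when the cached copy is missing,
// belongs to a different user, or is older than the server's version.
// Names (STORAGE_KEY, loadBlacklist, the version stamp) are assumptions.

const STORAGE_KEY = "blacklist-cache";

// A cached copy is usable only for the same user and the same version.
function cacheIsFresh(cached, userId, version) {
  return Boolean(cached) && cached.userId === userId && cached.version === version;
}

// `storage` is anything with getItem/setItem (window.localStorage in a
// browser); `fetchBlacklist(userId)` returns the tag list from the API.
// `version` is assumed to be a small stamp the page embeds, bumped when
// the user saves a new blacklist in settings.
function loadBlacklist(storage, fetchBlacklist, userId, version) {
  let cached = null;
  try {
    cached = JSON.parse(storage.getItem(STORAGE_KEY) || "null");
  } catch (e) {
    cached = null; // corrupted entry: treat it as missing and refetch
  }
  if (cacheIsFresh(cached, userId, version)) {
    return { tags: cached.tags, fetched: false };
  }
  const tags = fetchBlacklist(userId);
  storage.setItem(STORAGE_KEY, JSON.stringify({ userId, version, tags }));
  return { tags, fetched: true };
}

// Bytes a cookie-stored blacklist costs over `requests` page loads: the
// value travels once in each direction per request, as the post describes.
function cookieOverheadBytes(tags, requests) {
  return encodeURIComponent(tags.join(" ")).length * 2 * requests;
}

// Constructed in-memory stand-in for localStorage so this runs under Node.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}
```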

Chaser said:
As a web dev, I do believe blacklists shouldn't be in cookies, but not for privacy reasons. :v
The client has to send them (my blacklist is about 2300 characters long, or 2.24kb) and the server has to send it back, which isn't efficient if you want to crunch down web load; that's almost 4.5kb wasted bandwidth (doesn't sound like much, but it adds up!). The best method is to serve it from an API and store it in local storage; this way it is only received when: 1) the blacklist is missing, 2) the user changes, 3) the blacklist changed (possible through a pre-process hook on the click event of the save button in settings).

But if you want privacy, best thing to do is use incognito, or password protect your account and enable screensaver lock. Most end users don't even know how to access the cookie key/values anyway.

Pretty much this. And you know I don't think enough people realize that all that data no matter how small adds up.

And I also agree if this is about privacy, just use incognito since it doesn't save browsing or download history or cookies, or use Win+L like NotMeNotYou said.

Updated by anonymous

United_Gamers said:
Pretty much this. And you know I don't think enough people realize that all that data no matter how small adds up.

ads...you pay the ISP for internet access in $ and you pay the ad companies in bandwidth to take your info and make money off of you as a product to be traded... said bandwidth probably adds up quite quickly since so much of the internet has a veritable rainbow of types of ads plastered across the vast majority of it. and if your ISP uses bandwidth caps, guess who's taking a sizeable chunk of that cap when not blocked. :/ (well, that and they make stuff load a lot slower)

Updated by anonymous

Of course the ideal thing would still be the long standing feature request to have server side blacklisting (i.e. pretty much effectively remove the search tag limit).

GDelscribe said:
It's part of the ticket that stores and verifies your login information. Why not store it as a cookie for more rapid loading and easier functionality?

That's all cookies are. Data tokens.

Cookies are not faster than inline code, and cookies are not tokens, they are just client-side data storage, that said they can and often are used as tokens.

Updated by anonymous

Or a Veracrypt container on a USB stick that contains a full suite of portable apps (or the TOR browser), if we really want to get paranoid. Throw in a hardware key that also needs to be connected and contains part of the password to get really crazy.

Updated by anonymous

Chaser said:
As a web dev, I do believe blacklists shouldn't be in cookies, but not for privacy reasons. :v
The client has to send them (my blacklist is about 2300 characters long, or 2.24kb) and the server has to send it back, which isn't efficient if you want to crunch down web load; that's almost 4.5kb wasted bandwidth (doesn't sound like much, but it adds up!). The best method is to serve it from an API and store it in local storage; this way it is only received when: 1) the blacklist is missing, 2) the user changes, 3) the blacklist changed (possible through a pre-process hook on the click event of the save button in settings).

But if you want privacy, best thing to do is use incognito, or password protect your account and enable screensaver lock. Most end users don't even know how to access the cookie key/values anyway.

This is probably the best reason to change it yeah.

Updated by anonymous

hsauq said:
This may seem a bit extreme and kinda tedious, but they could also create an alternate profile, store it on an encrypted volume, and just decrypt it and open a separate instance of Firefox or one of its variants whenever they feel like using websites they're not comfortable with others knowing about.

That would be useful if you need to keep around data (cache, cookies, etc), rather than the typical Incognito mode 'no cookies/cache'

It still doesn't address the basic problem though (the most likely information leak is to someone who has immediate physical access to your machine. Encryption only protects you if you can guarantee the volume isn't mounted at the time of the attack)

That's why I emphasized auto screen locking and proper login. It prevents a casual attacker from being able to -try- to do anything at all on your computer.

Updated by anonymous