Is silverlight and Java running on the web browser capable of saving "state" into the user's local machines?

Question

I am aware that even after we have cleared our cache and cookies, websites can still save files/information into our computer using Flash (Flash ever cookies),

I was wondering does other plugins like Silverlight and Java have this problem?

Effectively, the question is:

When I use Incognito, what technologies will allow webpages to escape this incognito cage ?

If the provider could save the same state with a unique server side cookie would the be less of a concern? I'm thinking about the high probability your browser is itself unique (https://panopticlick.eff.org/) or you have authenticated. — zedman9991, Oct 18 '11 at 15:15
What security issue are you interested in: confidentiality (privacy), integrity (using state to exploit a vulnerability, or some other issue related to protecting some asset? — this.josh, Oct 19 '11 at 06:44

score 4 · Answer 1 · answered Oct 18 '11 at 14:10

Actually, depending on the browser and plugins used, there are many ways for a website to store persistent information on users' computer. It's not cookies and cache anymore. Some of these new methods require user confirmation, some don't - it also varies by browser. Flash has Local Shared Objects, Silverlight has Isolated Storage, HTML5 itself gives Offline Application cache, Session Storage and Local Storage.

It's not easy to clean them all at once. In fact, there is a proof-of-concept project that uses all those tricky ways and many others to create a super-persistent-and-resurecting-cookie - Evercookie. Of course, there is also an Evercookie killer called Nevercookie.

@Pacerier If only one client uses the same IP, you could use that to resurrect cookie. Of course, it isn't very efficient for Internet connexions with frequently changing IP. — curiousguy, Nov 07 '11 at 21:12

score 4 · Answer 2 · answered Oct 18 '11 at 14:19

4

You are right. There are really many ways for a website to store persistent data on you, even if you dont want them too. Evercookie by Samy Kamkar is an example of this.

Quotede from the site of Evercookie it stores persistent data on you with the help of these storage mechanisms:

Standard HTTP Cookies

Local Shared Objects (Flash Cookies)

Silverlight Isolated Storage

Storing cookies in RGB values of auto-generated, force-cached

PNGs using HTML5 Canvas tag to read pixels (cookies) back out

Storing cookies in Web History

Storing cookies in HTTP ETags

Storing cookies in Web cache

window.name caching

Internet Explorer userData storage

HTML5 Session Storage

HTML5 Local Storage

HTML5 Global Storage

HTML5 Database Storage via SQLite

answered Oct 18 '11 at 14:19

Chris Dale

16,119
10
56
97

But incognito will basically defeat everything other than the the 2nd and 3rd point right? – Pacerier Oct 20 '11 at 07:46
@Pacerier, Chromes incognito window defeats all the points in the list :) – Chris Dale Oct 20 '11 at 12:25
What about Tor Browser? – Pacerier Oct 22 '11 at 16:40
@Pacerier, Tor Browser also safe. Once you restart it it does not manage to refind the evercookies. – Chris Dale Oct 22 '11 at 19:10
are you familiar with Tor's "use new identity" functionality? Do I need to restart or is the `use new identity` sufficient? – Pacerier Oct 23 '11 at 16:58
Ahh. I believe you are referring to Vidala Control Panel's "use new identity". No this does not work. Only restart of Firefox will clear the evercookie. – Chris Dale Oct 23 '11 at 18:25
1

@Pacerier "_Vidala Control Panel's "use new identity_" is only about **Tor exit point**. Tor does **not** know or care about HTTP cookies, HTTP ETags, HTML5 Session Storage, Flash super cookies... – curiousguy Nov 07 '11 at 21:09
@curiousguy could you elaborate the part on the `Tor exit point` ? – Pacerier Nov 08 '11 at 07:02
@Pacerier Tor is like the super-VPN (except it isn't a real VPN, Tor only gives you TCP and DNS, not IP access). Imagine you have an ISP that 1) will let you change your IP address as often as you like 2) won't ever reveal your true identity. That what's Tor tries to be (sort of - again, Tor does _not_ carry IP datagrams). Tor tries very hard to hide your the IP address your real ISP gave you. Nothing less, nothing more. If you have more questions about Tor, maybe you should ask a new question. (This comment box is tiny.) – curiousguy Nov 08 '11 at 07:40
(continued) When you browse a website through Tor, the source IP address the website sees is the Tor exit point your Tor client has chosen. Your Tor client can decide to use another exit point at any time. I'll add that it isn't easy for me to answer questions about Tor no knowing the level of your knowledge about Tor and your mental modem crowds systems. – curiousguy Nov 08 '11 at 07:44
@curiousguy ic, btw do you happen to work with / for Tor ? – Pacerier Nov 08 '11 at 23:53
@Pacerier I have installed and tried Tor, and support Tor goal, but that's it. I do not work for the development of Tor. – curiousguy Nov 19 '11 at 05:23

score 3 · Answer 3 · answered Oct 18 '11 at 11:50

3

Since 6u10 Java applets have been able to store "muffins" (effectively cookies) using java.jnlp.PersistenceService.

Also from the same release, Java applets can also open files through FileOpenService, FileSaveService and ExtendedService.

answered Oct 18 '11 at 11:50

Tom Hawtin - tackline

284
2
11

Are muffins built on top of cookies? In other words do muffins stay after I have cleared my cookies? – Pacerier Oct 20 '11 at 07:40
Muffins are an entirely separate bit similar mechanism. You don't even need a browser installed to use them with Java WebStart applications. – Tom Hawtin - tackline Oct 20 '11 at 17:19

score 3 · Answer 4 · answered Oct 18 '11 at 13:51

3

Silverlight can actually access the local filesystem, depending on the permissions granted. It is subject to .NET security mechanisms, but if these are badly configured, it is possible to read a user's files, or even change them.

answered Oct 18 '11 at 13:51

tdammers

1,776
9
14

holy, so basically if I surf with Silverlight enabled, just visiting a site could invite a virus in? – Pacerier Oct 20 '11 at 07:47
Yes, it could, but not just like that - you'd have to grant silverlight permission to write to 'interesting' locations, which it is not normally allowed to. The .NET security model is quite complicated, but it does make sense - silverlight plugins in the internet zone are mostly untrusted and will only be granted very limited access to system resources, so they can't just modify any registry key or dump dlls in windows\system32 or anything. – tdammers Oct 20 '11 at 19:59
but they could install "programs" into my computer which if I unknowingly "run as administrator" that's all it takes to destroy my computer? – Pacerier Oct 22 '11 at 16:41

Is silverlight and Java running on the web browser capable of saving "state" into the user's local machines?

4 Answers4