Only browser makers can stop spies from piggybacking on commercial Web tracking
December 13, 2013  

Ed Felten has some advice on how to stop spies from piggybacking on commercial Web tracking:

In the medium term, the easiest way for trackers to protect their users is to switch to https. Until they do so, it is up to users to protect themselves.

The context is that the NSA is using web cookies to track people as they browse across web sites. For example, an advertising company might place ads on two web sites; when you visit each site, your browser will send the same cookie to the advertiser (unencrypted, using HTTP), allowing the advertiser (and the NSA) to know that you have visited both sites. See the Washington Post article for full details.

Ed is right that HTTPS (encrypted browsing) will prevent the attack, and trackers can implement this right now. And I look forward to his post on how users can protect themselves. However, this ignores the fact that browser makers are the ones who are really able to protect their users from the attack.

Browser makers should give users a preference setting: never send unencrypted cookies. That is, the user could tell the browser not to send cookies over HTTP, only HTTPS. So if a tracker tries to see a cookie using HTTP, it will be denied; but if it tries to see a cookie over HTTPS, it will succeed.

Moreover, browser makers should make this the default setting.

This approach gives an immediate, compelling incentive for trackers to start using HTTPS instead of HTTP: they won’t be able to do their job without it. Since trackers (and not users) are the only ones who can flip the switch on HTTPS, the only way to protect users is to create such an incentive. And today, only browser makers can do this.