What does HackerNews think of evercookie?
Produces persistent, respawning "super" cookies in a browser, abusing over a dozen techniques. Its goal is to identify users after they've removed standard cookies and other privacy data such as Flash cookies (LSOs), HTML5 storage, SilverLight storage, and others.
https://github.com/samyk/evercookie
It's quite dead now, stopped working around 2017: https://github.com/samyk/evercookie/issues/125
One of the purposes of the evercookie project was to have a collection of tracking methods that browser vendors can test against their implementation.
- Standard HTTP Cookies - Flash Local Shared Objects - Silverlight Isolated Storage - CSS History Knocking - Storing cookies in HTTP ETags (Backend server required) - Storing cookies in Web cache (Backend server required) - HTTP Strict Transport Security (HSTS) Pinning (works in Incognito mode) - window.name caching - Internet Explorer userData storage - HTML5 Session Storage - HTML5 Local Storage - HTML5 Global Storage - HTML5 Database Storage via SQLite - HTML5 Canvas - Cookie values stored in RGB data of auto-generated, force-cached PNG images (Backend server required) - HTML5 IndexedDB - Java JNLP PersistenceService - Java exploit CVE-2013-0422 - Attempts to escape the applet sandbox and write cookie data directly to the user's hard drive.
https://github.com/samyk/evercookie
In short, everything and more can be used for tracking, and that has really killed the party for the many people who have created responsible, useful applications of these browser APIs.
On smaller devices, a few kb of important data in LocalStorage was periodically deleted without user intervention.
> do you believe it will be used for nefarious purposes?
If one is nefarious of heart, https://github.com/samyk/evercookie supersedes ImmortalDB.
For improved resiliency.
You can also configure IronDB to only use any two datastores of your choice, if you so desire: IronStorage's constructor takes an Array of storage implementations of your choice. See https://github.com/gruns/irondb#api.
> So you delete data when the user wants to delete data. Which database doesn't have this feature?
A database where the data therein can be deleted without warning. Browsers unceremoniously delete IndexedDB, LocalStorage, and SessionStorage under storage pressure. See https://developers.google.com/web/fundamentals/instant-and-o...
> doesn't use Flash, Silverlight, or Java -- which do?
Evercookie, a similar library, uses Flash, Silverlight, and/or Java.
See https://github.com/samyk/evercookie.
> No offence to the author but all this sound malicious. Perhaps this is why evercookie isn't maintained?
No offense taken.
Thank you for your feedback, kreetx. Don't hesitate to let me know if I can answer any other questions, or if there's anything else I can do for you.
The GDPR being deliberately vague is a response to issues like these, it serves neither the interests of the users or the regulation to say "Get consent before getting cookies and only cookies" only to have sites and services turn around and use methods like this, or:
BrowserFingerprinting - https://panopticlick.eff.org/
Super/Ever Cookies - https://github.com/samyk/evercookie
HSTS identification - https://www.owasp.org/index.php/HTTP_Strict_Transport_Securi...
or whatever the new sneaky identification via browser features hack happens to be.
[0] https://github.com/samyk/evercookie/
[1] http://www.theregister.co.uk/2015/01/30/verizon_uidh_super_c...