Totally agreed. One of the first things I do when I do a new install (for me personally) is to make sure in FF that either I have cookies turned off or to have FF ask me every time. It's just like NoScript, where yes, it can get annoying for a while, but then once your whitelist is fairly complete it is very worth it. Or you can just always start FF in a private browsing session too.
It is easier to change the specification to fit the program than vice versa.
Reconstructing? (Score:5, Informative)
The attack described on the first page of TFA didn't involve any 'reconstruction'. They were able to access the web histories by stealing cookies and using them to access the web histories Google provides. In the second page they talk about using the cookies to view a user's Google Suggest results.
Still, this is relatively unsurprising. If you snoop on my non-https transmissions, yeah, you can get a lot of information that I consider private. It would be nice if everything were https (the EFF has been pushi
Re:Reconstructing? (Score:1, Insightful)
Cookie white-listing seems saner and saner.
Re: (Score:1)
Re: (Score:2)
Cookie white-listing seems saner and saner.
Um, do you understand the attack at all? The attackers intercepted your cookies from Google, using a standard man-in-the-middle attack, and used them to access your account. Cookie whitelisting is useless here: the only cookies are legitimate ones from Google, and if you deny those, you can't log in (as with any cookie-based authentication).
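Added example (not part of the thread or of TFA): a simplified RFC 6265 matcher that lists which cookies a browser would attach to a plain-http request, i.e. the ones an on-path observer can read as the comments above describe. The hostnames, cookie names and values are constructed placeholders.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie value (simplified: no expiry or public-suffix checks)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": origin_host,
              "host_only": True, "path": "/", "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False      # Domain= widens scope to subdomains
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
    return cookie

def domain_matches(host, cookie):
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def path_matches(req_path, cookie_path):
    # RFC 6265 path-match: equal, or a prefix that ends on a "/" boundary
    if req_path == cookie_path:
        return True
    return req_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or req_path[len(cookie_path)] == "/")

def sent_in_cleartext(cookies, url):
    """Names of cookies attached to `url` when it is plain http (readable on the wire)."""
    u = urlsplit(url)
    if u.scheme != "http":
        return []
    host, path = u.hostname.lower(), u.path or "/"
    return [c["name"] for c in cookies if not c["secure"]
            and domain_matches(host, c) and path_matches(path, c["path"])]

# Constructed sample: (host that set the cookie, Set-Cookie value)
SAMPLE = [
    ("accounts.example.test", "SESSION=abc123; Domain=example.test; Path=/"),
    ("accounts.example.test", "SESSION_TLS=def456; Domain=example.test; Path=/; Secure; HttpOnly"),
    ("mail.example.test", "MAILSESSION=ghi789; Path=/; Secure"),
    ("accounts.example.test", "LOGIN=jkl012; Path=/accounts"),
]
JAR = [parse_set_cookie(h, host) for host, h in SAMPLE]
```

Only cookies carrying the `Secure` attribute are withheld from http requests; a domain-wide session cookie without it goes out on every cleartext request to any subdomain.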
Re: (Score:1)
Yes, exactly. If you are rejecting the cookies, you aren't logged in, and your search history is tracked less. I don't consider the personalization a feature, so I prefer not to be logged in.
(I do this in a somewhat hilarious fashion: I log into Google to use Gmail, and then I delete the cookies for google.com (but not for mail.google.com). Paranoia, I am doing it wrong.)