Q&A Is Deleting Cookies the Only Way to Prevent Cookie Theft?


ForgottenSeer 85179

I find that a bit extreme.
Of course, limiting third party apps and extensions is preferred for security and privacy, but now you are trusting a third party dns provider.
Every DNS is by definition third party.
I also use Quad9 in router which e.g. is used by OS.

I don't think a few well-chosen extensions pose a real threat.
Even known trusted extensions get manipulated. Adblock Plus, NoScript, WOT, …
 

Jan Willy

Level 7
Jul 5, 2019
290
A doctor would examine the patient first before he makes a diagnosis. Now we know hardly anything about the patient. Nevertheless we prescribe all kinds of medication. Perhaps, to let the patient stay safe and healthy, MS Edge with built-in ad and tracker blocking is enough.
 

SeriousHoax

Level 37
Verified
Mar 16, 2019
2,661
As already suggested by some members,

1) Try hardening the OS by using something like Hard Configurator/SimpleWindowsHardening. If using Microsoft Defender then also check Configure Defender. Both have dedicated threads here.
2) Use a password manager if you can like Bitwarden.
3) It's a must to install an adblocker like uBlock Origin. I would also like to mention another capable and trusted one which is Adguard. If uBlock Origin causes any issue by chance then there's always Adguard as an alternative solution.
4) Ignore whoever says not to use an Adblocker.
5) Set the browser to block all third-party cookies.
6) Delete cookies now and then. Maybe two, three times a month at least.
7) As Mr. oldschool is back after a long time, follow his motto, "Stay safe, not paranoid". ✌️
 

ForgottenSeer 85179

3) It's a must to install an adblocker like uBlock Origin. I would also like to mention another capable and trusted one which is Adguard. If uBlock Origin causes any issue by chance then there's always Adguard as an alternative solution.
This isn't a must. Why did you recommend it as a must? Nowadays browsers provide their own tracking protection, and against ads a lot of other options exist.

4) Ignore whoever says not to use an Adblocker.
That's not how it works but nice to see that you don't accept other opinions and facts. Here also a quote from GrapheneOS dev:
The recommended approach to system-wide ad-blocking is setting up domain-based ad-blocking as part of DNS resolution.

Apps and web sites can detect that ad-blocking is being used and can determine what's being blocked. This can be used as part of fingerprinting users. Using a widely used service like AdGuard with a standard block list is much less of an issue than a custom set of subscriptions / rules, but it still stands out compared to the default of not doing it.
@always_forever above quote is interesting for you.

6) Delete cookies now and then. Maybe two, three times a month at least.
This will only end in endless cookie banner management, instead of only doing it once.
It's not worth it, nor adding any advantages.
 

HarborFront

Level 59
Verified
Content Creator
Oct 9, 2016
4,826
Hello,

I hope this post finds everyone here well and staying safe.

I'm wondering if there is any way to prevent passwords from being stolen due to cookie theft apart from deleting all cookies after each browser session?

I know there’s a tradeoff between convenience and security and I’m willing to embrace that…but I work online a lot and having to re-register my PC multiple times every day is draining a lot of precious time.

Is the best way to just delete them or is there another way to prevent this?

There’s a lot of scams in the world these days and I’m doing my best to increase my cybersecurity knowledge and practices…so any insight would be sincerely appreciated!
Deleting cookies is after each browsing session unless you can auto delete during your browsing session (see below).

You'll need to keep the cookies if you need to frequently sign-in to the sites

I think the concern here is during the browsing session and how to prevent cookie theft. There are many articles on the net detailing this, e.g.


They mainly talked of prevention like

1) Surf over secure sites e.g. HTTPS
2) Preventing exploits
3) Preventing session hijacking from XSS, DNS and MITM attacks

and lastly, clearing cookies at the end of the session, e.g. use of Incognito mode, sandbox/virtualize the browser or otherwise using an extension to do that. Note the browser itself can also clear browsing history, but that's only after you exit the browser.

Extension which can automatically clear browsing history with preset timing is the best. Chrome History Cleaner extension (no longer available in Chrome Web Store) can clear browsing history at every 1 minute minimum setting. In FF you can use Forget Me Not extension to prevent cookie creation
 
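An added example, not part of HarborFront's post or the linked articles: the prevention list above (HTTPS, XSS/MITM hijacking, clearing cookies at session end) corresponds to standard cookie attributes a site sets, which this sketch audits from `Set-Cookie` headers. The `Secure`, `HttpOnly` and `SameSite` attributes are not named in the thread; the function names and sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for attributes that limit cookie theft.
// SAMPLE_HEADERS are constructed sample data, not captured from a real site.

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive; flag attributes carry no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  // Without Secure the cookie is also sent over plain HTTP (MITM exposure).
  if (!attrs["secure"]) findings.push("no-secure");
  // Without HttpOnly page scripts can read it (exposure to XSS).
  if (!attrs["httponly"]) findings.push("no-httponly");
  // SameSite absent or None: the cookie may accompany cross-site requests,
  // depending on the browser's default.
  const sameSite = String(attrs["samesite"] || "").toLowerCase();
  if (sameSite !== "strict" && sameSite !== "lax") findings.push("cross-site");
  // Max-Age/Expires makes the cookie persistent: it survives closing the
  // browser unless the user or an extension clears it.
  const persistent = "max-age" in attrs || "expires" in attrs;
  return { name, persistent, findings };
}

const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "remember_me=xyz789; Path=/; Max-Age=2592000",
  "tracker=t1; Domain=ads.example; SameSite=None; Secure; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
];

function auditAll(headers) {
  return headers.map(auditCookie);
}

for (const r of auditAll(SAMPLE_HEADERS)) {
  const kind = r.persistent ? "persistent" : "session";
  console.log(`${r.name} (${kind}): ${r.findings.join(", ") || "ok"}`);
}
```

The headers a site actually sends can be read in the browser's developer tools (Network tab, response headers) and pasted in place of the sample list.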

SeriousHoax

Level 37
Verified
Mar 16, 2019
2,661
This isn't a must. Why did you recommend it as a must? Nowadays browsers provide their own tracking protection, and against ads a lot of other options exist.
Adblockers' filter lists are much more enriched than built-in protection provided by the browsers (Maybe Brave is an exception) and even DNS-based solutions. Two, three weeks ago I wanted to watch a tennis match (Djokovic vs Nadal, French Open Semifinal) on a site on my mobile using Microsoft Edge with Strict protection and NextDNS as the DNS but couldn't because of constant VPN ads on the site. Opened the same site on Firefox for Android with uBlock Origin and watched for an hour without any ads whatsoever. So there goes just one real-life example.
Besides, the OP said, he uses Google Chrome which doesn't have built-in tracking/ads protection and not everyone will be willing to use NextDNS/Adguard DNS/piHole type solutions. Like, I'm using Cloudflare on my PC now as it's the fastest for me.
As gorhill says, uBlock Origin is not just an ad blocker, it is a content blocker. It does a lot more. Also ads like "There's a hot girl in your area, click here to talk to her" are not usually blocked by any built-in or DNS-based solutions. These types of ads are mostly malvertisements and believe it or not plenty of people still fall for this.
So, an adblocker is one of the first lines of defense in a browser. Oh also, only adblockers can block YouTube ads (Exception: Adguard Desktop).
That's not how it works but nice to see that you don't accept other opinions and facts. Here also a quote from GrapheneOS dev:
You have an opinion and I have a different one. Isn't it obvious that all of our opinions won't match? There are many things I agree with you and there are also many things I disagree with you. This is not exclusive to you. This is true for everyone on the forum. This is normal and it happens always in real life too. So there's nothing personal about it.
This will only end in endless cookie banner management, instead of only doing it once.
It's not worth it, nor adding any advantages.
You see those cookie banners because you rely on built-in and DNS-based protection which can't block/hide them. I use uBlock Origin with appropriate filters so I don't see any cookie notices. Good for me.
Deleting cookies isn't a must. Even I don't usually delete those but sometimes we visit some random sites that we may not visit anytime soon so deleting cookies would get rid of those unnecessary ones. One can also manually delete them separately from the browser of course.
But blocking all third-party cookies is very important in my opinion.
 

always_forever

Level 1
Jul 1, 2021
26
As already suggested by some members,

1) Try hardening the OS by using something like Hard Configurator/SimpleWindowsHardening. If using Microsoft Defender then also check Configure Defender. Both have dedicated threads here.
2) Use a password manager if you can like Bitwarden.
3) It's a must to install an adblocker like uBlock Origin. I would also like to mention another capable and trusted one which is Adguard. If uBlock Origin causes any issue by chance then there's always Adguard as an alternative solution.
4) Ignore whoever says not to use an Adblocker.
5) Set the browser to block all third-party cookies.
6) Delete cookies now and then. Maybe two, three times a month at least.
7) As Mr. oldschool is back after a long time, follow his motto, "Stay safe, not paranoid". ✌️

This is a highly actionable list - thanks!

Already on it and all of these are covered except for the hard configurator. I'll be working on that today but I have to get a better understanding of it first.

As far as cookies go, since I use a password manager with autofill, do I even have to worry about deleting them after each browser session? As I understand it, they're not stored in this scenario. Is other sensitive data like payment methods and whatnot stored? I've read the information at the links HarborFront posted but, frankly, some of it goes over my head.

Do you recommend MalwareBytes Browser Guard? I've turned off MWB Premium real-time protection so it doesn't conflict with KSC free.

Do you use anti-keyloggers? KSC free supposedly blocks them but I'm not sure how well.
 

always_forever

Level 1
Jul 1, 2021
26
They mainly talked of prevention like

1) Surf over secure sites e.g. HTTPS
2) Preventing exploits
3) Preventing session hijacking from XSS, DNS and MITM attacks

and lastly, clearing cookies at the end of the session, e.g. use of Incognito mode, sandbox/virtualize the browser or otherwise using an extension to do that. Note the browser itself can also clear browsing history, but that's only after you exit the browser.

Extension which can automatically clear browsing history with preset timing is the best. Chrome History Cleaner extension (no longer available in Chrome Web Store) can clear browsing history at every 1 minute minimum setting. In FF you can use Forget Me Not extension to prevent cookie creation
Appreciate the links and doing my best to understand the technology and terminology. Is the safest bet to use such an extension (clear at intervals) or is this unnecessary being that I use a password manager with autofill?
 

oldschool

Level 61
Verified
Mar 29, 2018
5,036
Maybe Brave is an exception
Indeed, it is. It even handles the situation @Gandalf_The_Grey had with private browsing on YT. PB @ YT on Brave is nice and clean. By far, THE BEST built-in adblocker available. And the µBO/adblocking community can thank the Brave team for all of their support in filter list maintenance.

And you are correct, sir: "Stay safe, not paranoid!" (y);):cool:
 

ForgottenSeer 85179

As far as cookies go, since I use a password manager with autofill, do I even have to worry about deleting them after each browser session?
No.

Is other sensitive data like payment methods and whatnot stored?
No. But you can separate your browsing best with Updates - Chromium-Edge "3-Browser-Profiles" Solution

Do you recommend MalwareBytes Browser Guard? I've turned off MWB Premium real-time protection so it doesn't conflict with KSC free.
Stay with one AV only. I recommend Defender but use what you want.
Combine that with SmartScreen (default already in Edge) and you're fine.
Edge can even natively be used in a much more secure way: Q&A - [HowTo] use extensions without compromise anything

Do you use anti-keyloggers?
No.
Secure your system like with Hard_Configurator so keyloggers/ malware can't even start. Hiding data against them is theatre.
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,913
Indeed, it is. It even handles the situation @Gandalf_The_Grey had with private browsing on YT. PB @ YT on Brave is nice and clean. By far, THE BEST built-in adblocker available. And the µBO/adblocking community can thank the Brave team for all of their support in filter list maintenance.

And you are correct, sir: "Stay safe, not paranoid!" (y);):cool:
No problems with YouTube anymore now I'm back to an almost default uBlock Origin configuration, but I agree Brave does a great job.
I just like Edge more.
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,913
I must admit I like it more as time passes, though it still has that weird bug - a 2 second delay upon closing.

BTW, I'm trying Edge Dev on Android and so far so good, except they're still using Adblock.
I don't have that 2 second delay upon closing.
Maybe you have it set to delete cookies on closing?

I don't use my phone for browsing that often, so I still use Google Chrome on it with AdGuard systemwide.
Will try Edge Chromium on it when it comes out of beta and hope they will consider adding extensions like uBlock Origin, but Adblock Plus is still better than nothing.
 

ForgottenSeer 85179

I must admit I like it more as time passes, though it still has that weird bug - a 2 second delay upon closing.
I also had the same problem when I deleted the cookies on exit.
Apparently the whole process doesn't work very effectively, but without deleting there is no more delay and everything works instantaneously (y)
 

always_forever

Level 1
Jul 1, 2021
26
No.


No. But you can separate your browsing best with Updates - Chromium-Edge "3-Browser-Profiles" Solution


Stay with one AV only. I recommend Defender but use what you want.
Combine that with SmartScreen (default already in Edge) and you're fine.
Edge can even natively be used in a much more secure way: Q&A - [HowTo] use extensions without compromise anything


No.
Secure your system like with Hard_Configurator so keyloggers/ malware can't even start. Hiding data against them is theatre.
Now we're getting somewhere!

I have to use Chrome for my work so I'm stuck with it. I try to keep extensions to a minimum, installed uBlock Origin, and disabled third-party cookies. Not sure what else I can do to further secure the browser.

Isn't Defender Windows firewall? I thought it was pretty standard to use AV in addition to that? Defender is active along with KSC free and MWB Premium with real-time protection turned off.

I didn't know Hard_Configurator was even a thing before posting on this site! I thought it would be overwhelming but, as suggested in one of the threads here, I just used the recommended settings and also activated FireWall Hardening. ConfigureDefender is grayed out and not clickable but thinking that's because I run KSC...not sure if that's a correct assumption.

I have to say that it's thanks to you and some other helpful members here that I've even been able to move forward with all this. I don't want to be paranoid (which keeps getting mentioned) but it's hard not to be when you know that you don't know what you don't know ;]
 

ForgottenSeer 85179

I have to use Chrome for my work so I'm stuck with it.
Chrome is fine too!

disabled third-party cookies. Not sure what else I can do to further secure the browser.
Keep with default browser settings as much as possible and avoid extensions at all - if possible.
If you are using uBlock Origin because of Ads, you should look at Tutorial - NextDNS: a DoH/ DoT guide and use NextDNS as DNS provider in Chrome.
If that's okay for you, but you visit some sites which used too annoying ads, install Application Guard, follow my posted guide above and install adblocker in that browser session. That's the way i do it.

Isn't Defender Windows firewall? I thought it was pretty standard to use AV in addition to that? Defender is active along with KSC free and MWB Premium with real-time protection turned off.
Defender is the complete Windows security package with AV, Firewall, Anti-Ransomware, Anti-Exploit, Network filter, ASR rules, ...

I didn't know Hard_Configurator was even a thing before posting on this site! I thought it would be overwhelming but, as suggested in one of the threads here, I just used the recommended settings and also activated FireWall Hardening.
(y)

ConfigureDefender is grayed out and not clickable but thinking that's because I run KSC...not sure if that's a correct assumption.
Maybe. You miss many Defender security features then. But as said above, if you're fine with your AV, ok.

I have to say that it's thanks to you and some other helpful members here that I've even been able to move forward with all this. I don't want to be paranoid (which keeps getting mentioned) but it's hard not to be when you know that you don't know what you don't know ;]
You can also look at my setup for some ideas: SECURITY: Complete - SecurityNightmares's Security Config 2021
Or look at my Windows guide: beerisgood/Windows10_Hardening
 

always_forever

Level 1
Jul 1, 2021
26
Chrome is fine too!


Keep with default browser settings as much as possible and avoid extensions at all - if possible.
If you are using uBlock Origin because of Ads, you should look at Tutorial - NextDNS: a DoH/ DoT guide and use NextDNS as DNS provider in Chrome.
If that's okay for you, but you visit some sites which used too annoying ads, install Application Guard, follow my posted guide above and install adblocker in that browser session. That's the way i do it.


Defender is the complete Windows security package with AV, Firewall, Anti-Ransomware, Anti-Exploit, Network filter, ASR rules, ...


(y)


Maybe. You miss many Defender security features then. But as said above, if you're fine with your AV, ok.


You can also look at my setup for some ideas: SECURITY: Complete - SecurityNightmares's Security Config 2021
Or look at my Windows guide: beerisgood/Windows10_Hardening
I'm looking at both of those links but shouldn't I get a cybersecurity certification first so I understand at least some of it?

I used to work in IT and got an MCSE in 2002 but am really reminded of how little I know these days.

What does the average home user do, I wonder?

Do I need to understand all of that and apply it to truly have a secure setup? I know there are levels...
 

ForgottenSeer 85179

I'm looking at both of those links but shouldn't I get a cybersecurity certification first so I understand at least some of it?

I used to work in IT and got an MCSE in 2002 but am really reminded of how little I know these days.
I don't own any certificate so don't think you need one ;)

What does the average home user do, I wonder?
Well, nothing. They start their PC and use it.
That's the problem with at least Windows PCs and a reason Microsoft needs to increase the default security.

Do I need to understand all of that and apply it to truly have a secure setup? I know there are levels...
You should start reading the Hard_Configurator manual and you will see that a lot of stuff is already handled by Andy's great tool :)
Then start reading about the other stuff I list and pick the ones you want to start with.

And if you can't get enough, look at anupritaisno's setup o_O
 