The Brock Press and Internet Security and Privacy with Flash

Submitted by co60ca on Wed, 06/29/2016 - 14:39

The Brock Press website appears to include scripts from Facebook that allow Facebook to track visitors who have active Facebook cookies (which is just about anyone who has ever been on Facebook). This may have been done unknowingly by the developer of the site or by The Brock Press. It lets Facebook learn which sites, including The Brock Press, its users visit, and target ads to them when they return to Facebook. Tracking cookies can also be used to sell browsing history to other companies. The Brock Press also includes a Flash player on its site for viewing the most recent issue. We will discuss the problems with using Flash and 3rd party tracking cookies and scripts.

Cookies have positive uses, and disabling them is often not an option if you wish to use most sites fully, since they keep track of the user's session. For instance, it is almost impossible to use Facebook in a meaningful way without cookies. The negative side of cookies appears when harmful JavaScript is embedded into 3rd party sites, allowing the site that provides the script to track the users of every site it is embedded on. This happens with scripts included from sites such as facebook.com, linkedin.com, twitter.com, or Google properties such as youtube.com.

The EU recently created new laws intended to obtain informed consent about cookies from the users of websites. This ended up being counterproductive, since these laws led websites to embed scripts, under the guise of creating informed consent, that themselves contain more tracking cookies.

Generally there are two reasons to create a script that you want other developers to embed on their site: 1. to generate notice, co-brand, or provide useful services; 2. to track, generate analytics, or maliciously infect users.

Certain social media sites provide banners or links that generate traffic for their own site. Facebook has the Like button, LinkedIn has the Connect button, Twitter has embeddable tweets. Web developers often include these as a quick way to link to a company's social media page. These banners or links often contain tracking code, as the Privacy Badger extension from the EFF makes evident in the image below. The better way is to follow each site's branding guidelines responsibly and create a link that is styled to match the theme of your own site while also respecting your users' privacy. This is what I do on my personal site where it is available.

[Image: the Privacy Badger extension on The Brock Press website]

Privacy Badger is available for most modern browsers and detects and blocks tracking sites and domains using an algorithm that is more sophisticated than a simple whitelist or blacklist.

It has been generally accepted for the last few years that there is no reason to continue developing for Flash Player, given the number of exploits that allow malware to be delivered to a site's visitors. There are also privacy concerns: Flash exposes more uniquely identifiable data, which allows trackers to identify users uniquely. Being uniquely identifiable is like walking around with a number similar to a Social Security Number attached to every website you visit.

This is almost already possible, but it can be extended to physical location. An IP address can often be considered unique; however, an IP address is also tied to a physical location. Without cookies it is nearly impossible to tell whether a user at one location is the same person as a user at another location. When you visit a friend's house and log on to their WiFi, any site you visit that tracks you now potentially knows you are in communication with that person, or at least that you visited at that time.

The solution to the Flash problem is this: Flash can be replaced with HTML5 and JavaScript in every case now. Flash is insecure because it relies on people actually updating their version of Flash, and the number of Flash exploits used to deliver malware has been extensive in the last few years; it is a running joke online that people don't update Flash. In Chrome/Chromium, Flash must be explicitly enabled by the user, so the user experience of the Flash app on The Brock Press site is already poor.

In conclusion, The Brock Press should consider removing all third-party scripts that track their visitors and removing the Flash app from their sidebar, replacing Facebook embeds with images and anchor tags and replacing Flash apps with JavaScript ones that respect visitor privacy.
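As an added example (not The Brock Press's markup or the original post's code), the audit below scans a page's HTML for the two problems described above, third-party tracking includes and Flash embeds, so a site owner can check their own pages before removing them. The sample HTML, the example-press.test hostnames and the facebook.net entry are assumptions for illustration.

```javascript
// Added example: offline audit of page HTML for third-party (tracking) includes
// and Flash embeds. Tag scanning is regex-based so it needs no DOM; a real audit
// would use a proper HTML parser or the browser's DevTools network panel.

// Hosts named in the post. facebook.net is an addition: the Facebook JS SDK that
// powers the Like button is served from connect.facebook.net.
const TRACKING_HOSTS = ['facebook.com', 'facebook.net', 'linkedin.com',
                        'twitter.com', 'youtube.com'];

const TAG_RE = /<(script|iframe|img|embed|object)\b([^>]*)>/gi;
const SRC_RE = /\b(?:src|data)\s*=\s*["']([^"']+)["']/i;

// True when hostname is domain itself or a subdomain of it (www.facebook.com).
function hostMatches(hostname, domain) {
  return hostname === domain || hostname.endsWith('.' + domain);
}

// Returns { thirdParty: [{tag, url, tracker}], flash: [url] }, resolving
// relative URLs against pageUrl. Same-host resources are only reported if Flash.
function auditHtml(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const result = { thirdParty: [], flash: [] };
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const src = SRC_RE.exec(attrs);
    if (!src) continue;
    const url = new URL(src[1], pageUrl);
    // Flash: a .swf resource or an explicit shockwave-flash MIME type.
    if (/\.swf$/i.test(url.pathname) || /x-shockwave-flash/i.test(attrs)) {
      result.flash.push(url.href);
    }
    if (url.hostname !== pageHost) {
      const tracker = TRACKING_HOSTS.some(d => hostMatches(url.hostname, d));
      result.thirdParty.push({ tag, url: url.href, tracker });
    }
  }
  return result;
}

// Constructed sample markup modelled on the issues described; not the real site.
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script async src="https://connect.facebook.net/en_US/sdk.js"></script>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.example-press.test"></iframe>
<img src="https://cdn.example-press.test/logo.png">
<object type="application/x-shockwave-flash" data="/flash/issue-viewer.swf"></object>
<a href="https://www.facebook.com/ExamplePress"><img src="/img/facebook-icon.png" alt="Facebook"></a>`;
console.log(JSON.stringify(auditHtml(SAMPLE_HTML, 'https://www.example-press.test/'), null, 2));
```

The final anchor-plus-local-image link in the sample is the privacy-respecting replacement the post recommends, and the audit reports nothing for it.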