Configuring Internet Explorer for Practical Security and Privacy – Part 3
Customizing the Internet Explorer Privacy tab settings
Before we start customizing the privacy settings, let's try to understand what cookies are, what they do, and how Internet Explorer tries but fails to protect your privacy optimally.
What are Cookies
Generally, cookies are small text files sent to your browser by a website's server. They contain information gathered about your visit to the site, including your log-in information, where you went, what you did, and any personal information you gave, which can be used to identify you individually on future visits.
Types of Cookies
Session cookies: These are temporary in nature, stored in memory during the browsing session, and expire as soon as the browser closes. Session cookies can be used to gather information on how long a visitor stays on certain pages of a Web site, what browsers are used, which pages of the Web site are more popular, etc.
Persistent cookies: These are comparatively more permanent in nature. They have an expiration date ranging from a couple of days to many years and are stored as a file on your hard disk. These types of cookies are designed to remain there until the set date has passed or until the visitor has deleted the file. The Web site that placed the cookie also has the ability to extend the original expiry date without notice to the visitor.
First party cookies: These are those left on your machine by the web page that you are currently viewing. They can be either session or persistent cookies.
An example of first party session cookie prompt
An example of first party persistent cookie prompt
Third party cookies: These are those left on your machine by a domain other than the one that you are currently viewing. They can be either session or persistent cookies. Third party persistent cookies are almost always evil, usually used by big advertising networks to track a particular surfer across different Web sites, enabling them to build a profile of that person for serving targeted advertising.
An example of third party persistent cookie prompt
An example of third party session cookie prompt
It is worth noting that although persistent cookies are considered more harmful, even session cookies can be configured to hold compromising data. The cause for concern is therefore not the type of cookie used but what information is gathered and how it is used.
Why not block all cookies
If you block all cookies, you may not be able to view some Web sites or take advantage of customization features such as online banking, online shopping, local news and weather or stock quotes.
Internet Explorer's Methodology
While the new cookie handling options in IE6 do provide users with a more finely grained means for controlling cookies, the vast majority of IE6 users will find these options much too confusing and involved to be of any real use. Still worse, the default Privacy settings of IE6 are simply too lax for users to expect any meaningful improvement in the protection of their online privacy by IE6 straight "out-of-the-box." Given these lax default Privacy settings, as well as the confusion and frustration most IE6 users will likely experience when confronted with these new settings, IE6 arguably represents a step backwards in the struggle to offer internet users a reliable way to ensure their online privacy.
Unfortunately, in the light of the sheer complexity of the P3P specification as well as IE6's idiosyncratic way of classifying and sorting the P3P compact policies of individual web sites, many IE6 users will find that the simplest and most effective way to guarantee their privacy is to avoid IE6's P3P-based cookie settings altogether. Once users have dispensed with IE6's P3P-based configuration options, they can override the default Privacy settings, employ custom block lists, or use third-party filtering software, all of which provide simpler and more reliable ways for users to protect their privacy while surfing the web. Eric Howes - Spyware researcher and Privacy advocate.
What is the way out?
My suggestion is to follow Eric's advice above: dump IE's P3P-based cookie filtering, employ custom block lists like IE-Spyad and Spywareblaster to add dubious sites to your "Restricted sites" and "Per site Privacy actions" lists, and import a custom XML privacy file to control the "Trusted zone" effectively. This generally gives more options to tailor the privacy settings to your perceptions.
Check the following pages on how to install and setup IE-Spyad and Spywareblaster and how to use a custom XML file to protect your privacy in IE 6.
- How to effectively prevent Malware using SpywareBlaster
- How to effectively prevent Malware using IE-SPYAD
- Using a XML file to protect your privacy in Internet Explorer 6
If you prefer not to use a custom XML file for some reason, you can set up Internet Explorer in the following way to have some sense of privacy by restricting cookies in the Internet zone. This hopefully has the effect of accepting only first party cookies. All third party cookies are rejected outright. You may have to manually clear out the first party persistent cookies periodically.
Also note that using the Privacy slider or the advanced option to override automatic cookie handling will only work in the Internet zone. All cookies are automatically accepted from Web sites in both the Trusted sites and Local Intranet zones, and all cookies are automatically blocked from Web sites in the Restricted sites zone.
Open Internet Explorer. Click "Tools" in the menu and "Options" to configure the "Internet Options" window. In the "Privacy" tab, click "Advanced".
Checkmark "Override automatic cookie handling".
Under First-party Cookies select the radio button "Accept".
Under Third-party Cookies select the radio button "Block".
Make sure that "Always allow session cookies" is "Unchecked".
If you are a meticulous type you can have the option set to "Prompt" under First-party Cookies, so that every time your browser encounters a first party cookie it will prompt you with a "Privacy Alert" window to make a decision on how to handle the particular cookie.
The Privacy Alert prompt also lets you view more information about the cookie like whether it is a first party or a third party one and also whether it is a session only or a persistent cookie. It also provides an option to apply your decision – irrespective of Allow or Block – to all future cookies from the particular Website.
Per-Site Privacy Actions
Internet Explorer 6 provides an option to define cookie management practices on a per-site basis. This allows you to specify which Web sites are always allowed to set cookies and which are always blocked from setting them. It is important to note that this overrides the privacy preferences set with the slider and also the "Advanced Privacy Settings" dialog box settings.
By default, the Managed Websites list in the Per-Site Privacy Actions dialog box is not populated. Spywareblaster adds hundreds of sites to this list with the "Always Block" instruction, which rejects most of the adware/spyware tracking cookies.
To manually add a Web site to the managed list, click "Sites" in the Privacy tab, type the exact address including the http:// part, and then click Allow or Block.
You can also view the privacy report by clicking on the privacy icon that may appear on your status bar.
The appearance of this icon indicates that IE has taken a privacy protecting action by blocking or restricting a cookie or multiple cookies used by the current Web page.
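The cookie decisions described in the Advanced settings steps and in the Per-Site Privacy Actions section above, as an added sketch that is not part of the original tutorial and is not Internet Explorer's own logic: it classifies Set-Cookie headers by party and lifetime, then applies the override settings and a managed-sites list. The two-label site comparison, the reading of "Always allow session cookies" as accepting any session cookie, the function names and the .example hosts are assumptions made for illustration.

```javascript
// Added illustration: models the cookie decisions described in this tutorial.
// Assumption: "site" = last two host labels; real browsers use fuller rules.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Classify one Set-Cookie header by party and by lifetime.
function classify(pageUrl, senderUrl, setCookie) {
  const attrs = setCookie.split(';').slice(1)
    .map(a => a.trim().split('=')[0].toLowerCase());
  const persistent = attrs.includes('expires') || attrs.includes('max-age');
  const sender = site(new URL(senderUrl).hostname);
  return {
    site: sender,
    party: sender === site(new URL(pageUrl).hostname) ? 'first' : 'third',
    lifetime: persistent ? 'persistent' : 'session',
  };
}

// Settings from the steps above: override on, first-party Accept,
// third-party Block, "Always allow session cookies" unchecked.
const tutorialPolicy = { firstParty: 'accept', thirdParty: 'block', alwaysAllowSession: false };

// Per-site entries win over the Advanced settings, as the tutorial notes.
// Assumption: a checked session box accepts session cookies from any party.
function decide(cookie, policy, managedSites = new Map()) {
  const managed = managedSites.get(cookie.site);
  if (managed) return managed;
  if (policy.alwaysAllowSession && cookie.lifetime === 'session') return 'accept';
  return cookie.party === 'first' ? policy.firstParty : policy.thirdParty;
}

// Constructed sample traffic for one page view (hosts are placeholders).
const page = 'http://www.shop.example/cart';
const samples = [
  ['http://www.shop.example/cart', 'sid=abc123; Path=/'],
  ['http://img.shop.example/logo.gif', 'prefs=en; Expires=Fri, 31 Dec 2010 23:59:59 GMT'],
  ['http://ads.tracker.example/pixel.gif', 'uid=42; Expires=Fri, 31 Dec 2010 23:59:59 GMT'],
  ['http://ads.tracker.example/pixel.gif', 'tmp=1'],
];

function runSamples(policy, managedSites) {
  return samples.map(([from, header]) => {
    const c = classify(page, from, header);
    return `${c.party}/${c.lifetime}: ${decide(c, policy, managedSites)}`;
  });
}

console.log(runSamples(tutorialPolicy, new Map()));
```

Setting `alwaysAllowSession` to `true` in the sketch lets the tracker's session cookie through, which is why the steps above leave that box unchecked.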
The pop-up blocker is available only in the Internet Explorer that comes with Windows XP Service Pack 2. It allows you to control most pop-up windows that appear over pages while you are using the Internet.
The pop-up blocker is turned on by default and set to the medium setting which supposedly blocks all automatic pop-up windows. This setting will not block pop-ups that open when you click a link on a Web site.
You can change the pop-up blocker setting either by going to the "Privacy" tab in Internet Explorer settings options window or by going to the "Tools" menu and selecting "Pop-up Blocker" and clicking on "Pop-up Blocker settings".
The settings allow you to set the filter level to low, medium or high.
You can also add individual Web sites to the "Exceptions" list, which will allow the specified Web site to open pop-up windows irrespective of the setting in the "Filter Level".
Generally the default setting is sufficient to stop most of the unwanted pop-ups.
Note: The pop up blocker also puts restrictions on the size and position of pop-ups. Pop-ups cannot be larger than or opened outside the viewable desktop area regardless of the blocker setting.
By default, the sites in the Trusted sites zone and Local Intranet zones can open pop-up windows irrespective of the pop-up blocker setting as they are considered safe. This behaviour can be configured in the Security tab in Internet options.
This ends the Internet Explorer Privacy tab settings tutorial.