
Configuring Internet Explorer for Practical Security and Privacy – Part 3

by Shanmuga



Customizing the Internet Explorer Privacy tab settings


Before we start customizing the privacy settings, let's understand what cookies are, what they do, and how Internet Explorer tries but fails to protect your privacy optimally.

What are Cookies

Generally, cookies are small text files sent to your browser by a website's server. They contain information gathered about your visit to the site, including your log-in information, where you went, what you did, and any personal information you gave, and they can be used to identify you individually on future visits.


Types of Cookies

Session cookies: These are temporary in nature, stored in memory during the browsing session, and expire as soon as the browser closes. Session cookies can be used to gather information on how long a visitor stays on certain pages of a website, what browsers are used, which pages of the website are more popular, etc.

Persistent cookies: These are comparatively more permanent in nature. They have an expiration date ranging from a couple of days to many years and are stored as a file on your hard disk. These types of cookies are designed to remain there until the set date has passed or until the visitor deletes the file. The website that placed the cookie can also extend the original expiry date without notice to the visitor.

First party cookies: These are cookies left on your machine by the web page that you are currently viewing. They can be either session or persistent cookies.

An example of first party session cookie prompt


An example of first party persistent cookie prompt


Third party cookies: These are cookies left on your machine by a domain other than the one that you are currently viewing. They can be either session or persistent cookies. Third party persistent cookies are almost always evil, usually used by big advertising networks to track a particular surfer across different websites, enabling them to build a profile of that person for serving targeted advertising.

An example of third party persistent cookie prompt


An example of third party session cookie prompt


It is worth noting that although persistent cookies are considered more harmful, even session cookies can be configured to hold compromising data. The cause for concern is therefore not the type of cookie used but what information is gathered and how it is used.
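The four cookie types above can be read straight off the Set-Cookie response headers. The following is an added example, not part of the original tutorial; the host names, header values and the two-label site_of shortcut are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "current time"

def site_of(host):
    # Assumption: a site is the last two DNS labels. Browsers use fuller
    # rules; this shortcut misgroups names such as example.co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def classify(page_host, response_host, header, now=NOW):
    """Return (name, party, lifetime) using the article's cookie types."""
    name, attrs = parse_set_cookie(header)
    same = site_of(page_host) == site_of(response_host)
    expires = None
    try:
        if "max-age" in attrs:
            expires = now + timedelta(seconds=int(attrs["max-age"]))
        elif "expires" in attrs:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError, OverflowError):
        expires = None  # unreadable lifetime: treat as a session cookie
    if expires is None:
        lifetime = "session"
    else:  # a past date tells the browser to delete the cookie
        lifetime = "persistent" if expires > now else "expired"
    return name, "first-party" if same else "third-party", lifetime

SAMPLES = [  # constructed responses seen while viewing www.shop.example
    ("www.shop.example", "basket=abc123; Path=/"),
    ("www.shop.example", "login=u42; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("ads.tracker.example", "uid=7f3a; Max-Age=63072000"),
    ("ads.tracker.example", "tmp=1"),
    ("img.shop.example", "old=; Expires=Thu, 01 Jan 1970 00:00:00 GMT"),
]

def classify_samples():
    return [classify("www.shop.example", host, hdr) for host, hdr in SAMPLES]
```

The last sample shows how a site deletes a cookie: it re-sends the name with an expiry date in the past.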

Why not block all cookies

If you block all cookies, you may not be able to view some Web sites or take advantage of customization features such as online banking, online shopping, local news and weather or stock quotes.

Internet Explorer's Methodology


Internet Explorer 6 allows or blocks a cookie based on the availability of, and the information in, the P3P (Platform for Privacy Preferences) policy provided by the originating website. P3P is a standard being developed by the World Wide Web Consortium (W3C). Many websites provide privacy statements as written documents that you can view in your browser. These are frequently written in complicated legalese, whereas a P3P compliant policy contains basic machine-readable fields that express a company's privacy practices. Internet Explorer is able to compare your privacy settings to the P3P privacy policy and determine whether or not to allow the website to save cookies on your computer. Internet Explorer is also able to display the P3P policy.


The major drawback of this methodology is that an unscrupulous website can simply make up a privacy policy, because Internet Explorer cannot verify that the website complies with its own stated policy. Further, Internet Explorer provides no easy mechanism to control the Trusted zone; one has to use a custom import file, as the slider settings apply only to the Internet zone. If the user ever opts to revert to the default privacy settings, he has to edit the registry.



While the new cookie handling options in IE6 do provide users with a more finely grained means for controlling cookies, the vast majority of IE6 users will find these options much too confusing and involved to be of any real use. Still worse, the default Privacy settings of IE6 are simply too lax for users to expect any meaningful improvement in the protection of their online privacy by IE6 straight "out-of-the-box." Given these lax default Privacy settings, as well as the confusion and frustration most IE6 users will likely experience when confronted with these new settings, IE6 arguably represents a step backwards in the struggle to offer internet users a reliable way to ensure their online privacy.

Unfortunately, in the light of the sheer complexity of the P3P specification as well as IE6's idiosyncratic way of classifying and sorting the P3P compact policies of individual web sites, many IE6 users will find that the simplest and most effective way to guarantee their privacy is to avoid IE6's P3P-based cookie settings altogether. Once users have dispensed with IE6's P3P-based configuration options, they can override the default Privacy settings, employ custom block lists, or use third-party filtering software, all of which provide simpler and more reliable ways for users to protect their privacy while surfing the web. Eric Howes - Spyware researcher and Privacy advocate.


What is the way out?


My suggestion is to follow Eric's advice above: dump IE's P3P based cookie filtering, employ custom block lists like IE-Spyad and Spywareblaster to add dubious sites to your "Restricted sites" and "Per site Privacy actions" lists, and import a custom XML privacy file to control the "Trusted zone" effectively. This generally gives more options to tailor the privacy settings to your perceptions.

Check the following pages on how to install and set up IE-Spyad and Spywareblaster and how to use a custom XML file to protect your privacy in IE 6.

If you prefer not to use a custom XML file for some reason, you can set up Internet Explorer in the following way to have some sense of privacy by restricting cookies in the Internet zone. This hopefully has the effect of accepting only first party cookies. All third party cookies are rejected outright. You may have to manually clear out the first party persistent cookies periodically.

Also note that using the Privacy slider or the advanced option to override automatic cookie handling will only work in the Internet zone. All cookies are automatically accepted from Web sites in both the Trusted sites and Local Intranet zones, and all cookies are automatically blocked from Web sites in the Restricted sites zone.

Open Internet Explorer. Click "Tools" in the menu and "Options" to configure the "Internet Options" window. In the "Privacy" tab, click "Advanced".


Checkmark "Override automatic cookie handling".

Under First-party Cookies select the radio button "Accept".

Under Third-party Cookies select the radio button "Block".

Make sure that "Always allow session cookies" is "Unchecked".


If you are a meticulous type you can have the option set to "Prompt" under First-party Cookies, so that every time your browser encounters a first party cookie it will prompt you with a "Privacy Alert" window to make a decision on how to handle the particular cookie.


The Privacy Alert prompt also lets you view more information about the cookie like whether it is a first party or a third party one and also whether it is a session only or a persistent cookie. It also provides an option to apply your decision – irrespective of Allow or Block – to all future cookies from the particular Website.

Per-Site Privacy Actions

Internet Explorer 6 provides an option to define cookie management practices on a per-site basis. This allows you to specify which Websites are allowed to set the cookies always or which Websites are always blocked from setting cookies. It is important to note that this overrides the privacy preferences set with the slider and also "Advanced Privacy Settings" dialog box settings.

By default, the Managed Websites list in Per-Site Privacy Actions dialog box is not populated. Spywareblaster adds hundreds of sites to this list with "Always Block" instruction which rejects most of the adware/spyware tracking cookies.

To manually add a website to the managed list, click "Sites" in the Privacy tab, type the exact address including the http:// part, and then click Allow or Block.
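The zone rule, the per-site list and the Advanced settings described above combine into one decision per cookie. The following model is an added example and not Internet Explorer's own code; the host names, the order in which zone and per-site rules are checked, and subdomain matching for per-site entries are assumptions. It also shows why the tutorial leaves "Always allow session cookies" unchecked.

```python
# The Advanced settings recommended in this tutorial.
RECOMMENDED = {"override": True, "first-party": "accept",
               "third-party": "block", "always_allow_session": False}

def per_site_action(host, per_site):
    # Assumption: an entry matches the named domain and its subdomains.
    for domain, action in per_site.items():
        if host == domain or host.endswith("." + domain):
            return action
    return None

def decide(zone, host, party, persistent, settings, per_site):
    """Return 'accept', 'block', 'prompt', or 'p3p' (automatic handling)."""
    # The slider and Advanced settings only apply in the Internet zone.
    if zone in ("trusted", "intranet"):
        return "accept"
    if zone == "restricted":
        return "block"
    # Per-Site Privacy Actions override the slider and Advanced settings.
    site_rule = per_site_action(host, per_site)
    if site_rule:
        return site_rule
    if not settings["override"]:
        return "p3p"  # left to IE's P3P-based evaluation, not modelled here
    # When ticked, this option lets every session cookie through,
    # including third-party ones that "Block" would otherwise stop.
    if not persistent and settings["always_allow_session"]:
        return "accept"
    return settings[party]

def demo():
    per_site = {"tracker.example": "block"}  # constructed managed-sites list
    loose = dict(RECOMMENDED, always_allow_session=True)
    return {
        "first-party persistent": decide(
            "internet", "www.shop.example", "first-party", True, RECOMMENDED, per_site),
        "third-party session": decide(
            "internet", "ads.net.example", "third-party", False, RECOMMENDED, per_site),
        "third-party session, box ticked": decide(
            "internet", "ads.net.example", "third-party", False, loose, per_site),
        "per-site block beats Accept": decide(
            "internet", "cdn.tracker.example", "first-party", True, RECOMMENDED, per_site),
        "trusted zone ignores Block": decide(
            "trusted", "ads.net.example", "third-party", True, RECOMMENDED, per_site),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```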


Privacy Report – Review a Web site's Privacy Policy

If a website has a P3P compliant privacy policy, Internet Explorer can display a summary of the policy, called the "compact policy", with a link to the complete policy available at the website. To view the privacy report for a website, open the IE View menu and click "Privacy report" near the bottom of the menu. This report displays links to the parts of the web page that can set or receive cookies and also displays the blocked, restricted or accepted cookies from that site.



Select any item under the heading "site", and click on "Summary" to view the Privacy policy for the site, if available. You can configure cookie handling for this particular site by choosing one of the option buttons near the bottom of the dialog box.



You can also view the privacy report by clicking on the privacy icon that may appear on your status bar.


The appearance of this icon indicates that IE has taken a privacy protecting action by blocking or restricting a cookie or multiple cookies used by the current Web page.

Pop-up Blocker


The pop-up blocker is available only in the Internet Explorer that comes with Windows XP Service Pack 2. It allows you to control most pop-up windows that appear over pages while you are using the Internet.

The pop-up blocker is turned on by default and set to the medium setting which supposedly blocks all automatic pop-up windows. This setting will not block pop-ups that open when you click a link on a Web site.


You can change the pop-up blocker setting either by going to the "Privacy" tab in Internet Explorer settings options window or by going to the "Tools" menu and selecting "Pop-up Blocker" and clicking on "Pop-up Blocker settings".

The settings allow you to set the filter level to low, medium or high.


You can also add individual websites to the "Exceptions" list, which will allow the specified website to open pop-up windows irrespective of the setting in the "Filter Level".


Generally, the default setting is sufficient to stop most of the unwanted pop-ups.

Note: The pop up blocker also puts restrictions on the size and position of pop-ups. Pop-ups cannot be larger than or opened outside the viewable desktop area regardless of the blocker setting.

By default, the sites in the Trusted sites zone and Local Intranet zones can open pop-up windows irrespective of the pop-up blocker setting as they are considered safe. This behaviour can be configured in the Security tab in Internet options.

This ends the Internet Explorer Privacy tab settings tutorial.


Configuring Internet Explorer for Practical Security and Privacy Part – 4 Content & Programs Tab


