Firefox 85 "Supercookies"?

[tzdvl]

I have noticed that since the latest Firefox update to v85.0, CCleaner now displays most cookies in a format similar to:

 www.xyzxyz.com^partitionkey=%28http%2cxyzxyz.com%29

where it used to just display:

 www.xyzxyz.com    and    xyzxyz.com

 

I think this is due to a change in how Firefox 85 handles (isolates?) cookies and "supercookies"?

I don't begin to understand this stuff, but previously it was easy to save login cookies in CCleaner. The cookies now displayed in the new format are duplicates of my previously saved cookies, but cleaning out the "new" versions does not affect logins or preferences.

In other words, it is not necessary to tell CCleaner to save the new versions instead of, or in addition to, the previous versions.

Could someone explain how a CCleaner user should interpret and work with the "new format" cookies now displayed in CCleaner?

Thanks!

 

 

Edited February 5, 2021 by tzdvl

[nukecad]

Yes Firefox changed the way that it handles cookies/supercookies with v85.

https://blog.mozilla.org/security/2021/01/26/supercookie-protections/

I'm still trying to get my head around the changes myself but as I understand it each of those 'partitions' is set up for each website that you visit.
So instead of one 'Supercookie' being generated that will span all websites, a new one one is generated for each website that references it.
Which means that the same 'supercookie' could now be stored multiple times rather than just once, but because of that it isn't as 'Super' as it used to be.

Think of it a bit like the difference between putting your telepone number in a directory once so that everyone in the world can see it, or giving it to your friends multiple times so that only they can see it.

It doesn't affect the 'Saved Logins' setting in CClearer though. (That only clears out the list of logins/passwords that you have saved to Firefox, use very, very, carefully or have your passwords saved elsewhere so you can put them back again).

Whether you stay logged into a site or not depends on if you clear 'Sessions' or not.

Are you seeing anything different other than the way that the cookies are now being listed in CCleaner with those partition keys?

[tzdvl]

Thanks for the excellent explanation. Makes sense.

I have never used CCleaner to clear or manage my logins or passwords in Firefox. I have always managed these directly in "Saved Logins & Passwords" under Firefox's privacy settings.

CCleaner is set like this:

 

I only use CCleaner to manage cookies in Firefox.

I move any cookies I need to preserve new logins or preferences to "Cookies to Keep" before cleaning.

 

That's why I was interested to know what to do with the  " ^partitionkey=%28http% " cookies now being displayed.

If I  just continue to ignore and delete them, am I defeating Firefox's new management strategy? Should I replace my previously saved login cookies with the version specific to the "partitioned" website?

How should users interpret the info shown in CCleaner?

We need some guidance!

Edited February 5, 2021 by tzdvl

[nukecad]

As I say I'm still getting my head around these changes myself; and I 've no doubt that the CCleaner developers are doing a bit of head scratching.

The reason I'm trying to work it out myself is because I use my own batch file for cleaning Firefox and a few other things, so all that stuff and more is gone before I get to CCleaner.
For example all the cookies and supercookies have always been removed by my batch and so I don't even see them in CCleaner.
My batch seem to still be working OK but the question is am I missing something because of the changes to Firefox?

I don't think it will make any difference to CCleaner unless you are trying to move cookies from 'Cookies on computer' to 'Cookies to Keep' in which case all these new partitions will make things confusing.
I think that anything already in 'Cookies to Keep' will still be respected. (But TBH I'm not entirely sure).

I'm sure that now this new issue with 'Cookies to Keep' has been brought up it will be being looked at by the CCleaner devs, but CCleaner is about due for another update so any changes (if they are possible) may not make it this time round.

I'll make a point of highlighting this thread to the staff, just in case it hasn't already been noticed as a new issue.

[nukecad]

I've been having a look and it seems that the cookies are each linked by the partitionkey to the website that they came from.

For instance this is the same google cookie but 'partitioned' by Firefox for each of 4 different websites:

So as long as you 'Keep' the cookie only for the site(s) you want and not for others then that should be fine and work as it always has.

If you edit a 'Kept' cookie to remove the partition key then I believe that it will be saved globally?
Not sure but from what you described above that is what seems to be happening with your old 'kept' cookies that don't have a partition specified.

Quote

The cookies now displayed in the new format are duplicates of my previously saved cookies, but cleaning out the "new" versions does not affect logins or preferences.

Because your (not partitioned) old version is globally keeping them?

PS. I see there is already an update to Firefox 85: https://www.mozilla.org/en-US/firefox/85.0.1/releasenotes/

[tzdvl]

7 hours ago, nukecad said:

So as long as you 'Keep' the cookie only for the site(s) you want and not for others then that should be fine and work as it always has.

If you edit a 'Kept' cookie to remove the partition key then I believe that it will be saved globally?
Not sure but from what you described above that is what seems to be happening with your old 'kept' cookies that don't have a partition specified.

Quote

The cookies now displayed in the new format are duplicates of my previously saved cookies, but cleaning out the "new" versions does not affect logins or preferences.

Because your (not partitioned) old version is globally keeping them?

 

That is what I've been thinking. Maybe I should replace the "global" cookies I've saved with the site-specific versions? I'll have to experiment.

I hope the developers can sort this out!

[nukecad]

I'd say that it is not something for CCleaner to 'sort out.
It's just a case of us users getting used to the fact that Firefox is now saving more cookies (or multiple copies of the same cookies for different sites).

Firefox has just made the cookies more specific, so that any partitioned cookies/supercookies that you 'keep' will now be kept for that particular site and not for any other site.
Which makes sense from a security point of view.

As long as you keep the cookie you want for the site you want then there is no real difference to what you have always done in the past.

It's just that Firefox is storing more copies of cookies, with longer names specific to a certain website, so you have to look at more cookies to decide which is the one you want to keep and for which site.

There is nothing that CCleaner can do about how many (copies of) cookies Firefox now stores. - Other than cleaning them when you tell it to of course.

I would not be at all surprised if Chrome and other browsers start doing the same and partitioning cookies as soon as they can make the changes.

 

[tzdvl]

OK, I did a little experimenting this morning, and it seems that the " ^partitionkey=%28http%2...." versions of cookies do not function to save logins or website preferences.

I used the Amazon.com website for a trial.

I cleared out my Amazon cookies, visited the website, signed in, and set my preference for saving my browsing history. I then opened CCleaner, and I see four cookies:

 

After a few trials of having CCleaner save each of the individual cookies, one at a time, then cleaning the others, I found that having CCleaner save only the www.amazon.com^partitionkey+%28http%2camazon.com%29 cookie does NOT preserve my login or saved preferences.

The only cookie that preserves my login/preferences is the  amazon.com  version. Curiously, saving just the  www.amazon.com  cookie does NOT work.

So, out of the four trials, this is how I must use CCleaner's "Cookies to Keep" feature so that it works as it should:

 

If I then clean the remaining three cookies, the Amazon website opens with me signed in, and my preferences intact, as I would expect.

Interesting!

 

 

Edited February 8, 2021 by tzdvl

[nukecad]

Interesting indeed, thanks for trying it.

It's not something that I've played about with because I prefer to stay logged out of sites unless I'm actually using them.
Especially sites like Amazon that have my debit card details.
(I just see that as basic security, and it only takes seconds to log in again).

I suppose it would need deeper digging to find out just what is inside each cookie, or some trial and error like you have done there.

I'm not sure that CCleaner could come up with a 'recommended' list of cookies to keep for Firefox, there would just be too many variants,especially with this new partitioning.

[nukecad]

They have now done it for cookies as well as supercookies:
https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/