<https://boingboing.net/2018/08/16/who-left-open-the-cookie-jar.html> Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies <https://wholeftopenthecookiejar.eu/static/tpc-paper.pdf> won the Distinguished Paper prize at this year's Usenix Security Conference; its authors, researchers at Belgium's Catholic University in Leuven, revealed a host of devastating, never-seen tracking techniques for identifying web-users who were using privacy tools supplied by browser-vendors and third-party tracking-blocking tools. The techniques the KU Leuven team identified allowed them to track users across sites by means of the Appcache API; "lesser-known HTML tags"; the Location response-header; various <meta> redirects; Javascript in PDF tables, Javascript's location.href property; and through service workers. These techniques bypassed the stock browser privacy protections, including the latest, most extensive privacy settings in Firefox; they also worked against popular cookie-blocking/ad-blocking/script-blocking browser extensions. The good news is that the researchers found no evidence of these techniques being exploited in the wild and they tipped off the browser vendors before going public, which means that we can hope that future browsers will be better equipped to defend against these tactics. The bad news is that until then, we're all vulnerable to unscrupulous websites using these tactics to track us everywhere. Here's the researchers' catalog of exploits <https://wholeftopenthecookiejar.eu/> with suggested countermeasures. [...]