[Gnash-dev] Flash cookies and GNU Gnash


From: John Gilmore
Subject: [Gnash-dev] Flash cookies and GNU Gnash
Date: Fri, 14 Aug 2009 13:57:15 -0700

Hi Ryan,  (cc gnash developers)

That was a great article on Flash cookies and the Berkeley research.
Here's more information we've learned while reimplementing Flash from
scratch for the GNU project.

At the Gnash project (the free re-implementation of the proprietary
Adobe Flash player) we offer an easy option to disable the writing of
.SOL files (flash cookies).  While playing any flash file, just do a
right-click, and pick Edit -> Preferences.  Pick the Security tab, and
click on "Do not write Shared object files".

It's not the default, unfortunately.  Perhaps when we tried making
those cookies non-writeable, too many web sites stopped working.  Since
Gnash is free software, we or anyone can improve it, anytime we want.
(By contrast, Adobe Flash evolves only to meet the needs of its
corporate masters.  This is why gnash lets you save audio and video
files as they play, while Adobe Flash doesn't.)  Maybe adding an
option to "Delete all Shared Object files (flash cookies) on exit", or
"Only keep Shared Object files in temporary RAM" would protect users,
while not breaking the web sites that attempt to sneak up on them.

We mention "flash cookies" once in our documentation, but we should
use that term throughout the doc and the program, now that it's become
the publicly accepted term.

Gnash also provides a "soldumper" command-line program that can decode
what's inside those .SOL files.  It works on .SOL files created by
Adobe Flash as well as those created by Gnash.  Example:

$ soldumper $HOME/.gnash/SharedObjects/www.hulu.com/BeaconService.sol
Will use "/home/home/gnu/.gnash/SharedObjects/www.hulu.com/BeaconService.sol" for sol files location
SOL file "/home/home/gnu/.gnash/SharedObjects/www.hulu.com/BeaconService.sol" read in
Dumping SOL file
The file name is: /home/home/gnu/.gnash/SharedObjects/www.hulu.com/BeaconService.sol
The size of the file is: 85
The name of the object is: BeaconService
computerguid: 88AC0B3C6655B76D35C09815E69328CA

Many such .SOL files appear to be empty (i.e. they are 30 or 40 bytes,
but have no objects in them).

Some web sites store these files deep in subdirectories.  Here are all
the ones I currently happen to have:

address@hidden:~$ find .gnash/SharedObjects/ -type f 
.gnash/SharedObjects/s.ytimg.com/yt/swf/watch-vfl78056.swf/InVideoAdsUserSettings.sol
.gnash/SharedObjects/s.ytimg.com/soundData.sol
.gnash/SharedObjects/s.ytimg.com/videostats.sol
.gnash/SharedObjects/s.ytimg.com/restore.sol
.gnash/SharedObjects/us.js2.yimg.com/us.js.yimg.com/lib/fi/200902050845/us/swf/yfcv3/flashchart.swf/chartdata.sol
.gnash/SharedObjects/www.hulu.com/player.swf/NewSitePlayer.sol
.gnash/SharedObjects/www.hulu.com/player.swf/Lightningcast.sol
.gnash/SharedObjects/www.hulu.com/BeaconService.sol
.gnash/SharedObjects/www.youtube.com/soundData.sol
.gnash/SharedObjects/www.youtube.com/videostats.sol

Note how YouTube is sneakily storing a few under "www.youtube.com" but
has twice as many in the less visible "s.ytimg.com" (YouTube Images.com).

I'm shocked that I have this many.  I'd thought gnash was protecting me
from them.

"soldumper -l" is supposed to list all the cookies (like the above), but it
doesn't actually work in the current release.

I use NoScript and have seldom or never allowed "addthis.com" to run
JavaScript in my browser.  Now that I know what it is, I'll be sure to
add it to the Untrusted list (along with google.com and
googlesyndication.com).

I run Gnash as my only flash player.  It plays YouTube and many other
sites without trouble.  It has trouble with Google Video and other web
sites that require the newest versions of Flash.  I recommend it for
people who believe strongly in free software.  I don't yet recommend
it as a replacement for Adobe Flash by the general public -- but
we get closer with every release.

        John
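
An added example, not part of the original message and not Gnash's soldumper code: a small Python reader for AMF0-encoded .SOL files plus a directory audit, run on a constructed file that mirrors the soldumper output quoted in the message. The byte layout is an assumption taken from public descriptions of the format (it does reproduce the 85-byte size reported above), and the names parse_sol, build_sample and audit are hypothetical.

```python
import struct
from pathlib import Path

def _lstr(data, pos):  # 2-byte big-endian length, then UTF-8 bytes
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def parse_sol(data: bytes):
    """Return (object_name, {property: value}) for an AMF0-encoded SOL file."""
    if data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise ValueError("not a SOL file")
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        raise ValueError("length field does not match file size")
    name, pos = _lstr(data, 16)  # 16 = magic(2) + length(4) + "TCSO"(4) + 6 fixed
    if struct.unpack_from(">I", data, pos)[0] != 0:
        raise ValueError("AMF3 body not handled here")
    pos, props = pos + 4, {}
    while pos < len(data):
        key, pos = _lstr(data, pos)
        marker, pos = data[pos], pos + 1
        if marker == 0x00:    # number: 8-byte big-endian double
            props[key], pos = struct.unpack_from(">d", data, pos)[0], pos + 8
        elif marker == 0x01:  # boolean: 1 byte
            props[key], pos = data[pos] != 0, pos + 1
        elif marker == 0x02:  # string
            props[key], pos = _lstr(data, pos)
        else:                 # length unknown, so stop rather than guess
            props[key] = "<unparsed AMF0 type 0x%02x>" % marker
            break
        pos += 1              # pad byte after each property
    return name, props

def build_sample() -> bytes:
    """Constructed file mirroring the soldumper output quoted in the message."""
    name, key, val = b"BeaconService", b"computerguid", b"88AC0B3C6655B76D35C09815E69328CA"
    body = (b"TCSO\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(name)) + name
            + b"\x00\x00\x00\x00" + struct.pack(">H", len(key)) + key
            + b"\x02" + struct.pack(">H", len(val)) + val + b"\x00")
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body

def audit(root):
    """Return [(relative_path, object_name, props)] for every .sol under root."""
    rows = []
    for path in sorted(Path(root).rglob("*.sol")):
        try:
            name, props = parse_sol(path.read_bytes())
        except (ValueError, struct.error, IndexError) as exc:
            name, props = None, {"<error>": str(exc)}
        rows.append((path.relative_to(root).as_posix(), name, props))
    return rows
```

Calling audit() on a SharedObjects directory gives one row per stored object; a row with an empty property dict corresponds to the "empty" 30 to 40 byte files mentioned in the message.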



