I'm the author of that add-on. Maybe I can add to the discussion by outlining my motivation for writing SDC. I'm currently in the process of compiling the results of an automated crawl of thousands of popular sites that I did last month. I think that every www user should be aware of this:
- The privacy model of browsers relies on the same-origin policy. The same-origin policy is in practice routinely circumvented by active identifier sharing. The difference between 1st party identifiers and 3rd party identifiers has become meaningless.
- Self-Destructing Cookies is a proof of concept for a model that actively derives the minimum set of identifiers that you need to browse the web at any given moment. This is a possible workaround for a world without the same-origin policy.
- Cache abuse is rampant. The cache must be considered a store of identifying tokens. If you use SDC, you should definitely enable the automatic cache cleaning. Set the timeout to 3 minutes or so. Remember that identifiers are frequently shared. It only takes a single party to identify you from something they put in your cache.
I simply turned off disk and memory caching in Firefox (details in link above) and have been running this way for nearly two years. Browsing the web with cache is not as efficient, but with my ~8Mbit Internet connection, practically, I don't really notice any difference.
To get around the tracking issues, ideally, browsers would cache content, but it would be keyed on the domain in the address bar as well as the URL of the content being cached. Also, content should be wiped from the cache when you leave the site it is linked to, i.e. there are no more tabs with the site open.
I am thinking that the RequestPolicy add-on would practically eliminate cache-based tracking by simply blocking all requests to unnecessary 3rd party sites. I would appreciate hearing your analysis of it.
RequestPolicy would help against this sort of attack when performed cross-site. However, there is still a leak if a site can identify that you're the same user they previously saw. RequestPolicy wouldn't help against this as it's not cross-site.
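The cache keying proposed earlier in the thread, and the same-site leak noted in the reply above, can be modelled in a few lines. This is an added example, not code from any poster, from SDC or from Firefox; the class, function names and `.example` domains are constructed for illustration.

```javascript
// Model of a cache keyed by (address-bar site, resource URL), with a site's
// partition wiped when its last tab closes. All names are illustrative.
class PartitionedCache {
  constructor() {
    this.partitions = new Map(); // top-level site -> Map(resource URL -> body)
    this.openTabs = new Map();   // top-level site -> number of open tabs
  }
  openTab(site) {
    this.openTabs.set(site, (this.openTabs.get(site) || 0) + 1);
  }
  closeTab(site) {
    const left = (this.openTabs.get(site) || 0) - 1;
    if (left > 0) { this.openTabs.set(site, left); return; }
    this.openTabs.delete(site);
    this.partitions.delete(site); // no tabs left: drop everything cached for this site
  }
  // Returns { body, hit }. fetchFn stands in for the network request.
  load(site, url, fetchFn) {
    if (!this.partitions.has(site)) this.partitions.set(site, new Map());
    const part = this.partitions.get(site);
    if (part.has(url)) return { body: part.get(url), hit: true };
    const body = fetchFn(url);
    part.set(url, body);
    return { body, hit: false };
  }
}

// Constructed tracker: every network fetch embeds a fresh token in the body,
// so a cache hit replays the old token and re-identifies the browser.
function makeTracker() {
  let n = 0;
  return () => `token-${++n}`;
}

function demo() {
  const cache = new PartitionedCache();
  const tracker = makeTracker();
  const url = "https://tracker.example/id.js";
  cache.openTab("news.example");
  cache.openTab("shop.example");
  const a1 = cache.load("news.example", url, tracker); // miss: new token
  const b1 = cache.load("shop.example", url, tracker); // miss: other partition, other token
  const a2 = cache.load("news.example", url, tracker); // hit: same-site replay while tab is open
  cache.closeTab("news.example");                      // last tab closed, partition wiped
  cache.openTab("news.example");
  const a3 = cache.load("news.example", url, tracker); // miss again: new token
  return { a1, b1, a2, a3 };
}
```

The `a2` hit is the same-site case: within one site's partition the cached token still identifies a returning visitor until the last tab closes.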