< In Defence of Vulnerability Researchers | Password Strength Checker & Generator >
This problem was mostly easy to solve by blocking third-party cookies, i.e. cookies for domains other than the page you are on. Things got a bit self-moderating too when the Network Advertising Initiative's members decided to push for tracking opt-out. This spawned tools like the Targeted Advertising Cookie Opt-Out which let's you opt-out of all the advertisers you can (currently at 90). There's problems with both of those options, but they at least provide mostly n00b-proof privacy. For the slightly less n00by Firefox add-ons like CookieSafe provide default-deny with one-click enable capabilities to drastically reduce the number of cookies you find in your jar.
The problem came in with providers who try and rule the world, while providing services I want to use. The most obvious of these is Google. When I first started using Gmail, I realised that Google forced you to accept a cookie from google.com to use the service, and you couldn't just accept cookies for mail.google.com. What's more, Google's code, either in the form of AdWords or Analytics is embedded on most of the internet, and I use several of their other services like Search & YouTube. This means that I have to accept their root, long expiring cookie and have my browser regularly send it to Google associated to my Google account identifying nearly every page I'm on.
My solution to this problem was previous in two parts. The first was to make sure than any "logged on" interactions I had with Google were in a separate Firefox profile. This ensures that the necessary google.com cookie set there would be isolated from my usual surfing. The second part was to limit my direct use of Google services. This lead me to Scroogle, a privacy enhancing Google scraper; and GoogleSharing.net, Moxie's identity randomizer for Google services. That meant that I could happily never have a google.com cookie set in my main browser, except in a isolated Firefox profile.
However, recently, the next challenge for the internet has created a new problem, Facebook. Facebook's recent salvo to rule the internet has lead to a plethora of sites embedding Facebook scripts in their pages for their like buttons. This means I am faced with the same problem as Google, a site I regularly log-in to, which sets a cookie strongly associated to my identity, and is regularly sent to the provider as I surf the internet. Initially, I just added Facebook to my isolated Firefox profile. However, this is where I discovered Stainless.app
Stainless.app is a very simple web-browser build off WebKit. Their key feature, is that they take Google's Chrome browser's per-tab process+sandbox a bit further providing per-tab sessions. What this means is that each tab (or sub-tabs you choose to spawn from it) is a self-contained session, and a cookie for google.com or facebook.com set in the one tab, would not be available to the next tab. This provides a per-default session isolation, preventing cookies from existing across a browser session, and not just cookies, sessions. Thus, if I were to log in to Facebook and have a cookie set for facebook.com, navigating to memeburn's website will mean the included "like" button's script won't be able to query that cookie, and will set a whole new one.
What's more, is that this buys you some security too, and has the potential to kill authenticated CSRF as an attack vector (by itself, but "please log in" style CSRF's would still work), because the tab you open up the CSRF attack in, wouldn't have access to your logged in session in another tab.
To enable this, you will need to install Stainless.app (OSX currently), then set Preferences -> Security -> "Create new single session tabs by default", and restart the browser.
Unfortunately, in using Stainless, I loose the ability to block third-party cookies entirely (they are still set, just per tab), the ability to block ads with AdBlock Plus and the extra security afforded by NoScript. The first isn't a big problem, given the built in isolation, the second can be somewhat recreated with Squid(or SquidMan for OSX)+SquidGuardian+Easylist, and the third, we'll just have to wait.
In short, this means I can consolidate into one default browser profile for by usual browsing, but I'll still need Firefox for anything else.