Cookies set by the Safe Browsing servers to
protect the service from abuse are stored in
a separate cookie jar so that they are not
mixed with regular browsing/session cookies.
And how are these cookies cleared? Seems like as soon as some sort of ID appears in one of these cookies, XKeyScore will track your every (physical) move with it even if you take care to delete all your regular cookies and don't browse the same sites on different networks. Why does this protocol even allow for cookies to be set at all in the first place?
> Why does this protocol even allow for cookies to be set at all in the first place?
The answer is right there in the sentence you quoted: "to protect the service from abuse". How that's supposed to work (i.e. how cookies are supposed to protect against abuse) is another question.
They are cleared the same way as normal cookies: they are visible in the cookie manager where they can be manually deleted, and they are generally included in all of the other cookie-clearing mechanisms.
By default, doesn't firefox query OCSP responder for every TLS connection (unless the server offers OCSP stapling [1]) ? The privacy implications are pretty similar to Safe Browsing.
Not quite.
In the case of OCSP, in the absence of OCSP stapling, all TLS connections are verified with an external server(s).
In that case of SafeBrowsing however, as noted in the article, for those URLs whose hash prefix doesn't match one of the hashes on one of the blacklists, the browser doesn't contact any other server.
Only when there's a partial match does the browser ask for a full hash from the SafeBrowsing server.
"Safe browsing" is one of the first things I turn off when installing a new profile in a browser. I personally dislike any commercial service turned on by default in my software that continually and without my consent pings back to some place on the net - using my real IP address and leaking anything remotely related to destination addresses. And cookies?
I think there should be better ways of protection than trusting such a service anyway.