Cookies

From SI410

Cookies are text files that a website sends to a user's browser when the user visits the site.[1] They let websites store user information on the user's hard disk so that the information is more quickly accessible between sessions on the website and the server has less data to store and process.[2] Cookies identify a user through a name-value pair and are assigned an expiry time after which they are discarded.[3] A user can be notified when a website is using cookies, or can choose a browser setting that prevents cookies from being set. The tracking of cookies raises ethical concerns such as user privacy and the ability of parties using cookies to see what sites the user has previously visited.[2]

[Image: Example of a cookie]

Setup of a Cookie

Cookies are set using a name-value pair. For example, here is a sample cookie set by goto.com:

UserID      A9A3BECE0563982D

In this case, "UserID" is the "name" part of the name-value pair and "A9A3BECE0563982D" is the "value".[3] A cookie also contains a domain, which is the website that issued the cookie. The domain lets the browser send the right cookies as a user browses a site, and prevents websites from viewing cookies belonging to another domain. A path value is also stored, specifying which pages within the website the cookie should be sent to.
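As an added illustration (not code from the original page), the following Python parses a Set-Cookie header in the goto.com style shown above, keeps the domain, path and expiry attributes just described, and applies the rules a browser uses to decide whether to send the cookie with a request; it also separates session cookies from persistent ones, as in the Types section below. It assumes a fixed clock (NOW) and handles only the Max-Age form of expiry, not the older Expires date.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock so the example is reproducible


def parse_set_cookie(header, issuing_host, now):
    """Split a Set-Cookie value into name, value and attributes (Max-Age only, no Expires)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "path": "/",
              "domain": issuing_host.lower(), "host_only": True,
              "expires": None, "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie["domain"], cookie["host_only"] = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "max-age":
            cookie["expires"] = now + timedelta(seconds=int(val))
        elif key in ("secure", "httponly"):
            cookie[key] = True
    return cookie


def is_session_cookie(cookie):
    """No expiry means the cookie is discarded when the browser closes."""
    return cookie["expires"] is None


def would_send(cookie, url, now):
    """Apply the expiry, Secure, domain and path rules for a request to `url`."""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path or "/"
    if cookie["expires"] is not None and cookie["expires"] <= now:
        return False                       # expired cookies are removed from the jar
    if cookie["secure"] and u.scheme != "https":
        return False                       # Secure cookies never travel over plain HTTP
    if cookie["host_only"]:
        domain_ok = host == cookie["domain"]      # no Domain attribute: exact host only
    else:
        domain_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    cp = cookie["path"]
    path_ok = path == cp or path.startswith(cp if cp.endswith("/") else cp + "/")
    return domain_ok and path_ok
```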

Uses

Cookies allow websites to maintain a user's preferences whenever the user logs in or visits the site, so that those preferences persist across future visits. For example, Facebook uses cookies to customize its advertisements, products, and features to a particular user while maintaining the user's privacy and other settings. After the user logs out, Facebook can alert the user if someone tries to access the same account or violates Facebook's policies.[4] Cookies can also be used in browser-based games so that a game can store a player's state and let the player return for more play. E-commerce sites use cookies as a "shopping cart": the server holds on to the items the user has picked out to purchase while they continue to shop for other items. Cookies thus shift some of the burden of information management to the client and the user's browser, rather than the e-commerce business using costly server-side operations to save all data. Without cookies, servers would have a difficult time retrieving the user's information.[2]

Types

Session Cookies

Session cookies, also called transient cookies, are temporarily stored on a person's computer while the user is browsing on the website. This allows the user to move from page to page on the site. The session cookie is deleted upon closing the browser and is not saved to a user's hard drive.

Persistent Cookies

Persistent cookies - also called permanent cookies or stored cookies - are not deleted when you leave a website. They allow the site to identify individual users repeatedly, and to keep track of and maintain a user's settings or preferences when the user logs out of the website and later logs back in.[5] A permanent cookie is given a specified time to live (TTL) before it expires, set by the website issuing the cookie. The cookie remains in the user's browser until it expires, allowing the user to be authenticated by the cookie instead of by their username and password.

First Party Cookies

First party cookies have the same domain as the site the user is currently browsing. For example, if a user is on Amazon.com, the cookie will have the same domain name: Amazon.com.

Third Party Cookies

Third party cookies have a domain different from the one in the user's address bar. For example, a user may be on Amazon.com, but the cookie could have a domain name other than Amazon.com. Third party cookies are the subject of debate when it comes to cookies and privacy. Browsers such as Firefox, Internet Explorer, and Google Chrome allow third-party cookies by default but give users the option to turn them off.[6]

Zombie Cookies

These are cookies that automatically recreate themselves after a user has deleted them.[3] They are stored outside the browser's allocated cookie storage, which allows them to persist after a user clears their cookies. They can be stored either online or on the user's computer, and because they do not behave like traditional cookies, they can attach to the browser even if the user has chosen not to allow cookies.[7] This type of cookie was first discovered at UC Berkeley when researchers found they could not delete cookies, as they kept returning.[8] These cookies are often installed and used by web traffic tracking companies, most often for marketing and research purposes. Because they keep tracking a user as they move from website to website, the cookie collects continuous data on the user's browsing patterns and can return it to the main tracking server. Commonly they are used to retain a user's site ID so that a website appears customized for the user, even one who deletes cookies regularly.[7]

Ethical Concerns

Cookies are not viruses, but there are concerns about privacy on the internet, especially with third party cookies. Cookies of this sort can track the data for other sites that a user browses, can allow other sites access to a user's information without the user visiting that site, and can give a user's information to another site without the user's knowledge or consent. Zombie cookies can track users across different browsers on the same computer because they are stored in places that are shared between browsers.[7]

This seems unethical because it limits the user's ability to say what they do and do not want collected about them, and because there is no benefit to the user while the companies that collect this information profit from the invasion of privacy. It also goes against the principles of anonymity and privacy in online activities. Even on sites that do not require a login, users are tracked and their "identity", albeit not their traditional name or other bio-physical attributes, is surveilled as it moves across sites.

Privacy

There is a concern that data about a user can be intercepted by a third party because the connection between the browser and the website is not encrypted. This would give the third party, possibly a malicious actor, access to sensitive cookie data including anything the user has entered into a website, for example when filling out a form online.[9]

With regard to privacy, a major ethical concern about third party cookies is their ability to track a user's most frequently visited websites and to store data and patterns about that user's activity across various web pages. These functions are often used by advertisers to watch what other sites and products the user is viewing. It is often advised to turn off cookies or to accept cookies only from trusted or frequently visited sites; within those sites, cookies help a frequent visitor by remembering their specific information for that site. Zombie cookies are also considered a privacy breach, as they can be stored right on the user's computer and are not removed when the user explicitly tries to delete them.[8] There is also concern that cookies give user data to other companies for advertising purposes: data on the number of items you buy, what brand you buy, the price ranges you have purchased within before for a product, and so on. Advertisers can use this data to market another product or brand they think the user might like. Some consider this a privacy breach because they do not want other companies to know their personal preferences without their consent.

Session Hijacking

Session hijacking is used to gain access to information or services that the attacker is not authorized to use. The attacker copies a user's session data and presents it to the receiving party, which is misled into believing that the attacker is the original user. The data obtained is then replayed and accepted as authentic on future requests.[10] Cookies and sessions are not encrypted, which makes it easier for attackers to access unauthorized information and services. There are many different ways to hijack a session. Once an attacker obtains the cookie information, they can monitor and trace a user's network traffic, which could contain sensitive information.[11]

Exploitation

Cookie pop-up

Users can opt to disable cookies for websites, but some functionality will then be disabled. Some websites alert users to cookie usage and require acceptance of cookies before the user can continue on the website. Users are often not made aware that a website is collecting cookies, because cookie policies are buried in the website's privacy policy.[12] Cookies collect behavioral data from each site a user visits through tracking, and these behaviors and trends curate specific ads as the user browses from site to site. This data can be sold to increase a website's new visitors and sales, but users are not made aware of this. There is no information transparency between websites and their users: users do not know how their data is collected, stored, and used when visiting new or old websites. Under the Privacy and Electronic Communications Regulations, users have the right to know when information is being stored and how it is being used, so this practice violates users' rights.[13]

Cookie tracking

Cookies that authenticate a user to a website such as Facebook can also be used to track that user's behavior on third-party websites. A third party website may contain images pulled from Facebook, such as the Like button. When the browser downloads the image, Facebook receives the user's cookie and associates the visit to that third party website with the user.[14] Facebook can identify the user without them clicking or interacting with the page; simply loading the page allows data collection. Browser extensions such as Ghostery[15] allow a user to block tracking technologies.
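To make this mechanism concrete, here is an added Python example (not code from the page or from any site it names) that simulates the browser's decision when a page on one site embeds an image from another: it reports whether the cookie belonging to the image's domain is attached to the request, and which defense, a third-party-cookie block of the kind Ghostery provides or the cookie's SameSite attribute, stops it. Hostnames are constructed, "site" is approximated as the last two host labels (no public-suffix list), and a cookie without SameSite is treated the legacy way, as sendable cross-site.

```python
from urllib.parse import urlsplit


def site_of(host):
    """Site a host belongs to. Assumption: its last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def request_context(top_level_url, resource_url):
    """'first-party' when the embedded resource comes from the page's own site."""
    top = site_of(urlsplit(top_level_url).hostname or "")
    res = site_of(urlsplit(resource_url).hostname or "")
    return "first-party" if top == res else "third-party"


def cookie_attached(cookie, top_level_url, resource_url, block_third_party=False):
    """Explain whether `cookie` rides along on a subresource request (image, like button).

    `cookie` is a dict with the issuing 'domain' and its 'samesite' attribute.
    Returns 'sent' or a 'blocked:<reason>' string.
    """
    host = (urlsplit(resource_url).hostname or "").lower()
    if not (host == cookie["domain"] or host.endswith("." + cookie["domain"])):
        return "blocked:domain"                  # cookie is scoped to another domain
    if request_context(top_level_url, resource_url) == "first-party":
        return "sent"                            # same site as the page: always attached
    if block_third_party:
        return "blocked:third-party-setting"     # browser setting or a tracker blocker
    # Only SameSite=None (or, in legacy browsers, no SameSite at all) lets a cookie
    # accompany a cross-site subresource request, which is what links the visit to the user.
    if cookie.get("samesite", "none").lower() == "none":
        return "sent"
    return "blocked:samesite"
```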

Airline prices

Consumers have long accused airlines of using internet cookies to price tickets unfairly. Robert Weiss, an attorney who published an article on how airlines exploit cookies to price gouge tickets, found that travel sites did use cookies to determine their ticket pricing. Bill McGee, a journalist with USA Today and researcher for Consumers Union, conducted an experiment to demonstrate this phenomenon. McGee searched one major travel site for a ticket from New York City to Sydney, Australia with two different browsers (one cleared of all cookies and one with a history of purchasing flights).[16] McGee found that the browser with no history offered fares ranging from $1,770 to $1,950, while the browser with a purchase history listed fares at $2,116.[16] This experiment showed how the use of cookies and other tracking information raises serious ethical issues about privacy and the use of stored information.[16]

Consumers have since adapted to practices like these from major online commerce sites. A common solution is simply to delete your cookie history. Another is to use Google Chrome's Incognito mode, which ensures that your browsing history, cookie storage, and other sensitive information are not kept.

Such behavior raises the debate over whether agencies and companies have the moral right to use user-specific data. Many situations are viewed on a case-by-case basis. For instance, the NSA has in the past used Google cookies to pinpoint targets to "hack" and surveil.[17] The NSA has found particular use in a Google-specific tracking technology called the "PREF" cookie, which contains a numeric code that allows the NSA to track an individual's browsing data.[17]

Vulnerabilities

Browser cookies give attackers the opportunity to steal private information about one's personal life, sensitive finances, and even identity. In September 2015, the US Computer Emergency Response Team (CERT) found a loophole in major browsers including Internet Explorer, Mozilla Firefox, and Apple Safari that allows remote attackers to essentially bypass the HTTPS protocol and reveal confidential data.[18] A website that uses cookies can be exploited through common vulnerabilities if it is not developed with common attacks in mind; an attacker can use attacks such as cross-site scripting and cookie poisoning.[19] To reduce the threat, the content of cookies can be encrypted. Additionally, evaluating the vulnerabilities through penetration testing can reduce the risk of an attack.
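The mitigations touched on here and in the Session Hijacking section can be shown concretely. The following Python is an added example, not code from the page or any cited source: it protects a cookie value with an HMAC signature (integrity protection, used here in place of the encryption the text mentions) so that a poisoned value is rejected, emits a Set-Cookie header carrying the Secure, HttpOnly and SameSite attributes that keep the cookie off plain HTTP, away from injected scripts and off cross-site requests, and audits an existing header for missing attributes. SERVER_KEY and the cookie names are constructed for the example.

```python
import hashlib
import hmac

# Constructed key for the example only; a real deployment loads it from a secret store.
SERVER_KEY = b"example-only-key-do-not-reuse"


def sign_value(value, key=SERVER_KEY):
    """Append an HMAC-SHA256 tag so any change to the value is detectable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(signed, key=SERVER_KEY):
    """Return the original value, or None if the cookie was altered (poisoned) or unsigned."""
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if value and hmac.compare_digest(tag, expected) else None


def set_cookie_header(name, value, max_age=3600):
    """Build a hardened Set-Cookie header: Secure (HTTPS only), HttpOnly (no script
    access), SameSite=Lax (not attached to cross-site requests), scoped to one path."""
    return (f"{name}={sign_value(value)}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def audit_set_cookie(header):
    """List the protections missing from an existing Set-Cookie header value."""
    attrs = {p.strip().split("=")[0].lower() for p in header.split(";")[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")       # sent in cleartext over HTTP, readable on the network
    if "httponly" not in attrs:
        missing.append("HttpOnly")     # readable by injected scripts (XSS)
    if "samesite" not in attrs:
        missing.append("SameSite")     # attached to cross-site requests
    return missing
```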

Laws Regarding Online Privacy

Europe

In 2002, the European Union adopted rules regarding the use of cookies. In particular, "the user is provided information about how this data is used" and given the opportunity to deny a website from storing their information. In 2009, the European Union amended this law to include giving "a user advanced written notice that a cookie is being placed on his or her device and describes what the cookie is doing" and "obtains the user’s consent to the placement of the cookie before placing the cookie on the user’s device". On May 26, 2011, the European Union set guidelines for websites about using cookies: in order for a site to keep cookies on a user's hard drive, the website must obtain the user's consent.[3][5][6][20]

United States

The website of the National Security Agency was caught putting cookies on users' computers that were capable of tracking their web activities.[21] There are currently no laws in the U.S. that directly target the use of cookies.

References

  1. Wikipedia: HTTP Cookie. http://en.wikipedia.org/wiki/HTTP_cookie
  2. What Are Cookies: Computer Cookies Explained. http://www.whatarecookies.com/
  3. How Stuff Works: "How Internet Cookies Work". http://computer.howstuffworks.com/cookie.htm
  4. Facebook: Cookies, Pixels, and Similar Technologies: "How Cookies Work". http://www.facebook.com/help/cookies/
  5. About Cookies: Frequently Asked Questions. http://www.aboutcookies.org/default.aspx?page=5
  6. Open Tracker: "Third-Party Cookies vs. First-Party Cookies". http://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies
  7. Wikipedia: Zombie Cookie. http://en.wikipedia.org/wiki/Zombie_cookie
  8. Helium: "Zombie Cookies: What zombie cookies are and how to delete them". http://www.helium.com/items/1905717-zombie-cookies-what-zombie-cookies-are-and-how-to-delete-them
  9. Cookie Central: Frequently Asked Questions. http://www.cookiecentral.com/n_cookie_faq.htm#sens_info
  10. "Cookie Hijacking: Learning through Replay Attack Examples!" TCS Cyber Security Community. securitycommunity.tcs.com/infosecsoapbox/articles/2017/01/05/cookie-hijacking-learning-through-replay-attack-examples
  11. Sivakorn, Suphannee, et al. "The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information." 2016 IEEE Symposium on Security and Privacy (SP), 2016. doi:10.1109/sp.2016.49
  12. Jegatheesan, Sowmyan. "Cookies Invading Our Privacy for Marketing Advertising and Security Issues."
  13. Jegatheesan, Sowmyan. "Cookies Invading Our Privacy for Marketing Advertising and Security Issues."
  14. Rottgen, Charlotte. "Like or Dislike - Web Tracking." October 18, 2017. [link.springer.com]
  15. Ghostery home page: faster, safer, and smarter browsing. [ghostery.com]
  16. McGee, Bill. "Airfare Expert: Do cookies really raise airfares?" USA Today, April 30, 2013. http://www.usatoday.com/story/travel/columnist/seaney/2013/04/30/airfare-expert-do-cookies-really-raise-airfares/2121981/
  17. Soltani, Ashkan. "NSA uses Google cookies to pinpoint targets for hacking." The Washington Post, December 10, 2013.
  18. Khandelwar, Swati. "Exploiting Browser Cookies to Bypass HTTPS and Steal Private Information." The Hacker News, September 25, 2015.
  19. Sarma, Surajit. "A study on Common Web Based Hacking and Preventive Measure." July 2017. [ijsrcseit.com]
  20. Open Tracker. http://www.opentracker.net/
  21. Dummies: "Defining and Dealing with Web Cookies". http://www.dummies.com/how-to/content/defining-and-dealing-with-web-cookies.html