-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All, This is rather a long article, so feel free to skip to the summary at the end if you just want the 'bottom line'! [Note that the discussion below assumes you have the latest version, or patch level, of your Web browser] In recent weeks, there have been a few occasions where someone has raised the subject of Web browser cookies with me, and the range of emotions (yes, believe it or not, emotions) caused by these tiny little text files have amazed me, including: * Physical fear that they are being used to track whereabouts or hand over personal information, in some cases leading to people not using the Web at all for fear of identity theft or worse [The definition of 'personal information' may be a topic for another time - do you consider your IP address to be 'personal information'? Your e-mail address? The unique ID allocated to you for a period of 20 minutes while you browse a Web site?] * Milder concern along the same lines, usually leading to a blanket 'Block All Cookies' approach * Total disregard for cookies, whether they are being set, referenced or whatever, leading to a blanket 'Allow All Cookies' approach [I am, for now, going to avoid the topic of 'browser information' in general, another area which fills some users with dread - are you worried that a Web site knows your IP address? Whether you have JavaScript enabled? Your screen dimensions? Where you just came from? Again, that's a topic for later - if I don't get too busy, I hope this will become a series of articles!] It has been very rare indeed for me to hold a discussion with someone that understands the technology and issues in any depth, and so I hope this article will serve as a 'backgrounder' so you can: a) Make an informed decision about your attitude towards cookies in general b) Make changes to your browser settings to allay your fears or improve your protection c) Use the technology to your advantage - many Web sites use cookies to great effect I'm sure you will all have come across a site which says: "You must have cookies enabled to use this site/service" This kind of message is not terribly helpful, as it doesn't tell you what kind of cookie will be used, how long it will last, what information it will contain and so forth. Let's begin with: Cookie Persistence ================== There are, essentially, two kinds of cookie: * Session cookies, which only last for your browser session (i.e. they are deleted once you close your browser, navigate away from the site, sit inactive for a certain time, etc.) * Persistent cookies - these are set by the server to stay on your machine until their expiry (which is also set by the server - they could last an hour, a week, a day, a year, or even expire immediately, essentially turning them into session cookies) Here's a typical session cookie: Name: ASPSESSIONIDXXXXXXXX (where XXXXXXXX is a random string of characters) Domain: www.whatever.com Path: / Expires: End of session Value: [Another random string of characters] Note that I didn't obtain this information from a text file on my machine - this is a session cookie, and so it is simply stored in memory by the browser process. As it's due to be deleted when the browser closes (or before), there's no point storing it anywhere. So what does it all mean? The server is identifying your browser session so that, in the event that the server needs to store information for you in memory, it can do so without: a) Giving it out by accident to a different user on the site b) Losing the information you may have spent the entire session building up When looking at, for example, shopping cart applications, use of session cookies is common, if not almost essential (there are alternative solutions which do not use cookies, but they require some complex coding and are less reliable). Now, the important question - does a session cookie invade my privacy? The answer is no. Absolutely not. Here's why: * The server has not stored anything about you - it couldn't, because you haven't given it anything in the first place! * The cookie does not survive after closing your browser * The information within the cookie is gibberish to anyone/anything except the server that set it [I will discuss the options for allowing/denying cookies of all kinds in modern browsers later] And so on to the second type of cookie - persistent. It is this kind of cookie which has caused most of the over-hyped furore in the past. The media have had great fun over the years, causing people to fear the worst when a Web site presents their browser with a cookie. Indeed, even those clever bods in the European Parliament have only recently been discussing a proposal to ban *all* cookies - the last time I looked at the proposed Directive, I don't recall there being any distinction between session and persistent cookies. I hope the legislation has either been altered or withdrawn - if it went through with no distinction, it could cost industry a fortune, as a large number of serious Web applications would have to be rewritten, by very expensive developers! Here's a typical persistent cookie: Name: id Domain: fumbleclick.net Path: / Expires: Wed, Mar 01 2006 17:13:03 Data: [Random string of characters] Compact Policy: [Long string of special characters] Now, we see a cookie being set to 'live' for 3 years. Looking at the content, it might seem rather similar to the session cookie we looked at earlier - a bunch of random characters that don't mean anything except to the server that set it. True enough, but remember this one doesn't go away when the browser closes. When you visit the same Web site again, the server is given the cookie you allowed to be set. Does this invade your privacy? Not exactly - all your browser is doing is giving the server back the same gibberish it gave you in the first place. But it *is* now able to identify you as a previous visitor. Now we start getting into the tricky area of privacy - the server can identify you as having visited before, and can recall any information you gave it last time. All fair enough, and may add to your overall experience (allowing the server not to present you with news stories you've read, give you back your customised colours, etc.). If you're in the habit of scrutinising persistent cookie contents, I'm sure you'd agree that the server hasn't done anything to invade your privacy - in fact, it's helped you, as you haven't had to log in, use the same IP address or anything... The problems come about when we start looking at cookies set by banner advertising and other commonly-used Web page insertions (such as 1x1-pixel graphics, referred to as 'Web Bugs', and used for statistical usage analysis). Say, for example (!), there was a single organisation providing dynamic banner ads for lots of Web sites, or providing usage analysis for the same. That organisation would be in the unique position of being able to track Internet usage for individuals, albeit anonymous individuals. The sticky bit comes when we consider this imaginary organisation forging relationships with other organisations, for example advertising agencies, and agreeing to share data. It is feasible that this 'anonymous' usage information could quickly be tied to real data about individuals. So, perhaps personal privacy is being invaded right now? Well, it's possible, but unlikely - there are far more effective mechanisms for organisations to gather information on individuals than examining cookies - the amount of personal information you can retrieve from a cookie is very limited, as any site or organisation that started storing very personal information in cookies would rapidly be drummed off the Internet! However, that argument will continue - are organisations like 'fumbleclick.net' creating enormous databases of user information and integrating them with those of credit card agencies, government departments, service organisations, etc.? Somehow I doubt it - if there exists an organisation that well organised, technically competent, ethically twisted and expert in subterfuge, I would be amazed! Conspiracy theories and evidence are mutually exclusive ;o) I'm not saying that cookies are harmless - they *can* be used to track you, but only to a limited extent, given that browsers are designed to never present a cookie from one server to a different one. Looking at the fumbleclick.net example above, if blackhats.com asked for the fumbleclick.net 'id' cookie, the browser would not give it to them (note that there have been a few issues on this front in the past, hence my mention at the beginning of running the latest version of your browser). Good Cookies? ============= Let's take a quick look at how a persistent cookie can be beneficial, so that we can counteract the negatives of the previous example. One well-known forum (discussion) application used on many Web sites stores a persistent cookie with your username and password in it, but in strongly-encrypted format. If you are the only user on your machine, allowing this cookie (you don't have to) is extremely beneficial, as after registration with the system, your password is never sent in plain-text (readable) format across the Internet - only the encrypted version is ever sent. If you did not accept the cookie (and you shouldn't if you aren't the only user on your machine), you would be sending this sensitive information in readable format across the Internet every time you logged on. Browser Settings ================ Having looked at the types of cookies and the types of information they may hold, the next obvious question is how to set your browser to accept/deny in a reasonable way - you don't want to lose the benefits of session and 'good' cookies, but you do want to reduce the risk of persistent cookies you are uncertain about. The way I have mine set up is: * Always allow session cookies * Prompt when presented with first-party cookies (I then examine them) * Deny third-party cookies (this covers situations such as fumbleclick.net, above, where cookies are set by embedded content in Web sites) How you do this in your specific browser will (obviously!) vary. If you have problems finding the right incantation, drop me a line and I'll see what I can do... If you are very concerned about the cookies you may already have on your machine, there's no reason why you can't just delete them. Their location will vary from system to system, and many browsers offer you the function in their Options dialogs anyway. Always remember that cookies are just small text files, and that you, as the user of a machine, have total control over them. They are not malicious little bits of software that will jump up and pass your credit card details to any dodgy Web site that asks for them. Neither are they little databases for all your personal information (note my comment earlier on the definition of 'personal information') ready for someone to access just by sending you a URL via e-mail. There is commercial and free software out there to block and clean all manner of things from your machine (in this case, what might be referred to as 'SpyWare'), but I wouldn't recommend them for any user - - - most software of this kind will produce a huge list of potential issues, and deleting all of the offending files could seriously corrupt your system! If you would like some recommendations, please feel free to drop me a line. Summary ======= * Session cookies can safely be allowed * Not all persistent cookies are bad * Modern browsers give you total control over the cookies you accept or are asked about * Many aspects of this 'issue' have been over-hyped - believe it or not, there is no huge international data-gathering organisation examining your cookies while you browse - ----------------------------------------- Until next time, enjoy your cookies... Yum ;o) - -- Peter SJF Bance CEng MBCS CESG and BCS Listed Security Adviser http://www.minstrel.org.uk/ -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQIVAwUBP684Ab4wsfF3G+5LAQJrKg//dMheYCpe5FrLZgOV0+dLnHqowZqlcxMn 4nG96jLWPR8Ilk3VEin7P0KjpzX9HDFXoxOKtSXsKGelgipQNztooEa9yYiEGztW J8oZz+8A/yHZoubFUcbvjaCd+2vMEAZq0EThG1PaOW6Cdx2MPSXsgdpKrAV7MTW2 TWM9yrlmKbBrKWIybn+1bhxHiJ+IUbTZ+Moxi+6pfHJ17yfWUFdnROyr5gHq5zcy z9fN0vEcrgHlZ68paRQQcR8gOh4wFAyD/jpF2+Qtho2uPqmrJZorb1Fn3j0BlAPJ 1Hy/XlrJgMuBAUhmHmIS2AEw6P9vDHa1HvRvKehY94MO66lf4pshDpZbY/jBY1k/ CslXAMDwOaHLNvLF5vgfx1dywlcvxjOKnZ4SGP/g9XRwHl0em2A49nXQA5nMnGoc lzHYL4VCFvHqoH0h6quHzH6wLZJmuGJCu9JfxI6ykeG0zR10skO5GKr3Xbs5Pfvt 5X07tu62Q/FOYGFqucb9K61bU0RneO/KaXP4nzrQtQz80DxMkdVSEgEtseggwx/z tLZTwVzmI4RPCEyQQzxilq4/MO0zMRPu1hf/trYdQb+46EFTgux3Ey7KsBmoGXJ0 sEr8bPCZsCf06sV3zzwyfZbCC20JYo/HUAtT7o5l4AzOgzWyxXZrbTsFV+DAPC/m bHtguYb9iGk= =z1D9 -----END PGP SIGNATURE-----