Web Cookies

1
Web Cookies
2
Sources

• Most of the content for this presentation came
  from these Web sites
• http//www.cookiecentral.com
• http//www.techtv.com/screensavers/print/0,23102,3
  317313,00.html
• http//www.techtv.com/screensavers/twistedlist/sto
  ry/0,24330,3366496,00.html

3
Cookie Definition

• Cookies are pieces of information generated by a
  Web server and stored in the user's computer,
  ready for future access.
• Cookies are embedded in the HTML information
  flowing back and forth between the user's
  computer and the servers.
• Cookies were implemented to allow user-side
  customization of Web information. For example,
  cookies are used to personalize Web search
  engines, to allow users to participate in
  WWW-wide contests (but only once!), and to store
  shopping lists of items a user has selected while
  browsing through a virtual shopping mall.

4
Definition (cont.)

• Essentially, cookies make use of user-specific
  information transmitted by the Web server onto
  the user's computer so that the information might
  be available for later access by itself or other
  servers.
• In most cases, not only does the storage of
  personal information into a cookie go unnoticed,
  so does access to it.
• Web servers automatically gain access to relevant
  cookies whenever the user establishes a
  connection to them, usually in the form of Web
  requests.

5
Two Stage Process

• First the cookie is stored in the user's computer
  without their consent or knowledge.
• For example, with customizable Web search engines
  like My Yahoo!, a user selects categories of
  interest from the Web page. The Web server then
  creates a specific cookie, which is essentially a
  tagged string of text containing the user's
  preferences, and it transmits this cookie to the
  user's computer.
• The user's Web browser, if cookie-savvy, receives
  the cookie and stores it in a special file called
  a cookie list.
• This happens without any notification or user
  consent. As a result, personal information (in
  this case the user's category preferences) is
  formatted by the Web server, transmitted, and
  saved by the user's computer.

6
Two Stage Process (cont.)

• During the second stage, the cookie is
  clandestinely and automatically transferred from
  the user's machine to a Web server.
• Whenever a user directs her Web browser to
  display a certain Web page from the server, the
  browser will, without the user's knowledge,
  transmit the cookie containing personal
  information to the Web server.

7
Virus Danger?

• A normal text based cookie cannot be of any
  danger to your computer or spread any viruses.
• Whether or not other cookies can be dangerous or
  spread viruses has to do with whether or not a
  file is "executable," meaning if it's a program
  rather than data.
• UNIX files, for instance, have some combination
  of the properties "readable," "writable" and
  "executable." The executable property is
  necessary to enable a program in a file to do
  something.

8
Virus Danger? (cont)

• If a cookie is not stored in an executable format
  for that platform, it cannot do something hostile
• In general Cookies are stored as text files and
  cannot be of danger or pass on viruses.
• Basically cookies cannot harm your computer.
• The general controversy is not what cookies can
  do to your computer, but what information they
  can store, and what they can pass on to servers,
  there is currently a new proposal to limit the
  features of the cookie protocol, which would give
  people a greater control over what cookies they
  can accept and from where.

9
Cookies How They Work

• The Internet is predominantly built on a
  technology called HTTP.
• HTTP doesn't hold any notion of "state" between
  the browser and the server application.
• Therefore, when writing applications for the Web,
  developers need to pass a token between the
  browser and the client.
• This is how the "cookie" was born.

10
Cookies How They Work (cont.)

• Cookies come in two forms, persistent and
  nonpersistent.
• Persistent cookies stay with your browser even
  after you've exited it. The next time you open
  your browser and access the website that placed
  the cookie on your browser, it will find the
  cookie still there.
• Nonpersistent cookies, as their name suggests, do
  not stay around after you exit your browser.

11
Cookie Contents

• The information stored in a cookie allows the
  browser to know which Web servers to send the
  cookie back to.
• The cookie also includes the payload, as well as
  information about when the cookie is valid.
• Normally, a site will encrypt the information
  contained in the cookie. When you ask a website
  to save your user name and password, it will
  either take those values and encrypt them before
  storing them on the file system or create an
  encrypted token that takes the place of your
  login. In many cases, when you examine the cookie
  information you'll notice a long string of
  characters that most probably doesn't make any
  sense to you.

12
Cookie Contents (cont.)

• A TechTV.com cookie from that website
• .techtv.com TRUE / FALSE 1108418573 Visitor
  80c59448.484ec627.216.200.223.239.1013810251524
• The following slide has the different parts of
  the cookie and what they mean
• Domain (.techtv.com in this instance)The website
  that created the cookie, and the one that the Web
  browser will send it back to.
• Flag (TRUE)A flag that tells the Web browser
  whether all the machines within TechTV.com or
  only specific ones can get the cookie.
• Path (/)This is the URL's paths within
  TechTV.com that can receive the cookie. Setting /
  as the path tells the Web browser to send it to
  all requests to .techtv.com.
• Secure (FALSE)Tells the Web browser that the
  cookie can be sent over HTTP instead of a secure
  HTTPS connection.
• Expiration (1108418573)Number of seconds from
  January 1, 1970, when this cookie will expire.
• Value (Visitor 80c59448.484ec627.216.200.223.239.1
  013810251524)This is the actual value that the
  TechTV.com Web server wants back when it receives
  the cookie. Just looking at it tells us that it's
  most likely using this to track repeat visitors.
  The site has assigned me a visitor number that it
  will use to look me up in some database of repeat
  visitors.

13
Cookie Contents (cont.)

• Domain (.techtv.com in this instance)The website
  that created the cookie, and the one that the Web
  browser will send it back to.
• Flag (TRUE) - A flag that tells the Web browser
  whether all the machines within TechTV.com or
  only specific ones can get the cookie.
• Path (/) - his is the URL's paths within
  TechTV.com that can receive the cookie. Setting /
  as the path tells the Web browser to send it to
  all requests to .techtv.com.

14
Cookie Contents (cont.)

• Secure (FALSE) - Tells the Web browser that the
  cookie can be sent over HTTP instead of a secure
  HTTPS connection.
• Expiration (1108418573) - Number of seconds from
  January 1, 1970, when this cookie will expire.
• Value (Visitor - 80c59448.484ec627.216.200.223.23
  9.1013810251524)
• This is the actual value that the TechTV.com Web
  server wants back when it receives the cookie.
  Just looking at it tells us that it's most likely
  using this to track repeat visitors. The site has
  assigned me a visitor number that it will use to
  look me up in some database of repeat visitors.

15
Managing Cookies

• Use this link to examine the options below.
• Strategies
• Manually delete cookies from your system
• Set your browser's security to warn you about
  cookies
• Download a cookie killer
• Surf anonymously
• Ignore them

16
Cookie Buster Programs

• Burnt Cookies (for Internet Explorer on Windows
  platform).
• Cookie Cruncher (Windows).
• Cookie Crusher (Windows).
• Cookie Cutter 1.0 (for Netscape on Macintosh
  platform). Direct download.
• Cookie Jar (UNIX).
• MagicCookie Monster (for Netscape on Macintosh
  platform).
• Spy Blocker.

http//www.epic.org/privacy/tools.html