Exploiting the User

1
Exploiting the User
Privacy and Security Concerns with HTTP Cookies
Presentation by Robert Bobek
2
Introduction

• What are HTTP Cookies?
• We need some understanding of HTTP first!
• Hypertext Transfer Protocol (HTTP) is the
  communication protocol used to transfer data on
  the Internet.
• HTTP is a request /reply protocol
• Stateless Protocol!
• Breaks Web Applications!
• So, what are HTTP Cookies?
• Cookies have become and attractive solution to
  solve this problem
• Textual piece of information

3
HTTP Cookies First Party

• HTTP Cookies are either First Party or Third
  Party
• Web Applications use First-Party Cookies for many
  purposes
• User session tracking
• Personalization of profiles
• Auto-complete fields

4
Security Concerns

• Executing basic attacks on First Party Cookies
• Browser history fishing
• Cookie theft and data extraction
• Easily accomplished on
• Public terminals
• Single user-account OS configurations

5
Security Concerns

• Executing Advanced attacks on First Party Cookies
• Cookie Theft (packet sniffing)
• Cookie Poisoning
• Cross-Site Cooking
• Used to hijack sessions

6
HTTP Cookies Third Party

• Cookies sent by servers that are located outside
  the domain of the Web Site that the User was
  visiting.
• Companies such as DoubleClick raise privacy
  concerns!
• Use third party cookies
• Occurs without users attention

Bus. C ad loaded
Business A
Bus. B ad loaded
DoubleClick
Business C
Bus. A ad loaded
Business B
Bus. A ad loaded
7
CookiesCard

• Mobile Cookies Management on a Smart Card
  created by Alvin T.S. Chan
• Motivation
• General Security and Privacy problems
• Removing Machine-Cookie dependency
• Cookies held on Smart Card Technology
• Secured by PIN Authentication

8
CookiesCard Architecture

• Graphic Reference Alvin T.S Chan. "Mobile
  Cookies Management on a Smart Card".
  Communications of the ACM.
• November 2005/Vol.
  48, No. 11. Pages 38-43.

9
CookiesCard

• The CookiesCard is an effective solution but it
  is still suffering from minor drawbacks
• Smart Readers Technology not very popular
• Proxy must reside with the browser
• No Cookies Management Interface

10
CookiesCard 1.1

• The CookiesCard can be improved using the
  following suggestions
• Replace Smart Card Technology with USB Flash
  devices
• Affordable
• Popular
• Ultra-portable
• Running Proxy Server from USB Flash device
• Localhost left untouched
• Control Panel Interface created as a 3rd module
• Can be accessed through another listening port

11
CookiesCard 1.1 Architecture

• Cryptainer Mobile provides on the fly
  encryption/decryption technology on mobile
  devices
• Does not require installing device drivers on the
  host machine to decrypt
• Uses Blowfish encryption algorithm
• Free Download!

• Graphic Reference Alvin T.S Chan. "Mobile
  Cookies Management on a Smart Card".
  Communications of the ACM.
• November 2005/Vol.
  48, No. 11. Pages 38-43. (modified by Rob Bobek)

12
Conclusion

• CookiesCard 1.1better but not perfect!

13
References

• David M. Kristol. "HTTP Cookies Standards,
  Privacy, and Politics". ACM Transactions on
  Internet Technology. November 2001/Vol. 1, No. 2.
  Pages 151-198.
• Alvin T.S Chan. "Mobile Cookies Management on a
  Smart Card". Communications of the ACM. November
  2005/Vol. 48, No. 11. Pages 38-43.
• The Cookie Controversy Cookies and Internet
  Privacy. http//www.cookiecentral.com/ccstory/cc3
  .htm
• Wikipedia on HTTP Cookie
• http//en.wikipedia.org/wiki/HTTP_cookieDrawbac
  ks_of_cookies
• CookieCentral
• http//www.cookiecentral.com
• Cryptainer Mobile can be downloaded at
• http//www.cypherix.com/cryptainerle/

14
Questions?