Cookies
Cookies
Client/Server Audit: One Bite At A Time
Configuring Cisco Denial of Service Security Features - Part 1
Configuring Cisco Denial of Service Security Features - Part 2
Configuring Cisco Lock-and-Key
Configuring Cisco Reflexive Access Lists
Dysfunctional Controls: Useless, Impractical, Inefficient and Poorly-Designed
When Getting the Audit Done Is the Only Thing
What is a cookie? This is a question I frequently field in the courses I teach. Well, it's information. And it could be on your computer right now. The Magic Cookie, originally conceived by Netscape, and adopted by Microsoft Internet Explorer and Mosaic, exists as a single text file on your hard disk. A Web site can write information to the file and retrieve information from it every time you visit.
When you enter an URL for a page, the browser compares the URL against it's cookie file, and should it find a matching cookie, it will send the cookie to the server along with the request for the page.
When you close your browser, it writes any cookies that haven't expired to a cookie file so it can reload the file the next time you browse the Web. The file is named "cookies.txt" in Windows, "MagicCookie" in MacOS, and "cookies" in UNIX.
A cookie can contain whatever information the site wants. For instance, you could create a unique user ID, save it as a cookie and then the browser would never have to enter it again. Or a cookie could contain your e-mail address. When you go to a site that asks for your e-mail address, say in a form, the Web site could then set a cookie containing the e-mail address. Then, your browser could send your e-mail address every time you revisit the site.
Cookies aren't executable, so, they can't contain programs or viruses. Someone cannot use a cookie to get data from your hard drive, surreptitiously get your e-mail address, or steal sensitive information.
Simply, cookies allow a Web site to track where you have been on the Web. People are revealing personal behavior without realizing it. Knowing that cookies exist is important. Taking control over when, where, and to whom you provide information about yourself, also is important. Here, then, are some preliminary thoughts on controlling cookies.
-
Test your browser to see whether it will accept a cookie. Digital Equipment Corp. provides a test script at http://www.research.digital.com/nsl/formtest/html/UserInput.html to do this.
-
Should you want to disallow cookies in Netscape version 3.0 or greater: Go to the Options menu, select Network Preferences, from the window that appears, select Protocols, locate Show an Alert Before, check the box Accepting a Cookie. Henceforth, you will get an Alert telling you that a server is trying to set a cookie.
-
Lock the cookies.txt or MagicCookie file to stop cookies from working. Cookies still will reside in memory, but they won't get saved past your current browsing session.
-
Get Cookie Monster to trash the MagicCookie or cookies.txt file every time it is launched.
-
Use Netscape's new Communicator to set preferences allowing you to deny cookies automatically. Expect more vendors to jump on the anti-cookie bandwagon.
-
"Use with caution" as Netscape suggests. If you don't like the idea of someone using this information, delete the contents of the file. Get PGPcookie.cutter or Cookie Cutter 1.0 to selectively delete cookies.
But software solutions can only do so much. In the end, only user awareness will tame the cookie monster. One place to increase your awareness is on the Internet. Start by checking out Illuminatus, Digital Equipment Corporation, HotWired, Netscape, Malcolm Humes, Jasmin, and Guy Smiley. You also might want to try reading the FAQ. Well there, that should get you started.