HTTP COOKIES: EXPLOITING THE USER
Robert Bobek

ABSTRACT

HTTP Cookies are an essential technology on the Internet. Along with their benefits, however, they have introduced a number of security problems and have raised user privacy concerns. This article addresses some of the issues and security risks of HTTP Cookies. An analysis of an already proposed solution is given, followed by a discussion of some improvements that should be made to enhance that proposed solution.

1. INTRODUCTION

The Internet is a big, complex realm. It is made up of thousands of inter-connected computers, providing us with endless information. Over the evolution of the Internet, it became a very interactive environment, providing users with a variety of different types of services and entertainment. Soon, users were able to shop, bank, and auction. For them, services that were once only accessible in the physical world became replaced with online versions.

These types of services attracted mass audiences to the Internet, all of whom wanted to become involved because of the convenience and many other benefits they provided. Individuals were even willing to share private and personal information and trust the other end of the wire to keep the information they provided private.

The majority of online users use these services believing they are safe because the service itself claims to be. If the service claims to use multiple layers of the strongest encryption available on your financial information, it has to be safe, right? Unfortunately this is incorrect. A poorly designed web application hosting any service can in fact create many security and privacy problems for the user.

This leads us into the topic of security and privacy and how any user can be easily exploited if proper precautions are not taken. This paper will specifically discuss Hypertext Transfer Protocol (HTTP) Cookies, a technology that has been spoken of before in regards to user privacy. It will also address a solution to the problems of HTTP Cookies that does not eliminate anything that would decrease the value of this technology.

2. THE ROLE OF COOKIES IN HTTP

Understanding why web applications and the Internet use Cookies requires a little understanding of HTTP.

Cookies have become an attractive solution for web application developers because HTTP does not keep state between communications. What does this mean? When a user navigates to a particular website, HTTP transfers data between the user and the remote computer through repeated request and reply operations. This continues until finally the HTML that makes up the website is loaded into the user's computer memory. When a browser makes a request, it connects to the remote computer and disconnects once it receives the reply. Because the browser disconnects from the remote computer after every reply it receives, each request is independent from the previous one, and therefore no history or state is kept between connections.

Without Cookies, web applications of many types, such as e-commerce, e-auctions and e-banking, become more difficult to create. For example, an e-commerce application will use Cookies to keep track of users' shopping baskets.

Cookies can also help offload server-side workload to users. Microsoft Hotmail uses this approach to store personalized display settings in the user's Cookies. So when a user returns to their Hotmail account, their personalized preferences are loaded from their computer as opposed to from Microsoft servers (assuming the user is logging in on the same previously used computer, as discussed later).

In a nutshell, HTTP Cookies provide an application-based solution to keeping state over an underlying stateless protocol. They also provide enhanced functionality to web applications and other benefits to the user.

3. ISSUES, CONCERNS, SECURITY RISKS

HTTP Cookies are textual pieces of information that get passed back and forth between the browser and the remote server. Web applications can use such Cookies for many things, but they primarily serve functions such as authentication, user session tracking and personalization of user profiles. These types of HTTP Cookies are usually known as first party Cookies: Cookies that are created on the user's machine by the domain the user was viewing at the time.

First party Cookies can be further broken into two different types, persistent and non-persistent. A persistent Cookie is one that never expires for the application (or at least not for a very long time). A non-persistent Cookie is usually kept valid only for the duration of a web session. For example, when a user logs into their GMail account, a token known as a session Cookie is created on the user's machine. This type of Cookie is a non-persistent Cookie and will immediately expire when the user gracefully logs out. Persistent Cookies are more for user convenience. Many web applications will ask the user whether or not to save the logon credentials for the service they are logging into. If the user confirms this, a persistent Cookie makes it possible. Any time the user returns to the corresponding web application, the login credentials will automatically be retrieved from the corresponding persistent Cookie.

Now that we better understand some of the roles Cookies can fulfil, we can come to the conclusion that they can hold some pretty sensitive information. It can be dangerous when an operating system is configured with a single user account but has multiple users accessing the system. This means all Cookies and essentially all browsing history are saved under the same profile, easy for anyone to retrieve.

A basic attack scenario with Cookies can be easily accomplished at a location where public terminals are accessible to users, such as a library. Just by navigating through the browser history, a malicious user might stumble across a service with saved credentials. Logging into another individual's Hotmail or GMail account couldn't be easier. Also, because Cookies are generally not very big in size, anyone with a USB storage device can easily copy the Cookie data and try to find and extract some sensitive information from it on their own computer.

There is also the existence of third party Cookies. Many might already have guessed it, but these Cookies are created by domains other than the one the user was currently viewing. Cookies are meant to be domain specific, meaning that Cookies were only to be read by the domain that originally set them. However, there are clever tricks that can remove this limitation.

The Internet is full of advertisements because advertisements make people rich. Therefore companies want their advertisements to be seen by everyone, especially by those users who will be interested in what is being advertised. DoubleClick and other companies like it provide ad serving services that can do this: help target particular ads to particular people. What a business will do then is host advertisements on its website, but DoubleClick and companies alike will serve these images off their own servers or domain. When a user navigates to a page with this setup, as the browser downloads the advertisement components, a third party Cookie from DoubleClick will also be created.

Many websites will use first party Cookies to track the pages a user visits. This helps determine which information is most popular so that it can be relocated to places that are easier for visitors to find. Third party Cookies are being used for the same purpose. Ad serving companies can track the websites users are visiting to determine what they are interested in finding.

Website tracking has helped companies like DoubleClick build rich profiles on users. These profiles help DoubleClick target specific advertisements to users and determine which advertisements have been seen already and for how long. Over time, the profiles provided enough information to DoubleClick to help them decide what the best advertisement strategy was for anybody.

This issue has raised many privacy concerns because information was collected on Internet users without their knowledge. Although DoubleClick has claimed that these profiles are kept anonymous, there have been problems in the past:

    [T]he merger of database marketer Abacus Direct with online ad company DoubleClick hit front pages and sparked a federal investigation in January 2000 when it was revealed that the company had compiled profiles of 100,000 online users—without their knowledge—and intended to sell them [PF 2000].[1]

4. PARTIAL SOLUTION TO COOKIES

Cookies are still accepted by default by all well-known browsers, and that won't change anytime soon because of the many benefits they bring to HTTP. However, browsers nowadays come bundled with good Cookie management systems that give users full control of what to do with first party and third party Cookies. Note that it is not advisable to block Cookies altogether, considering that many web applications rely on this technology to function correctly.

There are also third party companies that produce advanced Cookie management systems providing features like automatic deletion and filtering of Cookies. However, they cost money, and it is likely that most of the machines users will use, no matter where they are, will not come bundled with such software.

Big problems with Cookies still remain on systems with single user accounts. Users could perhaps delete Cookies and all temporary Internet files after every web use. This would prevent malicious users from extracting any information from other users' Cookies, but it would also delete Cookies that might contain personalization details or other useful Cookies that serve some function on the web.

5. COOKIESCARD SOLUTION

Alvin T.S. Chan has published an article titled "Mobile Cookies Management on a Smart Card" in which he speaks on HTTP Cookie security and solving this problem. His focus in the article is providing a mobile mechanism to carry Cookies around with the user.

HTTP Cookies are by nature machine dependent. For example, a user who has his or her Hotmail personalized in a specific way on one computer will not have these same personalization details saved on other computers. Therefore, the fact that Cookies can be exposed to information extraction and modification, as well as being limited by machine dependence, drove Chan to solve this problem in an interesting way.

A CookiesCard uses smart card technology to hold user Cookies. By this, Cookies become mobile-enabled, so personalized information is retained and can be deployed across different client machines. Smart cards are also secured using PIN authentication. So in the event that some malicious user gets hold of a CookiesCard, a PIN would be required in order to probe the information on the card.

6. COOKIESCARD ARCHITECTURE

The CookiesCard architecture is made up of three primary devices: a smart card, a smart card reader and a proxy server. A proxy server is a device that is responsible for forwarding browser requests to remote web servers and forwarding the responses back to the clients. These devices are used for many purposes, but within the CookiesCard architecture the proxy intercepts and parses all HTTP requests and responses to facilitate Cookie management on the proxy and the smart card [2].

The proxy consists of two important modules, the Interceptor and the Off-Card Cookie Manager [2]. The Interceptor performs one of the following. If a web response comes through, it will capture the response, parse the Cookie headers and check for HTTP Cookies. If the Cookie headers contain a Cookie, the Interceptor will strip it from the header, send it to the Off-Card Cookie Manager and pass the remaining HTTP response to the browser. The Off-Card Cookie Manager functions as a Cookie management cache and acts as the host interface to the smart card. This means that the Off-Card Cookie Manager performs uploads and updates to the smart card. When a web request takes place, the Interceptor will capture the request, parse it and check with the Off-Card Cookie Manager cache to determine whether any Cookies destined for that URL need to be appended.
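The following Python is an added illustration of the two proxy modules just described; it is not code from this paper or from Chan's CookiesCard. The response side of the Interceptor strips Set-Cookie headers out of a response and hands them to an in-memory Off-Card Cookie Manager that stands in for the smart card, and the request side builds a Cookie header from that store by domain and path. It also applies the Interceptor's default of dropping third party Cookies, with a per-domain allow list standing in for the control panel discussed in section 7, and it keeps the persistent versus session distinction from section 3 so that session Cookies can be dropped when the session ends. The class and function names, the last-two-labels site heuristic and the sample traffic (mail.example.com, ads.adnet.example) are the example's own assumptions.

```python
# Added example, not the paper's or Chan's code: the section 6 proxy modules
# with the section 7 third-party filter and a per-domain allow list.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str       # host the cookie applies to, leading dot removed
    path: str
    secure: bool
    persistent: bool  # True when Expires or Max-Age was present (section 3)

def parse_set_cookie(line):
    """Split one Set-Cookie line into (name, value, {attribute: value})."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def _site(host):
    # Crude registrable-domain guess: last two labels, no public suffix list.
    return ".".join(host.lower().split(".")[-2:])

def _domain_matches(host, domain):
    return host == domain or host.endswith("." + domain)

class OffCardCookieManager:
    """Cookie cache standing in for the smart card; the browser persists nothing."""
    def __init__(self, third_party_allow=()):
        self.jar = {}  # (domain, path, name) -> StoredCookie
        self.third_party_allow = {d.lower() for d in third_party_allow}

    def accept(self, set_cookie, request_host, page_host):
        """Store a cookie from a response; returns False when policy drops it."""
        name, value, attrs = parse_set_cookie(set_cookie)
        request_host, page_host = request_host.lower(), page_host.lower()
        domain = attrs.get("domain", "").lstrip(".").lower() or request_host
        # Section 7 default: no third-party cookies unless the user allowed the site.
        if (_site(request_host) != _site(page_host)
                and _site(request_host) not in self.third_party_allow):
            return False
        # A Domain attribute may only widen to the responding host's own site.
        if "." not in domain or not _domain_matches(request_host, domain):
            return False
        path = attrs.get("path") or "/"
        self.jar[(domain, path, name)] = StoredCookie(
            name, value, domain, path, "secure" in attrs,
            "expires" in attrs or "max-age" in attrs)
        return True

    def cookie_header(self, request_url):
        """Cookie header value for a request, or "" when nothing stored applies."""
        u = urlsplit(request_url)
        host, path = (u.hostname or "").lower(), u.path or "/"
        matched = [c for c in self.jar.values()
                   if _domain_matches(host, c.domain)
                   and (path == c.path or path.startswith(c.path.rstrip("/") + "/"))
                   and (u.scheme == "https" or not c.secure)]
        matched.sort(key=lambda c: -len(c.path))  # longest path first, like browsers
        return "; ".join(f"{c.name}={c.value}" for c in matched)

    def end_session(self):
        # Drop non-persistent cookies, as a browser does when the session ends.
        self.jar = {k: c for k, c in self.jar.items() if c.persistent}

def intercept_response(manager, request_url, page_url, headers):
    """Interceptor, response side: strip Set-Cookie headers into the manager."""
    req_host = urlsplit(request_url).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    for name, value in headers:
        if name.lower() == "set-cookie":
            manager.accept(value, req_host, page_host)
    return [h for h in headers if h[0].lower() != "set-cookie"]

def intercept_request(manager, request_url, headers):
    """Interceptor, request side: append a Cookie header when one applies."""
    cookie = manager.cookie_header(request_url)
    return list(headers) + ([("Cookie", cookie)] if cookie else [])

def demo(allow=()):
    """Constructed traffic: a mail page and an embedded ad image set cookies."""
    manager = OffCardCookieManager(third_party_allow=allow)
    page = "https://mail.example.com/inbox"
    intercept_response(manager, page, page, [
        ("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
        ("Set-Cookie", "evil=1; Domain=other.example; Path=/"),  # rejected
    ])
    intercept_response(manager, "https://ads.adnet.example/pixel.gif", page, [
        ("Set-Cookie", "track=xyz; Path=/; Expires=Fri, 31 Dec 2027 23:59:59 GMT"),
    ])
    before = intercept_request(manager, page, [])
    manager.end_session()
    after = intercept_request(manager, page, [])
    ad = intercept_request(manager, "https://ads.adnet.example/pixel.gif", [])
    return before, after, ad

if __name__ == "__main__":
    print(demo())                         # ad request carries no cookie
    print(demo(allow={"adnet.example"}))  # user allowed the ad site
```

Running the module prints the Cookie headers the proxy would attach to the mail page before and after the session ends, first with the default policy and then with the ad site allowed; the ad request carries a tracking Cookie only in the second case. The Domain check is the part that matters for the cross-domain concern raised in section 3: a response from one host cannot plant a Cookie for a site it does not belong to, and the jar, not the browser profile, is the only place Cookies live.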
With the CookiesCard method, Chan demonstrates an interesting and effective solution to the overall problem with HTTP Cookies. His method frees the browser from persisting any Cookies on the user's machine and also provides mobile Cookies to eliminate machine Cookie dependency.

7. COOKIESCARD DRAWBACKS

The CookiesCard is an effective solution to the overall security risks of HTTP Cookies, but it still suffers from some drawbacks. Here is a list.

1) To make the CookiesCard completely mobile, the user would have to carry his or her own smart card reader device and plug it into the computer they wish to use. If we lived in an age where all computers came with an integrated smart card reader, then we would have a different story. But because we don't, it is really inconvenient to have the user carry the reader with them in case they ever want to use a public terminal securely.

2) Since the proxy must be located where the browser resides, the CookiesCard again will fail if the system the user is sitting at doesn't have a proxy to connect to. Again this would require the user to carry the proxy software, and then the user would be required to install it on the host machine. Most public terminals do not allow third party software to be installed, and without a proxy server the CookiesCard will not function.

3) Lastly, the CookiesCard lacks a control panel interface. A control panel interface would allow a user to modify the behaviour of the Interceptor. For example, the Interceptor filters all third party Cookies by default. If the user wishes to keep third party Cookies (for testing or other reasons), or have them accepted at least from particular domains only, the user should have the capability to make this possible.

The smart card has not become a widespread technology for the general public, and therefore the CookiesCard will have a difficult time gaining popularity. However, USB storage devices are carried by almost everyone nowadays and have come down in price to become affordable for everyone. Since they are ultra-portable, they can conveniently be carried around on such things as key chains. As well, all computers within the 10 year age range have USB inputs available, and therefore USB storage devices can be used on all computers now.

USB storage devices can also be secured using passwords and different encryption technologies such as TrueCrypt. For the purpose of improving the CookiesCard, TrueCrypt would be ideal. It supports the AES, Serpent and Twofish encryption algorithms and supports drag-and-drop on-the-fly encryption.

8. COOKIESCARD 2.0 ARCHITECTURE

The USB storage device would consist of the proxy server and an encrypted cookie folder (created with TrueCrypt) to store HTTP Cookies. The encrypted folder would support drag-and-drop on-the-fly encryption, so that all Cookies are encrypted on the fly as they are dropped into the folder. The proxy server would be written in the Java language so that it can easily be run by just executing the binary, eliminating the need to install anything on the local host. It would also consist of two modules that would perform similarly to the Interceptor and the Off-Card Cookie Manager discussed in the original CookiesCard architecture. The only difference, however, would be to build the Off-Card Cookie Manager with the PassCode hard-coded so that it would be able to read from the encrypted cookie folder.

The proxy server would also be developed to listen on two ports. Port 8080 would be used for the proxy as a forwarding device and 8081 would be used to connect to the proxy's control panel interface.

9. CONCLUSION

HTTP Cookies can create security problems and raise privacy concerns for the user. However, they are a required technology that can enhance the functionality of web applications and provide many conveniences to the user. I showed the security risks involved with Cookies but also their advantages. Chan has created the CookiesCard, which allows users to use Cookies without the many security risks and problems involved. Although it was an effective solution, it was lacking features and had drawbacks that kept the CookiesCard from being the most feasible solution. The improvements discussed for the CookiesCard would help make it a better product and have it gain more popularity with the general audience. However, even with an improved CookiesCard, HTTP Cookies are susceptible to advanced security threats such as Cookie theft and cross-site cooking. There is no way to be 100% safe on the Internet; a user can only protect themselves as much as they can to reduce their exposure to Internet security threats.


REFERENCES

1. David M. Kristol. "HTTP Cookies: Standards, Privacy, and Politics". ACM Transactions on Internet Technology, Vol. 1, No. 2, November 2001, pages 151-198.

2. Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM, Vol. 48, No. 11, November 2005, pages 38-43.

3. CookieCentral.

4. The Cookie Controversy – Cookies and Internet

5. Wikipedia on HTTP Cookie.
