HTTP COOKIES: EXPLOITING THE USER

ABSTRACT

HTTP Cookies are an essential technology on the Internet. Along with them, though, they have introduced a number of security problems and have raised user privacy concerns. This article will address some of the issues and security risks with HTTP Cookies. An analysis of an already proposed solution will be given, followed by a discussion of some improvements that should be made to enhance the proposed solution.

1. INTRODUCTION

The Internet is a big, complex realm. It is made up of thousands of inter-connected computers, providing us with endless information. Over the evolution of the Internet, it became a very interactive environment, providing users with a variety of different types of services and entertainment. Soon, users were able to shop, bank, and auction. For them, these services, which were once only accessible in the physical world, were replaced with online versions.

These types of services attracted mass audiences to the Internet, all of whom wanted to become involved because of the convenience and the many other benefits they provided. Individuals were even willing to share private and personal information and trust the other end of the wire that the information they provided would be kept private.

The majority of online users use these services with the mentality that it is safe because the service itself claims to be. If the service claims to use multiple layers of the strongest encryption available on your financial information, it has to be safe, right? Unfortunately this is incorrect. A poorly designed web application hosting any service can in fact create many security and privacy problems for the user. This leads us into the topic of security and privacy and how any user can be easily exploited if proper precautions are not taken. This paper will specifically discuss Hypertext Transfer Protocol (HTTP) Cookies, a technology that has been spoken of before in regard to user privacy. It will also address a solution to the problems of HTTP cookies that does not eliminate anything that would decrease the value of this technology.

2. COOKIES ROLE TO HTTP

In order to understand why web applications and … understanding of HTTP.

Cookies have become an attractive solution for web application developers because HTTP suffers from not keeping state across communications. What does this mean? When a user navigates to a particular website, HTTP will transfer data between the user and the remote computer through continuous request and reply operations. This will occur until finally the HTML that makes up the website is loaded in the user's computer memory. Now, when a browser makes a request, it will connect to the remote computer and finally disconnect when it receives the reply. Because the browser disconnects from the remote computer for every reply it receives, each request becomes independent from the previous one, and therefore no history or state is kept between connections.

Without Cookies, web applications of many types, such as e-commerce, e-auctions and e-banking, become more difficult to create. For example, an e-commerce application will utilize Cookies to keep track of users' shopping baskets.

Cookies can also help in offloading server side workload to users. Microsoft Hotmail uses this approach to store personalized display settings in users' Cookies. So when a user returns to their
Hotmail account, their personalized preferences are loaded from their own computer as opposed to from Microsoft servers (assuming the user is logging in on the same previously used computer; this is discussed later).

In a nutshell, HTTP Cookies provide an application-based solution to keeping state over an underlying stateless protocol. They also provide enhanced functionality to web applications and other benefits to the user.

3. ISSUES, CONCERNS, SECURITY RISKS

HTTP Cookies are textual pieces of information that get passed back and forth between the browser … such Cookies for many things, but they primarily serve functions such as authentication, user session tracking and personalization of user profiles. These types of HTTP Cookies are usually known as first party Cookies: Cookies that are created on user machines by the domain the user was viewing at the time.

First party Cookies can be further broken into two different types, persistent and non-persistent. A persistent Cookie is a Cookie which will never expire to the application (or at least not for a very long time). A non-persistent Cookie is usually kept valid for the duration of a web session. For example, when a user logs into their GMail account, a token known as a session Cookie is created on the user's machine. This type of Cookie is a non-persistent Cookie and will immediately expire when the user gracefully logs out. Persistent Cookies are more for user convenience. Many web applications will ask the user whether or not they should save the logon credentials for the service being logged into. If the user confirms this, a persistent Cookie can make it possible. Any time the user returns to the corresponding web application, the login credentials will automatically be retrieved from the corresponding persistent Cookie.

Now that we better understand some of the roles Cookies can provide, we can come to the conclusion that they can hold some pretty sensitive information. It can be dangerous when an operating system is configured for a single user account but has multiple users accessing the system. This means all Cookies and essentially all browsing history are saved under the same profile, easy for anyone to retrieve.

A basic attack scenario with Cookies can be easily accomplished at a location where public terminals are accessible to users, such as at a library. Just by navigating through the browser history, a malicious user might have a chance to stumble across a service with saved credentials. Logging into another individual's Hotmail or GMail account couldn't be easier. Also, because Cookies are generally not very big in size, anyone with a USB storage device can easily copy the Cookie data and try to find and extract some sensitive information from it on their own computer.

There is also the existence of third party … these Cookies are created by domains other than the one the user was currently viewing. See, Cookies are meant to be domain specific, meaning Cookies were only to be read by the domain that originally set them. However, there are clever tricks that can remove this limitation.

The Internet is full of advertisements because advertisements make people rich. Therefore companies want their advertisements to be seen by everyone, especially by those users who will be interested in what is being advertised. DoubleClick and other companies like it provide ad serving services that can do this: help target particular ads to particular people. What businesses will do then is host advertisements on their website, but DoubleClick and companies alike will serve these images off their own servers or domain. When a user navigates to a page with this setup, as the browser downloads the advertisement components, a third party Cookie from DoubleClick will also be created.

Many websites will use first party Cookies to track the pages a user visits. This helps determine which information is most popular so that it can be re-located in places that are easier for visitors to find. Third party Cookies are being used for the same purpose. Ad serving companies can track the websites users are visiting to determine what they are interested in finding.

Website tracking has helped companies like DoubleClick build rich profiles on users. These profiles would help DoubleClick target specific advertisements to users and determine what advertisements have been seen already and for how long. Over time, the profiles provided enough information to DoubleClick to help them decide
what the best advertisement strategy was for anybody.

This issue has raised many privacy concerns because of the fact that information was collected on Internet users without their attention. Although DoubleClick has claimed that these profiles are kept anonymous, there have been problems in the past:

[T]he merger of database marketer Abacus Direct with online ad company DoubleClick hit front pages and sparked a federal investigation in January 2000 when it was revealed that the company had compiled profiles of 100,000 online users—without their knowledge—and intended to sell them [PF 2000].

4. PARTIAL SOLUTION TO COOKIES

Cookies are still accepted by default by all well-known browsers, and that won't change anytime soon because of the many benefits they have for HTTP. However, browsers nowadays come bundled with good Cookie management systems that give users full control over what to do with first party and third party Cookies. Note that it is not advisable to block Cookies altogether, considering that many web applications rely on this technology to function correctly.

There are also third party companies that produce advanced Cookie management systems that provide features like automatic deletion and filtering of Cookies. However, they cost money, and it is likely that most of the machines that users will use, no matter where they are, will not come bundled with such software.

Big problems with Cookies still remain on systems with single user accounts. Users could perhaps delete Cookies and all temporary Internet files after every web use. This would prevent malicious users from extracting any information from other users' Cookies, but it could also delete Cookies that might contain personalization details or other useful Cookies that serve some function on the web.

5. COOKIESCARD SOLUTION

A man by the name of Alvin T.S. Chan has published an article titled "Mobile Cookies Management on a Smart Card" in which he speaks on HTTP Cookie security and solving this problem. His focus in the article is providing a mobile mechanism to carry Cookies around with the user. HTTP Cookies by nature are machine dependent. For example, a user that has his or her Hotmail personalized in a specific way on one computer will not have these same personalization details saved on other computers. Therefore, the fact that Cookies can be exposed to information extraction and modification, as well as being limited by machine dependence, drove Alvin to solve this problem in an interesting way.

A CookiesCard uses smart card technology to hold user Cookies. By this, Cookies become mobile-enabled, so personalized information is retained and can be deployed across different client machines. Smart cards are also secured using PIN authentication. So in the event that some malicious user has got hold of a CookiesCard, a PIN would be required in order to probe the information on the card.

6. COOKIESCARD ARCHITECTURE

The CookiesCard architecture is made up of three primary devices: a smart card, a smart card reader and a proxy server. A proxy server is a device that is responsible for forwarding browser requests to remote web servers and forwarding the responses back to the clients. These devices are used for many purposes, but within the CookiesCard architecture the proxy intercepts and parses all HTTP requests and responses to facilitate Cookie management on the proxy and the smart card.

The proxy consists of two important modules, the Interceptor and the Off-Card Cookie Manager. The Interceptor will perform either of the following. If a web response comes through, it will capture the response, parse the Cookie headers and check for HTTP Cookies. If the Cookie headers contain a Cookie, the Interceptor will strip it from the header, send it to the Off-Card Cookie Manager and pass the remaining HTTP response on to the browser. The Off-Card Cookie Manager functions as a Cookie management cache and acts as the host interface to the smart card. This means that the Off-Card Cookie Manager will perform uploads and updates to the smart card. When a web request takes place, the Interceptor will capture the request, parse it and check with the Off-Card Cookie Manager cache to determine if any Cookies destined for that URL need to be appended.
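As an added illustration (not code from this paper or from Chan's CookiesCard), the following Python model of the proxy's two modules shows the Interceptor stripping Set-Cookie headers out of a response into the Off-Card Cookie Manager (an in-memory cache here, standing in for the smart card) and re-attaching the cached cookies to a later request for that host; it also applies the default third party filter together with the per-domain allow-list that the drawbacks section asks a control panel for. All class and function names, and the sample headers used to exercise it, are assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def same_site(host, domain):
    """True when host is the cookie's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

class OffCardCookieManager:
    """Cookie cache keyed by domain; the real CookiesCard persists this on the card."""
    def __init__(self):
        self.store = {}                                   # domain -> {name: value}
    def upload(self, domain, name, value):
        self.store.setdefault(domain, {})[name] = value

    def cookies_for(self, host):
        jar = {}                                          # every cached cookie whose domain covers host
        for domain, cookies in self.store.items():
            if same_site(host, domain):
                jar.update(cookies)
        return jar

class Interceptor:
    def __init__(self, manager, allowed_third_party=()):
        self.manager = manager
        self.allowed_third_party = set(allowed_third_party)  # control-panel setting (assumed)

    def on_response(self, page_url, response_url, headers):
        """Strip every Set-Cookie header, cache first-party (or allow-listed) cookies
        and return the remaining headers for the browser."""
        page_host = urlsplit(page_url).hostname
        resp_host = urlsplit(response_url).hostname
        kept = []
        for name, value in headers:
            if name.lower() != "set-cookie":
                kept.append((name, value))
                continue
            for key, morsel in SimpleCookie(value).items():
                domain = (morsel["domain"] or resp_host).lstrip(".")
                if not same_site(page_host, domain) and domain not in self.allowed_third_party:
                    continue                              # third party cookie dropped by default
                self.manager.upload(domain, key, morsel.value)
        return kept

    def on_request(self, url, headers):
        """Append a Cookie header built from the cached cookies for this host."""
        jar = self.manager.cookies_for(urlsplit(url).hostname)
        if not jar:
            return list(headers)
        return list(headers) + [("Cookie", "; ".join(f"{k}={v}" for k, v in jar.items()))]
```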
With the CookiesCard method, Alvin therefore demonstrates an interesting and effective solution to the overall problem with HTTP Cookies. His method will free the browser from persisting any Cookies on the user's machine and also provide mobile Cookies to eliminate machine Cookie dependency.

7. COOKIESCARD DRAWBACKS

The CookiesCard is an effective solution to the overall security risks of HTTP Cookies, but it still suffers from some drawbacks. Here is a list.

1) To make the CookiesCard completely mobile, it would require the user to carry his or her own smart card reader device and plug it into the computer they wish to use. If, however, we lived in an age where all computers came with an integrated smart card reader, then we would have a different story. But because we don't, it is really inconvenient to have the user carry the reader with them in case they ever wanted to use a public terminal securely.

2) Since the proxy must be located where the browser resides, the CookiesCard again will fail if the system that the user is sitting at doesn't have a proxy to connect to. Again this would require the user to carry proxy software, and then the user would be required to install it on the host machine. Most public terminals do not allow third party software to be installed, and without a proxy server the CookiesCard will not function.

3) Lastly, the CookiesCard is lacking a control panel interface. A control panel interface would allow a user to modify the behaviour of the Interceptor. For example, the Interceptor filters all 3rd party Cookies by default. If the user wishes to keep 3rd party Cookies (for testing or other reasons), or have them accepted at least from particular domains only, the user should have the capability to make this possible.

The smart card has not become a widespread technology for the general public, and therefore the CookiesCard will have a difficult time gaining popularity. However, USB storage devices have come down in price to become affordable for everyone. Since they are ultra-portable, they can conveniently be carried around on such things as key chains. As well, all computers that fall within the 10 year age range will have USB inputs available, and USB storage devices can be utilized on all computers now.

USB storage devices can also be secured using passwords and different encryption technologies such as TrueCrypt. For the purpose of improving the CookiesCard, TrueCrypt would be ideal. It supports the AES, Serpent and Twofish encryption algorithms and supports drag-and-drop on-the-fly encryption.

8. COOKIESCARD 2.0 ARCHITECTURE

The USB storage device would consist of the proxy server and an encrypted cookie folder (created with TrueCrypt) to store HTTP Cookies. The encrypted folder would support drag-and-drop on-the-fly encryption, so that all Cookies are encrypted on the fly as they are dropped into the folder. The proxy server would be created in the Java language so that it can easily be run by just executing the binary, eliminating the need to install anything on the localhost. It would also consist of two modules that would perform similarly to the Interceptor and the Off-Card Cookie Manager discussed in the original CookiesCard architecture. The only difference, however, would be to build the Off-Card Cookie Manager with the PassCode hard-coded so that it would be able to read from the encrypted cookie folder.

The proxy server would also be developed to listen on two ports. Port 8080 would be used to use the proxy as a forwarding device, and 8081 would be used to connect to the proxy's control panel interface.

9. CONCLUSION

HTTP Cookies can create security problems and raise privacy concerns for the user. However, they are a required technology that can enhance the functionality of web applications and provide many convenient aspects to the user. I showed the security risks involved with Cookies but also the advantages of them. Alvin has created the CookiesCard that allows … risks and problems involved. Although it was an effective solution, it was lacking features and had drawbacks that did not make the CookiesCard the most feasible solution. The improvements discussed for the CookiesCard would help make it a better product and have it gain more popularity among the general audience. However, even with an improved CookiesCard, HTTP Cookies are susceptible to advanced security threats such as Cookie theft and cross-site cooking. There is no way to be 100% safe on the Internet; a user can only protect themselves as much as they can to decrease their exposure to Internet security threats.
1. David M. Kristol. "HTTP Cookies: Standards, Privacy, and Politics". ACM Transactions on Internet Technology, November 2001, Vol. 1, No. 2.
2. Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM, November 2005, Vol. 48, No. 11, pages 38-43.
3. CookieCentral. http://www.cookiecentral.com
4. The Cookie Controversy – Cookies and Internet
5. Wikipedia on HTTP Cookie.