In my email newsletter recently, I wrote about cookies: what they are and what they're used for. Subsequently, I received feedback from several readers, one pointing out that there were some security issues with cookies and another saying that I understated the need for cookies in making websites work.
First, subscriber John C. wrote:
Hello Terry! In your email "Article 0", you discussed cookies. You seemed to dismiss them as being benign. Although most may be, I think, on balance, you should have referenced the following article in InformIT: http://www.informit.com/guides/content.aspx?g=security&seqNum=232
I would like you to pay particular attention to the following statements: "…cookies are passed as plaintext unless there is an encrypted session. As a result, anyone with a sniffer can capture the cookie's contents and use them as their own.
In other words, if a person logs into a web application at an unprotected wireless hotspot, an attacker can grab the session value and insert it into their own cookie, thus hijacking the session from the valid user. Third, and possibly the most significant, cookies can be stolen via cross-site scripting exploits on a vulnerable web application.
For example, numerous blogging sites have been found to have persistent XSS vulnerabilities over the last few years. If a malicious hacker wants to steal a user's session id cookie information, they can easily do this by injecting a simple "document.cookie" request into a blog post. This type of attack can be used to steal hundreds of session values, all of which can be used by the attacker to collect sensitive information or create chaos by posting fake content under a stolen account."
Considering the Author of the article had real life examples, I would not consider his article the work of a "paranoid" person. I think the issue is that most people who write newsletters, blogs or have "free" websites, depend on advertising or 3rd party software sales to support their site.
As you explain, this helps support the site, but I think, also produces a bias among people who tell users there is no danger and nothing wrong with accepting cookies. Your “Article 0” should have included more of a balance of the risks, as well as benefits of cookies.
John C. has some good points, but I think he missed my main point. The problems he mentioned are all issues from USING cookies during CURRENT visits to web sites. My article was about cookies stored on your computer.
Reading his message, I also realized something that I had missed earlier. Cookies really are not transmitted via encrypted connections normally.
Security of the transmission is the key. If the cookie travels in the clear (that is, over a plain http connection, and not on a wireless link that is itself encrypted), the cookie value can be intercepted like any other data. It doesn't matter whether the value itself is an opaque or encrypted token: the attacker doesn't need to decode it, only to replay it in his own requests. Note, too, that wireless encryption only protects the radio link; once your traffic leaves the access point, only https protects it on the rest of the path.
Similarly, someone with privileged access to the wired network you're using, at the corporate or Internet Service Provider level, could sniff any of your traffic there. On a wired hub every port sees every packet, so sniffing is trivial. A switch only delivers packets to the intended port, which makes casual sniffing harder but not impossible: an attacker on the same switch can use ARP spoofing or similar tricks to route your traffic through his machine.
If a site doesn't use an encrypted connection, as he pointed out, anyone sniffing the wireless transmission could pick up the cookie being transmitted (and everything else, too).
A stolen session cookie is only useful against the site that issued it; it does the attacker no good anywhere else. This is a real risk, but it has nothing to do with the scare tactic "cookies are spyware and bad."
Simply put, if you use an unencrypted wireless network, your cookies and everything else you transmit and receive are subject to observation and possible hijacking.
Another issue John mentioned was cross-site scripting (XSS). This is a vulnerability in the web application, not in the browser: the site echoes user-supplied content back to other visitors without checking or encoding it, and the browser simply runs the script it was handed. (Browser bugs are a separate matter, and keeping your browser up to date is still good advice.) Most site operators fix XSS holes quickly once researchers report them, and a large ecommerce site can be counted on to make the changes.
But, still, if you run a web site and allow users to post content, your code had better validate and HTML-encode that content rather than trusting it. Your session cookies should also be marked HttpOnly, so that a script can't read them through document.cookie, and Secure, so that the browser only ever sends them over https.
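As an added illustration of the two points above (it is not code from the newsletter or from the articles it quotes), here is a small Python simulation: a session cookie captured from a cleartext HTTP request can be replayed as-is without being decoded, and the Secure and HttpOnly attributes on Set-Cookie are the server-side settings that limit this. The session store, the "sniffed" request, the host name shop.example and the cookie name are all constructed for the example.

```python
# Added illustration (not the newsletter's code): cookie replay over a cleartext
# link, and the Set-Cookie attributes that limit it. The session store, the
# captured request, the host name and the cookie name are constructed here.
import secrets
from http.cookies import SimpleCookie

# ---- Server side: the simplest possible session store ----------------------
SESSIONS = {}          # session id -> username

def login(username):
    """Issue a random session id, as a site does after a successful login."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid

def whoami(cookie_header):
    """What the server believes about a request carrying this Cookie header.
    The server only sees the token; it cannot tell a replay from the real browser."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    return SESSIONS.get(morsel.value) if morsel else None

# ---- Attacker side: read the Cookie header out of a sniffed request --------
def sniff_cookie(raw_request):
    """Return the Cookie header value from a captured plaintext HTTP request."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return None

def hijack_demo():
    """Alice logs in; her next request crosses an open hotspot in the clear."""
    sid = login("alice")
    captured = ("GET /account HTTP/1.1\r\n"
                "Host: shop.example\r\n"            # constructed host name
                f"Cookie: session={sid}\r\n\r\n")  # constructed captured request
    stolen = sniff_cookie(captured)
    # The attacker never decodes the token; he just sends it himself.
    return whoami(stolen)

# ---- Browser side: what the Secure attribute changes -----------------------
def browser_sends_cookie(set_cookie_header, scheme):
    """Cookie header a browser attaches to a later request using this scheme.
    A cookie flagged Secure is withheld from plain http requests."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    parts = []
    for name, morsel in jar.items():
        if morsel["secure"] and scheme != "https":
            continue
        parts.append(f"{name}={morsel.value}")
    return "; ".join(parts)

def audit_set_cookie(set_cookie_header):
    """Protective attributes missing from each cookie in a Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    report = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")      # sent over http: sniffable
        if not morsel["httponly"]:
            missing.append("HttpOnly")    # readable via document.cookie: XSS-stealable
        report[name] = missing
    return report

if __name__ == "__main__":
    print("replayed cookie identifies:", hijack_demo())
    weak = "session=abc123; Path=/"
    hardened = "session=abc123; Path=/; Secure; HttpOnly"
    print("weak cookie over http: ", repr(browser_sends_cookie(weak, "http")))
    print("hardened over http:    ", repr(browser_sends_cookie(hardened, "http")))
    print("hardened over https:   ", repr(browser_sends_cookie(hardened, "https")))
    print("audit of weak cookie:  ", audit_set_cookie(weak))
```

The point of `hijack_demo` is that `whoami` answers "alice" for the attacker's replay exactly as it would for Alice's browser. The two attributes narrow the attack rather than eliminate it: Secure keeps the token off plaintext links (everything else on that link is still visible), and HttpOnly keeps it away from injected script, but a script running in the victim's browser can still make requests on the victim's behalf.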
John wrote back to say:
I don't mean to pile on, Terry, but Tom at TeMerc just posted this:
I think you should give it a read and maybe do a follow-up on your next newsletter.
This article at temerc.com was again about third-party interception of cookies broadcast wirelessly without encryption. You would have a similar security problem if you read your email at a wifi hotspot: you broadcast and receive everything in the clear, including your password (most ISPs don't provide encrypted connections for email).
Next, let’s see what reader Janusz Lukasiak has to say on the subject…
Longtime subscriber and occasional commenter Janusz Lukasiak wrote to say:
Your description of cookies, while accurate, IMHO does not sufficiently emphasize that they are _necessary_ for certain web applications.
For example a ‘shopping cart’ at a merchant’s site is really a cookie, or a set of cookies, which identifies a purchase from one page, another purchase from another page, delivery address given here, and payment information entered elsewhere, as being part of one transaction.
So there is more to cookies than just bypassing the log in procedure, and generating income from ads.
On a related subject: the site you mention every now and then as a source of useful utilities, http://www.karenware.com/, has a Cookie Viewer program, which allows you to view and/or delete cookies collected by FF or IE.
Janusz is right. Not only do I occasionally mention Karen Kenworthy’s Karen’s Power Tools website, I use several of her utilities on a regular basis and have purchased a license.
Replicator runs on several of my computers to do daily backups (of changed files) to another computer across my home network. Karen's Power Tools are free for personal, non-commercial use, and have a very inexpensive license fee for business use.
As Janusz points out, cookies are necessary for some types of web site functions. If all you want to do is read content, you can do that on most web sites without cookies. But if anything has to be remembered from one page to the next, such as who you are or what is in your cart, cookies are the usual way that is done.
It might be a persistent cookie written to a file on your computer, or it might be a "session cookie" that is kept only in memory and discarded when you close your browser, but either way cookies are how the web keeps track of state.
There are a couple of alternatives that don't use cookies. With an HTTP GET request the data is embedded in the URL itself (the part after the "?"), and with a POST request it is sent in the body of the request, where the browser doesn't show it as part of the URL. GET and POST are normally used to submit data from forms (when you click a button on a web form), and a site can carry information from page to page by putting it in hidden form fields or in the links it generates, though that is clumsier than a cookie and is lost as soon as you leave the site's pages.