Internet Cookies and Confidentiality
From Computing and Software Wiki
(New page: Internet Cookies and Confidentiality) |
|||
(78 intermediate revisions not shown) | |||
Line 1: | Line 1: | ||
- | Internet Cookies and | + | '''What is a Cookie''' |
+ | |||
+ | ---- | ||
+ | |||
+ | |||
+ | '''Internet cookies''' or just '''cookies''' are small text files that are used by web site designers to enhance the browsing experience by enabling quick authentication, storing user preferences, and tailoring sites for individual experience. Although cookies allow for a better browsing experience there is much misguided confusion and concern regarding these cookies by the general public which will be addressed below. Internet cookies are not programs and cannot collect data, surfing tendencies debit or credit card information stored on a user’s computer. However there are some confidentiality and privacy concerns regarding internet cookies that users should be aware of when browsing the internet. | ||
+ | |||
+ | [[Image:Cookiemonster.jpg|thumb]] | ||
+ | |||
+ | |||
+ | == '''Definition''' == | ||
+ | An internet cookie is a text file that is placed on your hard drive by a web server when you access certain sites. These text files can contain data about your login information, preferences, and keep track of current shopping carts. The text files only contain information that the user has given to the current site. Sites that do not share specific domains cannot share cookie information, collected or access another sites cookie. | ||
+ | |||
+ | |||
+ | == '''Purpose''' == | ||
+ | Cookies are used for several different purposes when creating a web site. They are used both by the site developers for keeping track of how many people visit the site, how many new versus repeat users are visiting the site and how often people visit the site. This information allow owner and developers to monitor the success of their site or parts of their site. Cookies can also be used to enhance the users experience as well. Cookies allow website to save specific user preferences when they browse, such as page layouts, visual designs and favourite sections. Cookies have also allowed sites to implement shopping carts which allow for e-commerce. | ||
+ | |||
+ | |||
+ | == '''How It All Works''' == | ||
+ | |||
+ | === '''Name-Value Pairs''' === | ||
+ | Cookies are all stored using '''Name-Value Pairs'''. Name-Value pairs are simply named pieces of data. More specifically each piece of data a website stores has the form identifier=value. | ||
+ | Examples of this would be NAME=VALUE which would be a unique user id. Any kind of information can be stored in cookies but there is certain information that most cookies use: | ||
+ | |||
+ | '''NAME=VALUE''' is always used to identify the user. It assigns a unique identification number | ||
+ | to each user so that the site can identify which settings belong to which users. | ||
+ | |||
+ | '''EXPIRES=DATE''' is used to set the life time of the cookie. It can be set for one session only, a week, year or indefinitely. | ||
+ | |||
+ | '''DOMAIN=DOMAIN_NAME''' this is set so that the browser can identify which cookie belongs to which sites. Sites can only access cookies with the same domain. Domains must contain two dots. For example '''.com''' is not acceptable since it does not have two dots, '''amazon.com''' would be acceptable, and any site that contains .amazon.com would access that cookie. | ||
+ | |||
+ | |||
+ | ==='''Interaction'''=== | ||
+ | Cookies are created by sites when a users visits. When a user visits a website they first enter a URL into a browser. The browser then searches for any cookies that the corresponding website has set. If it finds a cookie for that website it then sends the request for the page to the sever along with the cookie. If no cookie is found the request for the page is sent without a cookie. The server then sends the request back to the browser for viewing. If the sever does not receive a cookie the site knows that this is a first time viewer to the site and creates a cookie which is sends back to the user to store on the hard drive for future use. If a cookie is send the site will take the information in the cookie (usually a login) and applies it to the site. | ||
+ | |||
+ | [[Image:cookie.jpg]] | ||
+ | |||
+ | |||
+ | == '''Problems & Misconceptions'''== | ||
+ | |||
+ | ==='''Personal Information'''=== | ||
+ | Although cookies cannot search your computer for personal information cookies can store personal information that you give to a site. This can cause some confidentiality issues that will be examined below. | ||
+ | |||
+ | === '''Common Machines''' === | ||
+ | Cookies are stored on a specific computer; any user that uses that computer will have access to those cookies. If you user purchases something online and enters a credit card number for the purchase, that site may create a cookie keep that information for future use. Since multiple people have access to this computer the next person could gain access to that credit card number through the cookie. To avoid this problem refrain from entering personal information on public computers and if you must clear the history and cache of the computer after use. | ||
+ | |||
+ | ==='''Cookie Hijacking'''=== | ||
+ | Cookie Hijacking comes when someone is monitoring the transmission of data between a browser and server. If you are sending personal information over the internet via cookies and someone is collecting the transmission, an attacker could gain access to confidential information. Although this is not a fault with cookies it is a reality when using cookies that contain sensitive information. To avoid this, only enter personal information to sites that use a secure connection. | ||
+ | |||
+ | ==='''Cross-site cooking'''=== | ||
+ | Each site is supposed to have its own cookies, which is why cookies set domain settings so one site should not be able to alter or set cookies for another site. Cross-site cooking vulnerabilities in web browsers allow malicious sites to break this rule. The attacker exploits non-malicious users with vulnerable browsers, instead of attacking the actual site directly. Users are advised to use the more recent versions of web browsers in which such issue is mitigated. | ||
+ | |||
+ | ==='''Cross-site Profiling'''=== | ||
+ | Cross site profiling occurs when certain companies collect data from numerous sites. This can happen in cases where advertising companies put banner adds on multiple sites. They gain access to surfing information but no personal information. This technique can amass information from multiple sites. This cannot happen if the advertisements are not clicked on though since the site doesn't have access to the same domain they are just on the site. In certain cases these advertising companies have bought other sites to gain access to the personal information linking it with previously collected data. This however has legal ramifications and most sites have security policies that prevent this from happening. To avoid this make sure that you check untrustworthy sites policies. | ||
+ | |||
+ | == '''Conclusion''' == | ||
+ | Internet Cookies are surrounded by a common misconception that cookies have a singular purpose of collection personal data for devious purposes. Although cookies can present a security risk, if used properly and with caution that risk is marginal compared to the benefits that cookies provide. | ||
+ | |||
+ | |||
+ | =='''See Also'''== | ||
+ | [[http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]] <br> | ||
+ | [[http://www.cas.mcmaster.ca/wiki/index.php/Phishing Phishing]] <br> | ||
+ | [[http://www.cas.mcmaster.ca/wiki/index.php/Anti-spam_Systems_and_Techniques Anti-Spam]] <br> | ||
+ | [[http://www.cas.mcmaster.ca/wiki/index.php/Payment_Card_Industry_Data_Security_Standard Payment Card Industry Data Security Standard]] <br> | ||
+ | [[http://www.cas.mcmaster.ca/wiki/index.php/Autocomplete Autocomplete]] <br> | ||
+ | [[http://www.cas.mcmaster.ca/wiki/index.php/Identity_Theft Identity Theft]] <br> | ||
+ | |||
+ | =='''External Links'''== | ||
+ | http://computer.howstuffworks.com/cookie.htm <br> | ||
+ | http://en.wikipedia.org/wiki/HTTP_cookie#Inaccurate_identification <br> | ||
+ | http://computer.howstuffworks.com/cookie1.htm <br> | ||
+ | http://www.webopedia.com/DidYouKnow/Internet/2002/Cookies.asp <br> | ||
+ | |||
+ | |||
+ | |||
+ | == '''References''' == | ||
+ | # ''Wikipedia'' [Web]. Retrieved December 8, 2007, from http://en.wikipedia.org/wiki/HTTP_cookie#Inaccurate_identification | ||
+ | # Brian, Marshall. How Internet Cookies Work. Retrieved December 8, 2007, Web site: http://computer.howstuffworks.com/cookie1.htm | ||
+ | # ''Webopedia'' [Web]. Retrieved December 8, 2007, from http://www.webopedia.com/DidYouKnow/Internet/2002/Cookies.asp | ||
+ | # Bishop, Matt. ''Introduction to Computer Security''. Boston: Addison-Wesley, 2006. | ||
+ | |||
+ | --Adam Schulz[[User:Schulza|Schulza]] 23:11, 9 December 2007 (EST) |
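Review bot: The DOMAIN=DOMAIN_NAME paragraph contradicts itself: it states that domains must contain two dots and then gives amazon.com, which has only one, as acceptable. The example should read .amazon.com to agree with the rule and with the sentence that follows it. In the Interaction paragraph, "sever" appears twice where "server" is meant, and "The server then sends the request back to the browser" should say that the page is sent back. The See Also list links Identity Theft twice; drop the second entry.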
Current revision as of 04:11, 10 December 2007
What is a Cookie
Internet cookies, or just cookies, are small text files that web site designers use to enhance the browsing experience by enabling quick authentication, storing user preferences, and tailoring sites to the individual. Although cookies allow for a better browsing experience, there is much confusion and concern about them among the general public, which is addressed below. Internet cookies are not programs and cannot collect data, surfing tendencies, or debit or credit card information stored on a user's computer. However, there are some confidentiality and privacy concerns regarding internet cookies that users should be aware of when browsing the internet.
Definition
An internet cookie is a text file that a web server places on your hard drive when you access certain sites. These text files can contain your login information and preferences, and can keep track of current shopping carts. They contain only information that the user has given to the current site. Sites that do not share a domain cannot share collected cookie information or access another site's cookies.
Purpose
Cookies are used for several different purposes when creating a web site. Site developers use them to keep track of how many people visit the site, how many new versus repeat users are visiting, and how often people visit. This information allows owners and developers to monitor the success of their site or parts of their site. Cookies can also be used to enhance the user's experience. They allow websites to save specific user preferences, such as page layouts, visual designs and favourite sections. Cookies have also allowed sites to implement shopping carts, which make e-commerce possible.
How It All Works
Name-Value Pairs
Cookies are all stored using Name-Value Pairs. Name-value pairs are simply named pieces of data: each piece of data a website stores has the form identifier=value. An example would be NAME=VALUE, which would be a unique user id. Any kind of information can be stored in cookies, but there is certain information that most cookies use:
NAME=VALUE is always used to identify the user. It assigns a unique identification number to each user so that the site can identify which settings belong to which users.
EXPIRES=DATE is used to set the lifetime of the cookie. It can be set for one session only, a week, a year, or indefinitely.
DOMAIN=DOMAIN_NAME is set so that the browser can identify which cookie belongs to which site. Sites can only access cookies with the same domain. Domains must contain two dots. For example, .com is not acceptable since it does not have two dots, amazon.com would be acceptable, and any site that contains .amazon.com would access that cookie.
Interaction
Cookies are created by sites when a user visits. When a user visits a website, they first enter a URL into a browser. The browser then searches for any cookies that the corresponding website has set. If it finds a cookie for that website, it sends the request for the page to the server along with the cookie. If no cookie is found, the request for the page is sent without a cookie. The server then sends the requested page back to the browser for viewing. If the server does not receive a cookie, the site knows that this is a first-time visitor and creates a cookie, which it sends back to the user to store on the hard drive for future use. If a cookie is sent, the site takes the information in the cookie (usually a login) and applies it to the site.
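The name-value pairs and the browser/server interaction described above, as an added example (not part of the original wiki page): a toy browser cookie jar that applies the page's DOMAIN rules when storing a cookie and when choosing which cookies to send with a request. The hosts, cookie names and values are constructed, and writing the domain with a leading dot (.amazon.com) when counting dots is an assumption.

```javascript
// Added example: toy cookie jar for NAME=VALUE, EXPIRES and DOMAIN as described above.
// All hosts and cookie values used with it are constructed samples.
function parseSetCookie(header, requestHost) {
  const [first, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = first.indexOf('=');
  if (eq < 1) return null;                        // no NAME=VALUE pair present
  const cookie = { name: first.slice(0, eq), value: first.slice(eq + 1),
    domain: requestHost.toLowerCase(), hostOnly: true, expires: null }; // null = session
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'expires') cookie.expires = new Date(val);
    if (key === 'domain') { cookie.domain = val.toLowerCase(); cookie.hostOnly = false; }
  }
  return cookie;
}

// True when host lies inside the cookie domain (suffix match on a dot boundary).
function domainMatches(host, domain) {
  const bare = domain.replace(/^\./, '');
  host = host.toLowerCase();
  return host === bare || host.endsWith('.' + bare);
}

// Store the cookie only if the setting host is allowed to use that domain.
function acceptCookie(jar, header, requestHost) {
  const c = parseSetCookie(header, requestHost);
  if (!c) return false;
  if (!c.hostOnly) {
    const dots = (c.domain.match(/\./g) || []).length;
    if (dots < 2) return false;                   // ".com" has fewer than two dots
    if (!domainMatches(requestHost, c.domain)) return false; // another site's domain
  }
  jar.push(c);
  return true;
}

// Build the Cookie request header for host, skipping expired entries.
function cookieHeaderFor(jar, host, now = new Date()) {
  return jar
    .filter((c) => (c.hostOnly ? c.domain === host.toLowerCase() : domainMatches(host, c.domain)))
    .filter((c) => c.expires === null || c.expires > now)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}
```

Current browsers replace the two-dot count with a public suffix list, but the suffix match on a dot boundary is the same idea: notamazon.com does not receive a cookie scoped to .amazon.com.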
Problems & Misconceptions
Personal Information
Although cookies cannot search your computer for personal information, they can store personal information that you give to a site. This can cause some confidentiality issues, which are examined below.
Common Machines
Cookies are stored on a specific computer; anyone who uses that computer will have access to those cookies. If a user purchases something online and enters a credit card number for the purchase, that site may create a cookie to keep that information for future use. Since multiple people have access to this computer, the next person could gain access to that credit card number through the cookie. To avoid this problem, refrain from entering personal information on public computers and, if you must, clear the history and cache of the computer after use.
Cookie Hijacking
Cookie hijacking occurs when someone is monitoring the transmission of data between a browser and a server. If you are sending personal information over the internet via cookies and someone is collecting the transmission, an attacker could gain access to confidential information. Although this is not a fault of cookies themselves, it is a reality when using cookies that contain sensitive information. To avoid this, only enter personal information on sites that use a secure connection.
Cross-site cooking
Each site is supposed to have its own cookies, which is why cookies carry domain settings: one site should not be able to alter or set cookies for another site. Cross-site cooking vulnerabilities in web browsers allow malicious sites to break this rule. The attacker exploits non-malicious users with vulnerable browsers instead of attacking the actual site directly. Users are advised to use the more recent versions of web browsers, in which this issue is mitigated.
Cross-site Profiling
Cross-site profiling occurs when certain companies collect data from numerous sites. This can happen in cases where advertising companies put banner ads on multiple sites. They gain access to surfing information but no personal information. This technique can amass information from multiple sites. This cannot happen if the advertisements are not clicked on, though, since the site doesn't have access to the same domain; the ads are just on the site. In certain cases these advertising companies have bought other sites to gain access to personal information, linking it with previously collected data. This, however, has legal ramifications, and most sites have security policies that prevent this from happening. To avoid this, make sure that you check untrustworthy sites' policies.
Conclusion
Internet cookies are surrounded by a common misconception that cookies have the singular purpose of collecting personal data for devious purposes. Although cookies can present a security risk, if used properly and with caution that risk is marginal compared to the benefits that cookies provide.
See Also
[Identity Theft]
[Phishing]
[Anti-Spam]
[Payment Card Industry Data Security Standard]
[Autocomplete]
External Links
http://computer.howstuffworks.com/cookie.htm
http://en.wikipedia.org/wiki/HTTP_cookie#Inaccurate_identification
http://computer.howstuffworks.com/cookie1.htm
http://www.webopedia.com/DidYouKnow/Internet/2002/Cookies.asp
--Adam Schulz (Schulza) 23:11, 9 December 2007 (EST)