Computer cookies are an interesting aspect of web browsing that has baffled many people for years, with news channels constantly talking about cyber-security breaches many mistakenly think that cookies play a core component in them. The truth is that they play an important role in the IT privacy issue as there are still murky laws and regulations about how the collected information is handled but they don’t necessarily pose a security risk in and of itself.
Let’s delve into cookies:
What are Computer cookies: in layman’s terms, a computer cookie is a file that stores information about your browsing history, technical information such as your OS version, browser version, and even information about you such as sex, age, geolocation, etc. The files are stored on your computer and when you revisit the site the web browsers pull those stored files and load the information memory to offer a more customized experience. What information is collected is up to the “cookie creator”, legitimate site’s cookies collect basic information you have entered to the site in various ways such as filling out or signing up forms.
Cookies are not malware, as a matter of fact, they make the life of the end-user easier by providing functions that make for better interaction between the browser and the web server. At the same time cookies can be abused or sold without your consent and that’s where the whole privacy and security dilemma kicks in. There are some cookies that“watch” the different sites you visit and show interest in, in other words, it profiles your online behavior to deliver the personalized advertisement. This specific has opened a can of legal warms, how legitimate – and not so legitimate -companies handle our information has become a debate in courts around the world.
Another interesting point is that cookies’ control falls on the end user’s domain, meaning we all have the ability to accept or deny cookies on our computers regardless of the OS or browser we use. It becomes, however, a catch 22 for those concerned with privacy, because if you block cookies or restrict them you may not be able to navigate websites properly, but if you allow them without restriction you may fear privacy violations. To address this very issue, some countries around the world adopted what was known as the Cookie Law where websites had to make aware their visitors about what cookies are installed when visiting a site. The law was shortly implemented by many European countries but its enforcement was discontinued after receiving heavy criticism and backslash from the technical and user community. Another less invasive implementation is making available a Privacy Policy that outlines the purpose of information collected information, usage, etc.
There are different categories of cookies and they can be optional depending on the function of the site and the section of the site you are visiting. For instance, you can disable accepting cookies on your computer and still be able to browse many websites such as www.wekipidia.com, www.precisetek.com, www.msn.com, or any other site. However, there are websites that require you to allow cookies in order for you to access them or certain functions in them, sites such as www.bankofamerica.com, www.discoverycard.com, etc., or any other sites that require cookies enabled to deliver a higher level of security.
Let’s go over a couple of examples about how cookies work:
Disable Cookies: You may have your reasons to disable cookies on your browser and create a customized web browser experience. Although it is possible it is very time-consuming as you’d need to provide explicit access to specific sites that require cookies for you to interact with properly. Remember, not all websites require cookies enabled so it will be able to browse without issues for the most part.
If using Internet Explorer you can go to Control Panel Internet OptionsPrivacyAdvanced to modify the settings.
If using Google Chrome you select the Chrome MenuSettingsShow Advanced settings
Close your browser and open it again after making the changes and do an online search. For the most part, you’ll be able to access websites, especially informational sites, that don’t require cookies enabled on your browser. In this case, those sites don’t really see a need to collect information about you. However, there are other sites that do require cookies enabled, if you visit banking websites like www.wellsfargo.com or www.bankofamerica.com you’ll notice that you won’t be able to properly interact with the site. Depending on the browser and its version you may get strange results on some sites with cookies when cookies are disabled, for instance on a basic install of Windows OS with no patches a connection was rejected when trying to access Bank of America’s website, however, Chrome will be able to load the site as it manages cookies slightly different but you won’t be able to do any online banking activity.
IE with cookies disabled accessing Bank of America.
Google Chrome with cookies disabled accessing Bank of America. You can navigate the “general” site but can’t do online banking.
Google Chrome with cookies disabled accessing Bank of America. Can’t successfully access the login portal, the connection is rejected in the form of an unrecognized user.
On another site, however, the outcome is different over both browsers. Wells Fargo, for instance, allows connections to their main page www.wellsfargo.com but if you attempt to do any online banking the connection will be rejected. Again, there are a lot of components that work together in order for web pages to load properly on the web browser. OS updates, applications updates and compatibilities, etc., but for now we’ll concentrate only on cookies.
In both cases, the sites needed cookies at different sections to allow proper access. If we go ahead and enable session cookies you’ll notice that access will be granted as normal, even Bankofamerica will load correctly. So what is then that when cookies are disabled you can’t load the sites properly but when session cookies are enabled you can? We’ll talk about each type of cookie in detail later but for now, you realized the importance of session cookies.
I can proceed and enable the session cookies on IE browser settings and be able to log in without any issues. In this case, the website does not need to install or keep track of my whereabouts but rather needs to keep track of the session, that is why after some time of inactivity you’ll get a message from the browser asking if you are still doing online banking if you don’t respond the session will be closed for your protection.
As you may have already realized browser settings handle cookies a little bit differently so cookie management has a lot to do with the internal architecture of the software.
Do you want complete control over what cookies are installed on your computer? If using IE you can select the option to be prompted before cookies are downloaded to your pc, however, you’ll soon realize it’s not a good idea after all as you’ll be prompted multiple times to allow cookies on every site you visit, an alternative to it would be to create Browser exceptions to override the cookie settings.
When you select the browser option to Prompt before cookies are installed you’ll receive multiple pop-ups asking you if you want to allow the cookies. This behavior is per site and per page.
You can also create Cookies exception by adding sites to the list, you have the power to Allow or Block cookie access that will override the global setting for the specific sites on the list.
So far we have gone over cookies in general and scratched the surface of session cookies but there’s more to it than meets the eye. If you tried the cookie Prompt setting in IE you realized how many cookies are run on every site you visit. You can also spot them by performing a network capture to see how the browser pulls cookies down to your computer as the web pages load.
Let’s talk a bit about First and Third-party cookies:
First-party cookies are “direct” cookies from the website you are visiting and Third-party cookies are cookies belonging to domains other than the one you are visiting, they also can be in the form of java or flash script. When you access a website you can get First and Third-party cookies downloaded to your computer.
In the following example, we visited www.macys.com, first-party cookies are all cookies that fall under the .macys.com domain, as you can see you see segments.macys.com, www3.macys.com, and www1.macys.com. Each has its own unique cookies for the session.
At the same time, when visiting Macy’s website third-party cookies load on your system. In the example below all those you can see cookies from different domains such as helim.adextent.com, criteo.com, etc. are loaded (not in our case since we blocked them) as the site opens. Third-party cookies for the most part are for marketing and web browsing profiling purposes.
As mentioned earlier Third-party cookies can be built on flash, also known as super cookies, they have the ability to collect more information, store on a location different than regular cookies, and be able to load from any web browser calling for flash plugins. If you open the flash setting on your computer you’ll notice the various settings you can customize, including the ability to allow or block how websites store information on your computer.
Different types of cookies: Cookies can be classified differently depending on their function, they are implemented “as needed” on websites depending on what they would like to accomplish, with that in mind let’s go over the most common cookies:
- Authentication Cookies: This type of cookies contains information about user authentication to the site such as user name, password, etc. When you visit a site and log in to it the credentials you entered are temporarily stored on a cookie that will be used to authenticate you as you to navigate other pages in the site. As long as session is active and the authentication cookie in cache the connection will remain active even if you navigate away from the site itself and come back at a later time. The web browser keeps track of authentication cookie, if you close the browser tab you used to access the website from the cookie still active, if you go ahead and close the browser then the session is close. You as see authentication cookies are very convenient is web browsing, however its designed may be abused posing a huge security risk. Sophisticated attacks such as Cross-site-scripting (XSS) and Man in the Middle (MIM) may allow for the exploitation of browser vulnerabilities allowing an attacker to access the cookie files from memory to authenticate as that user without know the credentials.
- Session Cookies: Conceptually speaking session cookies store information in memory (RAM) about your current web browsing session and once your web browser is closed the session cookies are erased. This type of cookies don’t store personal or system information like other cookies do but rather creates an identifier and stored on the server to maintain the connection active. In our previous examples we disabled session cookies when browsing Bank of America and Wells Fargo websites, we were able to browse through some functionalities but we couldn’t access the “secured” section of the site. Session cookies need to be enable for the server to interact securely with the web browser by maintaining an identifier as the users navigates the site.
- Persistent Cookies: These are cookies that last longer (is up to the developer), retrieve information about your last session and present it to the website when revisiting it the website. All persistent cookies have an expiration date, if they don’t then they are session cookies which will be deleted when the browser is closed. The expiration date varies and it could be anything between hours and years. As time goes by your web browsers keeps on storing persistent cookie file on your computer, even if the cookie expiration date is past due the file still remain on your computer. Depending on the browser you are using you can set a limit to the amount of hard disk space allocated for temporary internet files (which include cookies) or you can delete the cookies all together.
- Secure Cookies: This is an attribute that flags the cookies as having the ability to transmit information over HTTP and HTTPS, meaning that they should not be accessed from JavaScript thus offering a level of protection against XSS vulnerabilities.
General Questions and casual answer:
- Are cookies evil?: not necessarily but it all depends what your definition of evil is. As stated earlier, many website have legit use for it to provide a secure and personalized service to users. The issue arises when those cookies are exploited by the company whose website you are accessing and third party companies. Though so far cookies do not spread viruses or malware they are fertile ground adware and may pose an invasion of privacy if the collected information is misused.
- Can I disable cookies: yes you can, however you may encounter issues when accessing website that require cookies to offer the end user a desired session, there are even website that won’t allow you to connect if you don’t allow cookies.
- Will my computer work faster if I delete the cookies: Unless cookies are taking up a lot of space on your computer deleting cookies will not have any real impact on its general performance, However you will see an improve in your web browsing activity.
- Can I see what information the cookies collect? Not really, they are not files in a readable format for you to edit, they simply hold information usable to the websites you are accessing.
- Is there a way to completely erase your web browsing history? You can use your browser setting to delete the browsing history and all stored cookies, this by no means represents total anonymity. You can also use web browser options such as: InPrivate Browsing, Igcognito, Turnon Tracking Protection if you worry and cookies stored on your pc.
For many people cookies are a privacy concern, for a smaller number cookies represent a security issue. There are different ways to achieve a higher level of privacy security during web browsing, things such as InPrivate Browsing, Incognito, Enable Tracking protection, installing browser security plug-ins, setting your browser to delete cookies after the session ends, and even using Tor browser for your online activity. The truth is that total anonymity takes more than that and if it’s something you are looking for your lifestyle will change dramatically to avoid leaving traces.
_____________________________________________________________________________
About us: JDTechSolutions is a Managed IT service company providing technical support services to small and mid-sized businesses in Northern NJ and the NYC area. We align technical solutions with business goals to help them increase productivity and automate processes, our area of expertise is in desktop support, network administration, information security, and project management services. Contact us for more details about our services and solutions.
