Cookies

From MgmtWiki
Revision as of 08:11, 30 May 2018 by Tom (talk | contribs) (Tracking)

Jump to: navigation, search

Full Title and Meme

Cookies are chunks of data that are placed in a user agent (typically a browser) that allow a web site to maintain continuing of user experience.

The problem with cookies is the power that it gives the web site, or a widget hosted on the web site to track the user.

Context

History

Starting from the entry on HTTP Cookie in Wikipedia we find that Lou Montulli of Netscape ported cookies from Unix to the Mosaic browser to enable an e-commerce application that was requested by Vint Cert, inter alia in 1994. The point was to save state on the client computer rather in the browser. While this was not the only solution to create session state between the user (as a client) and the web site (as a server), it proved to be the most flexible. David Kristal at Bell Labs started the standardization process in April 1995[1], the same time Netscape applied for a patent. The IETF issued RFC 2106 in February 1997. By then advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was superseded by RFC 2965 in October 2000.

RFC 2965 added a Set-Cookie2 header, which informally came to be called "RFC 2965-style cookies" as opposed to the original Set-Cookie header which was called "Netscape-style cookies".[2][3] Set-Cookie2 was seldom used however, and was deprecated in RFC 6265 in April 2011 which was written as a definitive specification for cookies as used in the real world.[4]

Problems

Tracking

One of the things that web sites are permitted to do is store cookies within your browser that are

The RFC 2109 recommends that users be aware of the data stored on the user's computer and be given the power to accept or reject that action. Technically this is true of modern browsers, but as a practical matter normal users are not expected to know how to find the controls for the cookie, and certainly not the cookie itself, which is stored in hidden folders and is typically encrypted and at least encoded in non legible format.

Security

The first of the Laws of Security says that if an attacker can run code on your computer, it is not your computer any longer. Ever since JavaScript became necessary to render most web pages, the page that you see on your browser is running code that is not under your control. If it's not your computer, an attacker can do anything that the code allows it to do, including just hijacking the computer power for its own purposes. In particular it can

Solutions

References

  1. Kristol, David; HTTP Cookies: Standards, privacy, and politics, ACM Transactions on Internet Technology, 1(2), 151–198, 2001 arXiv:cs/0105018v1 [cs.SE])
  2. {{#invoke:citation/CS1|citation |CitationClass=web }}
  3. The edbrowse documentation version 3.5 said "Note that only Netscape-style cookies are supported. However, this is the most common flavor of cookie. It will probably meet your needs." This paragraph was removed in later versions of the documentation further to RFC 2965's deprecation.
  4. {{#invoke:citation/CS1|citation |CitationClass=web }}