Full Title and Meme

Cookies are chunks of data that are placed in a user agent (typically a browser) that allow a web site to maintain context of user experience, more commonalty called state data.

The problem is the capability to track the user that cookies give to the web site, or a widget hosted on the web site. This capability has been targeted by privacy regulations that are not effective.

Context

Cookies have been targeted as evil primarily due to tracking of the user (the second party) by the web site (the first party) and by other widgets hosted by the web page (the third party).

But as we will see below, third party cookies have other security vulnerabilities that are potentially more severe.

Third Party Cookies

Third party cookie is the current term of art for which RFC 2109 used the more descriptive term unverifiable; to quote from the RFC:

  A transaction is verifiable if the user has the option to review the request-URI prior to its use in the transaction.
  A transaction is unverifiable if the user does not have that option.
  Unverifiable transactions typically arise when a user agent automatically requests
  inlined or embedded entities or when it resolves redirection (3xx) responses from an
  origin server.  Typically the origin transaction, the transaction
  that the user initiates, is verifiable, and that transaction may
  directly or indirectly induce the user agent to make unverifiable transactions.

History

Starting from the entry on HTTP Cookie in Wikipedia we find that Lou Montulli of Netscape ported cookies from Unix to the Mosaic browser to enable an e-commerce application that was requested by Vint Cert, inter alia in 1994. The point was to save state on the client computer rather in the browser. While this was not the only solution to create session state between the user (as a client) and the web site (as a server), it proved to be the most flexible. David Kristal at Bell Labs started the standardization process in April 1995 ^[1], the same time Netscape applied for a patent. The IETF issued RFC 2109 "HTTP State Management Mechanism" in February 1997. By then advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was superseded by RFC 2965 in October 2000 and it remains as a listed standard in May 2018.

RFC 2965 added a new definition of cookie that was deprecated in RFC 6265 in April 2011 which was written as a definitive specification for cookies as used in the real world. ^[2] This RFC is also a standards track document, but it is not listed in IEFT STD 1 (May 2018) which leaves the question as to what a standard cookie is right now. But that is merely a technical issue as the world of cookies seems to have been standardized by fiat.

Problems

Security

The first of the Laws of Security says that if an attacker can run code on your computer, it is not just your computer any longer. Ever since JavaScript became necessary to render most web pages, the page that you see on your browser is almost certainly running code that is not under your control. If it's not your computer, an attacker can do anything that the code allows it to do, including just hijacking the computer power for its own purposes. In particular it can save cookies and communicate with any site on the web that is not blocked by a firewall. that is why the term "Unverified Transactions" is better than "Third Party Cookie". It gives the real threat posed by these chunks of code.

A large amount of effort has been expended to block vulnerabilities, like cross-site scripting attacks, that could have been avoided by blocking third party cookies. The monetary benefit of advertising, and user unwillingness to directly pay for the content that they consume has resulted in the current payment structure for the internet. It is not likely that attempts to block third party cookies will make any headway until some other payment mechanism is created.

Privacy

Recall that the original Warren and Brandeis definition of the right to privacy was the right to be let alone. In the web that would mean the right not to be tracked.

One of the things that web sites are permitted to do by the HTTP protoocol is store cookies within your browser that are normally returned to the origin web site whenever the user sends any request or posts any data to that site. The RFC 2109 recommends that users be aware of the data stored on the user's computer and be given the power to accept or reject that action. Technically this is true of modern browsers, but as a practical matter normal users are not expected to know how to find the controls for the cookie, and certainly not the cookie itself, which is stored in hidden folders and is typically encrypted and at least encoded in non legible format. In the case of first party cookies it can be argued that the user consented to the user experience of the origin site which includes cookies. In the case of advertisement space sold to the highest bidder, neither the user nor the web site has any knowledge of the identity of the code that is running in the iFrame hosting that advertisement. Ad blockers that impact all cookies will likely have adverse impact on the user experience. There is no such justification for code running on the user's computer from some unknown site, especially since the security boundary between an iFrame and the main web page is known to be porous. Blocking cross-site scripting attacks is an art that has been mastered by few web masters. That does not impact the money that web sites can get from hosting advertisements that are sold to the highest bidder, it is just too profitable to host them.

Solutions

• The original RFC 2109 proposed that users be given control of what cookies are stored on their computer. Even though this was never tried by a browser in wide deployment, the projected and actual volume of cookies and their opacity to the browser makes that proposal unlikely of success no matter how much work is thrown at it.

• Vendor Relationship Management (VRM) was proposed in the book The Intention Economy^[3] as a way to let the customer take charge. Which is the same solution of RFC 2109 that did not work. Customers just want to complete the transactions, not to make multiple trust decisions first. Not that trust is unimportant. As Amazon has shown the customer wants to make trust decisions only very seldom, and then stick with that decision until they are disappointed.

References

1. ↑ Kristol, David; HTTP Cookies: Standards, privacy, and politics, ACM Transactions on Internet Technology, 1(2), 151–198, 2001 arXiv:cs/0105018v1 [cs.SE])
2. ↑ Jeff hodges and Bill Corry'HTTP State Management Mechanism' to Proposed Standard [1]
3. ↑ The Intention Economy Doc Searls, Harvard Business Review Books 2012 ISBN:9781422158524