The Dark Side of Cookies

One of the joys of continuing my education is getting to write a mini-article once a week for my fellow students and instructors. I’ve decided to share some of the better ones here. B.

Long ago, in what sure seems like a galaxy far, far, away, I got a job working for a small ISP in the Inland Empire in California. We were literally in the attic above a Birkenstock store in the Claremont Village shopping center. Back then, AOL was cool and still on the rise, rotary phones were still common, and this whole “world wide web” thingy was just taking off.

Yep, I remember the web before JavaScript, CSS, SSL, and before cookies.

Each of the technologies listed above was invented to solve a problem. JavaScript made mouse rollovers possible, among other client-side special effects. CSS let us move away from using tables and frames for webpage layout. SSL introduced the first practical security implementation for the web and made ecommerce viable. And then there were cookies.

You see, the problem with web browsing was and is that it is “stateless.” The web was never intended for all the uses we take for granted today. It was intended as a way for scientists to share information in a platform-independent manner. When Tim Berners-Lee wrote the first proposal for the World Wide Web in 1989, Mac and Windows systems really did not play well together, and if you were using a NeXT system or any flavor of UNIX, you could forget all about sharing documents with anyone using a different kind of system than you did. This was a big problem at CERN, where Sir Tim[1] worked (“A short history of the web,” n.d.).

Fast forward a mere five years, to 1994. By the end of that year, more than 10,000 web servers were running around the world (“A short history of the web,” n.d.). While a lot of people didn’t see the point of this web thingy, quite a few businesses realized that the web opened up new ways to both market and sell goods and services. But the stateless nature of the web was a serious problem. If every single request sent to a web server arrived without any context or memory of the user’s earlier actions, there was no way for a potential customer to put anything into a virtual shopping cart.

Cookies to the rescue! Sort of…

Browser cookies, in case you didn’t know, are small pieces of data that a web server hands to your browser (in a Set-Cookie response header) and that the browser stores and sends back with every later request to that site. Each web browser stores them a little differently, with some keeping them as separate text files and others putting them in a database file alongside profile information and settings data (“Cookies – Information that websites store on your computer,” n.d.). The reason that cookies exist is to provide persistence of data from one client/server interaction to the next (Richardson & Thies, 2013, p. 328).

The problem security-wise isn’t necessarily the cookies themselves. Rather it is how they are used.

First, understand that the browser does NOT encrypt cookies. Whatever a server puts in a cookie is stored and echoed back verbatim. Over plain HTTP the cookie travels in cleartext, where anyone listening on the path can read it (BÎZGĂ, 2021); over HTTPS the transport is protected, but the value is still readable to the browser itself, to any script on the page unless the cookie is marked HttpOnly, and to anyone with access to the browser profile on disk. So, if a web developer stores PII or other sensitive information in a cookie, that data may as well be posted in public. A cookie should carry nothing more than an opaque session identifier, with the sensitive data kept on the server, and it should be set with the Secure and HttpOnly attributes so the browser refuses to send it over plain HTTP or expose it to page scripts.

Then there are tracking cookies used by Google, Facebook, and other companies heavily invested in online advertising. They are used to track user behaviors across as many websites as possible, building ever more detailed profiles so that marketing campaigns can be tailored more and more effectively against you (“What are computer cookies?,” 2021). As someone who has used Google Analytics for years and on multiple websites, I can vouch for how much detailed information Google shares with people who are using its free tools. I can only imagine how much more data they harvest and use for their own ends.

And then there are “super-cookies” and browser fingerprinting, which combine cookies with other browser traits to track you even when you go incognito (“What are computer cookies?,” 2021). Fingerprinting gathers more in-depth information about your browser, your network, and your device, and combines it into a set of characteristics that is mostly unique to you. The data profile can include the language you use, your keyboard layout, your time zone, whether you have cookies turned on, the version of the operating system your device runs, and much more (Burgess, 2022). Because none of that is stored as a cookie, clearing cookies does nothing to reset it.

The unfortunate reality is that, while cookies were created to solve one set of problems, once the web became mainstream, lots of people figured out ways to leverage them for their own ends. Some of those uses may seem innocuous on the surface, but in an age where data can and will be used against you by marketing types, malicious actors, and even by governments, the ability to track your online habits can become a serious threat to individual privacy and, by extension, your very life.

References

BÎZGĂ, A. (2021, October 1). The good, the bad and the ugly side of internet cookies. Bitdefender. https://www.bitdefender.com/blog/hotforsecurity/the-good-the-bad-and-the-ugly-side-of-internet-cookies/

Burgess, M. (2022, February 26). The quiet way advertisers are tracking your browsing. Wired. https://www.wired.com/story/browser-fingerprinting-tracking-explained/

Cookies – Information that websites store on your computer. (n.d.). Mozilla Support. https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

Richardson, T., & Thies, C. N. (2013). Secure software design. Jones & Bartlett Publishers.

A short history of the web. (n.d.). CERN. https://home.cern/science/computing/birth-web/short-history-web

What are computer cookies? (2021, September 16). Malwarebytes Labs. https://blog.malwarebytes.com/malwarebytes-news/2021/09/what-are-computer-cookies/


[1] Berners-Lee was knighted due to his work creating and developing web technologies.
