This paper will discuss “how cookies are used on the Internet and the risks associated with cookies”. The essay will explain what computer cookies are, how they are used, the security issues that are associated with them and whether they are needed for Internet browsing.
Cookies are used by many commercial websites to carry state from one page to the next; however, they can also be used for more sinister purposes, which is why browsers allow a user to turn the storing of cookies off. A cookie is a small piece of data that a server sends to the browser and that the browser returns with every later request to the same site; it is what allows the server to recognise a returning user. HTTP itself is stateless: when a user is browsing the Internet, the server that provides the website does not know who they are from one request to the next.
This is not a problem when the user visits static websites. However, when a user visits an interactive website that requires them to log in or that keeps a shopping list, the site does need to remember who the user is (Schneier, 2004:171). If it could not, the user would have to log in again on every page within the same company’s website, and a shopping cart would be lost when the browser moved from a main page to the checkout page (All about cookies, 2011). The way the site remembers this information is by using a cookie. Cookies come in two forms: session (temporary) and persistent. A session cookie is held in the browser’s memory and is discarded when the browser is closed.
This type of cookie is used so the server can remember what activity has taken place across a website. It is useful on an e-commerce site with a shopping cart, because the site needs to remember what has been placed in the cart as the user moves between pages and ultimately to the checkout page. Without a cookie, the cart would appear empty on every new page visited within the same website (All about cookies, 2011). A persistent cookie is stored on the computer’s hard drive as a file and is kept for whatever lifetime the server sets when it issues the cookie (Pfleeger & Pfleeger, 2006: 434). It is used for remembering login details and preferences so that each time a user visits a website the server remembers their selections; an example is the language the user has chosen to view the website in (All about cookies, 2011).
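The distinction between session and persistent cookies is visible in the Set-Cookie header the server sends: a cookie is persistent only if the server gives it an Expires or Max-Age attribute; with neither, the browser discards it when it closes. The following Python is an added illustration, not code from any of the cited sources. It parses Set-Cookie headers, classifies each cookie, and flags the protective attributes (Secure, HttpOnly) a reviewer would look for; the three sample headers are constructed for the example and the cookie names in them are invented.

```python
"""Parse Set-Cookie headers and tell session cookies from persistent ones."""
from dataclasses import dataclass, field
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    expires: Optional[datetime] = None   # absolute expiry from Expires=
    max_age: Optional[int] = None        # lifetime in seconds from Max-Age=
    secure: bool = False                 # only sent over HTTPS
    http_only: bool = False              # not readable by page scripts
    other: dict = field(default_factory=dict)  # Path, Domain, SameSite, ...

    @property
    def persistent(self) -> bool:
        """Persistent only if the server gave the cookie a lifetime."""
        return self.max_age is not None or self.expires is not None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            try:
                cookie.expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass  # malformed date: browsers ignore the attribute too
        elif key == "max-age":
            if val.lstrip("-").isdigit():
                cookie.max_age = int(val)
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        else:
            cookie.other[key] = val
    return cookie


def classify(header: str) -> str:
    """'session' or 'persistent' for one Set-Cookie header."""
    return "persistent" if parse_set_cookie(header).persistent else "session"


def audit(header: str) -> list:
    """Findings a reviewer would raise about a single Set-Cookie header."""
    c = parse_set_cookie(header)
    findings = []
    if not c.secure:
        findings.append("missing Secure: sent in clear over plain HTTP")
    if not c.http_only:
        findings.append("missing HttpOnly: readable by scripts in the page")
    if c.max_age is not None:
        findings.append(f"persistent for {c.max_age // 86400} days (Max-Age)")
    elif c.expires is not None:
        findings.append(f"persistent until {c.expires:%Y-%m-%d} (Expires)")
    return findings


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "SESSIONID=3f9a1c; Path=/; HttpOnly; Secure",
    "lang=en-GB; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "adtrack=u84712; Max-Age=31536000; Domain=.example.com; SameSite=Lax",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h), "-", h)
        for finding in audit(h):
            print("   ", finding)
```

Run as a script it prints the class of each sample cookie and its findings: the session cookie is clean, the language preference is persistent but unprotected, and the year-long tracking cookie is the one a privacy review would question.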
The whole idea is to make the browsing experience more pleasant. Persistent cookies are also used to track the websites a user visits, so that advertisements can be targeted at specific users. This means that “cookies can reduce the chance that a 25 year old single man is served an ad for diapers when he goes on his favourite sports site” (ARA, 2005). Many reputable sites, including Google, Yahoo and Sesame Street, use this method to target adverts (Penenberg, 2005). However, the method raises concerns about the privacy of users, as profiling software can infer many aspects of a user’s identity with fair precision: gender, race, age, income, religion, location, marital status, children, pets and sexual orientation. A public outcry followed, and for this reason it has been possible to turn cookies off in Internet Explorer since version 3 (Kayne, 2011), which was released in 1996.
In 2009 the European Union passed a law on the way cookies are used by websites based in Europe. Under it a cookie may not be placed unless the user has been told what it is for and how it works and has given consent for it to be placed (Chacksfield, 2009); the only exception is a cookie that is strictly necessary for the service the user has requested, as in the case of an e-commerce shopping cart (Robertson, 2009).

Security issues are associated with cookies because the nature of a cookie is to hold data; normally this is a session identifier or login details, but it can be anything the site chooses to record. “Cookies can store anything about a client that a browser can determine: keystrokes the user types, the machine name, connection details (such as IP address), date and type, and so forth.” (Pfleeger & Pfleeger 2006: 434) This becomes a security issue because a cookie is data held by the client and sent back by the client: it carries no protection of its own, so unless the server adds a signature or other integrity check it has no way of confirming that the cookie it receives is the one it issued. In addition, not all companies encrypt cookies, or the connection that carries them.
When a cookie travels unencrypted, “an eavesdropper can steal and reuse the cookie, impersonating a user indefinitely.” (ibid: 236) Cookie poisoning is another problem: it is the modification of the data inside the cookie by the client that holds it. Because the server may trust that data, this can bypass security mechanisms, letting an attacker obtain unauthorised information about another user and then steal their identity (Imperva, 2011). Cookie poisoning is a form of parameter tampering, in which an attacker modifies values in hidden or fixed fields that the application never expected a user to change. Where such a field is the only check for a given operation, the attack is particularly useful to an attacker, because a cookie can hold sensitive information about the user, such as their identity or privilege level.
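The integrity problem and the cookie-poisoning attack described above can be shown directly. The Python below is an added example, not code from any of the cited sources. It assumes a site that keeps the user’s name and role in a cookie named profile, and a server secret (a placeholder here; a real server would load it from a secrets store). The first server trusts the cookie’s contents, so an attacker who edits the role field in their own cookie becomes an administrator; the second appends an HMAC-SHA256 tag to the cookie and rejects any cookie whose tag does not verify. The request headers are constructed for the example.

```python
"""Cookie poisoning against a trusted cookie, and an HMAC-signed cookie that resists it."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Placeholder only: a real server loads its key from a secrets store, never from source.
SECRET_KEY = b"example-key-for-illustration-only"


def _b64e(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is safe inside a cookie."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_cookie_header(header: str) -> dict:
    """Split the Cookie request header into a name -> value mapping."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


# --- Vulnerable design: the server believes whatever the cookie says ---------

def make_plain_cookie(user: str, role: str) -> str:
    return _b64e(json.dumps({"user": user, "role": role}).encode())


def role_from_plain_cookie(cookie_value: str) -> str:
    """No integrity check: the client's edits are accepted as fact."""
    return json.loads(_b64d(cookie_value))["role"]


def poison(cookie_value: str, **changes) -> str:
    """The attacker's step: decode, edit fields, re-encode. No secret needed."""
    data = json.loads(_b64d(cookie_value))
    data.update(changes)
    return _b64e(json.dumps(data).encode())


# --- Hardened design: payload plus an HMAC-SHA256 tag over it -----------------

def make_signed_cookie(user: str, role: str, key: bytes = SECRET_KEY) -> str:
    payload = _b64e(json.dumps({"user": user, "role": role}).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def role_from_signed_cookie(cookie_value: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Recompute the tag and reject the cookie unless it matches (constant-time compare)."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(_b64d(payload))["role"]
    except (ValueError, KeyError):
        return None


def poison_signed(cookie_value: str, **changes) -> str:
    """Same edit against the signed cookie: the payload changes, the old tag stays."""
    payload, _, tag = cookie_value.rpartition(".")
    return poison(payload, **changes) + "." + tag


if __name__ == "__main__":
    # Constructed requests: the browser returns the site's cookie on a later visit.
    plain = make_plain_cookie("alice", "user")
    request = parse_cookie_header(f"profile={poison(plain, role='admin')}; lang=en")
    print("vulnerable server sees role:", role_from_plain_cookie(request["profile"]))

    signed = make_signed_cookie("alice", "user")
    request = parse_cookie_header(f"profile={poison_signed(signed, role='admin')}; lang=en")
    print("hardened server sees role:", role_from_signed_cookie(request["profile"]))
```

The tag gives integrity only: the payload is base64, not encrypted, so anyone holding the cookie can still read the user’s name and role, and an eavesdropper who captures the whole cookie, tag included, can replay it. Confidentiality and protection against that replay come from sending the cookie only over TLS with the Secure attribute set, which is the separate point the quoted eavesdropping warning makes.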
Other parameter attacks, including SQL injection, cross-site scripting and buffer overflow, can also be carried out through a poisoned cookie, since the cookie’s value is input that the server processes like any other (Imperva, 2011).

In conclusion, if cookies are used for the purpose they were intended they are a good thing. They make browsing a more pleasant experience by saving the user’s preferences, which means a website tailored to the user’s likes. They also provide a platform for marketers to target adverts at a specific user, meaning that user sees adverts for things they are more likely to buy.
As with anything carried over a network there are security risks, from cookie poisoning and from the privacy concerns; however, with browsers allowing cookies to be switched off, the user can limit the privacy concerns, while the poisoning risk is for the site to address by not trusting cookie contents it cannot verify.