Web-browser cookies, you either love or hate them. There is no in between. Well, get ready to be either more in love or more upset.
Like most technical aspects of the Internet, cookies seemed to make sense when they were first introduced. In some regards, they're still useful. But, there's a dark side. Cookies can be used to track our movement on the Internet and many say, that's not right.
What exactly is a cookie?
Technically, a cookie is a benign piece of text originating at the web server and sent to the web browser, where it is stored in preparation for the user's next visit. Cookies can be used to automate web site authentication, retain web site preferences, shopping choices, or other bits of information intended to facilitate the visitor's experience.
There are two types of HTTP cookies. First-party cookies are sent from the web server listed the address bar. Third-party cookies arrive from different web servers usually serving ads on the displayed web page.
Not being associated with the currently-displayed domain, third-party cookies allow advertisers to compile an online history of users. The ad companies then use behavioral targeting to serve directed ads. This is where it gets complicated. Do you allow your movements on the Internet to be tracked, just to get ads that are better-suited for you?
In an on-going struggle, advertisers develop evermore-persistent cookies. Then, security experts devise new ways to prevent cookies from being installed. Each web browser has its own way of handling cookies. Check the web-browser options or preferences tab. Privacy pundits suggest at least disallowing third-party cookies.
Last year, a new type of cookie was quietly introduced. It's officially called the Local Shared Object (LSO), commonly called a Flash cookie. More persistent than HTTP cookies, it requires additional-web browser extensions to remove.
The cookie war continues
For the most part, users control what cookies are installed. That's about to change. While researching an article, I came across Samy Kamkar's (@samykamkar) web site, Evercookie—never forget. The title grabbed my attention. What is an Evercookie? Here is Mr. Kamkar's description:
Here we go again.
If the name Samy Kamkar sounds familiar, it's because he is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. Currently, he's an independent security researcher and co-founder of Fonality Inc., an IP PBX company.
However, Evercookie not only uses the cookie, but a number of other locations such as Flash cookies, Silverlight isolated storage, and various locations of HTML5 storage. When a user deletes their standard cookies, the other locations remain and are able to rebuild the original cookie.I built Evercookie as a proof of concept, wanting to show how web sites are able to track users even if they delete standard cookies and LSOs. Evercookie also sheds light on the fact that there are numerous methods for storing cookies locally. Finally, Evercookie acts as a litmus test for users who want to see if they're protected from web sites that track like this. TechRepublic: Several experts have commented that the following two storage methods are brilliantly devious.
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
Could you explain what they are and why the experts feel that way?Samy Kamkar: Storing cookies in the PNG image is interesting, since an image is really just data. The data you want to store gets converted to color values. The color values are strung together in an image to produce a PNG file.
Evercookie then tells the browser to store that image for 30 years in its cache. When the user returns to the site, the image is accessed via cache and the page then reads each pixel of the image, extracting the colors from each pixel. The colors are converted back to text which produces the original cookie data.
Storing cookies in web history uses an interesting feature of web browsers.
Let's assume the cookie data we want to store is "bcde". Evercookie then accesses the following URLs in the background:
These URLs are now stored in the browser's history. When checking for a cookie, Evercookie loops through all the possible characters on google.com/Evercookie/cache/, starting with "a" and moving up, but only for a single character.
"I hope Evercookie simply demonstrates to people what types of methods are being employed to track them and to decide whether or not they want to prevent those methods. Evercookie took less than a day to create for me as a security hobbyist, so I can only imagine the technology that funded developers is producing."
What are your thoughts about the pending lawsuits related to cookies and their ability to track online travels?Samy Kamkar: I'm not sure it's enough of an issue that lawsuits are necessary, but I do believe users should have the full right to prevent any web site from tracking them. I also believe the web browser should make it extremely easy for a user to prevent this sort of tracking. However, no web browser currently makes it easy to do. I'm hoping Evercookie can spawn some new features that will make it easy to prevent Evercookie-like tracking.
Removing the Evercookie
Mr. Kamkar was correct. I found two researchers who have developed methods to remove Evercookies. Jeremiah Grossman founder and CTO of WhiteHat Security has written a blog showing how to remove the Evercookie from Chrome and Firefox. Dominic White a security consultant working for SensePost has written a tool for removing Evercookies from Safari.
I asked Mr. Kamkar if these were indeed solutions:
"It appears they provide information on how to remove the Evercookie. It's just such a cumbersome and difficult process that the typical user would not make use of them."
A special thanks to Mr. Kamkar — I asked a lot of questions.