11 Cookie Uses: Tracking across Multiple Sites
A web page often contains objects (images, scripts, frames) from other sites. When the browser retrieves these objects from sites the user may not know about, those sites may set cookies. These cookies are called third-party cookies. Cookies set by the site shown in the browser's address bar are called first-party cookies. Modern browsers, such as Mozilla Firefox, Internet Explorer and Opera, allow third-party cookies by default, although users can change the settings to block them.
There is no inherent security risk in third-party cookies (they do not harm the user's computer) and they make a lot of web functionality possible; however, some internet users disable them because they can be used to track a user browsing from one website to another. This tracking is most often done by on-line advertising companies to assist in targeting advertisements.
For example: suppose a user visits www.domain1.com and an advertiser sets a cookie in the user's browser, and the user later visits www.domain2.com. If the same company advertises on both sites, the advertiser knows that this particular user, who is now viewing www.domain2.com, also viewed www.domain1.com in the past, and may avoid repeating advertisements.
12 Cookie Privacy Concerns and Misconceptions
In 2005, Jupiter Research published the results of a survey according to which some people believed some of the following false claims:
─ Cookies are like viruses in that they can infect the user's hard disks
─ Cookies generate pop-ups
─ Cookies are used for spamming
─ Cookies are used only for advertising
In 1998, CIAC, a computer incident response team of the United States DoE, found the security vulnerability caused by cookies "essentially nonexistent" and explained that "information about where you come from and what web pages you visit already exists in a web server's log files".
The possibility of building a profile of users is considered by some a potential privacy threat, especially when tracking is done across multiple domains using third-party cookies. For this reason, some countries have legislation about cookies.
Third-party cookies can be blocked by most browsers to increase privacy and reduce tracking by advertising and tracking companies without negatively affecting the user's Web experience.
13 Secure Cookie Scheme - Requirements
Authentication
─ Login phase
─ Subsequent-requests phase
Confidentiality
─ Need to set the "secure" flag. Then this cookie is only sent over SSL.
Integrity
─ Need to detect whether a cookie has been tampered with.
Anti-replay
─ Detect replay of stolen cookies.
14 Insecure Cookie Schemes
Example of a silly mistake:
─ Shopping cart software:
  ● Set-Cookie: shopping-cart-total = 100 ($)
─ User edits the cookie file (cookie poisoning):
  ● Cookie: shopping-cart-total = 1 ($)
The server trusts the client-supplied total, so the edited value is accepted as the price.
Not so silly ones: http://xforce.iss.net/xforce/xfdb/4621
─ D3.COM Pty Ltd: ShopFactory 5.8
─ @Retail Corporation: @Retail
─ Adgrafix: Check It Out
─ Baron Consulting Group: WebSite Tool
─ ComCity Corporation: SalesCart
─ Crested Butte Software: EasyCart
─ Dansie.net: Dansie Shopping Cart
─ Intelligent Vending Systems: Intellivend
─ Make-a-Store: Make-a-Store OrderPage
─ McMurtrey/Whitaker & Associates: Cart32 3.0
─ pknutsen@nethut.no: CartMan 1.04
─ Rich Media Technologies: JustAddCommerce 5.0
─ SmartCart: SmartCart
─ Web Express: Shoptron 1.2
15 Recommended Cookie Scheme
Kevin Fu identified the vulnerabilities in many home-brewed cookie schemes:
─ Dos and Don'ts of Client Authentication on the Web. Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster. In Proceedings of the 10th USENIX Security Symposium, Washington, D.C., August 2001.
─ Example (authentication cookie = user name concatenated with crypt output):
  username     crypt output      authentication cookie
  bitdiddle    MaRdw2J1h6Lfe     bitdiddleMaRdw2J1h6Lfe
  bitdiddler   MaRdw2J1h6Lfc     bitdiddlerMaRdw2J1h6Lfc
Recommended Cookie Scheme:
  user name | expiration time | data | HMAC_k(user name | expiration time | data)
The HMAC under the server's master key k binds the user name, the expiration time and the data together, so editing any field invalidates the tag, and the expiration time bounds how long a stolen cookie can be replayed.
Further improvement: data can be encrypted by a temporary key generated using the user name, the expiration time, and the master key k.
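The following Python is an added example, not code from the slides or from the Fu et al. paper. It implements the recommended user name|expiration time|data|HMAC_k(...) scheme and runs the shopping-cart cookie-poisoning case from slide 14 against it, alongside the insecure "trust the cookie value" variant. The master key, clock value and cookie contents are constructed for the demo; the confidentiality extension (encrypting data under a derived key) is not shown.

```python
import hashlib
import hmac

SEP = "|"  # field separator; fields containing it are rejected so boundaries cannot shift

def make_cookie(username: str, expires: int, data: str, key: bytes) -> str:
    """Build  user name|expiration time|data|HMAC_k(user name|expiration time|data)."""
    fields = [username, str(expires), data]
    if any(SEP in f for f in fields):
        raise ValueError("field contains separator")
    body = SEP.join(fields)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + SEP + tag

def verify_cookie(cookie: str, key: bytes, now: int):
    """Return (username, data) only if the tag matches and the cookie is unexpired, else None."""
    parts = cookie.split(SEP)
    if len(parts) != 4:
        return None
    username, expires_s, data, tag = parts
    body = SEP.join([username, expires_s, data])
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a byte-by-byte early exit would leak the tag through timing.
    if not hmac.compare_digest(expected, tag):
        return None
    # Expiry check bounds replay of a stolen cookie to its validity window.
    if not expires_s.isdigit() or now >= int(expires_s):
        return None
    return username, data

def cart_total_insecure(cookie_value: str) -> int:
    """The 'silly mistake' from slide 14: the server trusts the client-supplied total as-is."""
    return int(cookie_value)

def cart_total_signed(cookie: str, key: bytes, now: int):
    """Hardened variant: the total is only read from a cookie whose HMAC verifies."""
    result = verify_cookie(cookie, key, now)
    if result is None:
        return None
    _user, data = result
    return int(data.removeprefix("total="))

# Constructed demo values (not from the slides): master key k, a fixed clock, one good cookie,
# and a poisoned copy where the data field was edited but the old tag was kept.
KEY = b"constructed-master-key-k"
NOW = 1_700_000_000
GOOD = make_cookie("bitdiddle", NOW + 3600, "total=100", KEY)
POISONED = GOOD.replace("total=100", "total=1")

if __name__ == "__main__":
    print(cart_total_insecure("1"))                  # insecure scheme accepts the edited total
    print(cart_total_signed(GOOD, KEY, NOW))         # 100
    print(cart_total_signed(POISONED, KEY, NOW))     # None: HMAC mismatch
    print(cart_total_signed(GOOD, KEY, NOW + 7200))  # None: expired, replay rejected
```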