Last Updated: 2007-10-29 01:43:47 UTC
by William Stearns (Version: 3)
It's tuesday morning, and your morning briefing is for a group of new employees. You have a bunch of network and security topics to cover in a short time, and the audience is generally non-technical.
What do you tell them about cookies? What risks are there, and what risks have been blown out of proportion? What straightforward practical steps can they take to minimize privacy issues? Have you done some behind-the-scenes work for them in setting up their applications to similarly protect their privacy?
I'll update the diary with your tips; please submit them at http://isc.sans.org/contact.html .
Cookies have an odd role in the security debate. They get lumped in with malware, trojans, and other exploits. This gets confusing for non-technical users; it sounds like cookies can capture keystrokes and take over their machines.
The first thing I try to make clear is that cookies are a privacy issue. The servers at the other end of a web session can remember who you are and what rights you have; this is generally a good thing. If you don't want this, don't log in to that site or even create an account.
They can also track what IP addresses you use and what pages you visit in what order, whether you sign up for an account or not. This raises an interesting question; is it a problem if, for example, Barnes and Noble knows what pages you visit?
The theory is that cookies should only be served up from the web site you're visiting. But what about cookies associated with content served up by sites like Doubleclick? The privacy issues become much more severe here; Doubleclick and similar sites can track your actions across all the sites they serve (for some more coverage of this, see http://www.spywarewarrior.com/uiuc/btw/browser-sec-intro.htm#cookies ).
Since we can't know how this tracking information is used, I encourage coworkers and friends to disable cookies in their web browsers. For the sites that they trust that do require cookies, most browsers allow exceptions.
Here are some tips submitted by readers:
- Someone sniffing your web sessions may be able to capture the cookies coming back from the web server and take over your login.
- Don't log into your online bank, credit cards, company web sites from Internet Cafes or airports.
- Make sure that the site reads https:// before submiting userid and passwords.
- Make sure the URL/Domain you are at is the one you meant to go to. A link that says "https://your-bank.com" is not the same as "https://yourbank.com"
- Don't depend on security tools that remove cookies after the fact; don't store them in the first place.
- Allow only some first-party cookies, using an exceptions list (a whitelist)
- Allow those cookies only for the current session
- Deny *all* third-party cookies
- Delete all cookies on browser exit
Many thanks to Dan, Mario, Mark, and one anonymous submitter for their submissions.
-- Bill Stearns, http://www.stearns.org