Problem

Insecure cookies

Nature:
The recording of information about specific Internet activities has become one of the biggest emerging threats to Internet privacy. Every time a user accesses a web page, the server holding the page logs the user's Internet address along with the time and date. Some sites place "cookies" on a users machine to help track people's activities at a much more detailed level. Others ask for the users name, address and other personal details before allowing access. Internet purchases are similarly recorded. On-line stores value such data very highly, not least for the potential to sell the data on to marketers and other organizations. Some technical solutions have been devised to counter such activities. "Anonymizing" software allows users to browse the Web without revealing their Internet address. "Cookie cutter" programs stop sites from putting cookies on a users machine, and are now built into most browsers. Anonymous digital cash lets consumers make payments without revealing their identity.
Background:
"Cookies" are small pieces of software that identify a computer to another computer, typically an Internet server. A cookie is sent by the server at the time of first contact and subsequently enables the server to recognize that computer on each return visit. Cookies are a matter of convenience, but some people do not like them on privacy grounds.

Digital certificates are like smart cookies. They have to be signed up for. They do more than identify a computer -- they verify the person's identity and thus his/her credit rating, address, etc. They are intended to be a secure proof of identity, saving you time and possibly trouble. Credit card information may be required for verification.

Incidence:
The US Environmental Protection Agency (EPA), having made efforts to put a large amount of information on its web site, asserts in its online privacy notice that "Cookies are not enabled on this site and no information is collected to personally identify you." However, EPA's Environmental Data Registry web site was designed to set cookies on users' hard drives. Of greater concern is EPA's Terminology Reference System. Currently, this site will not only set cookies but its data download option requires users to provide their name, organization, email address, and phone number. If a user does not fill in a blank, it will not download the information. EPA's policy is clear. Other than collecting an email address to respond to a direct request, no personally-identifiable information is collected.
Claim:
A cookie should be an "opaque token"; an apparently meaningless string of characters, which only has meaning to the entity which created it. Instead many companies are they storing customer names and private email addresses from an e-commerce transaction, as "plain text" in cookies and sending it out without any security whatsoever.
Broader Problems:
Invasion of Internet privacy
Problem Type:
G: Very specific problems
Date of last update
19.09.2000 – 00:00 CEST
Web Page(s):