Guest Post by Mike Alvarez.
In the English-speaking world, the term “cookie” has developed a drastically different meaning in the past few years, signifying a huge departure from the times when cookies were served with milk and eaten by a furry blue monster on Sesame Street. When adults speak about cookies without a child in sight, it’s quite probable they are referring not to baked goods but to small packets of data that have caused quite a controversy in the IT world over the past few years. As with many technical terms, the exact meaning of a computer cookie is often misunderstood. This article discusses the history of cookies, the roles they play in today’s networked world and steps users can take to protect themselves from their improper usage.
The term “cookie” actually derives from the computing term “magic cookie.” A magic cookie was used as a token passed between communicating systems to identify various events and transactions. The token itself has no meaning but serves as a unique identifier within a larger context. This can be compared to a ticket received when depositing bags at a department store’s courtesy desk. The ticket itself is only valuable in the sense that it uniquely identifies one’s bags when they are ready for retrieval. Interestingly enough, the term “magic cookie” stems from real-life fortune cookies, which contain hidden information on a piece of paper. The idea was that, like a fortune cookie in the real world, magic cookies in the computer world also carried hidden information.
The concept of magic cookies has been in use for decades as part of the computing world’s technical parlance. It wasn’t until widespread consumer use of the World Wide Web gained momentum that computer cookies started developing their notoriety. Unlike the fattening, chocolate chip variety, cookies in the computing sense are used by web servers to maintain session and state data. Netscape, one of the early pioneers in web browser technology, began serious use of cookie technology around 1994 as a way to develop e-commerce websites. Microsoft followed suit in 1995 with integration of cookie technology in the second release of its infamous Internet Explorer web browser.
The idea of cookie technology is technically sound. Session cookies are used to maintain information about a user’s current browsing activity, such as items in a shopping cart. Persistent cookies are used to track a user for longer periods of time, such as a month or even a year. Cookies may be used to remember information about a particular user, such as their name, language preference and other settings that can be used to add a personal touch to their browsing experience. Session management, tracking and personalization are all important aspects of modern website operation. It is unfortunate that the press has demonized a term that, when complemented with a tall glass of cold milk, once brought smiles to mothers and children across the globe.
The demonization actually comes from fraudulent use of otherwise useful technology. In earlier years, unscrupulous marketers were able to read cookies that other sites had left for a user in attempts to gain knowledge for which they were not authorized. Hackers would steal cookies and hijack user sessions, impersonating their requests in order to gain access to their private data. Stealing cookies was done through network eavesdropping, DNS cache poisoning and cross-site scripting. Cross-site scripting can be thwarted by using modern browsers with improved security and SSL functionality. Websites also employ CAPTCHA technology to prevent hackers from executing cross-site scripting attacks. DNS cache poisoning, while usually an issue that Internet Service Providers (ISPs) must handle, can be avoided by astute users who make use of advanced DNS services like Google Public DNS or OpenDNS. Network eavesdropping can be prevented by using a VPN service.
When using a VPN service, a user’s data is securely transferred through a private Internet tunnel. The data is encrypted before leaving the user’s computer, which means any hackers listening in on the local network will be unable to intercept cookies and other private data. A VPN service is one of the most effective ways of preventing hackers from invading one’s privacy.
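As an added example (not part of the original post), the Python sketch below audits `Set-Cookie` header values against the theft routes described above: it labels each cookie as session or persistent and reports whether the standard `Secure` attribute (keeps the cookie off unencrypted connections an eavesdropper can read) or `HttpOnly` attribute (hides the cookie from scripts in the page) is missing. The header values and function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for theft-related attributes.
# Constructed sample header values; not captured from any real site.
SAMPLE_HEADERS = [
    "cart=abc123; Path=/",
    "sid=9f8e7d=; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Max-Age=31536000; Path=/; HttpOnly",
    "track=u42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure",
    "old=x; Max-Age=0; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")  # value itself may contain '='
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookie_kind(attrs):
    """Session cookies carry no lifetime; Max-Age <= 0 asks for deletion."""
    if "max-age" in attrs:
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    return "persistent" if "expires" in attrs else "session"


def audit_cookie(header):
    """Report the cookie's kind and which protective attributes are missing."""
    name, _, attrs = parse_set_cookie(header)
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return {"name": name, "kind": cookie_kind(attrs), "missing": missing}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit_cookie(header))
```

A persistent cookie that is missing either attribute is the one to look at first, since it stays exposed for its whole lifetime rather than a single browsing session.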
Whether baked or computerized, users should always protect their cookies. While it may be easy to hide real cookies from the cookie monster, protecting one’s cookies online takes a bit more effort. Although losing a few of grandma’s best oatmeal cookies may not be such a big loss in the long run, having one’s sensitive personal and financial data stolen is much more consequential.
This was a guest post by Mike Alvarez, who is a security professional and writes regularly for a premium, anonymous VPN service provider, iVPN.net.