Internet Cookies, Privacy, and Security
Abstract – Browsing different websites is the most common activity on the internet. When people use internet pages, they usually face many cookie alerts, and most people are bothered by them. But what are these bothersome alerts? Do people read the cookie policies before accepting them? In most cases, the answer is simply no. Most people tend to accept cookies without knowing what they are and why they appear in their browsers. This paper first presents the concept of internet cookies, their technical function, and their usability, and then continues with an analytical view of the privacy and security aspects of cookies. A demonstration of cookie abuse is given using session hijacking as an example. Two different solutions for mitigating cookie abuse are presented and compared.
Key Words – cookies, authentication, session hijacking, HTTP protocol, security attacks.
INTRODUCTION
Most internet web pages and mobile applications use cookies for different purposes in commercial, social, or scientific areas. Cookies play a significant role in the internet experience: online shopping, personalized content, and advertisements have all improved because of the use of cookies [LaCroix et al. 2017]. However, it is crucial to know how they function and what potential security threats may arise from their usage. To give an overview of this topic, the paper is organized as follows: Section II presents a general overview of cookie functionality, attributes, and classification. Cookie privacy and security are discussed in Section III, followed by authentication cookies and session hijacking in Section IV. In Section V two main solutions against hijacking and stolen cookies are discussed and compared. A conclusion is given in Section VI.
COOKIES, ATTRIBUTES, AND CLASSIFICATION
Cookies
Web or HTTP cookies are small pieces of information sent back and forth between a server and a browser [LaCroix et al. 2017]. Cookies were first created by Lou Montulli, an employee of Netscape, who named them after the computer term “magic cookie”, a data token passed from one party to another [LaCroix et al. 2017], [Wu et al. 2010]. Cookies help a web server to maintain state: when a server responds to a client request, it can at the same time save information for that client and have it returned at a later time [LaCroix et al. 2017].
Figure 1: Cookies Working Process [Li et al. 2013]
Cookies have gained wide usage in browsers and web applications due to their simplicity and efficiency. They can be found in almost every web application for maintaining session state, authenticating, personalizing, and tracking user behavior [Yue et al. 2010], [Aladeokin et al. 2017].
Attributes
A web application generates cookies as name-value pairs containing information about the session, which are stored in the browser. Generated cookies are sent to the browser using the Set-Cookie HTTP response header field [Ayadi et al. 2011]. Once cookies are accepted by the client and stored in the browser, they are attached to each request that the client sends to the web application [Dacosta et al. 2012].
The optional attributes within cookies are Domain, Path, and Max-Age. The Domain attribute specifies the domain to which a cookie is sent, Path specifies a targeted URL path, and Max-Age determines the lifetime of a cookie [Yue et al. 2010], [Ayadi et al. 2011].
Classification
Based on their origin and destination, cookies are classified as first-party cookies and third-party cookies [Yue et al. 2010]. First-party cookies are created by the website the user is currently visiting, while third-party cookies are generated by a website other than the one the user is visiting [Javed et al. 2014]. Furthermore, based on their lifetime, cookies are classified into session cookies and persistent cookies [Putthacharoen and Bunyatnoparat 2011]. Session cookies have zero lifetime: they are stored in memory and deleted immediately after the user closes the browser. Persistent cookies have a non-zero lifetime and are stored on the hard disk until deleted by the user or expired [Yue et al. 2010].
PRIVACY AND SECURITY
Privacy
Many websites use cookies as a tracking mechanism for offering their users personalized products through online advertisements [Sörensen 2013]. In some cases, as a result of user tracking, personal information has been leaked and user privacy has been breached [Aladeokin et al. 2017]. These privacy violations are more prevalent when third-party cookies are applied by websites and accepted unwittingly by users. Since third-party cookies represent a potential risk to user privacy and have almost no benefit for users, most web browsers, such as Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer, offer an option for disabling third-party cookies [Nosheen and Qamar 2015]. However, disabling third-party cookies does not guarantee complete security of user data. First-party persistent cookies might also be hazardous to the user’s privacy because, if not deleted, they can stay on the user’s disk for a long time [Yue et al. 2010].
Security
Cookies do not guarantee the integrity or confidentiality of the transferred data. However, two cookie attributes that can be mentioned are Secure and HttpOnly [LaCroix et al. 2017], [Bugliesi et al. 2015]. The first attribute ensures that cookies are sent only over secure channels. The second attribute limits cookies to HTTP requests, which prevents JavaScript from accessing the cookies and prevents cookies from being exposed to non-HTTP APIs [LaCroix et al. 2017], [Putthacharoen and Bunyatnoparat 2011]. Regarding security, authentication data stored in cookies is an essential part to be discussed. Section IV of this paper continues with the topic of authentication cookies and session hijacking as a potential threat to authentication cookies.
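The attributes described in Section II (Domain, Path, Max-Age), the session/persistent and first/third-party classification, and the Secure and HttpOnly flags discussed here can all be checked mechanically from the Set-Cookie headers a site returns. The following Python script is an added example, not code from the paper or from any of the cited works: it parses Set-Cookie headers into their attributes and reports the findings a defender would flag. The sample headers, the page host shop.example and the tracker host ads.tracker.example are constructed for illustration.

```python
"""Set-Cookie attribute parser and audit.

Added example, not code from the paper or from any cited work. The sample
headers below are constructed for illustration; the attribute names follow
the ones the paper lists (Domain, Path, Max-Age, Secure, HttpOnly).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    set_by_host: str  # host whose response carried the header
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    def is_persistent(self) -> bool:
        # Max-Age or Expires gives a non-zero lifetime: the cookie is written
        # to disk. Without either it is a session cookie, kept only in memory.
        return "max-age" in self.attrs or "expires" in self.attrs

    def is_third_party(self, page_host: str) -> bool:
        # A cookie set by a host other than the page the user is visiting
        # (e.g. an embedded ad server) is a third-party cookie.
        return self.set_by_host.lower() != page_host.lower()


def parse_set_cookie(header: str, set_by_host: str) -> Cookie:
    """Split a Set-Cookie header into name, value and lower-cased attributes.

    Attributes are separated by ';'. Flags such as Secure and HttpOnly carry
    no '=' and are stored with a None value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return Cookie(name.strip(), value.strip(), set_by_host, attrs)


def audit(cookie: Cookie, page_host: str) -> List[str]:
    """Return the findings a defender would flag for one cookie."""
    findings: List[str] = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable by script via document.cookie")
    if cookie.is_persistent():
        findings.append("persistent: stored on disk until expiry or deletion")
    if cookie.is_third_party(page_host):
        findings.append("third-party: set by " + cookie.set_by_host)
    return findings


# Constructed sample: three responses observed while visiting shop.example
PAGE_HOST = "shop.example"
SAMPLE_HEADERS = [
    ("shop.example", "sessionid=7f3a9c; Path=/; Max-Age=3600; Secure; HttpOnly"),
    ("shop.example", "cart=3items; Path=/cart"),
    ("ads.tracker.example",
     "uid=u-4421; Domain=tracker.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
]


def audit_all() -> Dict[str, List[str]]:
    """Audit every sample header and return findings keyed by cookie name."""
    report: Dict[str, List[str]] = {}
    for host, header in SAMPLE_HEADERS:
        cookie = parse_set_cookie(header, host)
        report[cookie.name] = audit(cookie, PAGE_HOST)
    return report


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["ok"])
```

Running the script shows the authentication cookie passing the flag checks but being flagged as persistent because of its Max-Age, the cart cookie lacking both Secure and HttpOnly, and the tracker cookie collecting every finding, including its third-party origin.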
AUTHENTICATION COOKIES, SESSION HIJACKING ATTACKS
Authentication Cookies
HTTP and HTTPS, as stateless protocols, use cookies as a solution for tracking state information across different requests [Calzavara et al. 2015], [Bugliesi et al. 2015].
When user authentication credentials are successfully validated, the web application generates authentication cookies and sends them to the browser [Dacosta et al. 2012]. Based on the cookies' scope and flags, the browser attaches these cookies to each request that requires authentication. Once established, they can temporarily replace the user’s password credentials, so it is vital for authentication cookies to be carefully constructed to prevent potential abuse [Calzavara et al. 2015]. Even though web applications usually use cryptographic methods and algorithms to build authentication cookies, these mechanisms cannot guarantee confidentiality and integrity, so attacks may still happen depending on how cookies are used [Dacosta et al. 2012].
Session Hijacking Attacks
Since cookies do not change during their lifetime, if attackers steal authentication cookies, they will be able to impersonate the user associated with these cookies until their expiration [Wedman et al. 2013]. The case in which an attacker takes control of the user’s session is known as session hijacking.
Figure 2: Session Hijacking [Dacosta et al. 2012]
As depicted in the figure, for each request to the web application the victim uses an authentication cookie which is sent through an unprotected network and is therefore captured by an attacker who can observe the session. To carry out the attack, the attacker can use tools such as Firesheep and then use the stolen cookie to make arbitrary requests to the web application until the cookie expires [Dacosta et al. 2012]. Even though session hijacking attacks have been known for a long time, several factors have increased the risk of these threats, such as the high popularity and importance of web applications, the growth of wireless networks, especially open Wi-Fi networks, and the availability of several automated, easy-to-use tools that execute session hijacking [Dacosta et al. 2012].
SOLUTIONS AND COMPARISON
Many solutions have been presented to prevent the stealing of cookies through session hijacking. This paper will analyze and compare two solutions for session hijacking threats: the Synchronized State Cookie Protocol and One-time Cookies (OTC).
Synchronized State Cookie Protocol
Takahashi et al. [2013] presented the Synchronized State Cookie Protocol as an efficient method to prevent cross-site scripting (XSS) attacks, which consequently makes prevention of session hijacking possible. This method uses a one-time password and challenge-response authentication. With the one-time password, the server and the user both share the same password, which is renewed at a fixed interval. This password needs to be synchronized at all times. Furthermore, challenge-response authentication, the second feature of this method, works in this way: the server sends a challenge value to the user as a response to an authentication request; the server then checks whether the value sent back by the user matches its own calculated value and, based on that, decides whether or not to give the user access.
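The two features just described, a shared password renewed every fixed interval and a challenge-response step, can be illustrated with a small working model. The Python code below is an added example and is not the construction of Takahashi et al. [2013]; the paper only states the two features, so the HMAC-based derivation of the window password, the 60-second renewal interval, the one-window tolerance for clock drift, and the session ids are assumptions made here. It shows why synchronization matters: a response computed with the password of an expired window is rejected, and a captured response is useless because the challenge is consumed on first use.

```python
"""Time-synchronized one-time password with challenge-response.

Added example, not the construction from Takahashi et al. [2013]: the paper
only describes a shared password renewed at a fixed interval plus a
challenge-response step, so the HMAC-based derivation, the 60-second
interval and the one-window clock-skew tolerance are assumptions made here.
"""
import hashlib
import hmac
import os
from typing import Dict

WINDOW_SECONDS = 60  # assumed renewal interval


def window_password(shared_secret: bytes, now: float, offset: int = 0) -> bytes:
    """Derive the password for the time window containing `now`.

    Both sides compute this from the long-term shared secret, so the
    password changes every WINDOW_SECONDS without any extra message.
    """
    index = int(now // WINDOW_SECONDS) + offset
    return hmac.new(shared_secret, index.to_bytes(8, "big"), hashlib.sha256).digest()


def client_response(shared_secret: bytes, challenge: bytes, now: float) -> str:
    """Client answers the server's challenge with HMAC(current password, challenge)."""
    otp = window_password(shared_secret, now)
    return hmac.new(otp, challenge, hashlib.sha256).hexdigest()


class Server:
    """Issues one challenge per session and verifies the response once."""

    def __init__(self, shared_secret: bytes) -> None:
        self.secret = shared_secret
        self.pending: Dict[str, bytes] = {}

    def issue_challenge(self, session_id: str) -> bytes:
        challenge = os.urandom(16)
        self.pending[session_id] = challenge
        return challenge

    def verify(self, session_id: str, response: str, now: float) -> bool:
        # Pop the challenge so a captured response cannot be replayed.
        challenge = self.pending.pop(session_id, None)
        if challenge is None:
            return False
        # Accept the current window and the previous one to tolerate small
        # clock drift; anything older is treated as desynchronized.
        for offset in (0, -1):
            otp = window_password(self.secret, now, offset)
            expected = hmac.new(otp, challenge, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, response):
                return True
        return False


def demo() -> Dict[str, bool]:
    """Run the four cases a verifier has to get right; timestamps are constructed."""
    secret = b"constructed-shared-secret"
    server = Server(secret)
    results: Dict[str, bool] = {}

    # Fresh login: client and server clocks agree.
    ch = server.issue_challenge("s1")
    resp = client_response(secret, ch, now=1000.0)
    results["fresh"] = server.verify("s1", resp, now=1000.0)

    # Replay of the same response after the challenge was consumed.
    results["replay"] = server.verify("s1", resp, now=1000.0)

    # Client slightly behind the server but within one window.
    ch = server.issue_challenge("s2")
    resp = client_response(secret, ch, now=1019.0)              # window 16
    results["skew_ok"] = server.verify("s2", resp, now=1021.0)  # window 17

    # Password from an expired window is rejected as desynchronized.
    ch = server.issue_challenge("s3")
    resp = client_response(secret, ch, now=900.0)               # window 15
    results["stale"] = server.verify("s3", resp, now=1021.0)
    return results


if __name__ == "__main__":
    print(demo())
```

The extra round trip in issue_challenge/verify is also where the latency discussed below comes from: the client cannot send an authenticated request until it has received the challenge.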
There are some advantages to using this method, since even in the case of cross-site scripting (XSS) attacks, the attacker cannot abuse the cookie after the cookie expires. However, as mentioned by Takahashi et al. [2013], this method does not guarantee that attackers cannot succeed with impersonation, since they can use the cookie before it expires. Some websites use long expiration times for cookies to avoid degrading the user experience. When cookies stay in the user's browser for a long time, they can be hijacked by an attacker, who can impersonate the user until the cookie expires. Furthermore, as explained by Takahashi et al. [2013], the use of challenge-response authentication creates latency in client-server communication, which can result in a bad user experience.
One-time Cookies (OTC)
Another alternative to authentication cookies is given by Dacosta et al. [2012] as a mechanism to replace authentication cookies with One-time Cookies (OTC), which provide a more robust defense against hijacking attacks. In this model, authentication and session management are separated. To protect the setup of its credential, OTC relies on HTTPS.
In order to design a robust OTC, the mechanism should have these properties: session integrity, statelessness, robustness, performance and scalability, usability, concurrency, and browser support [Dacosta et al. 2012]. The protocol creates a unique token per request, so the same token cannot be reused for different requests.
Figure 3: Flow diagram of web session using OTC [Dacosta et al. 2012]
According to Dacosta et al. [2012], OTC is not only resistant to session hijacking but also retains the simplicity and performance benefits of cookies. The OTC model was implemented as a WordPress plug-in with less than 200 lines of code that substitutes the create and verify functions of authentication cookies [Dacosta et al. 2012].
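The contrast between a conventional authentication cookie, which Section IV describes as reusable by anyone who holds it until it expires, and a per-request token that cannot be reused can be shown side by side. The Python code below is an added example and is not the code or the exact protocol of Dacosta et al. [2012]; it keeps only the property the paper states, one unique token per request. The token construction (an HMAC over method, path and a request counter under a per-session key), the server-side session table, and the user and path names are assumptions made here; the real OTC design establishes the session credential over HTTPS and keeps the server stateless.

```python
"""Static authentication cookie versus a per-request one-time token.

Added example, not the code of Dacosta et al. [2012]. It keeps only the
idea the paper states: a unique token per request that cannot be reused.
The token construction (HMAC over method, path and a request counter under
a per-session key) and the server-side session table are assumptions; the
real OTC design delivers the session credential over HTTPS and is stateless.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def make_token(key: bytes, method: str, path: str, counter: int) -> str:
    """Token bound to one specific request: any change in method, path or
    counter produces a different value."""
    msg = f"{method}\n{path}\n{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class StaticCookieServer:
    """Conventional session: one cookie value, reused for every request."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # cookie value -> user

    def login(self, user: str) -> str:
        cookie = os.urandom(16).hex()
        self.sessions[cookie] = user
        return cookie

    def handle(self, cookie: str) -> Optional[str]:
        # Whoever presents the cookie is treated as the user, for as long
        # as the session lives. This is what makes a captured cookie useful.
        return self.sessions.get(cookie)


class OtcServer:
    """Per-request tokens: the session key stays on both sides, only tokens travel."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict] = {}  # session id -> user, key, last counter

    def login(self, user: str) -> Tuple[str, bytes]:
        sid = os.urandom(8).hex()
        key = os.urandom(32)  # in OTC this credential is set up over HTTPS
        self.sessions[sid] = {"user": user, "key": key, "last": 0}
        return sid, key

    def handle(self, sid: str, method: str, path: str, counter: int, token: str) -> Optional[str]:
        s = self.sessions.get(sid)
        if s is None or counter <= s["last"]:
            return None  # unknown session, or a counter already seen (replay)
        expected = make_token(s["key"], method, path, counter)
        if not hmac.compare_digest(expected, token):
            return None  # token was computed for a different request
        s["last"] = counter
        return s["user"]


class OtcClient:
    def __init__(self, sid: str, key: bytes) -> None:
        self.sid, self.key, self.counter = sid, key, 0

    def request(self, method: str, path: str) -> Tuple[str, str, str, int, str]:
        self.counter += 1
        token = make_token(self.key, method, path, self.counter)
        return (self.sid, method, path, self.counter, token)


def demo() -> Dict[str, Optional[str]]:
    """Exercise both servers; names and paths are constructed."""
    results: Dict[str, Optional[str]] = {}

    static = StaticCookieServer()
    cookie = static.login("alice")
    results["static_first"] = static.handle(cookie)
    results["static_replay"] = static.handle(cookie)  # same value accepted again

    otc = OtcServer()
    client = OtcClient(*otc.login("alice"))
    req = client.request("GET", "/account")
    results["otc_first"] = otc.handle(*req)
    results["otc_replay"] = otc.handle(*req)  # same token again: counter already used
    sid, _, _, counter, token = req
    # An observed token re-targeted at another path with a fresh counter.
    results["otc_other_path"] = otc.handle(sid, "GET", "/transfer", counter + 1, token)
    # The legitimate client continues normally.
    results["otc_next"] = otc.handle(*client.request("POST", "/transfer"))
    return results


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user}")
```

The static server accepts the same cookie value every time, which is the property session hijacking relies on; the OTC-style server accepts each token exactly once and only for the request it was computed for, while the legitimate client's next request still succeeds.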
Comparison of models
The model presented by Dacosta et al. [2012] is a good potential alternative for cookie authentication. Unlike the approach of Takahashi et al. [2013], OTCs are not designed for mitigation of XSS. However, OTCs are carried only over HTTPS, so XSS attacks cannot succeed. Still, not all websites use HTTPS on their pages for user authentication tokens. Google released a report in 2016 which revealed that many well-known websites such as ebay.com and imdb.com do not use SSL/TLS by default [LaCroix et al. 2017].
Figure 4: Comparison between Synchronized State Cookie Protocol and OTC
CONCLUSION
This paper has presented a technical and analytical approach to internet cookies, their functionality, and their usability. Since the use of cookies for managing web state raises privacy and security concerns, it is imperative to understand website vulnerabilities and the potential threats to cookies. Well-known website attacks such as XSS may be followed by session hijacking, which results in stolen authentication cookies. The Synchronized State Cookie Protocol and OTC are presented as solutions for protecting authentication data stored in cookies. Based on the analysis and comparison, the first solution is better at mitigating XSS attacks; however, it has latency problems due to challenge-response authentication. The second solution is a more robust alternative to authentication cookies, and it runs only over HTTPS. However, neither of these methods offers any solution to social engineering attacks or malware attacks.
In conclusion, there is no hundred percent secure alternative for data privacy on the internet. It is the responsibility of both server and client to contribute to preventing website attacks and to maintaining cookie sessions and data integrity and confidentiality. Mitigation of cookie abuse can be achieved by having well-developed and well-maintained websites and web servers. Also, the user should be well informed about the usage of cookies before accepting or declining them. In general, when it comes to data privacy, using HTTPS channels and avoiding public networks for making financial transactions or transmitting sensitive data is an essential step toward protecting cookies from session hijacking as well as preserving data integrity and confidentiality.
REFERENCES
[1] Aladeokin, A., Zavarsky, P., Memon, N., 2017. Analysis and compliance evaluation of cookies-setting websites with privacy protection laws. 12th International Conference on Digital Information Management.
[2] Javed, A., Merz, C., Schwenk, J., 2014. TTPCookie: Flexible Third-Party Cookie Management for Increasing Online Privacy. IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications.
[3] Li, B., Lv, S., Zhang, Y., Tian, M., 2013. The application research of Cookies in network security. International Conference on Sensor Network Security Technology and Privacy Communication System.
[4] Bugliesi, M., Calzavara, S., Focardi, R., Khan, W., 2015. CookiExt: Patching the browser against session hijacking attacks.
[5] Calzavara, S., Tolomei, G., Casini, A., Bugliesi, M., Orlando, S., 2015. A Supervised Learning Approach to Protect Client Authentication on the Web.
[6] Dacosta, I., Chakradeo, S., Ahamad, M., Traynor, P., 2012. One-time cookies: Preventing session hijacking attacks with stateless authentication tokens.
[7] Nosheen, F., Qamar, U., 2015. Flexibility and privacy control by cookie management. Third International Conference on Digital Information, Networking, and Wireless Communications.
[8] Takahashi, H., Yasunaga, K., Mambo, M., Kim, K., Youm, H. Y., 2013. Preventing Abuse of Cookies Stolen by XSS. Eighth Asia Joint Conference on Information Security.
[9] Wu, H., Chen, W., Ren, Z., 2010. Securing Cookies with a MAC Address Encrypted Key Ring. Second International Conference on Networks Security, Wireless Communications and Trusted Computing.
[10] Ayadi, I., Serhrouchni, A., Pujolle, G., Simoni, N., 2011. HTTP Session Management: Architecture and Cookies Security. Conference on Network and Information Systems Security.
[11] LaCroix, K., Loo, Y. L., Choi, Y. B., 2017. Cookies and Sessions: A Study of What They Are, How They Work and How They Can Be Stolen. International Conference on Software Security and Assurance.
[12] Sörensen, O., 2013. Zombie-cookies: Case studies and mitigation. 8th International Conference for Internet Technology and Secured Transactions.
[13] Putthacharoen, R., Bunyatnoparat, P., 2011. Protecting cookies from Cross Site Script attacks using Dynamic Cookies Rewriting technique. 13th International Conference on Advanced Communication Technology.
[14] Wedman, S., Tetmeyer, A., Saiedian, H., 2013. An Analytical Study of Web Application Session Management Mechanisms and HTTP Session Hijacking Attacks.
[15] Yue, C., Xie, M., Wang, H., 2010. An automatic HTTP cookie management system.