
Exploiting the User


Presentation Transcript


  1. Exploiting the User: Privacy and Security Concerns with HTTP Cookies
  Presentation by: Robert Bobek

  2. Introduction
  • What are HTTP Cookies? We need some understanding of HTTP first!
  • Hypertext Transfer Protocol (HTTP) is the communication protocol used to transfer data on the Web.
  • HTTP is a request/reply protocol.
  • Stateless protocol! Each request is handled on its own, with no memory of earlier ones.
  • This breaks Web applications that must recognise the same user across requests (logins, shopping carts).
  • So, what are HTTP Cookies?
  • Cookies have become an attractive solution to this problem.
  • A cookie is a textual piece of information that the server sends to the browser, and that the browser returns on later requests to that site.
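The request/reply exchange described on this slide, as an added example that is not part of the presentation: a cookie-aware handler that cannot tell who is asking on the first request, issues a session cookie in its reply, and recovers the session when the browser sends that cookie back. The requests are constructed inline as plain HTTP/1.1 text; no network is used, and the names `SessionStore`, `handle` and the `sid` cookie are illustrative.

```python
"""Added example (not from the slides): why a stateless request/reply
protocol needs cookies to carry state between requests."""
import secrets


def parse_cookie_header(value):
    """Parse 'a=1; b=2' into a dict; malformed pairs are skipped."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, val = line.partition(":")
        headers[key.strip().lower()] = val.strip()
    return method, path, headers


def cookie_pair(set_cookie):
    """Return (name, value) from a Set-Cookie header, ignoring attributes."""
    name, _, rest = set_cookie.partition("=")
    return name.strip(), rest.split(";", 1)[0].strip()


class SessionStore:
    """Server-side state; the cookie only carries an unguessable key to it."""

    def __init__(self):
        self.sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits: not forgeable by guessing
        self.sessions[sid] = {"user": user, "hits": 1}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def handle(store, raw_request):
    """Return (status, response headers, body) for one request."""
    _method, _path, headers = parse_request(raw_request)
    cookies = parse_cookie_header(headers.get("cookie", ""))
    session = store.get(cookies.get("sid", ""))
    if session is None:
        # Without a valid cookie HTTP alone cannot link this request to any
        # earlier one, so a fresh session is started and handed back.
        sid = store.create(user="anonymous")
        # HttpOnly keeps scripts away from it, Secure keeps it off cleartext
        # HTTP, SameSite=Lax limits cross-site sending.
        set_cookie = f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return 200, {"Set-Cookie": set_cookie}, "hits: 1"
    session["hits"] += 1
    return 200, {}, f"hits: {session['hits']}"


def demo():
    """Two round trips: first without a cookie, second returning it."""
    store = SessionStore()
    first = handle(store, "GET / HTTP/1.1\r\nHost: shop.test\r\n\r\n")
    name, sid = cookie_pair(first[1]["Set-Cookie"])
    second = handle(store, f"GET / HTTP/1.1\r\nHost: shop.test\r\nCookie: {name}={sid}\r\n\r\n")
    return first, second


if __name__ == "__main__":
    for status, hdrs, body in demo():
        print(status, hdrs, body)
```

A forged or expired `sid` simply fails the store lookup and gets a new session; the server never trusts anything in the cookie except as a lookup key.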

  3. HTTP Cookies – First Party
  • HTTP Cookies are either First Party or Third Party
  • Web applications use first-party cookies for many purposes:
  • User session tracking
  • Personalization of profiles
  • Auto-complete fields

  4. Security Concerns
  • Executing basic attacks on first-party cookies
  • Browser history fishing
  • Cookie theft and data extraction from the cookie store on disk
  • Easily accomplished on:
  • Public terminals
  • Single user-account OS configurations (every user of the machine can read every other user's cookie files)

  5. Security Concerns
  • Executing advanced attacks on first-party cookies
  • Cookie theft (packet sniffing of cookies sent over cleartext HTTP)
  • Cookie poisoning (editing a cookie value that the server trusts without checking)
  • Cross-site cooking (getting a browser to accept a cookie for a site the attacker does not control, e.g. through an over-broad Domain attribute)
  • All of these are used to hijack sessions
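Two of the attacks on this slide, as an added example that is not part of the presentation: a handler that is open to cookie poisoning because it believes the `role` cookie the client sends, next to a hardened version that only accepts values carrying a valid HMAC tag under a server-side secret, plus the Domain check a browser needs to refuse the cross-site cooking case where a site under one public suffix tries to set a cookie for the whole suffix. `SERVER_SECRET`, the `role` cookie and the abbreviated `PUBLIC_SUFFIXES` set are illustrative; the sample headers are constructed inline.

```python
"""Added example (not from the slides): cookie poisoning and its fix,
and the Domain check that blocks cross-site cooking."""
import base64
import hashlib
import hmac

SERVER_SECRET = b"illustrative-secret-load-from-config-in-real-code"


def parse_cookie_header(value):
    """Parse 'a=1; b=2' into a dict; malformed pairs are skipped."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def vulnerable_is_admin(cookie_header):
    """Cookie poisoning target: the client decides its own role."""
    return parse_cookie_header(cookie_header).get("role") == "admin"


def sign(value):
    """value -> 'value.<base64 HMAC-SHA256 tag>'; the tag has no '.'."""
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify(signed):
    """Return the value if the tag is valid, else None."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison so a tag cannot be guessed byte by byte.
    if hmac.compare_digest(sign(value).encode(), signed.encode()):
        return value
    return None


def hardened_is_admin(cookie_header):
    """Same cookie, but an edited value fails verification."""
    role = verify(parse_cookie_header(cookie_header).get("role", ""))
    return role == "admin"


# Stand-in for the Public Suffix List a real browser consults.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def cookie_domain_allowed(response_host, cookie_domain):
    """Accept a Set-Cookie Domain attribute only if the responding host
    domain-matches it and it is not a public suffix. Without the suffix
    rule, attacker.co.uk could set Domain=.co.uk and have the cookie sent
    to bank.co.uk (cross-site cooking)."""
    host = response_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not domain or domain in PUBLIC_SUFFIXES:
        return False
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    print(vulnerable_is_admin("role=admin"), hardened_is_admin("role=admin"))
    print(hardened_is_admin("role=" + sign("admin")))
    print(cookie_domain_allowed("attacker.co.uk", ".co.uk"))
```

Signing stops tampering but not replay or theft: a sniffed signed cookie is still valid until it expires, which is why the `Secure` attribute and a server-side session (slide 2) are the stronger design.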

  6. HTTP Cookies – Third Party
  • Cookies sent by servers that are located outside the domain of the Web site the user is visiting.
  • Companies such as DoubleClick raise privacy concerns!
  • They use third-party cookies to recognise the same browser on every site that carries their ads.
  • Occurs without the user's attention.
  [Diagram: the pages of Business A, Business B and Business C each load an ad from DoubleClick ("Bus. A ad loaded", "Bus. B ad loaded", "Bus. C ad loaded"), so DoubleClick receives its own cookie on every one of those page views.]
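The diagram on this slide, as an added example that is not part of the presentation: an in-process simulation of three unrelated business sites whose pages all load an ad from one ad server. With third-party cookies allowed, the ad server's single `id` cookie links the three visits into one profile; with them blocked, each visit looks like a new browser. The hostnames (`business-a.test`, `ads.tracker.test`) and the `AdServer`/`Browser` classes are invented for the example, and the registrable-domain check is a deliberately simplified stand-in for the Public Suffix List.

```python
"""Added example (not from the slides): how one third-party cookie
correlates visits across sites, and what blocking it changes."""
from urllib.parse import urlsplit


def registrable_domain(host):
    """Simplified eTLD+1: last two labels (a browser uses the PSL)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def is_third_party(page_url, resource_url):
    """Resource is third-party when its site differs from the page's."""
    page = registrable_domain(urlsplit(page_url).hostname)
    res = registrable_domain(urlsplit(resource_url).hostname)
    return page != res


class AdServer:
    """Ad network: one cookie per browser, a log of every page it saw."""

    def __init__(self):
        self.next_id = 1
        self.log = {}  # cookie -> list of referring pages

    def serve(self, cookie, referer):
        """Return a Set-Cookie value when a new id is issued, else None."""
        set_cookie = None
        if cookie is None:
            cookie = f"id={self.next_id}"
            self.next_id += 1
            set_cookie = cookie
        self.log.setdefault(cookie, []).append(referer)
        return set_cookie


class Browser:
    """Minimal cookie jar keyed by host, with an optional third-party block."""

    def __init__(self, block_third_party=False):
        self.jar = {}
        self.block_third_party = block_third_party

    def load_page(self, page_url, ad_server, ad_url):
        blocked = self.block_third_party and is_third_party(page_url, ad_url)
        ad_host = urlsplit(ad_url).hostname
        # The Referer (or the ad URL the page embeds) tells the ad server
        # which business page was being viewed.
        cookie = None if blocked else self.jar.get(ad_host)
        set_cookie = ad_server.serve(cookie, referer=page_url)
        if set_cookie and not blocked:
            self.jar[ad_host] = set_cookie


def tracking_profile(block_third_party):
    """Visit three businesses; return the ad server's cookie -> pages log."""
    ads = AdServer()
    browser = Browser(block_third_party)
    for page in ("https://business-a.test/", "https://business-b.test/",
                 "https://business-c.test/"):
        browser.load_page(page, ads, "https://ads.tracker.test/banner.js")
    return ads.log


if __name__ == "__main__":
    print("allowed:", tracking_profile(False))
    print("blocked:", tracking_profile(True))
```

The same mechanism is entirely legitimate for the first-party case (the session cookie of slide 3); what makes it a privacy problem here is that the cookie's owner is a party the user never chose to visit.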

  7. CookiesCard
  • "Mobile Cookies Management on a Smart Card", created by Alvin T.S. Chan
  • Motivation:
  • General security and privacy problems
  • Removing the machine-cookie dependency
  • Cookies held on smart card technology
  • Secured by PIN authentication

  8. CookiesCard Architecture
  Graphic reference: Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM, November 2005, Vol. 48, No. 11, pp. 38-43.

  9. CookiesCard
  • The CookiesCard is an effective solution, but it still suffers from minor drawbacks:
  • Smart card reader technology is not very popular
  • The proxy must reside on the same machine as the browser
  • No cookie management interface

  10. CookiesCard 1.1
  • The CookiesCard can be improved using the following suggestions:
  • Replace smart card technology with USB flash devices
  • Affordable
  • Popular
  • Ultra-portable
  • Run the proxy server from the USB flash device
  • Localhost left untouched
  • Control panel interface created as a 3rd module
  • Can be accessed through another listening port

  11. CookiesCard 1.1 Architecture
  Graphic reference: Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM, November 2005, Vol. 48, No. 11, pp. 38-43 (modified by Rob Bobek).
  • Cryptainer Mobile provides on-the-fly encryption/decryption of the data on the mobile device
  • Does not require installing device drivers on the host machine to decrypt
  • Uses the Blowfish encryption algorithm
  • Free download!
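The CookiesCard idea of slides 7 to 11 as an added example, not code from the presentation or from Chan's paper: a local proxy that strips `Set-Cookie` from responses into a jar the browser never sees, re-attaches a `Cookie` header to requests for the matching host, and keeps the jar sealed on a removable device under a key derived from the user's PIN. The stand-in cipher (PBKDF2 key, HMAC-SHA256 keystream, HMAC tag) is used only because it needs nothing outside the standard library; it replaces the Cryptainer/Blowfish volume encryption of the slides, and the device is modelled as a bytes blob. The classes `CookieDevice` and `CookieProxy` are illustrative, the jar is keyed by host only (no Domain/Path/expiry handling), and the headers are constructed inline.

```python
"""Added example (not from the slides): a CookiesCard-style proxy with a
PIN-sealed cookie jar on a removable device."""
import hashlib
import hmac
import json
import os
import secrets


def derive_key(pin, salt):
    """Slow PIN -> key derivation so a stolen device resists PIN guessing."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=32)


def keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode as a stand-in stream cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key, plaintext):
    """nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag first (wrong PIN or tampering both fail here)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad PIN or tampered device")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class CookieDevice:
    """The removable device: a salt plus the sealed JSON jar."""

    def __init__(self, pin):
        self.salt = os.urandom(16)
        self.blob = seal(derive_key(pin, self.salt), b"{}")

    def unlock(self, pin):
        key = derive_key(pin, self.salt)
        return key, json.loads(open_sealed(key, self.blob))

    def save(self, key, jar):
        self.blob = seal(key, json.dumps(jar).encode())


class CookieProxy:
    """Sits between browser and server; cookies live only in the proxy."""

    def __init__(self, device, pin):
        self.device = device
        self.key, self.jar = device.unlock(pin)  # raises on a wrong PIN

    def outbound(self, host, headers):
        """Browser -> proxy -> server: attach the stored cookies for host."""
        headers = dict(headers)
        stored = self.jar.get(host)
        if stored:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in stored.items())
        return headers

    def inbound(self, host, headers):
        """Server -> proxy -> browser: capture Set-Cookie, hide it from the
        browser, and write the jar back to the device straight away."""
        headers = dict(headers)
        values = headers.pop("Set-Cookie", [])
        if isinstance(values, str):
            values = [values]
        for raw in values:
            name, _, rest = raw.partition("=")
            self.jar.setdefault(host, {})[name.strip()] = rest.split(";", 1)[0].strip()
        self.device.save(self.key, self.jar)
        return headers


if __name__ == "__main__":
    dev = CookieDevice("1234")
    proxy = CookieProxy(dev, "1234")
    print(proxy.inbound("bank.test", {"Set-Cookie": ["sid=abc; HttpOnly"]}))
    print(proxy.outbound("bank.test", {"Host": "bank.test"}))
```

Because the browser never receives the cookie, the basic attacks of slide 4 (reading the on-disk cookie store on a shared machine) find nothing, and the device can be unplugged and carried to another machine with the sessions intact; it does nothing against the sniffing of slide 5, which still needs HTTPS.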

  12. Conclusion
  • CookiesCard 1.1: better, but not perfect!

  13. References
  • David M. Kristol. "HTTP Cookies: Standards, Privacy, and Politics". ACM Transactions on Internet Technology, November 2001, Vol. 1, No. 2, pp. 151-198.
  • Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM, November 2005, Vol. 48, No. 11, pp. 38-43.
  • The Cookie Controversy – Cookies and Internet Privacy. http://www.cookiecentral.com/ccstory/cc3.htm
  • Wikipedia on HTTP Cookie. http://en.wikipedia.org/wiki/HTTP_cookie#Drawbacks_of_cookies
  • CookieCentral. http://www.cookiecentral.com
  • Cryptainer Mobile can be downloaded at http://www.cypherix.com/cryptainerle/

  14. Questions?
