Exploiting the User Privacy and Security Concerns with HTTP Cookies Presentation by: Robert Bobek
Introduction • What are HTTP Cookies? • We need some understanding of HTTP first! • Hypertext Transfer Protocol (HTTP) is the communication protocol used to transfer data on the Internet. • HTTP is a request /reply protocol • Stateless Protocol! • Breaks Web Applications! • So, what are HTTP Cookies? • Cookies have become and attractive solution to solve this problem • Textual piece of information
HTTP Cookies – First Party • HTTP Cookies are either First Party or Third Party • Web Applications use First-Party Cookies for many purposes • User session tracking • Personalization of profiles • Auto-complete fields
Security Concerns • Executing basic attacks on First Party Cookies • Browser history fishing • Cookie theft and data extraction • Easily accomplished on • Public terminals • Single user-account OS configurations
Security Concerns • Executing Advanced attacks on First Party Cookies • Cookie Theft (packet sniffing) • Cookie Poisoning • Cross-Site Cooking • Used to hijack sessions
HTTP Cookies – Third Party • Cookies sent by servers that are located outside the domain of the Web Site that the User was visiting. • Companies such as DoubleClick raise privacy concerns! • Use third party cookies • Occurs without users attention Bus. C ad loaded Business A Bus. B ad loaded DoubleClick Business C Bus. A ad loaded Business B Bus. A ad loaded
CookiesCard • “Mobile Cookies Management on a Smart Card” created by Alvin T.S. Chan • Motivation; • General Security and Privacy problems • Removing Machine-Cookie dependency • Cookies held on Smart Card Technology • Secured by PIN Authentication
CookiesCard Architecture Graphic Reference: Alvin T.S Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM. November 2005/Vol. 48, No. 11. Pages 38-43.
CookiesCard • The CookiesCard is an effective solution but it is still suffering from minor drawbacks • Smart Readers Technology not very popular • Proxy must reside with the browser • No Cookies Management Interface
CookiesCard 1.1 • The CookiesCard can be improved using the following suggestions • Replace Smart Card Technology with USB Flash devices • Affordable • Popular • Ultra-portable • Running Proxy Server from USB Flash device • Localhost left untouched • Control Panel Interface created as a 3rd module • Can be accessed through another listening port
CookiesCard 1.1 Architecture Graphic Reference: Alvin T.S Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM. November 2005/Vol. 48, No. 11. Pages 38-43. (modified by Rob Bobek) • Cryptainer Mobileprovides on the fly encryption/decryption technology on mobile devices • Does not require installing device drivers on the host machine to decrypt • Uses Blowfish encryption algorithm • Free Download!
Conclusion • CookiesCard 1.1better but not perfect!
References • David M. Kristol. "HTTP Cookies: Standards, Privacy, and Politics". ACM Transactions on Internet Technology. November 2001/Vol. 1, No. 2. Pages 151-198. • Alvin T.S Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM. November 2005/Vol. 48, No. 11. Pages 38-43. • The Cookie Controversy – Cookies and Internet Privacy. http://www.cookiecentral.com/ccstory/cc3.htm • Wikipedia on HTTP Cookie http://en.wikipedia.org/wiki/HTTP_cookie#Drawbacks_of_cookies • CookieCentral http://www.cookiecentral.com • Cryptainer Mobile can be downloaded at http://www.cypherix.com/cryptainerle/