Wilders Security Forums  

#51, July 12th, 2009, 03:01 AM
trismegistos (Frequent Poster, Join Date: Jan 2009, Posts: 363)
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by Rmus
Hello trismegistos,

Interesting stuff! (some new to me)

I was discussing what I wrote for this this thread yesterday with a friend who was interested in how cookies work. She uses Opera 9.64 as I do and has configured cookies as I've suggested. I just ran the GRC cookie test here:

http://www.grc.com/cookies/forensics.htm

and these are my results:


Can I assure her that she is protected from the things you talk about?

thanks,

rich

Hi,
I'm not in a much better position to assure her, because I lack the expertise and experience you have. You can assure her, although security experts other than you tend to inflate these kinds of attacks; in a real-world scenario, just as in the physical realm, the actual chance of bad guys trying to steal your money is still not that high; it's more a matter of misfortune or bad luck. Of course, we may never know how prevalent these things will become as days go by with the current financial downturn.

As Steve Gibson usually recommends to most people, just use NoScript with Sandboxie. NoScript has built-in anti-XSS and cookie protections, anti-clickjacking protection, etc., even if one enables scripting. Or your configuration, which passed with flying colors on the GRC site, is enough for her.

I'll let the experts like you speak with finality to ease the concerns of people like me... $-)
__________________
-http://www.veteranstoday.com/author/henderson/
-http://www.veteranstoday.com/2013/03/04/the-911-illusion-patsies-beneficiaries/

Last edited by trismegistos : July 12th, 2009 at 03:23 AM.
#53, July 12th, 2009, 03:29 AM
arran (Very Frequent Poster, Join Date: Feb 2008, Posts: 1,090)
Re: Cookies...yummy or deadly?

Yea but Sandboxie won't prevent it during your actual Browsing session, it only cleans them out afterwards if you flush the toilet.
__________________
Win7 64bit Ultimate
Sandboxie | Applocker | Admuncher | Macrium Reflect | TrueCrypt |
FF Add On's | Greasemonkey | Secure Login | Noscript | Ant Video downloader | Status 4 evar
#55, July 12th, 2009, 03:44 AM
Rmus (Exploit Analyst, Join Date: Mar 2005, Posts: 3,624)
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by trismegistos
I'll let the experts like you speak with finality to ease the concerns of people like me... $-)
I'm really not an expert on this - I read a lot and apply what I read to my own situation and others I'm in contact with. That's about it.

----
rich
#56, July 12th, 2009, 03:47 AM
Rmus (Exploit Analyst, Join Date: Mar 2005, Posts: 3,624)
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by ssj100
Well mate, sounds like you know much more than I ever will about these sorts of matters.
Well, from what I've observed in other threads, you are very knowledgeable about a lot of computer stuff. If I appear to know more about this topic, it's only because I've read and investigated more.

It sounds like you have a healthy dose of skepticism -- a refreshing and important ingredient in computer security! Start by looking for current in-the-wild exploits. That will reveal what it is you need to protect against. Often much noise is generated about this and that discovery of a vulnerability. Not all vulnerabilities result in active, in-the-wild exploits. Not all exploits pertain to everyone's particular situation. (What if you don't use Hotmail, for example?)

15+ years ago, the only thing I knew about a computer cookie was that it was a text file. So, when an article appeared warning of malware spreading via a cookie, I said, Wait a minute!

Now, that's a rather extreme example of erroneous information, but less obvious examples spread needless fear and misunderstanding. As with other aspects of security, it's necessary to question (as you are here) and delve beneath the surface of articles/reports/blogs that purport to warn of impending catastrophe.

At that time, I was accepting all cookies. I noticed one day that there were several hundred. 99% would never see the light of day again, since I was not likely to ever return to most of the sites. But the clutter bugged me, so from that point on I stored only those cookies necessary for regularly visited sites, or others I chose to store. For sites that I probably wouldn't visit again, Opera provides for discarding a cookie when the browser is closed, hence it is not stored.

Today's browsers permit per site configuration of cookies, making it easy to keep control of things. Nonetheless, for 15+ years, on my security/privacy danger scale of 0 - 10, I had to add a [-1] value to indicate "cookie" on the scale.

Looking in my Cookie Manager in Opera, my DSLR cookie shows:

[attached image: dslr-cookies2.gif]

Do you know what these are?

They are the much-hyped google-analytics cookie. In 2005 Google purchased the Urchin Software Corporation, which was described as:

Quote:
a web site analytics solution used by web site owners and marketers to better understand their users' experiences, optimize content and track marketing performance.
My first encounter with this was one evening when, connecting to the csmonitor.com news site as I did every evening, I got a firewall alert about a connection to an IP on port 443. The alert came because I use a custom address group for port 443 and this IP was not in the group.

Looking at the page code, I saw google-analytics:

Code:
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script>

I emailed the webmaster and received a reply explaining what this service is. Later, I discovered that in addition to DSLR, ISC (sans.org) also uses this service. A representative of the latter posted a message about this after receiving a number of inquiries. Having learned that this service helps web masters to analyze their traffic, it no longer bothered me. After all, web site analysis has been around in various guises for years. The difference here -- this bothers a lot of people -- is that the analysis data is stored in a user account on a Google server, which is collated and returned to the user in charts, etc. The implication is that Google could surreptitiously harvest users' account data for their own use.

Another example: Google Search. If a person is bothered by tracking, don't store the cookie.

I did an experiment once: For six months I accepted all cookies including 3rd-party tracking cookies. Even the much-maligned double-click stuff. I never noticed anything different in my surfing. No popups. No one came knocking at my door with ads. No mail. Well, I got irritated again by all of the clutter so I purged everything and started over with per site configuration.

Cookies are a big topic with lots of sub-topics. Users have to decide for themselves the importance of each, and how to deal with it.


----
rich
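A small model of the per-site cookie handling described in the post above (store, keep only for the session, or block, with cookies set by embedded third-party hosts handled separately), written as an added example for this thread rather than code from Opera or from the poster; it assumes absolute URLs and guesses a site as the last two labels of the host name, which is cruder than a real browser's public-suffix handling:

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Per-site policy values, mirroring the choices a browser cookie manager offers:
# store the cookie, keep it only until the browser closes, or refuse it.
ACCEPT, SESSION_ONLY, BLOCK = "accept", "session-only", "block"

def site_of(host):
    # Assumption: the site is the last two labels of the host name
    # (www.csmonitor.com -> csmonitor.com); real browsers use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])

class CookiePolicy:
    def __init__(self, default=BLOCK, third_party=BLOCK, per_site=None):
        self.default = default            # rule for sites without an explicit entry
        self.third_party = third_party    # rule for cookies set by a host outside the page's site
        self.per_site = {site_of(k): v for k, v in (per_site or {}).items()}
        self.jar = []                     # stored cookies: (site, name, value, persistent)

    def decide(self, page_url, response_url):
        """Which rule applies to a Set-Cookie from response_url while viewing page_url."""
        page_site = site_of(urlsplit(page_url).hostname)
        cookie_site = site_of(urlsplit(response_url).hostname)
        if cookie_site != page_site:
            return self.third_party       # e.g. an analytics or ad host embedded in the page
        return self.per_site.get(cookie_site, self.default)

    def receive(self, page_url, response_url, set_cookie_header):
        """Apply the policy to one Set-Cookie header and return the action taken."""
        action = self.decide(page_url, response_url)
        if action == BLOCK:
            return BLOCK
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            # A cookie is persistent only if the server gave it a lifetime ...
            persistent = bool(morsel["expires"] or morsel["max-age"])
            # ... and the user did not demote the site to session-only.
            if action == SESSION_ONLY:
                persistent = False
            self.jar.append((site_of(urlsplit(response_url).hostname), name, morsel.value, persistent))
        return action

    def on_browser_close(self):
        """Drop session cookies at exit, as a browser does; return how many survive."""
        self.jar = [c for c in self.jar if c[3]]
        return len(self.jar)
```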
#58, July 12th, 2009, 10:39 AM
Keyboard_Commando (Frequent Poster, Join Date: Mar 2009, Posts: 682)
Re: Cookies...yummy or deadly?

http://www.cgisecurity.com/xss-faq.html

Some interesting stuff. There ^^

Quote:
"How common are XSS holes?"

Cross site scripting holes are gaining popularity among hackers as easy holes to find in large websites. Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had one form or another of XSS bugs.


Every month roughly 10-25 XSS holes are found in commercial products and advisories are published explaining the threat.


"Does encryption protect me?"

Websites that use SSL (https) are in no way more protected than websites that are not encrypted. The web applications work the same way as before, except the attack is taking place in an encrypted connection. People often think that because they see the lock on their browser it means everything is secure. This just isn't the case.
#59, July 12th, 2009, 02:46 PM
Rmus (Exploit Analyst, Join Date: Mar 2005, Posts: 3,624)
Re: Cookies...yummy or deadly?

A few other quotes:

Quote:
Step 1: Targeting

After you have found an XSS hole in a web application on a website, check to see if it issues cookies. If any part of the website uses cookies, then it is possible to steal them from its users.

Step 2: Testing

Next you will need to insert some Javascript (or other client side scripting language) into the URL pointing to the part of the site which is vulnerable.

Hand out your crafted url or use email or other related software to help launch it. Make sure that if you provide the URL to the user(through email, aim, or other means) that you at least HEX encode it. The code is obviously suspicious looking but a bunch of hex characters may fool a few people. Once you have gotten the user to execute the XSS hole, the data is collected and sent to your CGI script.

"What can I do to protect myself as a user?"

The easiest way to protect yourself as a user is to only follow links from the main website you wish to view. If you visit one website and it links to CNN for example, instead of clicking on it visit CNN's main site and use its search engine to find the content.


----
rich
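The FAQ quoted above notes that a crafted URL is often hex (percent) encoded so it looks less suspicious to the person receiving it; the same encoding also hides it from a naive search of the web server's logs. This added example (not from the FAQ or the poster) decodes each query parameter repeatedly before matching, and runs over constructed sample log lines in the common web-server format:

```python
import re
from urllib.parse import unquote, urlsplit

# Markers a script injected through a URL parameter usually needs. They are matched
# against the *decoded* value, so percent ("hex") encoding of the URL does not hide them.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

def fully_decode(value, max_rounds=5):
    """Undo repeated percent-encoding: %253C -> %3C -> <  (stops when nothing changes)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return the names of query parameters whose decoded value looks like script injection."""
    hits = []
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        if SUSPICIOUS.search(fully_decode(raw_value)):
            hits.append(fully_decode(name))
    return hits

# Request-line extractor for the common/combined web-server log format.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_log(text):
    """Return (url, [parameter names]) for every log line carrying a suspicious query."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            hits = suspicious_params(match.group(1))
            if hits:
                findings.append((match.group(1), hits))
    return findings

# Constructed sample log lines (not from any real server): one benign search, one
# plainly encoded probe, one double-encoded probe, one javascript: URL with a hex-encoded letter.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2009:03:01:00 -0400] "GET /search?q=cookies HTTP/1.1" 200 5120
10.0.0.7 - - [12/Jul/2009:03:05:12 -0400] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5211
10.0.0.9 - - [12/Jul/2009:03:07:40 -0400] "GET /search?q=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 5100
10.0.0.11 - - [12/Jul/2009:03:09:03 -0400] "GET /login?next=%6Aavascript%3Aalert(1) HTTP/1.1" 302 0
"""
```

The pattern list is a coarse heuristic for triage, not a complete XSS filter; the point is that matching must happen after decoding.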
#60, July 12th, 2009, 03:28 PM
StevieO (Frequent Poster, Join Date: Feb 2006, Posts: 1,068)
Re: Cookies...yummy or deadly?

I've been constantly told, on here and elsewhere, cookies are a privacy issue, not a security matter.

I always disagreed and said that, if it was possible to steal them from users, then all sorts of unwanted consequences could arise. As Rmus has just noted, this has, can, and does occur.

Exactly what the thieves do with the info will vary with what they get, how much, etc. I prefer not to keep ANY cookies EVER; I never have and I doubt I ever will. Sure, I have always had to type in my user name and password every time I log in somewhere, but that's a very mild inconvenience I'm more than happy to live with. It only takes a few seconds anyway.

Cookies, no fanx !
#62, July 13th, 2009, 02:31 AM
MrBrian (Very Frequent Poster, Join Date: Feb 2008, Posts: 2,925)
Re: Cookies...yummy or deadly?

http://en.wikipedia.org/wiki/HTTP_cookie
#63, August 1st, 2009, 01:12 AM
Dregg Heda (Frequent Poster, Join Date: Dec 2008, Posts: 830)
Re: Cookies...yummy or deadly?

Just to be clear, clearing out the sandbox will get rid of both cookies and flash cookies right?
#65, August 1st, 2009, 04:13 AM
Dregg Heda (Frequent Poster, Join Date: Dec 2008, Posts: 830)
Re: Cookies...yummy or deadly?

Thanks ssj!
#66, August 1st, 2009, 05:07 AM
tlu (Very Frequent Poster, Join Date: Sep 2004, Posts: 2,065)
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by MrBrian

Yes, this article is very good and summarizes everything. I block all cookies in Firefox by default and manage them with Cookie Monster by allowing cookies only on sites where needed (often only as session cookies). And I have also disabled flash cookies, of course.
#67, August 1st, 2009, 05:32 AM
Dregg Heda (Frequent Poster, Join Date: Dec 2008, Posts: 830)
Re: Cookies...yummy or deadly?

Can flash cookies be disabled in FF or do you need to do it via the macromedia flash player page?
#68, August 1st, 2009, 05:38 AM
tlu (Very Frequent Poster, Join Date: Sep 2004, Posts: 2,065)
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by Dregg Heda
Can flash cookies be disabled in FF or do you need to do it via the macromedia flash player page?

Either via the flash player site (that's how I did it) or with Better Privacy.
#69, August 1st, 2009, 08:15 AM
Fly (Very Frequent Poster, Join Date: Nov 2007, Posts: 1,856)
Re: Cookies...yummy or deadly?

I'm still using IE 7.

Are these third party cookies supposed to be in my regular cookies folder ?

I don't see them there.
#70, August 1st, 2009, 01:20 PM
Dregg Heda (Frequent Poster, Join Date: Dec 2008, Posts: 830)
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by tlu
Either via the flash player site (that's how I did it) or with Better Privacy.
Thanks for that, tlu! I've used Better Privacy in the past when it used to pop up warnings about LSO cookies; I never used to know what they were, but boy am I glad I had them nixed anyway!
#71, August 1st, 2009, 08:40 PM
MrBrian (Very Frequent Poster, Join Date: Feb 2008, Posts: 2,925)
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by tlu
Either via the flash player site (that's how I did it) or with Better Privacy.

My advice is to not disable third-party Flash cookies, or else you will break some websites. I use BetterPrivacy to delete Flash cookies when Firefox is exited.
#72, August 1st, 2009, 11:55 PM
Dregg Heda (Frequent Poster, Join Date: Dec 2008, Posts: 830)
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by MrBrian
My advice is to not disable third-party Flash cookies, or else you will break some websites. I use BetterPrivacy to delete Flash cookies when Firefox is exited.
What kind of sites require these cookies anyway? Youtube? Sites with videos and stuff?
#73, August 2nd, 2009, 01:20 AM
MrBrian (Very Frequent Poster, Join Date: Feb 2008, Posts: 2,925)
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by Dregg Heda
What kind of sites require these cookies anyway? Youtube? Sites with videos and stuff?

I found two sites that don't work properly unless Flash third-party cookies are enabled: one is a video site (Justin.tv if I recall) and the other is a music streaming site.