SLAC Computer Security

Cyber Security Awareness Month

These tips are part of a month long effort to distribute useful computer security information to the SLAC community.

Day 28 - Cookies
Internet Storm Center has some good suggestions below. However, some of their suggestions will need some additional information; this subject is worthy of a more in-depth article, and we'll need to do that soon! All the options are there. You just need to understand them and use the extra security your browser CAN provide, if you enable it!

Cookies have an odd role in the security debate.  They get lumped in with malware, trojans, and other exploits.  This gets confusing for non-technical users; it sounds like cookies can capture keystrokes and take over their machines.

The first thing I try to make clear is that cookies are a privacy issue.  The servers at the other end of a web session can remember who you are and what rights you have; this is generally a good thing.  If you don't want this, don't log in to that site or even create an account.

They can also track what IP addresses you use and what pages you visit in what order, whether you sign up for an account or not.  This raises an interesting question: is it a problem if, for example, Barnes and Noble knows what pages you visit?

The theory is that cookies should only be served up from the web site you're visiting.  But what about cookies associated with content served up by sites like Doubleclick?  The privacy issues become much more severe here; Doubleclick and similar sites can track your actions across all the sites they serve.

Since we can't know how this tracking information is used, I encourage coworkers and friends to disable cookies in their web browsers.  For the sites that they trust that do require cookies, most browsers allow exceptions.

Here are some tips submitted by readers:
- Someone sniffing your web sessions may be able to capture the cookies coming back from the web server and take over your login.
- Don't log into your online bank, credit cards, company web sites from Internet Cafes or airports.
- Make sure that the site reads https:// before submitting userid and password.
- Make sure the URL/Domain you are at is the one you meant to go to.  A link that says "https://your-bank.com" is not the same as "https://yourbank.com"
- Don't depend on security tools that remove cookies after the fact; don't store them in the first place.
- Allow only some first-party cookies, using an exceptions list (a whitelist)
- Allow those cookies only for the current session
- Deny *all* third-party cookies
- Delete all cookies on browser exit
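The tips above describe a browser cookie policy in words. The following is an added example, not code from SLAC or the Internet Storm Center, that models that policy as a small cookie jar: it accepts cookies only from first-party sites on an exceptions list, keeps them for the current session only, denies every third-party cookie (the Doubleclick case, where the cookie comes from a host other than the one in the address bar), and wipes the jar on exit. It also shows the two checks behind the "sniffing" and "look at the URL" tips: a cookie set without the Secure attribute is sent on plain http too, so it can be captured on an open network, and a hostname must match exactly, so "your-bank.com" is not "yourbank.com". All hostnames and Set-Cookie headers are constructed for the example, and the "registrable domain" is approximated by the last two labels rather than the Public Suffix List a real browser uses.

```python
"""Added example: a toy model of the browser cookie policy the tips describe.
Not SLAC or ISC code; hostnames and Set-Cookie headers below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # host the cookie is scoped to (leading dot removed)
    secure: bool      # Secure attribute: cookie is only ever sent over https
    persistent: bool  # has Expires/Max-Age, i.e. would survive browser exit


def parse_set_cookie(header, setting_host):
    """Parse a Set-Cookie header the way a browser does (simplified: Path and
    SameSite are ignored). Without a Domain attribute the cookie belongs to the
    host that set it."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", setting_host).lstrip(".").lower() or setting_host.lower()
    return Cookie(
        name=name.strip(),
        value=value.strip(),
        domain=domain,
        secure="secure" in attrs,
        persistent="expires" in attrs or "max-age" in attrs,
    )


def site_of(host):
    """Registrable domain, approximated as the last two labels. Assumption for the
    example: a real browser consults the Public Suffix List (this is wrong for co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(cookie, page_host):
    """Third-party = scoped to a site other than the one in the address bar."""
    return site_of(cookie.domain) != site_of(page_host)


def sniffable_over_http(cookie):
    """Without the Secure attribute the browser also sends the cookie on plain http
    requests, where anyone on the path (cafe or airport Wi-Fi) can capture and replay it."""
    return not cookie.secure


def is_expected_site(url, expected_host):
    """Exact hostname match over https: rejects your-bank.com for yourbank.com,
    yourbank.com.example.net, and any plain-http login page."""
    u = urlsplit(url)
    return u.scheme == "https" and (u.hostname or "").lower() == expected_host.lower()


class CookieJar:
    """The four closing tips: first-party exceptions list, session-only,
    deny all third-party cookies, delete everything on browser exit."""

    def __init__(self, allowed_sites):
        self.allowed = {site_of(s) for s in allowed_sites}
        self.cookies = []

    def offer(self, header, setting_host, page_host):
        """Return (accepted, reason). Accepted cookies are stored as session cookies."""
        cookie = parse_set_cookie(header, setting_host)
        if is_third_party(cookie, page_host):
            return False, "third-party cookie denied"
        if site_of(cookie.domain) not in self.allowed:
            return False, "first-party cookie not on the exceptions list"
        cookie.persistent = False  # "allow those cookies only for the current session"
        self.cookies.append(cookie)
        return True, "accepted for this session only"

    def on_exit(self):
        """Delete all cookies on browser exit; returns how many remain (always 0)."""
        self.cookies.clear()
        return len(self.cookies)


def demo():
    """Run the policy over constructed headers and return the decisions."""
    jar = CookieJar(allowed_sites=["yourbank.com", "barnesandnoble.com"])
    r = {}
    r["bank"] = jar.offer("SESSIONID=abc123; Domain=.yourbank.com; Secure; HttpOnly",
                          setting_host="www.yourbank.com", page_host="www.yourbank.com")
    r["shop"] = jar.offer("cart=42; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
                          setting_host="www.barnesandnoble.com", page_host="www.barnesandnoble.com")
    # Ad content embedded in the bookstore page sets a cookie for its own domain.
    r["tracker"] = jar.offer("id=tracker-xyz; Domain=.doubleclick.net; Max-Age=31536000",
                             setting_host="ad.doubleclick.net", page_host="www.barnesandnoble.com")
    r["unlisted"] = jar.offer("vis=1", setting_host="news.example", page_host="news.example")
    r["persistent_left"] = sum(c.persistent for c in jar.cookies)
    r["insecure_session"] = [c.name for c in jar.cookies if sniffable_over_http(c)]
    r["after_exit"] = jar.on_exit()
    r["lookalike"] = is_expected_site("https://your-bank.com/login", "yourbank.com")
    r["plain_http"] = is_expected_site("http://yourbank.com/login", "yourbank.com")
    r["genuine"] = is_expected_site("https://yourbank.com/login", "yourbank.com")
    return r


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running it shows the bank and bookstore cookies accepted for the session only, the Doubleclick cookie refused as third-party, the unlisted site refused, the bookstore's "cart" cookie flagged because it lacks Secure and would travel over plain http, an empty jar after exit, and only the exact https://yourbank.com URL passing the address check.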

Owner: SLAC Computer Security
Page Created: 10/28/2007
Last Updated: 02/19/2008
Feedback: Please send to Computer Security Feedback