Learning about Internet Security

Learning about Internet Security is a new column in the ASIS SFBA Chapter newsletter.  Each month it will deal with a different aspect of Internet Security.

Internet Cookies

An Internet "Cookie" is a text file that is written to your computer. How is it different from any other web page that is downloaded and written to your cache? Unlike web pages, a cookie can be searched for on your computer, read, and even modified by the web site. Because it is a text-only file, you can open it up and inspect the contents. Some of it may be immediately recognizable as data, while some of it may simply be meaningless characters. A cookie does not have the ability to do anything but store text characters.

Cookie Shelf-life
Cookies may or may not stick around on your computer. An Internet cookie can be dated to self-expire after a fixed date or time period. Your web browser routinely deletes expired cookies. A cookie may have a lifespan as short as your current Internet session, or it may have an expiration date that is years into the future. Your web browser will still work if you delete a cookie, although you may experience anomalies when the cookie's parent web site goes to look for it on your next visit. Usually the web site will simply create a new cookie for your computer.

What are Cookies used for? 
If you are visiting a web site that uses an ID and password to enter, a cookie can be written to your hard drive to save your access information. The next time you visit the web site, the web site can search for your access information in the cookie and then use this information to give you access to the web site without forcing you to reenter the information.

Of course, other information can also be stored. Once you have given permission for the web site to use a cookie, it can make use of the file whenever you visit the web site. Your web browser usually will have an option that will allow you to choose whether or not to accept a cookie. Once a cookie has been accepted, you will not be asked to give permission each time that the web site wants to use that cookie.

Should you ever accept a cookie? 
That depends on the type of cookie. For instance, if you are trying to play an online game, you may be forced to accept a cookie because the application needs to use one or more cookies to keep track of your progress or permit you to save a game in progress.

Online purchases may require you to accept a cookie before allowing you to download a product. This sort of product sale verification permits a seller to reasonably assume that only one copy of the product is being downloaded, and presumably onto the same computer from which it was purchased. This sort of sales authorization cookie is also useful if something goes wrong with the download. If you are forced to try again, the cookie will speed you through the authorization process and help to avoid double-charges to your credit card.

I looked at the cookies on my computer and some were filled with just garbage. Are those cookies corrupted? 
No, actually those cookies are encrypted for security. Some web designers may encrypt cookies for a variety of reasons, not the least of which is to prevent computer owners from opening the cookies and reading them. Usually in these cases, the cookie is being used to either store financial information or game data.
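
Both the shelf-life and the "garbage" contents of a cookie can be checked from the Set-Cookie header a web site sends when it creates the cookie. The Python sketch below is an added example, not part of the original column; the sample header values, the function names and the length and entropy thresholds are constructed assumptions.

```python
import math
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie header values for illustration (not from a real site).
SAMPLE_HEADERS = [
    "game_level=7; Path=/",
    "login_name=jsmith; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "order_token=9fQ2xLr8TzKp0VbYw3HsNc5uJmAe7GdR; Max-Age=3600",
    "old_pref=blue; Expires=Sat, 01 Jan 2000 00:00:00 GMT",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def lifetime(attrs, now):
    """Classify shelf-life: 'session', 'persistent' or 'expired'."""
    if "max-age" in attrs:  # Max-Age wins over Expires when both are present
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    if "expires" in attrs:
        return "persistent" if parsedate_to_datetime(attrs["expires"]) > now else "expired"
    return "session"  # no expiry given: dropped when the browser session ends

def looks_opaque(value, min_len=16, min_bits=3.5):
    """Heuristic (thresholds are assumptions): long, high-entropy values are
    likely encrypted, encoded or random rather than human-readable text."""
    if len(value) < min_len:
        return False
    counts = Counter(value)
    entropy = -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())
    return entropy >= min_bits

def inspect(header, now=None):
    """Return (name, shelf-life, 'opaque' or 'readable') for one header value."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    return name, lifetime(attrs, now), "opaque" if looks_opaque(value) else "readable"

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(inspect(header))
```

An "opaque" result only means the value is not plain readable text; it cannot tell encryption apart from simple encoding or a random identifier.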

In conclusion, until something better is invented, cookies will continue to be a necessary evil in web site technology. Prudence, when electing whether or not to accept a cookie, will rely heavily on your use of common sense, knowledge, and experience. Unless you implicitly trust the cookie's source, or fully understand how the cookie will be used, it is better to treat all cookies with caution.

Next Month's Topic: Security through Sub-Webs

By Steve Duell
ASIS SFBA Webmaster