Security of Cookies in a computer lab setting

Security of Cookies In A Public
Computer Lab Setting
Russell Fech
November 30, 2000
Outline
• Introduction of Cookies
• Problem Statement
• Motivation/Importance
• Objective
• Research Plan
• Assumptions
• Conclusion
What are cookies?
• “Cookies are a general mechanism which
server side connections can use to both store
and retrieve information on the client side
of the connection.” - Netscape
• Also known as “Magic Cookies”
• Cookies can only be read by the website
that issued them
Types of cookies
• Persistent
– Stored on the hard drive for a long time
• Non-persistent
– Stored only for the current session of the web
browser
Where are the cookies?
• Cookies exist on both major web browsers
– Netscape stores all cookies in the cookies.txt
file in a Netscape directory
– Internet Explorer stores individual cookies as
text files in a cookies directory
Why use cookies?
• Used to keep track of the client session state
– Allows the “Full Web Experience”
• Rotating banners
• Electronic shopping carts
• Password saving
• Data mining
• Other uses
Why use cookies?
• Web browsers do not keep continuous
connections to the web sites
– Cookies send the information to reestablish
connections
• Web sites keep information about users to
customize the “Full Web Experience”
Problem Statement
• With the emergence of cookies, many users
are unknowingly releasing data about
themselves
• Win95/98 does not provide security to
protect users’ cookies
• Cookies are not designed to be used in a
multi-user environment
Problem Statement
• There are methods to eliminate/disallow the
use of cookies, but this blocks the “Full
Web Experience”
Motivation/Importance
• With the controversy concerning the safety
of cookies, it is in the best interest of the
administrator to ensure the security of user
information being transmitted to web sites
Motivation/Importance
• Protect the user from cookie crime
• Protect the subsequent users from getting
unwanted advertisement
• If cookie theft occurs, the administration
may be held accountable; however, if the
cookies are cleared off, there will be no
such threat
Objective
• Evaluate the use of cookies in public lab
settings
• Develop a hands-off approach to protect
users against the cookies threat by
providing a transparent layer of protection
• Provide formidable arguments why users
need protection from cookies
Research Plan
• Review current methods that attempt to
solve the cookie security problems
• Test these methods in a lab setting and
review their performance
• Improve on these methods
Methods and Problems
• Disable cookies completely
– Provides high security because no cookies are
formed
– Takes away from the “Full Web Experience”
• Clear cookies at startup/shutdown
– Safer than no protection, but requires a user to
do something
Methods and Problems
• Intercept the web browser and clean after
exiting
– High security, cleans up cookies when the user
shuts down the web browser
– Mischievous user may “disable” the program in
some fashion
– Program may crash
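The startup/shutdown clean-up described above, as an added example that is not part of the original slides: it empties both cookie stores named earlier (Netscape's single cookies.txt and Internet Explorer's per-cookie text files) and is safe to run both at browser exit and again at the next startup. The paths, file names and cookie lines are constructed, and the seven-field tab-separated cookies.txt layout is an assumption.

```python
import os
import tempfile

def clear_cookies(netscape_file, ie_cookie_dir):
    """Empty both cookie stores; return (store, domain or file, name) per cookie."""
    removed = []
    # Netscape: one cookies.txt with one persistent cookie per line, assumed to be
    # 7 tab-separated fields: domain, flag, path, secure, expiry, name, value.
    if os.path.isfile(netscape_file):
        with open(netscape_file, "r", errors="replace") as fh:
            for line in fh:
                fields = line.rstrip("\r\n").split("\t")
                if len(fields) == 7 and not line.startswith("#"):
                    # Record domain and name only, never the cookie value.
                    removed.append(("netscape", fields[0], fields[5]))
        # Truncate instead of deleting so the browser still finds its file.
        open(netscape_file, "w").close()
    # Internet Explorer: one text file per cookie in a cookies directory.
    if os.path.isdir(ie_cookie_dir):
        for name in sorted(os.listdir(ie_cookie_dir)):
            path = os.path.join(ie_cookie_dir, name)
            if os.path.isfile(path) and name.lower().endswith(".txt"):
                os.remove(path)
                removed.append(("ie", name, None))
    return removed

def demo():
    """Build a constructed lab profile, clean it twice, return both reports."""
    root = tempfile.mkdtemp()
    ns = os.path.join(root, "cookies.txt")   # constructed Netscape store
    ie = os.path.join(root, "Cookies")       # constructed IE store
    os.mkdir(ie)
    with open(ns, "w") as fh:
        fh.write("# Netscape HTTP Cookie File\n")
        fh.write(".shop.example\tTRUE\t/\tFALSE\t978307200\tcart\tabc123\n")
        fh.write(".ads.example\tTRUE\t/\tFALSE\t978307200\tuid\t42\n")
    with open(os.path.join(ie, "student@shop[1].txt"), "w") as fh:
        fh.write("cart\nabc123\nshop.example/\n")
    first = clear_cookies(ns, ie)    # run when the browser exits
    second = clear_cookies(ns, ie)   # run again at next startup: nothing left
    return first, second, os.path.getsize(ns), os.listdir(ie)

if __name__ == "__main__":
    print(demo())
```

Running the same routine at startup as well as at exit means that a cleaner which crashed or was disabled during one session leaves cookies behind only until the next run.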
Assumptions
• Use of Win 95/98
– Win95/98 does not provide any security for
files or folders
– Most other operating systems protect users
because they require users to log into an
account in which their data is saved in a
secured area
Resources and Special Needs
• Public computer lab
– Computers with Win95/98
• Various cookie security methods
– Disabling cookies
– Batch file deletion of cookies
– User deleting cookies themselves
– Cookie Crunching Software
– Most are free and easily obtainable over the
internet
Conclusion
• With the threat of mischievous users and the
possible misuse of cookies, it is up to the
administration to protect users from as many
threats as possible.
• Cookie security continues to be under major
dispute. If cookies are cleared from computers in
a lab setting, the administration is no longer
exposed to any future cookie threat.
Questions?