In a great many cases, cookies are an important part of a good internet experience and in fact a safe surfing experience.
Safe surfing requires you to be “authenticated” when you are browsing pages meant just for you and/or other customers of the particular page. Encrypted cookies are one means of ensuring that is happening transparently without constant intervention from you.
If you look at the content of some of your cookies you will see what appears to be gibberish. In some cases, such as if you are logged in as a user or member of the Secure Surfing Organization, some of those cookies are very long and mysterious. That’s because they are encrypted. The longer the cookie, the higher the level of encryption being used.
This happens by the host server generating encrypted versions of your password and of what is called “session data.” Session data is really just a record that the person who logged into this particular “session” of the web site continues to be the same person throughout, until the user logs off.
There are legitimate and serious concerns about how cookies are used. Read the Cookie Crock for some examples. This guide will step you through managing cookies safely. This example will assume you are using Firefox; the steps are somewhat different and more difficult in Internet Explorer.
Consider that there are three kinds of cookies you want to deal with:
1. Cookies that you want to keep permanently available to your browser.
These are cookies that store your preferences for particular kinds of web sites. Appropriate web sites for which you might want to store preferences would include the secure search engine IxQuick. If you have created a set of preferences for your searches, for example to display 100 results per page instead of 10, then you don’t want to have to reset those preferences every time you do a search.
What is important is that IxQuick does not store logs of your searches and does not even record your IP address. So saving your preferences in a cookie will not lead to tracking or profiling your searches and there is nothing for the company to abuse.
Note that the decision to permanently store cookies has little or nothing to do with the level of trust you accord a particular site. For example, you do not want to permanently store cookies from your bank or other online financial transaction sites. Doing so exposes you to other kinds of threats that do not come from the trusted site itself. Storing information even about what financial institutions you visit, let alone login name and password is highly risky in the event that your computer is physically compromised or that a hacker breaks through your defenses and gains control of your computer without your knowledge.
You must, then, be very careful about exactly which sites you allow to store permanent cookies.
2. Cookies that you want working during your browser session.
This class might include most of the cookies from web sites you regularly use. A “session” is the period of time from when you first visit a web site to the time you exit your browser.
The reason most people will want to allow their main sites to have session privileges is that many sites simply will not work without that permission. Facebook, for example, cannot keep track of who is logged in or out (nor can The Secure Surfing Organization) without using cookies.
Some sites respond differently to the absence of cookies depending on exactly which services you are using. For example, Google search works fine without cookies, but Google Docs, GMail and other Google services require you to accept cookies.
You have to make the decision whether or not the trade off of using Google or other services that intensively track you is worth providing them with the means to conduct that tracking. Even session-only cookies are employed by Google in particular to track you as your IP address is matched with your log in information and recorded to a database that includes everything you do while cookies are enabled or you are actually logged into a Google service.
And we do mean everything. Google records every web site you visit, every book you buy, every word of every email message you write or personal conversation you have using Google chat services. They are now also recording where you are physically located when you use your computer, using the new technology of “location awareness.”
In our view, this has just gone too far and we do not recommend that anyone actively use Google services. But again, that is a choice for each person. Do accept our advice about allowing only session-level storage (we’ll show how in a minute).
3. Sites from which you never want cookies on your computer at all.
If you are not actually registering with a site, most often you can turn off all cookies for that site. The recommended handling is to disallow cookies wherever doing so does not interfere with your ability to enjoy the services and experience you want. Just say no.
So to handle these tasks we must go to our Options page in Firefox. On the menu bar at the top you will see the Tools menu. Depending on what extensions you have installed and any customizations you have made, you will see a list of “tools” choices, one of which is Options.
When you select options you will see something identical or very similar to the one shown here.
Note the Privacy item with the opera mask. Clicking on the Privacy mask produces another screen with several privacy management choices. For this guide we’re only interested in the cookies. Note in particular that Accept cookies is checked, but that the control is set to “Ask me every time.”
What this means in practical terms is that the first time any site tries to set a cookie on your machine, you will be prompted to Allow, Allow for Session or Deny.
You will also see a check box to Use My choice for all cookies from this site. Clicking this check box means you will not be asked the question again and your selection will be made permanent. More on that in a moment.
First the meaning of each choice.
If your prompt does not show the Hide Details button, then you should see a Show Details button. This allows you to see the actual content of the cookie. In the example here, mcafee.com wants to set a cookie named ASPSESSIONIDSABBSQDD and the value or content of that cookie will be the HGFK… string.
In this instance we are looking at a session cookie and it sets its own lifespan to end at the end of the session, i.e. when you close your browser.
Note: It is important to realize that the session does not end when you leave that web site. It only ends when you exit your browser completely, i.e. turn it off. Thus even session level cookies have the potential for harm if sensitive information is left in those cookies while you continue to browse.
Therefore, for banks and any site that you enter credit card or other sensitive information, setting cookies to Allow for Session is not enough. We repeat it is NOT enough. Down the page we will explain why and what you must do with such cookies.
If you select Allow, then the cookie will be stored as instructed (some may be session as this one, most are weeks or years in duration with some absurd Expires date). If you select Deny, then that particular cookie will be refused.
If you do not click “Use my choice for all cookies from this site,” then you will immediately be asked to make a choice on the next cookie from that site and the next and the next. Most sites trigger a cookie action at every single contact if you do not have a default behaviour chosen for all cookies from that site.
By “every connect” understand that most web pages involve many more than a single connect. There is a connect to deliver the main body of the page, plus a separate connect for every graphic or image on the page, plus other connects based purely on the whims or choices of the page designer. This means that you will be presented with a request to allow the very same cookie that you have already Denied, because the request is coming from a literally different URL (e.g. http://mcafee.com; http://mcafee.com/lock.jpg; http://mcafee/head1.gif ….).
This is very, very annoying. Under such a barrage you will quickly start making choices without much regard to the consequences. It is much better to already have in mind what you want to do with the cookies from the site than to put yourself through that nonsense. This is the reason this How-to starts with considering the different types of cookie needs and preferences you have as a general rule. You will then be better prepared to make a choice that works for you when you are prompted by any site.
In this case, we checked the “Use my choice” box and the Deny button. We will never be bothered by a request for cookies from mcafee.com again and there will never be any mcafee cookies on our computer.
Take heed. If you then wish to purchase something from McAfee, the denial of cookies may cause you additional work.
If we had instead selected Allow for Session and checked the “Use my choice” box, we still would not be bothered with the requests any longer but mcafee.com would store whatever cookies it wanted on our computer and they would remain there until we shut down the browser. For many sites this is a perfectly good choice, and it should probably be your primary response for sites that you use often or from which you plan to make purchases or join for services.
The reason why The Secure Surfing Organization denies cookies from McAfee and similar sites is that many of the security software vendors are getting into the business of tracking users for apparently positive, innocent purposes. Specifically, McAfee and others offer various “safe site” services which purport to keep track of which sites are safe and which are not (“McAfee SiteAdvisor”), and anti-phishing services which check every site you are about to visit against a central database owned by the company.
The Secure Surfing Organization has concerns about this development. Most of these companies are already active in tracking users through devices such as WebTrends monitoring, Google Analytics and other mechanisms about learning what their real and potential customers are doing. If we now give them the power to know every single site we ever try to visit, in our judgement we are simply handing over too much.
Even if we take at face value that all the companies engaged in these “protective” services are fully trustworthy, it really does not change our basic assessment. We have no reason to believe that McAfee, who we have used for example only, would ever do anything undesirable with the information it gains through McAfee SiteAdvisor, Link Inspector or its anti-phishing monitoring. It’s not a matter of trusting McAfee. It’s a matter of simple prudence in a world increasingly hostile to personal choice and personal privacy.
Witness the theft of over half a million names, credit card numbers and other personal information from one provider, Network Solutions.
It is just not responsible behaviour to participate in services that you know will accumulate large volumes of details about you. Especially when there are very good, even outstanding alternatives available. In the case of anti-phishing / link inspection (really the same thing) using OpenDNS provides at least as good protection as McAfee without the commercial entanglements.
Returning to the use of “Allow for Session,” this is a necessary but not sufficient option for your most sensitive services such as banks. It is necessary because you want to ensure you do not allow permanent cookies with sensitive information to accumulate and be available to your browser or other retrieval methods. It is not sufficient because such retrieval could occur during the same session in which you accept the cookies.
So, if you have set your cookie preference for the Bank of Total Security to “Allow for Session” and “Use my choice…” then when you visit the Bank site, everything will transpire as you expect and you will have a convenient and hopefully safe session conducting your business. When you are done with your banking and leave the banking site, if you then continue to browse the internet, the cookies set while you were on the banking site will still be available for retrieval.
A malicious attacker could in principle set up to capture traffic leaving a bank’s site and then use any of the many tools to get at your cookie data. If you leave your computer on with the browser not closed, then anyone who finds a way into your system, either by physical access or over the internet, will have access to the information in those banking cookies.
The solution is not necessarily to restart your browser every time you do financial transactions or visit sensitive sites, although it’s not really that much bother to do so. Rather, you can clean up directly from within Firefox.
If you pop back up to the Firefox Privacy Options image, you will see a button “Show Cookies.”
When you click that button all the cookies currently stored by Firefox will be displayed. You can simply select the cookies from your bank and delete them while leaving everything else intact for your continued browsing pleasure. You should also clear your cache and browsing history, but this tutorial is about cookies. If you explore the Privacy Options dialogue you will easily understand how to do those things.
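As an added example (not code from this tutorial or from Firefox), the following Python models the three per-site choices described above (Allow, Allow for Session, Deny), what each does to a cookie's lifetime, and the mid-session “Show Cookies, delete the bank's cookies” cleanup. The host names, cookie values and policy names are constructed for illustration.

```python
# Added example: a tiny model of per-site cookie policy as the guide describes it.
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone, timedelta

ALLOW, SESSION, DENY = "allow", "allow_for_session", "deny"  # assumed policy names

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs

def expiry(attrs, now):
    """Expiry datetime of the cookie, or None for a session cookie.
    Max-Age takes precedence over Expires (RFC 6265)."""
    if "max-age" in attrs:
        return now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None

class CookieJar:
    def __init__(self, policy):
        self.policy = policy     # host -> ALLOW / SESSION / DENY ("Use my choice")
        self.cookies = {}        # (host, name) -> (value, expiry or None)

    def accept(self, host, header, now=None):
        """Apply the site's stored choice; a real browser would prompt if none."""
        now = now or datetime.now(timezone.utc)
        choice = self.policy.get(host, DENY)     # no stored choice: "just say no"
        if choice == DENY:
            return False
        name, value, attrs = parse_set_cookie(header)
        exp = expiry(attrs, now)
        if choice == SESSION:
            exp = None   # Allow for Session: persistent Expires is ignored
        self.cookies[(host, name)] = (value, exp)
        return True

    def delete_host(self, host):
        """The 'Show Cookies -> delete the bank's cookies' step, mid-session."""
        for key in [k for k in self.cookies if k[0] == host]:
            del self.cookies[key]

    def close_browser(self):
        """Exiting the browser drops every session cookie; permanent ones stay."""
        self.cookies = {k: v for k, v in self.cookies.items() if v[1] is not None}
```

Note that with Allow for Session the bank's cookie is kept until `close_browser()` even after you leave the bank, which is exactly why the guide tells you to delete it by hand if you keep browsing.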
If you would like to comment on this tutorial, ask questions or just discuss privacy in general, please visit the forum.