Sunday, December 2, 2012

Do cookies pose a security risk?

By default, cookies are only sent to the web server that created them in the first place. So unless someone gains physical access to the user's machine and the cookies store personal information in plain text, the security threat is almost nonexistent.

The US Department of Energy's computer advisory committee had this to say in 1998 about the risks posed by cookies:

"PROBLEM: Cookies are short pieces of data used by web servers to help identify web users. The popular concepts and rumors about what a cookie can do have reached almost mystical proportions, frightening users and worrying their managers.

VULNERABILITY ASSESSMENT: The vulnerability of systems to damage or snooping by using web browser cookies is essentially nonexistent. Cookies can only tell a web server if you have been there before and can pass short bits of information (such as a user number) from the web server back to itself the next time you visit. Most cookies last only until you quit your browser and then are destroyed. A second type of cookie known as a persistent cookie has an expiration date and is stored on your disk until that date. A persistent cookie can be used to track a user's browsing habits by identifying him whenever he returns to a site. Information about where you come from and what web pages you visit already exists in a web server's log files and could also be used to track users' browsing habits; cookies just make it easier."
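
The scoping rule and the two cookie lifetimes described above, as an added example that is not part of the original post or the quoted advisory: a simplified model of the RFC 6265 rules in JavaScript. The function names, hostnames and cookie values are constructed for illustration, and the public-suffix and Path checks a real browser performs are left out.

```javascript
// Added example: simplified RFC 6265 cookie model. Hostnames and cookie
// values are constructed samples; public-suffix and Path checks are omitted.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// No Expires or Max-Age: the cookie is discarded when the browser quits.
function lifetime(cookie) {
  const a = cookie.attrs;
  return "expires" in a || "max-age" in a ? "persistent" : "session";
}

// RFC 6265 domain-match: identical host, or host is a subdomain of domain.
function domainMatch(host, domain) {
  const d = domain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// A browser drops a cookie whose Domain does not cover the server that set it.
function accepted(cookie, originHost) {
  const d = cookie.attrs.domain;
  return typeof d !== "string" || domainMatch(originHost, d);
}

// Host-only cookies (no Domain) go back only to the exact origin host.
function wouldSend(cookie, originHost, requestHost) {
  if (!accepted(cookie, originHost)) return false;
  const d = cookie.attrs.domain;
  if (typeof d !== "string") return requestHost.toLowerCase() === originHost.toLowerCase();
  return domainMatch(requestHost, d);
}

const sessionCookie = parseSetCookie("sid=abc123; Path=/");
const persistentCookie = parseSetCookie("uid=42; Domain=example.com; Max-Age=31536000");
const foreignCookie = parseSetCookie("t=1; Domain=tracker.example.net");

console.log(lifetime(sessionCookie), lifetime(persistentCookie));
console.log(wouldSend(persistentCookie, "www.example.com", "tracker.example.net"));
```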
