
1 Privacy and Security Concerns with HTTP Cookies. Presentation by: Robert Bobek

2 What are HTTP Cookies?
• We need some understanding of HTTP first!
  ◦ Hypertext Transfer Protocol (HTTP) is the communication protocol used to transfer data on the Internet.
  ◦ HTTP is a request/reply protocol.
  ◦ HTTP is a stateless protocol! That breaks web applications, which need to remember the user between requests.
• So, what are HTTP Cookies?
  ◦ Cookies have become an attractive solution to this problem.
  ◦ A textual piece of information.

3
• HTTP Cookies are either First Party or Third Party.
• Web applications use First-Party Cookies for many purposes:
  ◦ User session tracking
  ◦ Personalization of profiles
  ◦ Auto-complete fields

4
• Executing basic attacks on First-Party Cookies
  ◦ Browser history fishing
  ◦ Cookie theft and data extraction
• Easily accomplished on
  ◦ Public terminals
  ◦ Single user-account OS configurations

5
• Executing advanced attacks on First-Party Cookies
  ◦ Cookie theft (packet sniffing)
  ◦ Cookie poisoning
  ◦ Cross-site cooking
• Used to hijack sessions
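As an added example that is not part of the presentation: one server-side defence against the cookie poisoning named above is to sign each cookie value with an HMAC, so that a value edited on the client no longer matches its signature and the request is rejected. The secret key, the cookie name "session" and the cookie values are constructed for the demo.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed demo secret; a real server loads this from configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

def _mac(value: str, key: bytes) -> str:
    """HMAC-SHA256 over the cookie value, base64url encoded without padding."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Server side: build 'value.signature' for a Set-Cookie header."""
    return f"{value}.{_mac(value, key)}"

def verify_cookie(raw: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the original value if its signature checks out, else None."""
    # The signature never contains '.', so splitting at the last '.' is safe
    # even when the value itself contains dots.
    value, sep, sig = raw.rpartition(".")
    if not sep or not value:
        return None  # malformed: no signature part at all
    # Constant-time compare so timing does not leak how much of a guess matched.
    if not hmac.compare_digest(sig.encode("utf-8"), _mac(value, key).encode("ascii")):
        return None  # poisoned (edited client side) or forged with the wrong key
    return value

def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, eq, value = part.strip().partition("=")
        if eq and name:
            cookies[name] = value
    return cookies

def session_from_request(cookie_header: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Look up and verify the 'session' cookie; None means reject the request."""
    raw = parse_cookie_header(cookie_header).get("session")
    return verify_cookie(raw, key) if raw is not None else None

if __name__ == "__main__":
    good = sign_cookie("user1042")
    print("Set-Cookie: session=" + good)
    # A poisoned copy keeps the valid signature but changes the value.
    poisoned = "admin." + good.rpartition(".")[2]
    print("poisoned cookie accepted:", session_from_request("session=" + poisoned) is not None)
```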

6
• Third-Party Cookies are cookies sent by servers located outside the domain of the web site that the user was visiting.
• Companies such as DoubleClick raise privacy concerns!
  ◦ They use third-party cookies.
  ◦ This occurs without the user's attention.
[Diagram: DoubleClick serving ads on the sites of Business A, Business B and Business C; each "Bus. X ad loaded" event reaches DoubleClick.]

7
• "Mobile Cookies Management on a Smart Card", created by Alvin T.S. Chan
  ◦ Motivation:
    - General security and privacy problems
    - Removing the machine-cookie dependency
• Cookies held on smart card technology
  ◦ Secured by PIN authentication

8 Graphic Reference: Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM, November 2005, Vol. 48, No. 11, pages 38-43.

9
• The CookiesCard is an effective solution, but it still suffers from minor drawbacks:
  ◦ Smart card reader technology is not very popular
  ◦ The proxy must reside with the browser
  ◦ No cookies management interface

10
• The CookiesCard can be improved using the following suggestions:
  ◦ Replace smart card technology with USB flash devices
    - Affordable
    - Popular
    - Ultra-portable
  ◦ Run the proxy server from the USB flash device
    - Localhost left untouched
  ◦ Control panel interface created as a 3rd module
    - Can be accessed through another listening port

11 Graphic Reference: Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM, November 2005, Vol. 48, No. 11, pages 38-43. (Modified by Rob Bobek.)
• Cryptainer Mobile provides on-the-fly encryption/decryption technology on mobile devices
  ◦ Does not require installing device drivers on the host machine to decrypt
  ◦ Uses the Blowfish encryption algorithm
  ◦ Free download!

12 CookiesCard 1.1: better, but not perfect!

13
• David M. Kristol. "HTTP Cookies: Standards, Privacy, and Politics". ACM Transactions on Internet Technology, November 2001, Vol. 1, No. 2, pages 151-198.
• Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM, November 2005, Vol. 48, No. 11, pages 38-43.
• The Cookie Controversy: Cookies and Internet Privacy. http://www.cookiecentral.com/ccstory/cc3.htm
• Wikipedia on HTTP Cookie: http://en.wikipedia.org/wiki/HTTP_cookie#Drawbacks_of_cookies
• CookieCentral: http://www.cookiecentral.com
• Cryptainer Mobile can be downloaded at http://www.cypherix.com/cryptainerle/
