You Can’t Have My Cookies

Warren Parad
4 min read · May 13, 2018

With the upcoming enforcement of the GDPR, every major Google is sending out emails to update you on their conformance to your “Data Privacy”. The result is mostly a conspicuous popup on every web page asking you to “Acknowledge their use of cookies.” I decline every time. Why are you trying to make me give you my cookies?

I should clarify: these aren’t the “privacy” “tracking” cookies everyone is concerned about, these are my authorization cookies. What’s the difference? Well, they are the same cookies; cookies can actually be used for anything. Basically, a cookie is something that your browser creates for you with the help of the website you visit. Every time you communicate with the website/service, the cookies generated for that site are sent.

How are cookies used for tracking? Simple: cookies generated for site A will be sent to site A’s server when you are on ANY site which sends data to site A. For a more relevant example, let’s take Facebook, for obvious reasons. You log into Facebook and it creates a cookie for Facebook. You leave, and later you have a burning question to know who that random guy is in one movie you are watching that you thought you saw before but can’t remember. So you jump on IMDB, hoping to get all the answers. When you go there your browser sends IMDB the IMDB cookie. As it turns out there is a Facebook link in the top right hand corner. When that little icon loads, it also sends the Facebook cookie to Facebook with the source location as IMDB. Now Facebook knows you are visiting IMDB. Worse actually, IMDB sends your Google cookie to Google, your Twitter cookie to Twitter, etc… And now everyone knows you went to IMDB. These are called third-party cookies. Turn them off.

Fixed!? Okay, maybe not, because it actually turns out cookies are totally unnecessary for tracking or for anything else, and at this point if any website asks you to approve their use of cookies, you should dump all your stock in that company. The reason is that cookies are a thing of the past.

A quick trip through the way-back machine will help (and a non-relevant banking example helps best, since everyone cares about their money). You want to transfer some money from your account to another one. To do this you likely need to provide some information:

  • Your account
  • Amount
  • Recipient
  • Proof of your identity

You have a login, or a driver’s license (if you are at a physical branch), and while you can give that every time you want to authorize a transaction, it is incredibly dangerous to pass your credentials directly to the website; your driver’s license can be stolen. The better solution is to generate on your side a magic temporary key. This key will use your username/password along with your bank’s information and today’s date to generate a one-time-use key which can be used for a single transaction. If you care about the technical details, check out JWTs. You do this yourself without exposing your credentials, and then only send this magic (or authorization) key.

What should we do with these authorization keys? In the past, it was incredibly expensive to generate and you with your weak browser and the site with its powerful mainframe could do this. And why not automatically send that with every request? Browsers made it easy to do this, so they did. Every time you go to the bank, even if you are only interested in the free donuts they have on Wednesday morning, you expose your authorization key to them. And why not? It can only be used for them anyway. They stored this authorization key in a cookie.

We no longer live in this world, and there are no powerful backend mainframes to handle our requests. Actually, your visit to any website is an amalgam of ~100 different sites being joined together in this one place. And your browser isn’t weak anymore. So cookies make no sense, and you should be extremely cautious of those using cookies, because… as I mentioned before, cookies will be sent whenever you visit any other site that wants to contact site A. Implemented incorrectly, that like button you see may be automatically adding likes to your Facebook page without your acknowledgement, or making bank transfers from your account. That’s because the real Facebook cookie is being sent even if you aren’t on facebook.com. Looking at the series of web requests, it is likely that Facebook is doing a good job of handling these, but do you trust every website you are visiting to authorize you correctly? If you are so paranoid, delete your cookies after leaving every site before going to the next one.

Cookies are not required; browsers actually provide an improved way to store and send data, which instead only sends what the browser and site agree needs to be sent. This is called a RESTful HTTP request (I’m grossly overstating this for those following along). Any additional data that is not required is not transferred, unlike cookies. And if a second site B that you are on wants to post as you on site A, a little handshake game called OAuth ensues, because the authorization key (unlike the cookie) will NOT be sent automatically. Phew!
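The difference described in the last two paragraphs, as an added sketch that is not from the original post: a toy browser attaches site A's cookie to every request bound for site A, whichever page triggered it, while an authorization key has to be attached on purpose by a script that can read it. Everything here (`ToyBrowser`, `bank.example`, `other.example`, the session value, the three server functions) is constructed for illustration and nothing touches the network.

```javascript
// Toy model (constructed): cookie vs. explicitly sent authorization key
// when a page on another site triggers a request to site A.
class ToyBrowser {
  constructor() {
    this.cookieJar = new Map();   // host -> cookie value, shared by all pages
    this.pageStorage = new Map(); // origin -> data only that origin's scripts can read
  }
  // A script running on pageOrigin sends a request to targetHost.
  request(pageOrigin, targetHost, path, headers = {}) {
    const req = { host: targetHost, path, origin: pageOrigin, headers: { ...headers } };
    // The jar is keyed by destination: the initiating page is never consulted.
    if (this.cookieJar.has(targetHost)) req.headers.cookie = this.cookieJar.get(targetHost);
    return req;
  }
  // A script can only read the storage of the origin it runs on.
  readKey(pageOrigin) { return this.pageStorage.get(pageOrigin); }
}
const SESSION = 'constructed-session-value';
// Site A, cookie style implemented incorrectly: the cookie alone authorizes.
const cookieServer = (req) =>
  req.headers.cookie === SESSION ? 'transfer accepted' : 'rejected';
// Site A, cookie style implemented carefully: also check which page sent it.
const checkedCookieServer = (req) =>
  req.origin === 'bank.example' ? cookieServer(req) : 'rejected';
// Site A, header style: the key must arrive in an Authorization header.
const headerServer = (req) =>
  req.headers.authorization === `Bearer ${SESSION}` ? 'transfer accepted' : 'rejected';

function demo() {
  const browser = new ToyBrowser();
  // Logging in to bank.example stores the same secret both ways for comparison.
  browser.cookieJar.set('bank.example', SESSION);
  browser.pageStorage.set('bank.example', SESSION);
  // A page on other.example triggers a request; it cannot read the bank's key.
  const foreignKey = browser.readKey('other.example'); // undefined
  const foreign = browser.request('other.example', 'bank.example', '/transfer',
    foreignKey ? { authorization: `Bearer ${foreignKey}` } : {});
  // The bank's own page attaches the key deliberately.
  const own = browser.request('bank.example', 'bank.example', '/transfer',
    { authorization: `Bearer ${browser.readKey('bank.example')}` });
  return {
    foreignCookieOnly: cookieServer(foreign),           // cookie rode along
    foreignCheckedCookie: checkedCookieServer(foreign), // origin check stops it
    foreignHeader: headerServer(foreign),               // no key to present
    ownHeader: headerServer(own),
  };
}
console.log(demo());
```
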

The bad news is in this new era, cookies are not required for tracking, because sites have devised a very similar mechanism called iFrames. It turns out that Facebook’s like button is actually a whole website. Instead of IMDB being in charge of what information gets sent to Facebook, which is usually only the tracking cookie, you are opening two websites when you go to IMDB. IMDB will load all of Facebook (and each of those other sites), and tell those sites that IMDB caused the load.

What’s good is that IMDB can’t control the usage of your cookie, which means it can’t post without you logging into Facebook to post, but it does not mean you can’t be tracked. The usage of cookies only tells you that the site you are on is extremely suspicious and you should reconsider your usage of it.
