Forums » Up and Running » Security » Security » How 'bad' are spyware cookies??
BrettStarr
Premium
join:2003-11-07
Las Vegas, NV

reply to Bobby_Peru
Re: How 'bad' are spyware cookies??


[attached pics: "Advanced Settings" dialog, "Managed Sites" list]
said by Bobby_Peru See Profile:

...
1) Refuse cookies that are not absolutely needed
2) Force all cookie to Session status (unless Persistent status is absolutely needed
3) Insure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser ...
I totally agree with this. And it is very easy to do with IE6...if you know how. So here is how (I even attached pics):
IE > Tools > Internet Options...
1) GENERAL tab: Temporary Internet Files(TIF) area,
click Delete Cookies... to clear ALL of your cookies (if you want to start from scratch).
OR click Settings...> View files...> select and delete the cookies you don't absolutely need.
2)click PRIVACY tab:
click Advanced.. make settings as shown in pic. click OK.
click Sites... enter the domain names you always want to allow/keep cookies for (see pic for example). click OK when finished.
3) OK out.
That's it. From now on, nobody will ever be able to put a cookie on your system, EXCEPT those you have in the Managed Sites list.
Try it!...you'll be pleasantly surprised how great this works.
-
NO MORE AD TRACKING, SPYWARE, WHATEVER COOKIES and YOU WILL NEVER HAVE TO DO COOKIE CLEANING AGAIN!
ALSO, YOU DON'T NEED ANY COOKIE BLOCK LISTS EITHER.


ttt2525

@cable.rogers
Wow, thank goodness for this post!! I just noticed I had about 100 spyware website entries in my "per site privacy actions" dialog in IE. Enlightening :=0

(incl. lop.com, various porn/xx sites....)

Mele20
Premium
join:2001-06-05
Hilo, HI
reply to BrettStarr
Gee, I just noticed you leave banking cookies on your computer. You should never do that! Always clear those as soon as you have finished with the site.


avd706
insert annoying animated gif here
Premium
join:2003-02-06
Union, NJ
time for a tin-foil suit.....

let me know when cosco has a sale on Reynolds wrap...

Mele20
Premium
join:2001-06-05
Hilo, HI

Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.

As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them. Also, never go to your bank from a favorites link. Always type in the address. These are just ordinary, standard safety measures.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789


BrettStarr
Premium
join:2003-11-07
Las Vegas, NV


1 edit
reply to Mele20
said by Mele20 See Profile:


Gee, I just noticed you leave banking cookies on your computer. You should never do that! Always clear those as soon as you have finished with the site.
I think you misunderstand. The managed list of sites are those you will ALLOW cookies for. It doesn't mean I keep them. You most certainly can delete them at any time, but must always have the entry in the managed sites list to allow site to set the cookie in the first place.
-
edit: Regardless of how you handle cookies, you should at least block THIRD PARTY cookies. Those are the "bad" spyware, tracking cookies 95% of the time (Doubleclick, etc).


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Mele20
said by Mele20 See Profile:

As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them.
Huh? My bank has never mentioned this to me, but even a rudimentary understanding of how cookies work - at least those by clueful banks - suggests that you're demonstrating that you don't know how they work.

When you login to a secure site, the login page sends your username and password (presumably over SSL), and after validating that you're who you claim to be, a new "session" is created. This session data includes things like your username, time you started, IP address, etc. and is stored on the server, and a unique and random session ID is assigned.

The ID itself has no inherent meaning, nothing is "encoded" in it (it's "opaque"), and this is what is sent to you in your cookie. My last Wells Fargo cookie contained B-200409191637071418511140.

When you submit following pages (transfer money, check balance, etc.), the ID passed in your cookie is looked up in the session database, and it checks to see if you're still allowed, who you are, has it been too long since you did anything (to allow "idle sessions" to timeout), coming from the same IP address, etc. the IP test is not that simple, to allow for changes, but there are provisions to see that a cookie is not being shared.

When you click the Logout button, this not only deletes the cookie from your browser, but it invalidates the session in the database, so even if you hung onto or intercepted that cookie, it would not work. Yes, the cookie value would be sent to the server, but it would look it up and find that either (a) the session had been deleted entirely, or (b) the session had been marked explicitly "expired". Expired sessions cannot be revived by anything on the browser side without going through a new login process.

Any site that has a clue about security has designed the site to mitigate the effect of "cookie theft", so even aside of the fact that I run a secure network that prevents people from stealing my cookies, aside from the fact that banking cookies travel over unsniffable connections, there is nothing anybody could do with my banking cookies even if they got them.

If you feel better deleting your cookies, that's fine, but saying "only an idiot doesn't" puts you squarely in tinfoil hat territory and shows that you have only a limited grasp of how cookies are actually used.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site
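The opaque server-side session that Steve describes above (random ID in the cookie, all state in a server table, idle timeout, logout invalidating the session so a replayed cookie is dead), written out as an added example that is not code from this thread or from any bank; the `SessionStore` class, the `Secure`-flagged cookie header helpers and the sample usernames and IP addresses are all constructed here. The `strict_ip` switch is off by default for the reason Link Logger gives later in the thread (proxies), and the two header helpers show the session-only versus persistent cookie distinction the thread keeps returning to.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    username: str
    started: float
    last_seen: float
    ip: str
    expired: bool = False


class SessionStore:
    """Server-side session table keyed by an opaque, random session ID.

    Nothing about the user is encoded in the ID; the cookie carries only
    the lookup key and every fact about the session lives here.
    """

    def __init__(self, idle_timeout: float = 600.0, strict_ip: bool = False):
        self.idle_timeout = idle_timeout   # seconds of inactivity allowed
        self.strict_ip = strict_ip         # off by default: proxies change IPs
        self._sessions: Dict[str, Session] = {}

    def login(self, username: str, ip: str, now: Optional[float] = None) -> str:
        """Called only after the password was verified; returns the new ID."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)    # 256 random bits, not guessable
        self._sessions[sid] = Session(username, now, now, ip)
        return sid

    def lookup(self, sid: Optional[str], ip: str,
               now: Optional[float] = None) -> Optional[Session]:
        """Validate the ID presented in a cookie; None means 'not logged in'."""
        now = time.time() if now is None else now
        if sid is None:
            return None
        sess = self._sessions.get(sid)
        if sess is None or sess.expired:
            return None                    # deleted or explicitly expired
        if now - sess.last_seen > self.idle_timeout:
            sess.expired = True            # idle session times out for good
            return None
        if self.strict_ip and ip != sess.ip:
            return None
        sess.last_seen = now
        return sess

    def logout(self, sid: str) -> None:
        """Mark the session expired so the ID cannot be revived by replay."""
        sess = self._sessions.get(sid)
        if sess is not None:
            sess.expired = True


def session_cookie(sid: str) -> str:
    """Session-only cookie: no Max-Age/Expires, so the browser drops it on exit."""
    return f"Set-Cookie: SID={sid}; Secure; Path=/"


def persistent_cookie(sid: str, max_age: int) -> str:
    """Persistent cookie: survives browser restarts until Max-Age elapses."""
    return f"Set-Cookie: SID={sid}; Max-Age={max_age}; Secure; Path=/"


def walkthrough() -> dict:
    """Constructed scenario: login, one request, logout, replay of the
    logged-out cookie, and a second session that sits idle too long."""
    store = SessionStore(idle_timeout=600)
    t0 = 1_000_000.0
    sid = store.login("alice", "203.0.113.5", now=t0)
    active = store.lookup(sid, "203.0.113.5", now=t0 + 60) is not None
    store.logout(sid)
    replay = store.lookup(sid, "203.0.113.5", now=t0 + 61) is not None
    sid2 = store.login("bob", "203.0.113.9", now=t0)
    idle = store.lookup(sid2, "203.0.113.9", now=t0 + 601) is not None
    revived = store.lookup(sid2, "203.0.113.9", now=t0 + 602) is not None
    return {"active": active, "replay_after_logout": replay,
            "after_idle_timeout": idle, "revived": revived,
            "id_length": len(sid)}


if __name__ == "__main__":
    print(walkthrough())
```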

Mele20
Premium
join:2001-06-05
Hilo, HI

Sigh. I am fully aware of all that you have thought necessary to "teach" me. My banks still recommend deleting the cookies after the visit. They are NOT deleted on exit. If you want someone to use your computer sometime and see what bank you use from your banking cookies you didn't delete fine. I prefer to guard against that. I always close the browser after visiting one of my banks also for the same reason. I do this even though it is unlikely anyone else would use this computer.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Steve
Quick example of why tracking a session by IP address doesn't work, proxy servers. A proxy server means a couple of things, first that multiple individual clients could be connecting from the same IP address (ie the proxy server), and second a single client might use more than one proxy server for sequential requests and hence would have a different source IP address (AOL clients for example).

Three questions which might help the discussion and understanding of cookies.

Are cookies secure, meaning that can site1 read site2's cookies?

What kind of information can a cookie contain?

What kind of information should a cookie contain and why?

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


Khaine

join:2003-03-03
Australia

reply to Mele20
said by Mele20 See Profile:

Sigh. I am fully aware of all that you have thought necessary to "teach" me. My banks still recommend deleting the cookies after the visit. They are NOT deleted on exit. If you want someone to use your computer sometime and see what bank you use from your banking cookies you didn't delete fine. I prefer to guard against that. I always close the browser after visiting one of my banks also for the same reason. I do this even though it is unlikely anyone else would use this computer.
Banking cookies are generally session only, and hence are deleted when the session ends {when you close the web browser}

tracking cookies are at worst a privacy issue, they have little if any security concerns with their use.

Mele20
Premium
join:2001-06-05
Hilo, HI


1 edit
I end up with a bunch of banking cookies from just ONE bank after I close the browser. All my banks set permanent cookies. I don't know what bank you are using. I use major national banks. Even my two local banks set permanent cookies but they don't set as many as some of the national banks. They are almost as bad as Dell which sets about 15 cookies each time you visit. FF complains about Dell and the banks setting too many cookies both session and permanent.

Edited to ask since when is PRIVACY not a SECURITY issue??? That is the main security issue!

--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789

Bobby_Peru
Premium
join:2003-06-16


4 edits
reply to Khaine
said by Khaine See Profile:

tracking cookies are at worst a privacy issue, they have little if any security concerns with their use.
Not to pick on Khaine See Profile, but perhaps he has hit on the key to the polarization in past and present attempts here to discuss cookies.

Tracking cookies have been, are, and will continue to absolutely, and most certainly be, a huge "privacy issue". This is self-evident from even a glance at www.abacus-direct.com (as linked and quoted in my post above). Of course there are other Ad-Servers and other deep 'consumer' (NewSpeak for humans/citizens) dBases, along with the Googles, Amazons, Pay-Pals, MSN/Passports, various "site-meters"....

If some self-appointed guardians of membership in the "Security (Professional?) Community" wish to completely exclude the realm of hundreds of millions of user's Privacy from their bailiwick, it is important that those who may be relying on these folks understand this serious self-imposed limitation, so as to know not to place any reliance on them for anything in this area. It would be nice to have them along for this effort, but, oh well...

If they, or others feel no concern in this area, that is one thing, but to dismiss other people's very reasonable and legitimate concerns over such growing intrusions into their lives with derogatory childish epitaphs, which also serve to stifle discussion, is more of a reflection on themselves than they are probably willing and/or able to admit, and should be viewed for exactly what they are - cheap rhetorical discussion killers.

Once they have provided the world with this notice, they could then safely sit out any discussions related to this pesky little Privacy thing.... Dismissing such petty concerns to the non-letter-wearing masses.....

Thanks to those who have helped clear up this misunderstanding.

Discussion of Blake's three most recent questions would get this back towards his OP for those users who do find this area to be important.

Expanding on his list: when are cookies really absolutely essential on a single site, what info would be required there, and is there really no other mechanism to accomplish this?

-------------------
For the commoners, non-letters-on-sleeve wearing masses - who may be relying on a wider definition of Security than that of a strict Security Professional Community construction -

"WordNet (r) 2.0"

security n
1: the state of being free from danger or injury; "we support the armed services in the name of national security" [ant: insecurity]
2: a formal declaration that documents a fact of relevance to finance and investment; the holder has a right to receive interest or dividends; "he held several valuable securities" [syn: certificate]
3: a department responsible for the security of the institution's property and workers; "the head of security was a former policeman" [syn: security department]
4: measures taken as a precaution against theft or espionage, or sabotage etc.; "military security has been stepped up since the recent uprising" [syn: security measures], ...
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**


Khaine

join:2003-03-03
Australia

reply to Mele20
said by Mele20 See Profile:

Edited to ask since when is PRIVACY not a SECURITY issue??? That is the main security issue!
Well generally I lump privacy and anonymity together, and since security relies heavily on trust I tend to keep it separate.

I didn't mean to trivialise this issue. It is an important issue, and with governments pushing more and more draconian laws reducing our privacy it is becoming very important to keep our rights.


hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to Mele20
said by Mele20 See Profile:

...since when is PRIVACY not a SECURITY issue??? That is the main security issue!

Privacy and security are linked only in our interests. The perceived linkage may in fact be a result of the use of multifunction security apps such as firewalls which perform other tasks including cookie and active content management. Fact is, one can have good rock solid security with no particular interest in privacy protection and it will not impact his security. The obverse isn't necessarily true. Privacy only becomes a security issue once security has already been breached. So for example ID theft is a privacy issue which began with a breach in security.

That's not to say privacy isn't a legitimate concern. It is but there is only so much one can do to protect it.
--
FOUR MORE YEARS!! - of fear.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Mele20
said by Mele20 See Profile:

Sigh. I am fully aware of all that you have thought necessary to "teach" me.
OK, so you actually do understand that there aren't any technical reasons to worry about banking cookies, but you do anyway? Is this like throwing spilled salt over your shoulder? Do you read your horoscope too?

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site


sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable

reply to Mele20
said by Mele20 See Profile:
Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.
Tin-foil hat has nothing to do with schizophrenia, and everything to do with being overly and unnecessarily paranoid. If someone says you wear a tin-foil hat, that person thinks you are too paranoid. That's all there is to it.

quote:
never go to your bank from a favorites link. Always type in the address.
And why not? What is the difference between typing it in, and clicking the bookmark which I've had forever? None, other than the bookmark being faster.

quote:
Are cookies secure, meaning that can site1 read site2's cookies?
As far as I know and in general, yes. Heck, I've tried. There may exist a few exploits which may allow cookies to be read by a hostile webserver, but I don't recall any off the top of my head, and they probably have a) long been patched and b) only work in IE, if they do exist. Some may rely on a previously compromised system. They're just text files, after all. Only the browser really stands in the way.

quote:
What kind of information can a cookie contain?
Anything. Whatever data the webserver wants to put in it, it can.

quote:
What kind of information should a cookie contain and why?
This is a thorny one. Personally I think cookies should only contain information pertinent to the functionality of a site, for example, "color=blue" on a site you can customize. They could also be used to skip scripts which may slow the site down. Reading "Resolution=1024x768" when a user returns could save the webserver the processing cycles it takes to run a script that determines a returning user's resolution.

That cookies are used for advertising purposes is an unfortunate side-effect of the need for advertisers to support and defray the costs of maintaining a web presence. To that end you could say that keeping cookies around, letting the advertisers track you, is in some small way supporting the usefulness of the www. The more information the advertisers have about you, the more money they can potentially make, leading to potentially buying space on more websites, thereby supporting more websites. Perhaps this is an overly optimistic view, but it's better than "evil advertisers tracking you" and certainly less worrisome.
--
TCPA - Treacherous Computing
Kerio 2.1.5 - Best damn firewall
Licenses should be per user, Ditch Norton! Get F-Prot!

VirtualLarry
Premium
join:2003-08-01


3 edits
reply to Steve
said by Steve See Profile:

said by Mele20 See Profile:
As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them.
Huh? My bank has never mentioned this to me, but even a rudimentary understanding of how cookies work - at least those by clueful banks - suggests that you're demonstrating that you don't know how they work.
Considering that many online sites use "magic cookies" as an authentication token, then they are essentially equivalent to a username/password authentication. Most people recommend never 'storing' your username/password combos in your browser for important sites (like banking), because of the risk of a potential browser exploit revealing them and allowing them to be stolen. Since "magic cookies" are logically equivalent to usernames and passwords, it would seem prudent to follow the same security precautions regarding them as well.

Considering how some recent privacy-violating browser exploits have worked, such as Download.Ject and most recently the GMail one, which did indeed work by stealing cookie-based authentication, I believe, although I didn't look at the nitty-gritty technical details, then this risk is very real. To pretend that it isn't, is being a bit disingenuous and pretentiously dismissive towards Mele20, isn't it?

said by Steve See Profile:

When you login to a secure site, the login page sends your username and password (presumably over SSL), and after validating that you're who you claim to be, a new "session" is created. This session data includes things like your username, time you started, IP address, etc. and is stored on the server, and a unique and random session ID is assigned. The ID itself has no inherent meaning, nothing is "encoded" in it (it's "opaque"), and this is what is sent to you in your cookie. When you submit following pages (transfer money, check balance, etc.), the ID passed in your cookie is looked up in the session database, and it checks to see if you're still allowed, who you are, has it been too long since you did anything (to allow "idle sessions" to timeout), coming from the same IP address, etc. When you click the Logout button, this not only deletes the cookie from your browser, but it invalidates the session in the database, so even if you hung onto or intercepted that cookie, it would not work. Yes, the cookie value would be sent to the server, but it would look it up and find that either (a) the session had been deleted entirely, or (b) the session had been marked explicitly "expired". Expired sessions cannot be revived by anything on the browser side without going through a new login process.
That whole scenario assumes that the site in question was designed with a 'clueful' approach to security. Unless you can guarantee that every site on the internet, in which you conduct "secure" transactions with, is as clueful, then it would seem prudent to follow some personal security practices to protect yourself, rather than trusting every other big company to do it for you. Personal responsibility, you see.

(Interestingly enough, I just got done reading this thread »www.blacksheepnetworks.com/secur···331.html from 2002, discussing major retailers passing customer CC and other sensitive financial data "in the clear" over WiFi. Very disturbing. It tends to discount the idea that companies are always interested in proper security, because they aren't. They're only interested in implementing IT technology as cheaply as possible, to maximize profits of course. Not all banks are interested in paying for properly-secure web-development. Indeed, look at the number that still require IE for access.)

said by Steve See Profile:

Any site that has a clue about security has designed the site to mitigate the effect of "cookie theft"
Funny, I thought that the tech/development guys at Google were the "smartest of the smart", and yet they fell prey to a "cookie exploit". The risks are real, don't downplay or deny them, it does a disservice to security-conscious people everywhere.

Btw, I do always try to "logout" from my webmail, but there are occasions when that doesn't happen. Thankfully, webmail sessions time-out after about 10 minutes of inactivity.

There are other sites that do not operate using session cookies, but instead use permanent "magic" cookies for authentication. Verizon is one of them, and they do not "time-out". If you stole those cookies, you could intercept someone's e-mail, create a sub-account, give the username/password for the sub-account to your buddy, and they could run up huge charges on your VZ ISP account.

All because of a stolen authentication cookie.

said by Steve See Profile:

If you feel better deleting your cookies, that's fine, but saying "only an idiot doesn't" puts you squarely in tinfoil hat territory and shows that you have only a limited grasp of how cookies are actually used.
I think that perhaps it would have been better phrased as "only an idiot doesn't know that they are a risk" - because they are. If you, or your bank's site (for example) take steps to mitigate that risk, then they are less of a risk, but they are a risk. Security is all about deciding what is an acceptable level of risk... for yourself.

Also, regarding the issue of session vs. persistent cookies - I think that you fail to consider the behavior of "persistent browsers" like myself. My browser uptime is over eight days now, and I've visited countless sites. "Session" cookies to me, are just as persistent as permanent ones, effectively, because of my browsing behavior. I always manually delete my session cookies after I'm done visiting a site that uses cookies for secure authentication.

PS. In case you were curious Steve, I only stumbled upon that other thread while investigating some Kerio firewall weaknesses, which led me to your post on that list regarding "BACKSTEALTH". I've decided to re-evaluate my own approach to security, having realized that I've become far too complacent and trivializing some risks that perhaps I should not.

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to sivran
said by sivran See Profile:

said by Mele20 See Profile:
Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.
Tin-foil hat has nothing to do with schizophrenia, and everything to do with being overly and unnecessarily paranoid. If someone says you wear a tin-foil hat, that person thinks you are too paranoid. That's all there is to it.

quote:
never go to your bank from a favorites link. Always type in the address.
And why not? What is the difference between typing it in, and clicking the bookmark which I've had forever? None, other than the bookmark being faster.

Tinfoil hat is a nasty expression used on the internet by nasty people who wish to flame someone but don't want the mod to make them suffer the consequences of such so they use this phrase. Anyone who is "too paranoid" is by medical definition suffering from a physical disease called paranoid schizophrenia. That is what you say I am suffering from but you are not willing to actually say it because that would be clear flaming (aside from the fact that as far as I am aware you are not a licensed medical professional capable of properly diagnosing when a person is "too paranoid").

As for always typing in the address of the bank, I don't know where you have been the last several years but even SANS and other reputable security sites recommend this because there have been exploits that could foil a user who clicked on a banking bookmark in favorites/bookmarks. Most security sites and banking sites (all of mine) warn to never place a bank's address in favorites. You must use some banks that have terrible security and don't give a hoot about the possible consequences of poor security for the individual user. Additionally, a smart user would not wish anyone who uses their computer to see what banks they use. Even if no one else uses your computer, it takes only a few seconds if you leave the room and someone else is there and your computer is on to check for this sort of information.

You should also NEVER allow your browser to save any passwords. The safest place for your passwords is locked in a safe in your home or better yet in a safety deposit box at your local bank. Or you can get programs that will allow you to encrypt them, etc on your computer but that still is less safe from physical disaster, etc. than placing them in a wall safe, etc.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

said by Mele20 See Profile:

You should also NEVER allow your browser to save any passwords.
This is the kind of blanket statement that earns "tinfoil hat" epithets.

I have dozens and dozens of passwords saved in my browser, and it's been a wonderful timesaver. But, unlike those who are too freaked out about security to think clearly, I am able to decide which passwords are entirely unimportant (and saved by my browser) and which ones are too dangerous for that (which are not saved).

I sign up for all kinds of sites that requires a registration - the most recent was the LA Times - and there are simply no consequences that I care about if this saved password were somehow compromised. I really, really do not care (aside from the fact that the computer itself has been well secured).

You are providing a disservice to the security community by making everything a big hairy deal: if everything is important, then nothing is. Teaching newbies that it's a vice to have a sense of perspective is not helping anybody.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site

Mele20
Premium
join:2001-06-05
Hilo, HI

I totally discount anyone who uses that phrase as it indicates they feel they are qualified physicians capable of diagnosing a very serious physical disease. So, go ahead with your ranting. You have succeeded in my finally deciding that all your comments are tainted by your obvious prejudice against those who suffer from diseases that you seem to think are legitimate targets for your derision.

You have proven yourself not worthy of any reasoned comments from me nor my time to read your rants.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789