Cookies

1. What is a Cookie

Cookies are text files with small pieces of data — like a username and password — that are used to identify your computer as you use a computer network. Specific cookies known as HTTP cookies are used to identify specific users and improve your web browsing experience.

Data stored in a cookie is created by the server upon your connection. This data is labeled with an ID unique to you and your computer.

When the cookie is exchanged between your computer and the network server, the server reads the ID and knows what information to specifically serve to you.

2. What Are Cookies Used For?

Websites use HTTP cookies to streamline your web experiences. Without cookies, you’d have to log in again after you leave a site or rebuild your shopping cart if you accidentally close the page. This makes cookies an important part of the internet experience.

3. What Kind of Cookies We Use?

We use two kinds of cookies:

Session cookies, also known as 'temporary cookies', help websites recognise users and the information provided when they navigate through a website. Session cookies only retain information about a user's activities for as long as they are on the website.

Permanent cookies, also known as 'persistent cookies', remain in operation even after the web browser has closed, until they are deleted or reach their programmed expiry. For example, they can remember login details and passwords so web users don't need to re-enter them every time they use a site.

 

4. Do Cookies Collect Personal Information?

Most of the time, when a cookie does store personal information, this information is coded in such a way that it's unreadable to any third party who happens to access your cookie folder. The only computer that can read and decode the information is the server that created the cookie in the first place.

5. Allowing or Removing Cookies:

Cookies can be an optional part of your internet experience. If you so choose, you can limit what cookies end up on your computer or mobile device. If you allow cookies, it will streamline your surfing. For some users, eliminating the security risk of cookies is more important than a convenient internet experience. Removing normal cookies is easy, but it could make certain websites harder to navigate. Without cookies, internet users may have to re-enter their data for each visit.

6. Why are Cookies Important?

Cookies are an important component that helps websites to function effectively. Cookies enable you to use basic features on the website and allow sites to personalize user experience, track how users browse the site and collect insights for improving the site, products and services. Disabling cookies can make some websites practically unusable.

Most often, websites use cookies to:

·         Keep you logged in on the site

·         Remember items in your shopping cart or wishlist

·         Keep your payment information secure

·         Personalize the content you see

·         Save your preferred site settings and themes

·         Track how users interact with a website

·         Show users relevant, personalized ads

7. Security and Confidentiality

Cookies are NOT viruses. Cookies use a plain text format. They are not compiled pieces of code so they cannot be executed nor are they self-executing. Accordingly, they cannot make copies of themselves and spread to other networks to execute and replicate again. Since they cannot perform these functions, they fall outside the standard virus definition.

Cookies CAN be used for malicious purposes though. Since they store information about a user's browsing preferences and history, both on a specific site and browsing among several sites, cookies can be used to act as a form of spyware. Many anti-spyware products are well aware of this problem and routinely flag cookies as candidates for deletion after standard virus and/or spyware scans.

Most browsers have built-in privacy settings that provide differing levels of cookie acceptance, expiration time, and disposal after a user has visited a particular site. Backing up your computer can give you the peace of mind that your files are safe.

Other aspects of Cookies security:

Since the data in cookies doesn't change, cookies themselves aren't harmful. They can't infect computers with viruses or other malware. However, some cyberattacks can hijack cookies and enable access to your browsing sessions. The danger lies in their ability to track individuals' browsing histories.

This may happen in several different ways:

·         Capturing cookies over insecure channels: Any cookie related to authentication should always be transmitted securely, but that is not always the case. One example is cookies without the Secure flag. When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be sent over secure SSL/TLS channels. If the Secure flag is not set, a cookie can be transmitted in cleartext — for instance, if the user visits any HTTP URLs within the cookie’s scope. This would allow an attacker eavesdropping on network traffic to easily capture the cookie and use it to gain illegitimate access.

·         Session fixation: This is another attack that allows an attacker to hijack a valid user session. This time, it exploits a limitation in the way the web application manages the session ID. For example, if an application allows a session token in the query parameters, an attacker may send a user a URL with a specific session ID included in its arguments. Now, when the user authenticates by using this URL, the attacker can hijack the session.

·         Cross-site scripting (XSS): Another way to steal cookies is using cross-site scripting to exploit websites that allow users to post unfiltered HTML and JavaScript content. For example, if a user clicks on a malicious link posted by an attacker, it may execute the JavaScript code and cause the victim’s web browser to send the victim’s cookies to a website the attacker controls.

·         Cross-site request forgery (CSRF): This is a type of attack that exploits a website by making it execute unauthorized commands that are transmitted from a user that the web application trusts. In a CSRF attack, the attacker’s objective is to use an innocent victim to unknowingly submit a maliciously crafted web request to a website that the victim has privileged access to. Since the victim is already logged in, any request coming from their browser will be deemed trustworthy and be executed. For a CSRF attack to work, an attacker must first identify a reproducible web request that executes a specific action — for example, changing a password on the target page. Once such a request is identified, a link can be created that generates this malicious request and that link can be embedded on a page within the attacker’s control. Even worse, it may not even be necessary for the victim to click the link. For instance, it may be embedded within an HTML image tag in an email sent to the victim, which will automatically be loaded when the victim opens their email.

·         Cookie tossing: A cookie tossing attack is based on providing a user with a malicious cookie that has been designed to look like it came from the targeted site’s subdomain. Of course, this becomes especially problematic when a website allows untrusted people to host subdomains under its domain. When the user visits the target site, all cookies are sent, both valid and the ones appearing to be from subdomains.
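The cookie attributes that limit the cleartext capture, XSS theft, CSRF and cookie tossing cases in the list above can be checked directly on a site's Set-Cookie headers. The audit below is an added example, not code from this site; HttpOnly, SameSite and the `__Host-` name prefix are standard browser cookie features not named on this page, and the cookie names, `example.com` and header values are constructed samples.

```python
# Added example: audit Set-Cookie header values for the weaknesses listed above.
# All header values here are constructed samples, not captured traffic.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs), attribute names lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(header):
    """Return {finding_code: explanation} for one session cookie."""
    name, attrs = parse_set_cookie(header)
    findings = {}
    if "secure" not in attrs:
        findings["no-secure"] = "sent over cleartext HTTP, so it can be captured"
    if "httponly" not in attrs:
        findings["no-httponly"] = "readable by page scripts, so XSS can steal it"
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings["weak-samesite"] = "may ride along on cross-site requests (CSRF)"
    if "domain" in attrs:
        findings["domain-scope"] = "shared with every subdomain of " + attrs["domain"]
    if not name.startswith("__Host-"):
        findings["no-host-prefix"] = "a subdomain can plant a same-named cookie"
    elif "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/":
        findings["bad-host-prefix"] = "__Host- needs Secure, Path=/ and no Domain"
    return findings


WEAK = "sessionid=abc123; Path=/; Domain=example.com"
HARDENED = "__Host-sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", audit_cookie(header) or "no findings")
```

Session fixation is not covered by cookie attributes; it is addressed by issuing a fresh session ID at login and not accepting session IDs from URL parameters.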

 

Key Tips For Safe and Responsible Cookie-Based Web Browsing

Due to their flexibility and the fact that many of the largest and most-visited websites use cookies by default, cookies are almost unavoidable. Disabling cookies will lock a user out of many of the most widely-used sites on the Internet like YouTube, Gmail, Yahoo Mail, and others.

Even search settings require cookies for language settings. Here are some tips you can use to ensure worry-free cookie-based browsing:

Customize your browser's cookie settings to reflect your comfort level with cookie security or use our guide to delete cookies.

If you are very comfortable with cookies and you are the only person using your computer, you may want to set long expiration time frames for storing your personal access information and browsing history.

If you share access on your computer, you may want to set your browser to clear private browsing data every time you close your browser.

While not as secure as rejecting cookies outright, this option lets you access cookie-based websites while deleting any sensitive information after your browsing session.

Install antispyware applications and keep them updated. Many spyware detection and cleanup applications and spyware removers include attack site detection. They block your browser from accessing websites designed to exploit browser vulnerabilities or download malicious software.

Make sure your browser is updated. If you haven't already, set your browser to update automatically. This eliminates security vulnerabilities caused by outdated browsers. Many cookie-based exploits are based on exploiting older browsers' security shortcomings.

Cookies are everywhere and can't really be avoided if you wish to enjoy the biggest and best websites out there. With a clear understanding of how they operate and how they help your browsing experience, you can take the necessary security measures to ensure that you browse the Net confidently.

 

Cookie settings in Internet Explorer

Cookie settings in Firefox

Cookie settings in Chrome

Cookie settings in Safari