Cookies - Are You Ready?

(First appeared in the Oct 1996 issue of NCSA News)

Chey Cobb, CISSP

In doing research on HTTP cookies, I kept coming across the term "persistent client state." I envisioned brain-dead oatmeal cookies (my personal favorite) in a hospital bed, attached to multiple tubes and monitors. Substitute the word "vegetative" for the word "client" and you'll get my picture. I don't think that's what Netscape and the W3Org have in mind for their cookies, however.

What the $%#^&% am I on about? Magic Cookies. Netscape Cookies. HTTP Cookies. Whatever. They're out there and they are watching every (well, almost...) move you make. The funny thing is that hardly anyone knows about them -- what they are, what they're for, or how to find out if you've got one. The good news is that they are not a virus. The bad news is that we don't know if you can be hurt by them - yet.

So, what is a cookie? The full name (with about a hundred different variations) is Persistent Client State HTTP Cookie. It's a file or a token of sorts that is passed from the web server to the web client (your browser) and is used to identify you. It's sorta like a passport that gets stamped when you enter and exit certain territories. And here you thought you were completely faceless whenever you spent the odd hour or two doing "research" for your company on the web. HahHaHaHaHaHa. 1984 has come and gone, remember?

At present there is only a small handful of browsers that support cookies: Netscape, GNNWorks, MS Internet Explorer, NetCruiser, OmniWeb, and a few others. It's pretty much cross-platform with a few exceptions (for instance, some of the Macintosh versions aren't cookie monsters). No one is trying to keep cookies a secret, but they're not shouting from the rooftops, either. Many shopping sites are using cookies to create your "shopping cart" to store your selections, your UserID and password, your mailing address, and your credit card information.
This information can be passed back to the server the next time you visit the site. Not all cookies stay with you, though. The script used to pass the cookie can have an expiration date, which is usually the same day you visited.

You can look at your cookie file - and will probably be surprised to see what's in it. On Windows machines it's in the "netscape" folder and is called "cookies.txt". On a Mac the folder hierarchy is System Folder|Preferences|Netscape f. Look for the file called "MagicCookie". Of course there's one for Unix, too. There's nothing to stop you from looking at your cookies. In fact, Netscape even has a page on the web to tell you how to kill the 90-day evaluation countdown. Very nice of them, I thought. Most of us register our copies of our software right away (right!!!), so there's probably not much interest in this. Just in case you want to see what Netscape has written about this, here's the URL: http://wp.netscape.com/assist/support/client/tn/cross-platform/10026.html

So, what's the fuss, you say? For me it's a combination of ethics, privacy, and security. I tend to think: "Just because we can do something doesn't necessarily mean we should." Netscape has kept quiet about their cookies because they know there are security problems. Their specs page on the subject even states, "use with caution". If we should be cautious, why release it?

The purpose of cookies is to acquire information, or to identify users visiting a site. Granted, the present method of acquiring information leaves a lot to be desired. But, since the Web is being used - and will continue to be used - as a marketing tool, demographics play a big part in the design and content of the site. Site administrators need an effective method of getting information. Granted, too, that we often give market research people more information about ourselves than we tell our mothers, but we do that by choice and we can remain anonymous.
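As an added example (not code from the column or from Netscape), here is a small Python script that reads the cookies.txt file the author points you to and reports, for each cookie that has not yet expired, how long it will stick around and what it permits. The file layout is the Netscape cookies.txt format: seven TAB-separated fields per line (domain, domain flag, path, secure flag, expiry as Unix time, name, value); the jar contents, host names and values below are constructed for this illustration.

```python
"""Parse and audit a Netscape cookies.txt (seven TAB-separated fields per line)."""
from typing import NamedTuple

# Constructed sample jar; hosts, names and values are made up for this example.
SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File
.example-shop.test\tTRUE\t/\tFALSE\t2145916800\tUSERID\tcheyc
.example-shop.test\tTRUE\t/\tFALSE\t2145916800\tCART\tsku123,sku456
www.example-news.test\tFALSE\t/\tTRUE\t1893456000\tSESSION\tabc123
.example-ads.test\tTRUE\t/\tFALSE\t846000000\tTRACK\tvisitor42
"""

class Cookie(NamedTuple):
    domain: str
    all_hosts: bool   # TRUE in the file: every host under the domain may read it
    path: str
    secure: bool      # TRUE in the file: sent only over an encrypted connection
    expires: int      # Unix time after which the browser discards the cookie
    name: str
    value: str

def parse_cookies_txt(text: str) -> list:
    # Comment lines start with "#"; blank lines are ignored; anything else must have 7 fields.
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"malformed cookies.txt line: {line!r}")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag == "TRUE", path,
                              secure == "TRUE", int(expires), name, value))
    return cookies

def audit(cookies: list, now: int, long_lived_days: int = 90) -> dict:
    """Flag, per unexpired cookie, what a privacy-minded user would want to know."""
    findings = {}
    for c in cookies:
        if c.expires <= now:
            continue  # the browser would already have discarded it
        notes = []
        days_left = (c.expires - now) // 86400
        if days_left >= long_lived_days:
            notes.append(f"persists {days_left} more days")
        if not c.secure:
            notes.append("sent over unencrypted connections")
        if c.all_hosts:
            notes.append(f"readable by every host under {c.domain}")
        findings[f"{c.domain}:{c.name}"] = notes
    return findings
```

Run `audit(parse_cookies_txt(open("cookies.txt").read()), int(time.time()))` against your own jar to get the same report for real cookies.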
Would you be upset with your local video shop if they started making telemarketing calls to you? Do you know they use CallerID to log your calls when you reserve a video for the night? What will you feel like when you start getting trash mail messages saying, "We noticed that you haven't visited our site recently..?" What if you found out that you acquired a cookie that logged every site and every page you visited, which could then be passed back to the site that gave it to you? The site's administrators could be setting up a database for a very effective direct mail campaign. Who says that a cookie can't be written to grab user information such as credit card numbers and addresses? You don't know who is getting that information and what they will be using it for. You don't know when a site is passing you a cookie unless they tell you so. I hope that will change.

The real reason I'm concerned about this is that the present atmosphere on the Web tends to be, "Cool! Let's do it!" whenever something new comes along. There seems to be little or no discussion as to whether or not it should be done. As the Web and the Internet attract more and more non-technical users, perhaps we ought to stick a huge warning label on tools and browsers that says, "Warning, the IETF and W3 have determined that browsing can be hazardous to your credit report!" There is a need for individuals to control what information is given to whom, because the fact of the matter is that we don't know who is on the other end of the pipe. If you feel very strongly about this, contact the W3 Org to volunteer. Hopefully, the state of the 'Net for the average user will improve before Big Government feels they have to do something about it.

Cheerz,
Spiderwoman