Cookies

Computer cookies are used to personalize your online experience. Despite their benign name and useful purpose, however, cookies tend to cause security concerns among some Internet users, which is mainly due to the way they function. Many people have the impression that cookies can spread malware, which isn’t the case. Still, there are some security risks that can be avoided with proper management.
Computer cookies, also known as Internet cookies, web cookies, HTTP cookies, or browser cookies are small files that contain pieces of data that are being exchanged between a web server and a user’s computer in order to identify particular events or transactions. The term cookie was coined by web-browser programmer Lou Montulli, who derived it from “magic cookie”, which was a name used by Unix programmers for packets of data a program receives and sends back unaltered.

Browser cookies have become an integral part of the Internet, as they are oftentimes responsible for conveniences that we take for granted in our modern-day. Take eCommerce websites, for example. Cookies are responsible for remembering all the items that you add to your shopping cart. Without them, your shopping cart would go empty each time that you click a different link on the website.
Cookies are also used to recall individual login information and preferences from previous visits to the same website. If you chose the option in which a website remembers your login credentials for subsequent visits, it’s done with cookies.

What a cookie looks like. Source: privacy.net

Types of Cookies

Despite having many uses, cookies generally fall into two categories – session cookies and persistent cookies. Session cookies are only used when a user is actively navigating a website and stored in random access memory. They are never written on the hard drive and get automatically deleted once the session is over. For example, session cookies are the thing that helps with the “back” button function of your browser, among other things, including third-party anonymizer plugins.

Persistent cookies, on the other hand, are saved on the hard drive and remain on the computer indefinitely, although many have an expiration date after which they are automatically deleted. They serve two primary functions:

• Tracking: This type of cookie records multiple visits to the same website. They are used by some online merchants to keep track of visits from individual users, including products and pages that they view. This helps them create suggestions for items that might interest particular users, based on a profile that is created from their browsing history on the website.
• Authentication: This type of persistent cookie is used to track whether a user is logged in, as well as the account that they are currently using. Authentication cookies are also used to streamline login information, so you don’t have to remember the login details for every website that you visit.

What Security Concerns Do Cookies Cause?

As we previously mentioned, cookies can’t be used to spread malware and viruses. This is due to the fact that the data in the cookie does not change when it travels back and forth from the server to your computer.

Note: Threat actors cannot use cookies in malicious ways. Cookies can be used as spyware, which is why your anti-malware programs might start flashing warnings about using cookies from certain websites. The instance in which a threat actor intercepts a conversation and is able to listen in on it is also called a man-in-the-middle attack.

Hackers can also use cookies to hijack online sessions. In order to do that, however, the hacker needs to know the victim’s session ID. This can be done by persuading the user to click a malicious link that contains a prepared session ID, or simply stealing a session cookie through a man-in-the-middle attack. After the user is authenticated on the server, the attacker can hijack the session by using the same session ID, fooling the server into treating his connection as the valid session of the original user.

The main security concern for most people nowadays, however, comes from third-party tracking cookies. This type of cookies isn’t generated by the web pages that you are surfing, but by different elements on those pages that are not even hosted on the same website. Such elements include different types of ads, social media widgets (comment sections, Share and Like buttons), and web analytics tools.

You don’t even have to click on an ad or a share button for it to generate a cookie on your hard drive, that will track your activities across different websites on the Internet. Visiting a website with ten ads, for example, can generate ten cookies.
These cookies allow analytics companies and advertisers to track the browsing history of an individual on any website that contains their ads or analytics tools. This data is mainly used for retargeting.
Retargeting is the process in which advertisers track an individual’s browsing history to try and push ads about products that they have previously shown interest in. For example, if you’ve ever looked for a new bike and then, all of a sudden, you start getting bike-related ads all over your social media, you’ve been retargeted.

While this may sound convenient and harmless, third-party tracking cookies can start amassing considerate amounts of information about how you browse the web. Your browsing history is just the tip of the iceberg. Tracking cookies can collect different kinds of data, such as device location and information, purchases that you’ve made, search queries on websites, when and where you saw previous ads, what links you click on, how many times you’ve seen a particular ad.
This data is mostly collected without the user’s knowledge or consent. And while websites in the EU and UK are required by GDPR law to notify users if they use tracking cookies, pages in most other countries have no such obligations, and all of that data is quietly being hoarded in the background.

There is also a third-party cookie known as a zombie cookie, which can be permanently installed on your computer even if you’ve opted out of cookies. Zombie cookies are called that way because they reappear even after being deleted and can be very hard to get rid of.

How to Stop Third-Party Tracking Cookies?

The first step that you can take for preventing third-party tracking cookies from monitoring your online behavior is to delete the ones that you already have. You can clear your cookies with a few clicks in your browser settings, depending on the platform and browser that you are using.

It is important to note that the browser won’t distinguish between persistent cookies that are used for things like remembering your passwords and cookies that are used to track your browsing activity.
Another option that browsers offer in their settings nowadays is “Do Not Track”. This feature allows you to send a request to the website you are currently accessing to disable tracking cookies. There is, however, no way to make websites follow through with the “Do Not Track” request, as it doesn’t add any technical limitations and is not enforced by any authority.

Nowadays, you can also rely on all kinds of privacy-orientated browser plugins that can help you manage the information that different companies collect about your browsing. Clearing your browser’s cookies is an activity that should be performed regularly, and can easily become a part of routine health and performance scans. This should be enough to prevent cookies from growing so big that they can be considered dangerous or invasive.