
Exploiting the User

Presentation by: Robert Bobek

Privacy and Security Concerns with HTTP Cookies

Introduction

What are HTTP Cookies?
◦ We need some understanding of HTTP first!

Hypertext Transfer Protocol (HTTP) is the communication protocol used to transfer data on the Web.
◦ HTTP is a request/reply protocol
◦ Stateless protocol: every request is handled on its own, with no memory of earlier requests

Statelessness breaks web applications! On its own, the server cannot tell that two requests come from the same (logged-in) user.

So, what are HTTP Cookies?
◦ Cookies have become an attractive solution to this problem
◦ A textual piece of information: the server sends it in a Set-Cookie response header, and the browser returns it in the Cookie header of later requests to that site

HTTP Cookies – First Party

HTTP Cookies are either First Party or Third Party
◦ A first-party cookie is set by the Web Site the user is actually visiting

Web Applications use First-Party Cookies for many purposes
◦ User session tracking
◦ Personalization of profiles
◦ Auto-complete fields

Security Concerns

Executing basic attacks on First Party Cookies
◦ Browser history fishing
◦ Cookie theft and data extraction (reading the cookie file or store left behind on the machine)

Easily accomplished on
◦ Public terminals
◦ Single user-account OS configurations (every person using the machine can read everyone else's cookies)

Security Concerns

Executing advanced attacks on First Party Cookies
◦ Cookie Theft (packet sniffing): a session cookie sent over plain HTTP can be read straight off the network
◦ Cookie Poisoning: the attacker edits a cookie value the server trusts (a user ID, a role, a price)
◦ Cross-Site Cooking: a cookie set by one site is made to be sent to another site under the same parent domain

Used to hijack sessions

HTTP Cookies – Third Party

Cookies sent by servers that are located outside the domain of the Web Site that the User was visiting (for example the server of an embedded advertisement).

Companies such as DoubleClick raise privacy concerns!
◦ Use third-party cookies to recognise the same browser on every site that carries their ads
◦ Occurs without the user's attention

[Diagram: the DoubleClick ad server is connected to Business A, Business B and Business C; the user's browsing produces the ad-load events "Bus. C ad loaded", "Bus. A ad loaded", "Bus. B ad loaded", "Bus. A ad loaded", each of which is a request to DoubleClick carrying its cookie.]
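The first-party/third-party distinction and the DoubleClick diagram come down to the browser's cookie scoping rules. The following is an added example, not code from the presentation: a toy cookie store that applies the Domain, Path and Secure rules (and refuses a Domain that does not cover the responding host), then replays the diagram with three business sites and one ad server. All host names and cookie names are made up for the example.

```javascript
// Added example (not from the presentation): a toy browser cookie store that
// applies the Domain, Path and Secure rules, then replays the DoubleClick
// scenario from the diagram. Host names and cookie names are invented.
'use strict';

// Parse one Set-Cookie header into a cookie record.
function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: responseHost, hostOnly: true, path: '/', secure: false, httpOnly: false,
  };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    switch (k.toLowerCase()) {
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; break;
      case 'path': cookie.path = v || '/'; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// RFC 6265 domain matching: host equals the domain or ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieStore {
  constructor() { this.jar = []; }

  // Accept Set-Cookie headers from a response. A Domain that does not cover
  // the responding host is refused: this is the check that stops one site
  // from planting cookies for another.
  storeFromResponse(responseUrl, setCookieHeaders) {
    const host = new URL(responseUrl).hostname;
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, host);
      if (!domainMatches(host, c.domain)) continue; // rejected
      this.jar = this.jar.filter((o) => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
      this.jar.push(c);
    }
  }

  // Build the Cookie header for a request, honouring scope and Secure.
  cookieHeaderFor(requestUrl) {
    const u = new URL(requestUrl);
    return this.jar
      .filter((c) => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
      .filter((c) => u.pathname.startsWith(c.path))
      .filter((c) => !c.secure || u.protocol === 'https:')
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// A cookie is third-party when the server that set it lies outside the site
// the user is visiting (the top-level page).
function isThirdParty(cookie, topLevelUrl) {
  return !domainMatches(new URL(topLevelUrl).hostname, cookie.domain);
}

// Replay the diagram: the user visits Business A, B and C; every page embeds an
// ad from the same ad server, which sets one tracking cookie on first contact.
function trackingDemo() {
  const store = new CookieStore();
  const adServer = 'http://ads.tracker.example/ad.gif';
  const seenByAdServer = [];
  const visits = ['http://business-a.example/', 'http://business-b.example/', 'http://business-c.example/'];
  for (const site of visits) {
    // The business site sets its own first-party session cookie...
    store.storeFromResponse(site, ['sid=' + new URL(site).hostname.split('.')[0] + '-session; Path=/']);
    // ...and the embedded ad request carries whatever the store already holds for the ad server.
    seenByAdServer.push(store.cookieHeaderFor(adServer));
    if (!store.cookieHeaderFor(adServer)) {
      store.storeFromResponse(adServer, ['uid=tracker-42; Domain=tracker.example; Path=/']);
    }
  }
  return { seenByAdServer, firstPartyForB: store.cookieHeaderFor('http://business-b.example/account') };
}
```

After the first visit the ad server sees the same `uid` on every business site, while each business's `sid` stays confined to its own host. A real browser additionally refuses Domain values that are public suffixes such as `co.uk`; without that list, the domain-match check alone would still let `a.co.uk` set a cookie for `.co.uk` that `b.co.uk` then receives, which is the cross-site cooking case from the earlier slide.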

CookiesCard

"Mobile Cookies Management on a Smart Card", created by Alvin T.S. Chan
◦ Motivation:
   General security and privacy problems
   Removing the machine-cookie dependency (cookies travel with the user instead of staying on one machine)

Cookies held on Smart Card technology
◦ Secured by PIN authentication

CookiesCard Architecture

Graphic Reference: Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM. November 2005/Vol. 48, No. 11. Pages 38-43.

CookiesCard

The CookiesCard is an effective solution but it still suffers from minor drawbacks
◦ Smart card reader technology not very popular
◦ Proxy must reside with the browser (installed on the host machine)
◦ No cookies management interface

CookiesCard 1.1

The CookiesCard can be improved using the following suggestions
◦ Replace Smart Card technology with USB Flash devices
   Affordable
   Popular
   Ultra-portable
◦ Run the Proxy Server from the USB Flash device
   Localhost left untouched (nothing installed on the host machine)
◦ Control Panel interface created as a 3rd module
   Can be accessed through another listening port

CookiesCard 1.1 Architecture

Graphic Reference: Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM. November 2005/Vol. 48, No. 11. Pages 38-43. (modified by Rob Bobek)

Cryptainer Mobile

Provides on-the-fly encryption/decryption technology on mobile devices
◦ Does not require installing device drivers on the host machine to decrypt
◦ Uses the Blowfish encryption algorithm
◦ Free download!

Conclusion

CookiesCard 1.1: better, but not perfect!

References

David M. Kristol. "HTTP Cookies: Standards, Privacy, and Politics". ACM Transactions on Internet Technology. November 2001/Vol. 1, No. 2. Pages 151-198.

Alvin T.S. Chan. "Mobile Cookies Management on a Smart Card". Communications of the ACM. November 2005/Vol. 48, No. 11. Pages 38-43.

The Cookie Controversy – Cookies and Internet Privacy. http://www.cookiecentral.com/ccstory/cc3.htm

Wikipedia on HTTP Cookie. http://en.wikipedia.org/wiki/HTTP_cookie#Drawbacks_of_cookies

CookieCentral. http://www.cookiecentral.com

Cryptainer Mobile can be downloaded at http://www.cypherix.com/cryptainerle/

Questions?