Web Browsers, Scripts and Cookies – Where’s the Security?

With all this noise over Internet Explorer 10’s Do Not Track option being set to on by default, can someone give their head a shake and start coding web browsers with security and privacy in mind?

Cookies in a web browser were not designed for the exploitation that is going on today. Like many older techno-geeks, I used Mosaic and Netscape Navigator back in the early 90’s (yes, I’ve been around the block a few times!). I even downloaded and played around with the source code for Netscape Navigator when it was released under open source. Cookies were a quick/lazy way to store some trivial information about the user’s interaction with a web site.

Of course, bad programmers have used cookies to store all sorts of private information that they should not have stored (e.g. passwords, credit cards, birth dates, etc.).

Just because Marc Andreessen (creator of Mosaic and Netscape Navigator) did not think to sandbox a web domain, but instead allowed all web sites access to the same cookie file, does not make it right for those web sites that are extracting/tracking/stealing information without your knowledge. Yes, I said “stealing”. Unless a web site puts up a popup window with the question “can I extract cookie information not generated by this domain”, I consider any information extracted as stolen. What I mean is: if I surf to acme.com (just an example) and the web site (via script) reads and uploads the cookies that were generated by some other domain (e.g. amazon.com), then acme.com has stolen personal information.

Most users do not have a clue that their information is being extracted/tracked/stolen and since the rise of Facebook, people are posting just about everything online (most people don’t care but posting private/sensitive information will always come back to haunt you).

Here is a real-world example. You need to go shopping. At each store that you go to, you have to tell them where you have been (even stores where you are window shopping). It would go something like this:

  • You leave home and go to Sears – Sears says where have you been? You say I came from home.
  • You go to Footlocker – Footlocker says where have you been? You say I came from home then went to Sears.
  • You go to People’s – People’s says where have you been? You say I came from home then went to Sears and Footlocker.
  • You go to GameStop – GameStop says where have you been? You say I came from home then went to Sears, Footlocker and People’s.
  • You go to McDonald’s – McDonald’s says where have you been? You say I came from home then went to Sears, Footlocker, People’s and GameStop.
  • You go to Old Navy – Old Navy says where have you been? You say I came from home then went to Sears, Footlocker, People’s, GameStop and McDonald’s.
  • etc.

Would you give out that information freely? I don’t think so!!! But that is not all that is going on, because most of these tracking web sites are taking everything (e.g. UserID, name, address, birth date, credit cards, passwords, etc.): whatever was stored by any web site (and yes, bad programmers do dumb things like store credit cards, birth date, etc. in the cookie file).

What is really going on is more like when you go through airport security and you put your bags, phones, coins, etc. in the tray on the rollers, except in this case you must put in everything from your pockets, including all papers, receipts, etc. Rather than the security person scanning your stuff, the tracking web sites read everything you have and take a copy of it for their personal use.

Is any of this acceptable? No. But somehow, tracking web sites think they are justified in stealing your information.

What REALLY disappoints me the most is Mozilla’s (Firefox) weird stance on privacy as it relates to Do Not Track (DNT).
http://blog.mozilla.org/privacy/2012/05/31/do-not-track-its-the-users-voice-that-matters/

“our approach to DNT should not be viewed as a broad policy statement that will apply to other privacy and security considerations — our choice of opt-in for DNT is specific to the way the DNT feature works.”

Well, that’s a twisted statement. Security is security and privacy is privacy. You have one approach, not one approach with an exception!! Follow the money!! It would appear that “some” lobby group has given Mozilla a stack of cash and that is why their principles are twisted. Sad, sad day.

Doesn’t any web browser company have the balls to have a web browser that sandboxes the cookies, profile information, etc.? I know Google will not change Chrome because they are notorious for extracting/stealing user data. It is funny that Google has the company motto of “Don’t be evil”, but they steal data from people’s WiFi, steal cookie information, etc. and somehow that is not harming people!!

Apple (Safari), Opera Software (Opera), Mozilla (Firefox) or Microsoft (IE): can’t one of you update your browser such that the cookies and personal data are sandboxed in the browser, i.e. only available to the domain (web site) that created them? Once one web browser company takes that first step, I’m 99% sure that most of the other web browser companies will follow suit. So please, someone take that first step!!! Yes, there will be a lot of heat from advertisers and web tracking companies; if you want, you can blame me. I’m fine with it, if I get the “secured” web browser that I want. 🙂

Regards,
Roger Lacroix
Capitalware Inc.
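
The per-domain isolation asked for above (cookies available only to the domain that created them), as an added example that is not part of the original post: a small cookie jar that applies the domain-match rule of RFC 6265 section 5.1.3. `DomainScopedJar`, `domainMatch` and the sample cookie values are hypothetical and constructed for illustration.

```javascript
// Added example, not from the original post. DomainScopedJar and domainMatch
// are hypothetical names, not a browser API.

// Domain-match per RFC 6265 section 5.1.3: identical strings, or host ends with
// "." + domain and host is not an IP address.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

class DomainScopedJar {
  constructor() { this.cookies = []; }

  // Store a cookie set by setterHost. A Domain attribute is honoured only when
  // the setter belongs to that domain. Simplification: no public-suffix check,
  // so Domain=com is not rejected here.
  set(setterHost, name, value, domainAttr) {
    const hostOnly = !domainAttr;
    const domain = (domainAttr || setterHost).toLowerCase().replace(/^\./, "");
    if (!hostOnly && !domainMatch(setterHost, domain)) return false;
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // Return only the cookies the requesting host is entitled to see.
  get(requestHost) {
    const host = requestHost.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
      .map(c => `${c.name}=${c.value}`);
  }
}

// Constructed sample data using the post's acme.com / amazon.com example.
const jar = new DomainScopedJar();
jar.set("www.amazon.com", "session", "abc123", "amazon.com");
jar.set("acme.com", "visits", "3"); // no Domain attribute: host-only cookie
console.log(jar.get("acme.com"));
console.log(jar.get("smile.amazon.com"));
console.log(jar.set("acme.com", "session", "x", "amazon.com"));
```

The label-boundary check in `domainMatch` is what keeps a host such as `notamazon.com` from matching `amazon.com`.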
