This site uses standard WordPress cookies and no more. I don’t track, hack, infect or otherwise do anything to break your browser or system. These activities (except tracking) are impossible with cookies anyway, but the media seems to have gotten hold of this idea and now disinformation is rife.
The truth about cookies
Cookies are not dangerous. Cookies do not let hackers into your computer. They can, however be used by hackers to get into online accounts (more about this later).
Essentially, cookies are like keys or tickets. When you go into a busy supermarket and there’s a ticket machine at the deli counter, you pull the next ticket from the machine and the unique number identifies you and your position in the queue. When the server shouts out your number, it’s your turn to be served. That’s all a cookie is, an identifier. Most of the time, cookies are complex jumbled up sequences of letters and numbers. This is just a way of making sure that the cookie is unique amongst the millions of users on that website. Sometimes, cookies will be simple and just contain your preferred way of looking at the website. (You know when you go on to a website and they show all the products in a grid and you change it to a list. When you go back to the site two weeks later and the products are still in a list, this is because of a cookie.)
It’s the same when you log in to a site and go back two weeks later and you can still access your account without logging in… it’s because of a cookie (one of those really complex ones). It acts like a digital key that identifies you from the millions of other users.
How they work
In a simplified analogical nutshell, imagine an automated library. You walk in…
LIBRARY: Do you have a library card?
LIBRARY: Here, we’ll just give you a new one.
You take the card and go in. The card contains nothing but a really long number.
Now imagine that this library is manned by robots that run around carrying books. After all, books can be heavy and we wouldn’t want you straining yourself.
You go to the shelves and peruse the publications. A book catches your eye. You take it off the shell have a quick flick through and decide to take it. A robot appears instantly (they do that here).
ROBOT: Card please.
You give the card to the robot. It scans it and hands it back.
ROBOT: Ok, let me take that book for you.
You give the robot the book and it trundles off.
You repeat this procedure a few times until you have all the books you want and return to the foyer.
LIBRARY: Card please.
You show your card.
LIBRARY: Please enter the securo-booth for identification.
You enter this little room and shut the door so that no one can see of hear you.
LIBRARY: Name please.
You give your name and the library looks through its records. It finds your record and opens the exit door of the booth. Waiting for you are the books you selected, all packaged up and ready for you to take. You pick up the books and head to the exit.
LIBRARY: Your library card will self destruct in one month, please return your books by the due date. Good bye.
— TWO WEEKS LATER —
You return to the library with the books your borrowed, and wish to take another.
LIBRARY: Do you have a library card?
You show the card
LIBRARY: Welcome. Please deposit your returned books in the tray to the left.
You do so and wander off to the shelves to find some more reading material. After choosing your book and handing it to the robot, as before, you return to the foyer.
LIBRARY: Card please.
You show the card.
LIBRARY: Please proceed to the collection point. You library card has been refreshed for another month, please return your books by the due date. Good bye.
You pick up your books and walk out.
As you can see from the above scenario, there is no personal information held on the cookie / library card (unless the website programmer is an idiot, it happens, but we can’t help that). Only the library can identify you with it. When you first walk in to the library, not even the library knows who you are. It’s only after entering the securo-booth that the library knows that it’s you. However after that point, there is no need for you to identify yourself. The library will know who you are until the library card disintegrates in a puff of white smoke. Until then, you can freely exchange books without further identification, and so long as you keep visiting at least once a month, your library card will never expire.
There are two potential dangers with cookies. The most obvious is that of cloning cookies…
If, after visiting the library, you pop into the pub for a swift half before going home. A light fingered book thief lifts your wallet, removes your library card and pushes it through his portable clone-o-matic copying machine. After doing so, he slips the card back into the wallet and deftly returns it to your pocket.
He could then take the cloned card to the library and take out books without returning them. You would be unaware of this activity until you receive an annoyed sounding letter from the library about unreturned books.
There are three main ways to steal cookies.
- The most obvious way is to steal the physical computer / laptop / phone, but it makes it rather obvious. The only protection against this is device security (passwords, media encryption, etc).
- Hack the device from the internet. This is actually a lot harder than the movies try to make out. It often takes a very long time. There are generally two types of hackers: those who specifically target a single device in order to get information; and those who attack thousands of machines looking for vulnerabilities. (More on hackers here).
- The third, less obvious method is to listen on insecure networks. This is the cookie thief’s most popular method. Sit in a café, hotel, bar, airport, etc. and use their device to listen to unencrypted WiFi. Sometime they will even set up their own WiFi hotspot that masquerades as the genuine service. It is, however, not that straight forward. The target must also visit a website and account that can be exploited (such as Amazon, eBay or a bank). Third part cookies are also a risk here, but more about them in a moment.
Third party cookies
Third party cookies are, and always were a really dumb idea. What this means is that a script provided by website A, running on website B has access to your website A cookies. For example, let us say that you have a social media account and you visit a website that has an innocent looking button to that company’s social media page. This enables the social media company to identify you even when you’re not on their site. This is what the fuss about tracking is all about, but it does rely on the tracking company being given “permission”* by other websites to do this. With enough embedded “Like”, “Share”, “Follow” buttons spread across thousands of websites worldwide, those tracking companies will get a pretty good idea of your browsing patterns and interests. (* I put the word permission in quotes here, because permission is not directly granted. This comes via the small print agreement when a developer installs a plugin or script on a website.)
There is both good and bad news about this particular irritation when it comes to cookies. Third party cookies can be switched off in most browsers. Additionally, Google Chrome intend to remove the facility for third part cookies by 2024. Other browsers will probably follow suit. The bad news, however, is that Google have already created a work-around that enables them to continue tracking users.
Cookies are NOT dangerous bits of malware designed to hack you and steal your data. Cookies are like keys. As long as you’re careful, there is no danger. If you drop your car keys in a car park, you can expect to lose your car. It’s the same with cookies.
- Make sure that portable devices that are used to access exploitable resources, have some form of security to stop people getting into them.
- Don’t use insecure “public” WiFi to access accounts on websites that can be exploited.
- Turn off third party cookies on your browser