
Cookies


8 replies to this topic

#1 Magic Sam

  • Members
  • 463 posts
  • Gender: Male
  • Location: Brigadoon (Co Durham, UK)

Posted 25 February 2024 - 05:07 PM

It frequently happens that I visit a website where either to continue or to leave I have to agree to the site setting cookies. Often they make it extremely tedious to opt out and sometimes this is not an option. Is there some software that makes it possible - on demand - to say no to some or all - including "Legitimate Interest" - at the click of a mouse button?

But there are also unknown unknowns- the ones we don't know we don't know



 


#2 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 61,818 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 25 February 2024 - 05:16 PM

Not that I am aware of. Accepting or not accepting cookies typically involves human interaction with the click of a mouse button. BTW...

 

Cookies are NOT a "threat" in the typical sense we think of malware infection. As text files, cookies are inherently harmless and cannot be executed to cause any damage. Cookies do not cause any pop ups or install malware and they cannot erase or read information from a computer.

 

Cookies are text string messages given to a web browser by a web server. Whenever you visit a website or navigate different pages with your browser, the website generates a unique session ID number which your browser stores in a text (cookie) file that is sent back to the server each time the browser requests a page from that server. 
 
A cookie is essentially a piece of information that is added to a hard disk when a user visits a website...it is used to track and record their preferences as they use that website. The cookie can be retrieved later by websites and web servers to authenticate the user's identity, speed transactions, monitor user behavior, streamline user experiences, track personal information, auto-fill personal information on web forms and more.
 

A Cookie is a small text based file given to you by a visited website that helps identify you to that site. Cookies are used to maintain state information as you navigate different pages on a Web site or return to the Web site at a later time...Cookies cannot be used to run code (run programs) or to deliver viruses to your computer. The purpose of a cookie is to tell the Web server that you have returned to a specific Web page.

Do cookies pose a security risk?

Cookies are short pieces of data used by web servers to help identify web users. The popular concepts and rumors about what a cookie can do have reached almost mystical proportions, frightening users and worrying their managers.

The primary purpose of cookies is to identify users and prepare customized web pages for them. There are two different types of cookies.

  • Persistent cookies are used to store information between visits to a site and collect identifying information about the user such as surfing behavior or preferences for a specific web site. Essentially, these cookies help websites remember you and your settings when you visit them again. Persistent cookies have expiration dates set by the Web server when it passes the cookie and are stored on a user's hard drive until they expire or are deleted.
  • Session cookies (transient or Non-persistent cookies) are used to temporarily hold information in the form of a session identification stored in memory as you browse web pages. These types of cookies are cached only while a user is visiting the Web server issuing the session cookie and are deleted from the cache when the user closes the session. Session cookies are not saved to the hard drive since they only last one session, do not collect any information and have no set expiration date.
 

Cookies can be categorized as:

  • Trusted cookies are from sites you trust, use often, and want to be able to identify and personalize content for you.  
  • Nuisance cookies are from those sites you do not recognize or often use but somehow it's put a cookie on your machine.  
  • Bad cookies (i.e. persistent cookies, long term and third party tracking cookies) are those that can be linked to an ad company or something that tracks your movements across the web.
The type of persistent cookie that is a cause for some concern are "tracking cookies" because they can be considered a privacy risk. These types of cookies are used to track your Web browsing habits...your movement from site to site. Ad companies use them to record your activity on all sites where they have placed ads. They can keep count of how many times you visited a web page, store your username and password so you don't have to log in and retain your custom settings. When you visit one of these sites, a cookie is placed on your computer. Each time you visit another site that hosts one of their ads, that same cookie is read, and soon they have assembled a list of which of their sites you have visited and which of their ads that you have clicked on. 

Because cookies are always sent back to the site that originated them, an advertiser's cookie will be sent back to them from every web site you visit that is also using that same advertiser. This allows the advertiser to track the sites you visit, and send targeted advertising based on the types of sites that you visit.

Fact: Cookies are Used by Advertisers to Track Sites You Visit
 

Tracking is generally used by advertising networks to build up detailed profiles for pinpoint ad-targeting.

The Many Ways Websites Track You Online
 
Cookies are used all over the Internet and advertisement companies often plant them whenever your browser loads one of their banner ads by saving (downloading) the cookie to your computer. Further, it is not uncommon for web pages to draw content from many different sources so it is not unusual for a single web page you visit to obtain content and cookies from many others even if you do not visit the actual site.
 
Flash cookies (or Local Shared Objects) are cookie-like data stored on a computer and used by all versions of Adobe Flash Player and similar applications. They can store much more information than traditional browser cookies and they are typically stored within each user’s Application Data directory with a ".SOL" extension. Unlike traditional cookies, Flash cookies cannot be managed through browser controls so they are more difficult to find and remove. However, they can be viewed, managed and deleted using the Website Storage Settings panel at Macromedia's Support Site. From this panel, you can change storage settings for a website, delete a specific website or delete all sites which erases any information that may have been stored on the computer. To prevent any Flash Cookies from being stored on your computer, go to the Global Storage Settings panel and uncheck the option “Allow third-party Flash content to store data on your computer".
Supercookies are not actual cookies but they are similar to tracking cookies in that they are used for tracking technologies (tracking online behavior) that do not rely on HTTP cookies. Supercookies are harder to detect and remove because the browser was never designed to store them...meaning supercookies are not stored in normal browser cookie storage locations. Instead supercookies can be hidden in the browser cache (temporary data storage) saved locally on your computer so it does not need to be re-downloaded every time you visit the same sites.
 
Zombie cookies (type of Super Cookie) are any HTTP cookies recreated after deletion from backups stored anywhere outside the web browser's dedicated cookie storage. Zombie cookies remain intact as they hide outside of the browser's regular cookie storage and are very difficult to delete since they are persistently recreated.
 
Evercookies are JavaScript-based applications which create zombie cookies in a web browser and are intentionally difficult to delete. Evercookies can be used to identify a user even after they have removed standard and Flash cookies. This is accomplished by creating a new cookie and storing the data in as many storage locations (currently eight) as it can find on the local browser. Storage mechanisms range from Standard HTTP and Flash cookies to HTML5's new storage methods. When evercookies find that other types of cookies have been removed, they recreate them so they can be reused over and over.
 
 
 
IMPORTANT!!! With all that said above, research has disclosed that cookies can be used to allow remote attackers to bypass a secure protocol (HTTPS) and reveal private session information. Again, it's not the cookie itself that is bad but how the cookie is misused by an attacker.
 
Cookie Poisoning is a general term for various attacks used to manipulate (forge, alter, restore, hijack) valid HTTP/session cookies. Cookie Poisoning is a technique used by attackers in a continuous manner to manipulate cookies which can lead to the compromise of a victim and website's sensitive data due to the poor security infrastructure of the website. Cookie Poisoning allows the attacker to gain unauthorized access to a victim's account and steal or misuse their information.
 
A Cookie Injection Attack can be mounted by man-in-the-middle (MITM) attackers who set cookies throughout their invasive session allowing them to facilitate the disclosure of any private data being transmitted in the session. Man-in-the-middle cookie poisoning attacks include:

  • SSL stripping – the attacker tricks the web application into dropping an HTTPS connection and using the insecure HTTP protocol instead, making packet sniffing possible.
  • SSL hijacking – the attacker generates a fake SSL certificate for the web application and the victim connects to a cloned or proxy application controlled by the attacker without any certificate warnings.
  • DNS cache poisoning – the attacker tricks the victim’s DNS cache into storing manipulated domain information and the victim’s browser is directed to a cloned or proxy application controlled by the attacker.

 

Cross-Site Scripting (XSS) is a way to access and manipulate cookie data. After an attacker finds a trusted website that is vulnerable to XSS injection, they insert (inject) a malicious JavaScript into that website. The malicious script can access any cookies, session tokens or other sensitive information retained by the browser and used with that website...giving the attacker access to the session cookies of everyone who views that page. Types of XSS attacks include:

  • Reflected XSS occurs when the malicious script comes from the current HTTP request. The application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
  • Stored XSS occurs when the malicious script comes from the website's database. The application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
  • DOM-based XSS occurs when the vulnerability exists in client-side code rather than server-side code. The application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way.

 

Session Hijacking (Cookie Hijacking) is more of a concern in recent years because of how many sites we login to each day. When you log into a website, your browser recognizes you are logged in because the server sets a temporary session cookie which allows you to stay authenticated to a website. 

  • Session hijacking occurs when a hacker steals a victim’s unique session ID number and mimics that person’s cookie over the same network when the victim is logged in on the system.
  • Session Spoofing is similar but occurs when the attacker actually logs in to the victim’s account with the stolen credentials when the victim is not logged in.
  • Session fixation occurs when the attacker supplies a pre-set session identifier (typically in a phishing email) and tricks the victim into clicking a malicious link which logs into a vulnerable site using this identifier. If the site allows the logon, the attacker can hijack the user session using the known identifier. By stealing the session the attacker can steal the victim's session while they are logged into a financial institution, store or other secure website, they are able to take any actions that you would be able to take while logged in.
  • Session prediction exploits weaknesses in the way session IDs are generated for a particular site. If the process is not sufficiently random and the attacker figures out the algorithm, they can generate valid session IDs. If session identifiers are short, attackers could even use brute force attacks to guess valid identifiers for authentication.

 

Cookies associated with authentication to web services can be used by attackers in “pass the cookie” attacks, attempting to masquerade as the legitimate user to whom the cookie was originally issued and gain access to web services without a login challenge.

To mitigate Session/Cookie hijacking, avoid logging onto free public Wi-Fi connections (especially those without password protection) and be sure to use automatic log-off when sessions are not in use. To mitigate against Cookie Injection Attacks, include full HSTS protection, a public suffix list of top-level and shared domains, defensive cookie practises such as frequently invalidating them, and anomaly detection to ensure the state-management settings are valid.

As long as you surf the Internet, you are going to get cookies and some of your security programs will flag them for removal. Anti-malware scanners have more important things to look for, so I would recommend disabling the option to search for cookies which will also decrease the amount of time it takes to perform a scan. You can minimize the number of cookies which are stored on your computer by using third-party Disk Cleanup Tools (not optimizers), a Cookie Manager and routinely removing cookies from your browser.
 
Cookie Removal Resources in these articles...

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
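
Added example, not part of the original thread or any poster's code: a small audit of `Set-Cookie` response headers that separates session cookies from persistent ones (as described in post #2) and flags the missing attributes that matter for the HTTPS-stripping, XSS and tracking scenarios discussed there. The hostnames, sample headers, finding labels and the one-year threshold are constructed for illustration, and the "site" comparison is a simplification of the Public Suffix List lookup real browsers perform.

```python
"""Audit Set-Cookie headers: session vs persistent, plus missing protective attributes."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ONE_YEAR = 365 * 24 * 3600  # illustrative threshold for "long-lived"

# Constructed sample data: (host that sent the response, Set-Cookie value).
SAMPLES = [
    ("shop.example", "SESSIONID=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "prefs=dark; Expires=Wed, 25 Feb 2026 17:00:00 GMT; Path=/"),
    ("cdn.ads.example", "uid=u-1029; Domain=ads.example; Max-Age=63072000; Secure; SameSite=None"),
    ("shop.example", "cart=; Max-Age=0; Path=/"),
]
NOW = datetime(2024, 2, 25, 17, 0, tzinfo=timezone.utc)  # fixed clock for repeatable results


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def lifetime_seconds(attrs, now):
    """Seconds until expiry, or None for a session cookie. Max-Age overrides Expires."""
    try:
        return int(attrs["max-age"])
    except (KeyError, ValueError):
        pass
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return None  # no usable expiry: the browser keeps it for the session only
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return int((expires - now).total_seconds())


def site_of(host):
    """Naive 'site' (last two labels). Real browsers consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit(response_host, header, page_host, now=NOW):
    """Classify one cookie set while the user is viewing a page on page_host."""
    name, _, attrs = parse_set_cookie(header)
    life = lifetime_seconds(attrs, now)
    kind = "session" if life is None else ("expired" if life <= 0 else "persistent")
    third_party = site_of(response_host) != site_of(page_host)
    findings = []
    if kind != "expired":  # an expired cookie is a deletion, nothing to protect
        if "secure" not in attrs:
            findings.append("no-secure")    # also sent over plain HTTP if HTTPS is stripped
        if "httponly" not in attrs:
            findings.append("no-httponly")  # readable by script injected through XSS
        if attrs.get("samesite", "").lower() not in ("strict", "lax", "none"):
            findings.append("no-samesite")  # cross-site sending left to browser defaults
        if third_party and kind == "persistent" and life >= ONE_YEAR:
            findings.append("long-lived-third-party")  # fits the tracking-cookie pattern
    return {"name": name, "kind": kind, "third_party": third_party, "findings": findings}


def audit_all(samples=SAMPLES, page_host="shop.example"):
    return [audit(host, header, page_host) for host, header in samples]


if __name__ == "__main__":
    for row in audit_all():
        print(row)
```
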


#3 Magic Sam


Posted 25 February 2024 - 05:51 PM

I think my motivation was / is primarily a matter of privacy - where the site is asking my agreement to being the target of ads, in addition to goodness knows what other kinds of nasties that could be in the queue. What I have often wondered is, if I make a point of "clearing cookies" at the end of each browsing session, the end result is the same as if they hadn't been set in the first place? I suspect the answer may not be cut & dried black & white.



#4 quietman7


Posted 26 February 2024 - 03:50 PM

I clean them out too from time to time but removal depends on what kind of cookies you are dealing with. As I explained above.

 
- Persistent cookies have expiration dates set by the Web server when it passes the cookie and are stored on a user's hard drive until they expire or are deleted. 
- Session cookies are deleted from the cache when the user closes the session...they are not saved to the hard drive since they only last one session, do not collect any information and have no set expiration date.
- Flash cookies cannot be managed through browser controls so they are more difficult to find and remove.
- Supercookies are harder to detect and remove because the browser was never designed to store them...meaning supercookies are not stored in normal browser cookie storage locations.
- Zombie cookies remain intact as they hide outside of the browser's regular cookie storage and are intentionally very difficult to delete since they are persistently recreated.
- Evercookies are JavaScript-based applications which create zombie cookies in a web browser and are also intentionally difficult to delete...When evercookies find that other types of cookies have been removed, they recreate them so they can be reused over and over.



#5 Magic Sam


Posted 26 February 2024 - 07:32 PM

Goes to show that when you begin to scratch away at the surface, there is no end of nasties that come crawling out of the woodwork.

 

I kid (?) myself that declining all prominent website cookies and using Chrome's cookie etc cleaner, and from time to time CCleaner's tool, that thereby I have rid myself of them. Seems not. Obvious follow up question: Is there / are there cookie cleaners that are a match for what you have outlined above?

 

I have never used a VPN. Is this a worthwhile defence?

 

I get the impression that normal AV protection is not designed to cope with cookies.




#6 quietman7


Posted 26 February 2024 - 09:51 PM

Most antivirus intentionally do not search for and remove cookies for three main reasons. First, because cookies pose no significant threat in the typical sense we think of threats with malware. Second, many cookies are used for legitimate purposes on various websites for making your interaction more efficient. Third, the antivirus has more important things to do such as detecting and removing actual malware, although some scanning engines may detect/remove adware tracking cookies.
 
The appropriate place to manage cookies is through your Web browser or by scanning with third-party software specifically designed to remove cookies (CCleaner, Privacy Eraser, SecureClean, Cookie Cleaner). Some browsers even have extensions available for managing and removing cookies.




#7 Nukecad

  • Members
  • 946 posts
  • Gender: Male
  • Location: UK Lake District

Posted 27 February 2024 - 06:28 AM

Is there some software that makes it possible - on demand - to say no to some or all

 

 

No- but there is software that will automatically accept them for you so that you don't have to click on things yourself.

 

I see that you are in the UK, so are covered by the Data Protection laws in Europe and the UK.
That makes it a legal requirement for websites that use cookies to show you a cookie warning when you visit them, and they have to get and record your permission to let them do that. ie. an 'Accept' button.

 

Although they have to show you the warning and you have to click to indicate that you 'Accept cookies', they don't have to offer you a 'Reject cookies' option. - You can reject simply by not continuing to the website.
Some websites do have a 'Only essential cookies' option to let you continue with only some of their cookies, but that isn't a legal requirement.

 

So although the 'Cookie Warning' law was brought in with good intentions the repercussions weren't thought through properly, and it can be a PITA to keep having to accept the warnings.

It is being talked about changing the laws so that websites don't have to keep bugging you in this way.

In the meantime in Europe/UK we have browser add-ons that will accept the cookie warning for you, at the minimum allowed cookie level, often before you even see it.
 

I use the 'I don't care about cookies' browser extension and I'm never (well hardly ever) pestered by the cookie warnings.
It can also be added as a filter list in adblockers, but that is not as effective as using the extension.
Other similar browser extensions are available.
https://www.i-dont-care-about-cookies.eu/

 

I do clear all cookies daily, (often multiple times daily), my browser is set to clear cookies and history on closing, and then I have my own batch file to clear all the browser caches, a double cleaning because browsers don't always clear everything.
An app such as CCleaner will also clear them out on demand, you can usually set exceptions in cleaning apps so that they will not remove any that you do want to keep. (Say if a login is stored as a cookie then you may want to keep it).
If you get the Paid version of CCleaner it can be set to clear a browser's cookies and caches when that browser is closed.

 

Another way of avoiding such cookie warnings would be to use a VPN that says you are outside of Europe/UK so not covered by the same Data Protection laws. To me it's simpler for most people to use a browser extension.

 


Edited by Nukecad, 27 February 2024 - 07:19 AM.

*** Out of Beer Error ->->-> Recovering Memory ***


#8 Magic Sam


Posted 27 February 2024 - 07:09 AM

Thanks for the long and extensive explanation.
I can understand that for the sake of an easy life accepting cookies by default makes sense. Regrettably my attitude is programmed differently and I will decline cookies wherever possible. Having read Quietman7's comments above I am not inclined to give cookies the benefit of the doubt. I think Chrome has a facility to remove cookies at the end of a session with just a couple of mouse clicks, but up to now I have not known how effective this is.



#9 Nukecad


Posted 27 February 2024 - 08:24 AM

Each to their own opinion of course.

 

But like Quietman7 I'm not particularly bothered by any 'threat' from cookies - as long as I clear them off my machines regularly.

 

Yes they can show what you have been doing during a browsing session, but when you close the browser and clear them they are gone - and then when you start your next browsing session it's like you are new to the web as far as cookies are concerned.






