Republished with permission from
WatchGuard Technologies, Inc.
Fireware vs. the Cookie Monster (Part 1)
Using HTTP-Proxy to block ad-serving cookies at your gateway
A cookie is a small piece of data that a Web server asks the browser to store on the user's PC (in the browsers of the day, typically as a small text file) when the user visits a Web site; the browser sends it back with every later request to that site. Generally speaking, a cookie may store any information the Web application decides is useful to identify the customer, his preferences, and his interests.
Used as originally intended, cookies are relatively benign. But over time, Web applications began using cookies in ways never intended. Some used cookies to save personally identifying information (PII) and user credentials. While this provided a convenient user experience, such cookies stored information that users should have kept private. Predictably, poor cookie implementations were exploited by fraudsters, identity thieves, and other troublemakers.
Is it spyware?
Ad-serving cookies remain hotly debated as the Internet community attempts to manage the spyware pandemic. Are such cookies merely adware? Software and toolbar applications are considered technically (and in many jurisdictions, legally) spyware if they:
If they violate any of the criteria listed above, they "walk like spyware and quack like spyware." Users should apply desktop measures such as cookie manager software to block them.
If an ad-serving cookie does not violate the criteria listed above, most legislators say it is not spyware. However, such cookies pose threats that lawmakers have not adequately considered, partly because ad serving (a.k.a. behavior tracking) is a lucrative business sector with sufficient capital to influence policymakers.
Many companies that offer ad- and behavior tracking services and products have a vested interest in distancing themselves from spyware. They campaign aggressively with antispyware companies to have their products removed from spyware blacklists. Case in point: last week, a legal settlement forced Symantec to stop their anti-spyware from recommending the deletion of adware from Hotbar.
In addition to complying with TRUSTe and the acceptable tracking practices spelled out by antispyware vendors (e.g., the LavaSoft and Microsoft assessment criteria), companies like Zedo, DoubleClick and 247RealMedia provide opt-out mechanisms. When a customer opts out, the company sets a special opt-out cookie in the user's browser; on later visits the ad server reads that cookie and does not track that browser.
If users can opt out, the problem is solved, right? Wrong. Opt-out has several shortcomings. Opt-out assumes the user is aware that a cookie has been written to his computer, that opt-out is available from the ad-serving company that uses the cookie, and that the user will take the initiative to visit the company's Web site and opt out. Most users accumulate hundreds of cookies in a relatively short time and cannot investigate and exercise this option for so many cookies. Moreover, currently employed opt-out techniques require that the opt-out cookie remain on the user's computer. If the user deletes the opt-out cookie and again visits an affiliate of an ad-serving company, the affiliate plants a new ad-serving cookie and the user must repeat the opt-out process. Lastly, opt-out is in the hands of the individual user. This might be acceptable in the consumer world, but is probably not sufficient for businesses.
How cookies threaten business networks
When considered in the context of an entire network, this kind of information gathering is disturbingly invasive. If you've set your Firebox to perform dynamic NAT, all HTTP traffic appears to originate at the external IP address of your Firebox. If the ad server records that source address alongside the identifier in its cookie, the behavior it tracks is not that of an individual consumer but an aggregation of requests generated by many users operating behind the firewall. Combine this data with "keywords entered into search engines" (search terms often travel in the Referer header of the results page that embeds the ad) and the recipient of this combined data could learn more about activities at your company than you care to disclose.
Combine the data again with "general location information about IP addresses" and the recipients might be able to pinpoint specific business units from the routing and registration information associated with your external IP address. For example, a recipient of this information can identify the company through reverse DNS and WHOIS lookups on that address, then learn what business units operate at that location from the company's Web site. Examining the tracked Web behavior in this context, the recipient might gain insight into marketing and product research, competitive analysis, proposed mergers, or other projects your company engages in.
If instead the ad server sees internal IP addresses (for example, because a forwarding proxy appends the client's address in an X-Forwarded-For or Via header), that information could be correlated against other Web log records. A collection of tracked internal addresses might also reveal some of your internal network topology.
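To make the aggregation concrete, here is an added example (not from the original article) that takes the ad server's point of view: a few constructed tracker log lines, each carrying the source IP the tracker saw, its cookie identifier and the Referer of the embedding page, are grouped by source address. Behind dynamic NAT one address carries several cookie identifiers and their search terms, which is the organisation-level profile the text warns about. Addresses, identifiers and queries are all made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed ad-server log: "<source ip> uid=<cookie id> <referer>".
# Every value is invented for this example; 203.0.113.7 plays the NAT gateway.
SAMPLE_LOG = """\
203.0.113.7 uid=7f3a http://search.example/?q=acme+corp+acquisition
203.0.113.7 uid=c021 http://search.example/?q=widget+competitor+pricing
203.0.113.7 uid=7f3a http://news.example/business/mergers
203.0.113.7 uid=9b4e http://search.example/?q=lunch+near+me
198.51.100.23 uid=d5e0 http://search.example/?q=holiday+deals
"""

LINE_RE = re.compile(r"^(\S+) uid=(\S+) (\S+)$")


def search_terms(url):
    """Return the search query carried in a Referer URL (its q= parameter), or None."""
    q = parse_qs(urlparse(url).query).get("q")
    return q[0] if q else None


def profile_by_source_ip(log_text):
    """Group tracker hits by source IP.

    For each address: number of hits, the distinct cookie ids seen from it, and
    the search terms leaked through Referer.  Behind NAT every internal user
    shares one source address, so one entry is really a whole site's activity."""
    profiles = defaultdict(lambda: {"hits": 0, "cookies": set(), "queries": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail on them
        ip, uid, referer = m.groups()
        entry = profiles[ip]
        entry["hits"] += 1
        entry["cookies"].add(uid)
        term = search_terms(referer)
        if term:
            entry["queries"].append(term)
    return dict(profiles)


def nat_aggregates(profiles, min_cookies=2):
    """Source addresses presenting several distinct cookie ids: the tracker's
    view of a NAT gateway, and the unit it can profile as one organisation."""
    return sorted(ip for ip, p in profiles.items() if len(p["cookies"]) >= min_cookies)


if __name__ == "__main__":
    profiles = profile_by_source_ip(SAMPLE_LOG)
    for ip in nat_aggregates(profiles):
        p = profiles[ip]
        print(f"{ip}: {p['hits']} hits, {len(p['cookies'])} browsers, queries={p['queries']}")
```

Nothing here requires the cookie to contain the IP address; the server merely logs the source address next to the identifier it issued, which is why the NAT address, not the cookie, is what ties the users together.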
Cookie control and defense in depth
Let's face it: cookie management and opt-out performed by individual users is a disorganized, ad hoc activity. Even if you specify a policy and recommend that users install cookie control software, that leaves it to your users to decide which cookies to keep. They probably lack sufficient information and experience to choose wisely. Most users have enough trouble identifying and blocking cookies that pose personal privacy threats, and should be neither entrusted nor burdened with mitigating threats to the entire organization.
Enforcing cookie policy at the gateway takes that decision out of users' hands. More importantly, you can enforce a locally relevant and more stringent policy than antispyware vendors can, since they may be constrained by legislation and settlements. Finally, by incorporating cookie management policies with WebBlocker and other policy enforcement mechanisms at the HTTP proxy, you might find that the task isn't quite as formidable as you first thought. Stay tuned for Part Two of this article, to see how Fireware can slay the cookie monster.
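The following is an added example, not Fireware configuration and not WatchGuard code. It models the decision an HTTP proxy makes when a cookie policy is enforced at the gateway: Set-Cookie headers destined for a listed ad-serving domain are dropped from responses, and the Cookie header is stripped from requests bound for such a domain. The second half is what makes the opt-out problem above moot: a tracking cookie planted before the policy existed, or after an opt-out cookie was deleted, never reaches the tracker again. The domain list, hostnames and HTTP messages are all constructed for the example.

```python
"""Gateway-side cookie filtering, modelled on an HTTP-proxy policy decision.
Added illustration; the blocklist and messages below are constructed."""

# Constructed ad-serving/tracking domains; a real deployment keeps its own list.
AD_DOMAINS = {"ads.example-adnet.com", "tracker.example-stats.net"}


def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_headers(raw):
    """Split a raw HTTP message head into (start_line, [(name, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def build_message(start, headers):
    """Reassemble a message head from its start line and header pairs."""
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"


def cookie_domain(set_cookie_value):
    """Return the Domain attribute of a Set-Cookie value (leading dot removed), or None."""
    for attr in set_cookie_value.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.strip().lower() == "domain":
            return val.strip().lstrip(".").lower()
    return None


def filter_response(raw, origin_host):
    """Drop Set-Cookie headers that would be stored for a listed ad domain.

    A cookie without a Domain attribute belongs to the host that served the
    response, so origin_host decides that case.  Returns (new_head, dropped)."""
    start, headers = parse_headers(raw)
    kept, dropped = [], 0
    for name, value in headers:
        if name.lower() == "set-cookie":
            target = cookie_domain(value) or origin_host
            if host_matches(target, AD_DOMAINS):
                dropped += 1
                continue
        kept.append((name, value))
    return build_message(start, kept), dropped


def filter_request(raw):
    """Strip the Cookie header from requests bound for a listed ad domain.

    This stops tracking cookies planted before the policy existed from being
    replayed.  Returns (new_head, dropped)."""
    start, headers = parse_headers(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    if not host_matches(host.split(":")[0], AD_DOMAINS):
        return raw, 0
    kept = [(n, v) for n, v in headers if n.lower() != "cookie"]
    return build_message(start, kept), len(headers) - len(kept)


# Constructed sample messages: an ad-server response, a first-party response,
# and a request for an ad pixel that carries previously planted cookies.
AD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/gif\r\n"
    "Set-Cookie: uid=7f3a; Domain=.ads.example-adnet.com; Path=/; Expires=Thu, 01 Jan 2037 00:00:00 GMT\r\n"
    "Set-Cookie: sess=c021\r\n"
    "\r\n"
)
SHOP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: pref=blue; Path=/\r\n"
    "\r\n"
)
AD_REQUEST = (
    "GET /pixel.gif HTTP/1.1\r\n"
    "Host: ads.example-adnet.com\r\n"
    "Cookie: uid=7f3a; sess=c021\r\n"
    "Referer: http://www.example-shop.com/catalog\r\n"
    "\r\n"
)

if __name__ == "__main__":
    head, n = filter_response(AD_RESPONSE, "ads.example-adnet.com")
    print(f"ad response: dropped {n} cookie(s)\n{head}")
    head, n = filter_response(SHOP_RESPONSE, "www.example-shop.com")
    print(f"shop response: dropped {n} cookie(s)\n{head}")
    head, n = filter_request(AD_REQUEST)
    print(f"ad request: dropped {n} cookie header(s)\n{head}")
```

The first-party cookie from the shop survives untouched, which is the property a gateway policy needs: it must be selective by domain, not a blanket cookie ban that breaks logins and shopping carts. Matching on the Domain attribute as well as the serving host matters because a tracker reached through a CNAME or a subdomain still names its parent domain in the cookie it sets.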
Copyright © 2006, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.