Republished with permission from WatchGuard Technologies, Inc.


Fireware vs. the Cookie Monster (Part 1)

Using HTTP-Proxy to block ad-serving cookies at your gateway

By David M. Piscitello, President, Core Competence

A cookie is a file that a Web application writes to a user's PC when the user visits a Web site. Generally speaking, a cookie may store any information the Web application decides is useful to identify the customer, his preferences, and his interests.

Used as originally intended, cookies are relatively benign. But over time, Web applications began using cookies in ways never intended. Some used cookies to save personally identifying information (PII) and user credentials. While this provided a convenient user experience, such cookies stored information that users should have kept private. Predictably, poor cookie implementations were exploited by fraudsters, identity thieves, and other troublemakers.

The practice of recording information that is best kept private in cookies is, unfortunately, the tip of the iceberg. Today, Web applications use cookies to gather information about a user's Web browsing and searching behaviors and buying preferences. The information recorded in these ad-serving cookies is processed by the Web site and by third parties to deliver customized advertising. In many cases, the information is misused. For example, a user who purchased undergarments on one visit sees ads for porn sites on her next visit.

Is it spyware?

Ad-serving cookies remain hotly debated as the Internet community attempts to manage the spyware pandemic. Are such cookies merely adware? Software and toolbar applications are considered technically (and in many jurisdictions, legally) spyware if they:

  • Install without the user's permission or consent
  • Collect personally identifying information
  • Are not easily and permanently removed without damage.

If they violate any of the criteria listed above, they "walk like spyware and quack like spyware." Users should apply desktop measures such as cookie manager software to block them.

If an ad-serving cookie does not violate the criteria listed above, most legislators say it is not spyware. However, those cookies pose threats that lawmakers have not adequately considered, partly because ad-serving (a.k.a. behavior tracking) is a lucrative business sector with sufficient capital to influence policymakers.

Many companies that offer ad- and behavior tracking services and products have a vested interest in distancing themselves from spyware. They campaign aggressively with antispyware companies to have their products removed from spyware blacklists. Case in point: last week, a legal settlement forced Symantec to stop their anti-spyware from recommending the deletion of adware from Hotbar.

In addition to complying with TRUSTe and acceptable tracking practices spelled out by antispyware vendors (e.g., LavaSoft and Microsoft assessment criteria), companies like Zedo, DoubleClick and 247RealMedia provide opt-out mechanisms. When a customer opts out, the company writes a special cookie on the user's computer which deactivates ad-serving.

If users can opt out, the problem is solved, right? Wrong. Opt-out has several shortcomings. Opt-out assumes the user is aware that a cookie has been written to his computer, that opt-out is available from the ad-serving company that uses the cookie, and that the user will take the initiative to visit the company's Web site and opt out. Most users accumulate hundreds of cookies in a relatively short time and cannot investigate and exercise this option for so many cookies. Moreover, currently employed opt-out techniques require that the opt-out cookie remain on the user's computer. If the user deletes the opt-out cookie and again visits an affiliate of an ad-serving company, the affiliate plants a new ad-serving cookie and the user must repeat the opt-out process. Lastly, opt-out is in the hands of the individual user. This might be acceptable in the consumer world, but is probably not sufficient for businesses.

How cookies threaten business networks

Legislation and opt-out services improve the ad-serving cookie situation, but several nagging problems persist, especially for you, the network administrator. Companies that provide behavior tracking and targeted advertising services do not, as a rule, disclose the identities of their clients to consumers. Neither the behavior tracking company nor its clients disclose specifically how they use the data they collect, nor do they divulge what conclusions they draw from the data they analyze. Even if no PII is collected, you should worry, because information about your networks is being collected, analyzed and delivered to parties you do not know, without disclosure and consent. To illustrate why this is serious, consider the following statement in one behavior-tracking company's privacy policy:

"...we may collect the user's IP address, Internet browser type and version as well as the type and version of their computer's operating system and, in some cases, keywords entered into search engines. We also may cross-reference IP addresses with databases maintained by one or more of our vendors to generate general location information about IP addresses."

When considered in the context of an entire network, this kind of information gathering is disturbingly invasive. If you've set your Firebox to perform dynamic NAT, all HTTP traffic appears to originate at the external IP address of your Firebox. If the Web application tracks the external IP address in its cookie, the behavior tracked is not that of an individual consumer, but an aggregation of requests generated by many users operating behind the firewall. Combine this data with "keywords entered into search engines" and the recipient of this combined data could learn more about activities at your company than you care to disclose.

Combine the data again with "general location information about IP addresses" and the recipients might be able to pinpoint specific business units based on IP routing information they can associate with the external IP address you use. For example, a recipient of this information can identify the company through DNS and WHOIS lookups and then learn what business units operate at that location from the company's Web site. Examining the tracked Web behavior in this context, the recipient might gain insight into marketing and product research, competitive analysis, proposed mergers, or other projects your company engages in.

Even if the Web application tracks internal IP addresses in its cookie, this information could be correlated against other Web log records. Tracking internal IP addresses might also reveal some of your internal network topology.

Cookie control and defense in depth

Let's face it: cookie management and opt-out performed by individual users is a disorganized, ad hoc activity. Even if you specify policy and recommend that users install cookie control software, that leaves it to your users to decide what cookies to keep. They probably lack sufficient information and experience to choose wisely. Most users have enough trouble identifying and blocking cookies that pose personal privacy threats, and should not be entrusted nor burdened with mitigating threats to the entire organization.

You can address the problem of containing ad-serving cookies at multiple levels, e.g., by complementing desktop cookie control with gateway measures. Gateway cookie control is exactly the kind of content filtering that the Fireware Pro HTTP proxy performs well. In my next column, I'll provide examples of how. By enforcing cookie policy at a Firebox, you can centrally administer policy and block cookies based on your own risk assessment. This is clearly better than relying on individual users, and provides users with a buffer of protection beyond their own cookie management efforts.
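To make the gateway filtering idea concrete, here is an added example of the decision logic an HTTP proxy would apply to cookies in both directions: it strips Set-Cookie headers in responses whose effective domain (the Domain attribute, or the sending host when there is none) matches an ad-serving domain list, and strips the Cookie header from requests headed to such domains so that cookies already planted on desktops are not replayed through the gateway. This is illustrative code written for this article, not Fireware's own implementation (Part Two covers how the Fireware Pro HTTP proxy is actually configured); the domain list and the sample headers are constructed for the demonstration.

```python
# Added example: gateway-side cookie control logic for an HTTP proxy.
# Illustrative only; not WatchGuard Fireware code. The ad-serving domain
# list and the sample headers below are constructed for this example.
from __future__ import annotations
from typing import Dict, Iterable, List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample list; matching is by exact domain or subdomain.
AD_SERVING_DOMAINS = frozenset({"doubleclick.net", "zedo.com", "247realmedia.com"})


def domain_matches(host: str, blocked: Iterable[str] = AD_SERVING_DOMAINS) -> bool:
    """True if host equals or is a subdomain of any blocked domain.
    The leading dot of a Domain attribute (".doubleclick.net") is ignored, and the
    suffix test includes the dot so that "notdoubleclick.net" does not match."""
    host = host.strip().lower().strip(".")
    for d in blocked:
        d = d.lower()
        if host == d or host.endswith("." + d):
            return True
    return False


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to None."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            k, v = part.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def filter_response_headers(origin_host: str, headers: Iterable[Header]) -> Tuple[List[Header], List[str]]:
    """Drop Set-Cookie headers that would plant an ad-serving cookie.
    Returns (headers to forward, audit list of 'name@domain' that were dropped)."""
    kept: List[Header] = []
    dropped: List[str] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name, attrs = parse_set_cookie(value)
            domain = attrs.get("domain") or origin_host
            if domain_matches(domain):
                dropped.append(f"{cookie_name}@{domain}")
                continue
        kept.append((name, value))
    return kept, dropped


def filter_request_headers(dest_host: str, headers: Iterable[Header]) -> Tuple[List[Header], bool]:
    """Strip the Cookie header from requests to ad-serving hosts, so cookies a
    desktop already holds are not sent out. Returns (headers, stripped?)."""
    headers = list(headers)
    if not domain_matches(dest_host):
        return headers, False
    kept = [(n, v) for n, v in headers if n.lower() != "cookie"]
    return kept, len(kept) != len(headers)


def demo() -> Tuple[int, List[str], bool, bool]:
    """Run the filter over constructed sample traffic and return the outcomes."""
    # Constructed sample: a response from an ad server with two cookies.
    ad_response = [
        ("Content-Type", "image/gif"),
        ("Set-Cookie", "id=8001a2; Domain=.doubleclick.net; Path=/; Expires=Wed, 01-Jan-2020 00:00:00 GMT"),
        ("Set-Cookie", "sid=77f1; Path=/; HttpOnly"),  # no Domain: defaults to sending host
    ]
    kept, dropped = filter_response_headers("ad.doubleclick.net", ad_response)
    # Constructed sample: an outbound request carrying a previously planted cookie.
    _, stripped_ad = filter_request_headers("c1.zedo.com", [("Host", "c1.zedo.com"), ("Cookie", "ZID=1")])
    _, stripped_ok = filter_request_headers("www.example.com", [("Cookie", "pref=1")])
    return len(kept), dropped, stripped_ad, stripped_ok


if __name__ == "__main__":
    print(demo())
```

The audit list returned by filter_response_headers is the part a network administrator would actually log: it tells you which ad-serving domains your users' traffic touches, which is the input you need for the risk assessment this article argues should drive gateway policy rather than individual users' cookie choices.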

More importantly, you can enforce a locally relevant and more stringent policy than antispyware vendors, who may be constrained by legislation. Finally, by incorporating cookie management policies with WebBlocker and other policy enforcement mechanisms at the HTTP proxy, you might find that the task isn't quite as formidable as you first thought. Stay tuned for Part Two of this article, to see how Fireware can slay the cookie monster.



Copyright © 2006, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.