
What Are Cookies and How Are They Dangerous?

By Sydney Butler / December 14, 2020

Mmmmm, cookies. Sounds delicious, right? Well, in the computer world, cookies were meant to be pleasant and useful but have been twisted to sometimes hurt more than they help. The web can't work properly without cookies, but our relationship with them is becoming complicated.

Every internet user should know what cookies are and why they might be dangerous. In this article, we'll explain what cookies are, why you should care, and the potential dangers they pose.

Cookies Explained

The core nature of a cookie is pretty boring. It's just a text file. What's more important is the actual information contained in that text. Cookies are left on your computer by the websites you visit. They hand the cookie file over to your browser, which then stores it on the hard drive.

When you visit that site again in the future, the server reads the cookies on your computer. The idea is to use this information to make your browsing experience better. For example, it's how the site knows who you are and what your site preferences are.

Before the web, cookies were used mainly on networks, in the form of so-called "magic" cookies.

HTTP & Magic Cookies


Magic cookies are an old networking concept, a predecessor of the modern cookie as we know it. These small files were used to make actions such as logging in to the server or accessing resources go more smoothly.

When we talk about cookies today, what we're referring to is an HTTP cookie. The magic cookie was the inspiration for the HTTP cookie, but they serve rather different purposes.

As the name suggests, HTTP cookies are used by HTTP protocol websites. While the server is perfectly capable of saving your information on its own hard drive, it doesn't have a way of identifying you until you log in. This is perhaps not the biggest inconvenience, but if you had to log in every single time you visit a site like Amazon, it would get old fast. Especially given how much we use the web today.

Specific Use Cases for Cookies

So if you let a website put a cookie on your computer, what's the benefit to you? We've mentioned sites use it to remember you, but that breaks down into three specific types of information.

First of all, there's session management. When you ask a site to remember you or not ask for a login next time you visit, it's being done via a cookie. It's also why you can close a site and go right back to it without logging in again. Instead, sessions will expire if you've been idle for too long. This is probably the most useful way in which cookies are used.

Next, cookies are used for personalization. However, we're not talking about your preferences here. Instead, cookies are used to store personal information about you. That information is used to change the way that you experience a site. For example, a shopping site might show you specific special offers or products based on the information stored in your cookies.

A related use of cookies is to track you: where you go on the site and what you look at. It's also how a commerce site manages to remember what products are in your cart, even if you haven't logged in yet!

There's some variety when it comes to modern HTTP cookies. Specifically, there are two types of HTTP cookies. Session cookies are temporary. They only last for as long as your session with a specific website lasts. Think of them as a sort of short-term memory for the website that prevents you from having to constantly resubmit information every time you navigate to a new page.

Persistent cookies, on the other hand, are on your computer forever. OK, at least until they are deleted. Persistent cookies can have expiry dates, at which point they are deleted. However, there's nothing stopping a site from putting a cookie with an indefinite lifespan on your computer.

The Dangers of Cookies


While cookies were created to make web browsing better for all of us, malicious actors have figured out how to use them in ways that aren't great for your privacy or security.

First of all, cookies are not executable. They really are just text files. So you don't have to worry about a cookie by itself being malware. The problem is that the information stored inside a cookie can be used in various attacks even if it seems innocent. After all, their nature as plain text files means anyone can read the contents.

Browser history tracking is one major weakness of cookies. So-called third-party cookies that aren't created by the site you're visiting intentionally make it possible to track you over multiple sites. This is one of the reasons you see advertising on new sites you've visited for products that you've browsed on a completely unrelated site.

This information can be used to build a pretty comprehensive picture of who you are. It can destroy your anonymity and warp your web experience.
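To make the session/persistent and first-/third-party distinctions described above concrete, here is an added example (not from the original article) that labels cookies from the `Set-Cookie` headers a page load produces. The host names, cookie values and the two-label `siteOf` shortcut are assumptions made for illustration.

```javascript
// Added example. Hosts and Set-Cookie values below are constructed sample data.

// Assumption: a "site" is the last two labels of the host. Browsers use the
// Public Suffix List instead, so hosts like shop.example.co.uk are mishandled here.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in whole days, or null for a session cookie (no Max-Age or Expires).
// Max-Age takes precedence over Expires, as RFC 6265 specifies.
function lifetimeDays(attrs, now) {
  let ms;
  if (attrs["max-age"] !== undefined) ms = Number(attrs["max-age"]) * 1000;
  else if (attrs.expires !== undefined) ms = Date.parse(attrs.expires) - now.getTime();
  else return null;
  return Math.max(0, Math.floor(ms / 86400000));
}

// Label each cookie by who set it and how long it stays on disk.
function auditCookies(pageHost, responses, now) {
  return responses.map(({ host, setCookie }) => {
    const { name, attrs } = parseSetCookie(setCookie);
    const days = lifetimeDays(attrs, now);
    const party = siteOf(host) === siteOf(pageHost) ? "first" : "third";
    return { name, party, kind: days === null ? "session" : "persistent", days };
  });
}

const NOW = new Date("2020-12-14T00:00:00Z");
const SAMPLE = [
  { host: "www.shop.example", setCookie: "sid=abc123; Path=/" },
  { host: "www.shop.example", setCookie: "cart=42; Max-Age=2592000; Path=/" },
  { host: "ads.tracker.example",
    setCookie: "uid=u-789; Expires=Fri, 14 Dec 2040 00:00:00 GMT; Path=/" },
];
console.log(auditCookies("www.shop.example", SAMPLE, NOW));
```

A persistent third-party cookie with a lifetime measured in years, like the last sample entry, is the pattern to look for when reviewing what a site leaves in your browser.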


Cookies have become such a privacy issue that some government bodies are taking notice. The most prominent example of this is the EU's GDPR framework. This is why you are now seeing a popup on any website that's going to be viewed by EU citizens.

There are specific policies in place where websites must tell you upfront that they use cookies. They have to tell you what information these cookies contain and what they will be used for. You then have the option to accept the policy or decline it if you disagree. You then can either use a cut-down version of the service or not use it at all.

It can feel like a chore to read each and every cookie policy. After all, they all need to be GDPR compliant and are probably just the same boilerplate on most sites. Still, it's worth actually reading what you are agreeing to. At least from time to time. At the bare minimum, read the GDPR for cookies or the equivalent for the territory that you reside in.

Managing Cookies


There are various ways to manage cookies in your system and what information you give up to websites you visit.

The most radical measure you can take is to switch off cookie functionality in your web browser completely. This is likely to significantly alter your web browsing experience, but you have to weigh that up against the level of privacy you require.

It's also possible to be selective with how you interact with cookies. For GDPR-compliant sites, you can simply reject their cookie use. On some sites, this might mean that you can't use the site at all. On others, it will be a stripped-down experience, but functional, as mentioned above.

The bottom line on cookies is that we can't live without them. Perhaps at some point in the future, a new alternative to them will be developed. However, as it stands, a large chunk of what makes the web useful and pleasant to use can only happen because of cookies.

The best strategy for the average user is to only allow cookies for sites that you trust. If you want to navigate sites where you prefer not to be tracked, it's better to use incognito mode. If incognito is too light on security for you, using something like Brave browser or the Tor browser could be an even better solution.

As for mainstream sites, check if you agree with their cookie policy. If not, then you can try looking for a site that has a better policy. If you can't, try knuckling through without them. If that's not possible, well, the last choice is to look for that service or information offline.


