A continuation in the popular series. This time I bring you...

Cookie Blockers

Cookiewall (for IE, free) (http://www.analogx.com/contents/download/network/cookie.htm)
Cookie Monster 1.4 (http://www.ampsoft.net/utilities/CookieMonster.php)
Cookie Jar (http://www.jasons-toolbox.com/programs.asp?Program=Cookie%20Jar) (last update was in 2002)
Cookies Manager v1.1 (http://home.nordnet.fr/~pmdevigne/programmes_e.html#CookiesManager)

Of course IE 6 and many alternate browsers have built in cookie controls...

Using the Cookie Manager (http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html)
How to Manage Cookies in Internet Explorer 6 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;q283185)

A couple of other products, while not cookie control are useful in managing other downloaded files...like ActiveX controls and BHOs

Active XCavator (http://cognitronix.com/)
BHODemon (http://www.definitivesolutions.com/bhodemon.htm) (on hiatus--old version)

Updated 5/17/2006 There are probably several more items to add to this list, if anyone can think of something PM me and I'll look into adding it.

mjc, once again you've taken on the "Cookie Monster" and we all will be batter for it! :rolleyes: ;)

Don't forget that Netscape 7 has cookie controls too, even if it has other problems.... (Not as bad as IE anyway)

I couldn't find any specific NS7 instructions...but the Moz instruction may work.

You control the cookie settings in Preferences. They are pretty straightforward and can be quite stringent. I will actually have to loosen them up to use PCGuide....

2.4 Are Cookies Dangerous to My Computer?
NO. A cookie is a simple piece of text. It is not a program, or a plug-in. It cannot be used as a virus, and it cannot access your hard drive.

2.6 Are Cookies a Threat to My Privacy?
The sad truth is that revealing any kind of personal information opens the door for that information to be spread.

^^ The Unofficial Cookie FAQ (http://www.cookiecentral.com/faq/) ^^

Basically what 2.6 is saying that there are numerous other ways that your information are being recorded. Credit cards being the main one.

Personally, I couldn't care less if doubleclick.net or whomever tracked my browsing habits.

If anything cookies from per say, doubleclick.net just tells them where to put more advertising banners at a particular site because they get more viewers. Or what banners are needed at their site. Or even still, tell other companies what viewers like you and me are more likely to look at.

Maybe I am being narrow minded, but I really don't see the threat with cookies. If they (cookies) were sending "personal information" then I would be more concerned.

Some cookies will try to gather personal information and use it for identity theft purposes. That is reason enough to me to be suspicious of them and to control them as much as possible.

That said: if you are comfortable with them, you are certainly free to leave the door as open as you would like for them to be planted on your computer.

As for 2.4... People who use cookies are always telling us about how safe they are, but the truth is that this is less true than it used to be and it will probably become even less true as time passes and hackers get trickier....

Not this I disbelieve you, but can you point to a web site that states that?

This is the best I could find at a drop of a hat regarding cookies.
http://www.techtv.com/callforhelp/stepone/jump/0,24331,2130616,00.html

demog
dpc=5%2F30%2F2003+1%3A37%3A08+PM&dp=0
bis.180solutions.com/

*
guid
54389058-ee32-468d-87c9-302f8b31ba83
bis.180solutions.com/

*
WEBTRENDS_ID
65.174.58.1-1029124096.29566699::313CE90AF7320A3CBEFA1908D349C AA9
bis.180solutions.com/


That is the content of one "tracking" cookie....notice, there are 2 unique ids?

Also, this particluar cookie, can be read at many websites, because it is a bis.180solutions cookie. Any site that has an ad from that server can read this cookie.

Now the fun starts...
Cross site profiling comes into play, that is the ability for a comapany like Doubleclick to build a unique profile based on the unique ID from its cookie, gathered from multiple sites. This profile can contain a vast amount of info about you including more than just what you look at. The data can then be linked (through other means) to actual personal info.

Cookies that are specific to the site you are visiting (first party cookies) for the most part are still ok, but even some sites are now putting more data than needed and not all are hashing it, some store it in plain text (which is very dangerous if it happens to be a shopping site and that plain text happens to be your credit card number.....but cookie theft isn't really a cookie problem).

Third party cookies are the privacy problem, and yes they are getting better at building profiles based on the cookie IDs. And the fact that many popup ads are driven by this cookie system, it means that doubleclick(and others) is not putting the ads on a site, it is feeding them directly to YOU, customized based on the profile they have built for you.

Okay:

One. (http://www.theregister.co.uk/content/55/24653.html)

Two. (http://www.cert.org/tech_tips/malicious_code_FAQ.html)

Three. (http://www.ecommercetimes.com/perl/story/16147.html)

Four. (http://www.evolt.org/article/Malicious_JavaScript_shuts_down_Hotmail/1/1906/)

and Five. (http://www.creativepro.com/story/news/15520.html)

I didn't read these articles in detail, but each came up with a Google search for "malicious cookies" and seemed to represent ways that cookies can be misused currently... who knows what some nasty hacker will come up with tomorrow... I also could have used other negative search terms and probably come up with several more references.

Doh!...I had forgotten about that flaw in IE that let jscript be used in cookies.

Which of course means that cookies weren't exactly text files that don't execute.....a script file is just a text file, but it is an executable text file.

mjc,

I would totally agree it would be very dangerous if it happens to be a shopping site and that plain text happens to be your credit card number. But they don't do that.

What shopping sites generally do is have a session cookie that stores items that you are going to buy. When you are ready to pay for the items, they should take you to a secure site to enter your billing/shipping address and payment info. That info is not needed in a cookie.

If any web site did that, the privacy groups would have a field day. And you would bet that they wouldn't get anymore customers. :)

Third party cookies are the privacy problem and I agree to a certain point. All the points you stated are correct with the exception.... that doubleclick (and others) are not going to custom tailor banners and/or popup just for ME for every web site I go to.

There are millions of web surfers and each one will not have a banner/popup customized based on the profile they have built for them.

Banners and popups are going to happen regardless of cookies. What 3rd party cookies does though is tell doubleclick (and others) what banners/popups to use or should use in general.

But I can understand that some people want total and utterly privacy.
They can turn off cookies, ActiveX, Java/Javascripts and whatever else they deem as a security risk. All that is left is http://www.website.com/readme.txt.

Basically, paranoia has to have limits. I am not saying that you or anyone else here is paranoid by any means. I just want a friendly discussion with cookies. ( With chocolate of course. :) )
But what I am saying or should be asking, is there such a thing as too much privacy? Cookies do not reveal personal information. They only track what web sites you visit. This goes back to 3rd party cookies.

I can understand when cookies are stored in the user's computer without their consent or knowledge. I think that is where people start to worry. Cookies first, what is next? But then, it is easy to block 3rd party cookies.

Until that time, as Alfred would say, "Me not worried".
Or am I just being an Alfred?

For those that don't know Alfred, click here (http://www.dccomics.com/mad/).


By the way, I was curious to know how many cookies are stored on my computer. 195 to be exact. Have I lost privacy? I don't think I have.

Edit:
Budfred, I will read each one to be better informed. Thanks.
Mcj, I will check into that as well.

Actually, the way doubleclick et al are progressing I would not be very surprised if tailor made popups are not already happening (for their best profiles). Opera does tailor made banners and there ae sites that tailor the ads based on the profile (geocities would almost always give me computer related ads before I succeded in totally blocking all their ad servers).

And yes, I have seen some shopping sites keep the cookie data as plaintext, I don't know if CC data is included...never gave them that much info. Yeah, kind of makes a joke of having a secure server for transactions.

I have said elsewhere, that my preferred method of dealing with ActiveX is to use SpywareBlaster and set the kill bits for known "bad guys" (and of course use a browser other than IE).

Originally posted by Budfred Okay

1. Posted: 01/04/2002
Microsoft flaw. (But when isn't it?) But point taken.
Funny in a way too. HTML in a cookie. :D

2. Posted: February 2, 2000
That only had malicious Web scripts.

3. Posted: February 4, 2002
That only briefly talked about a "cookie" manager.

4. Posted: 05/11/2000
Another security hole enabling a malicious spammer to intercept Hotmail authentication cookies.

5. Posted: January 29, 2002
Netscape flaw leaves cookies unsecure.

Kinda old dates. Got anything within 3 to 6 months?


Edit:
Mjc, I think you were referring to when cookies could contain HTML. That has been fixed as far as I know.
And spelling. :)

The point that I am making is that these security holes happen and they are likely to be taken advantage of by malicious people out there. I don't want to risk finding out tomorrow that some hacker screwed up my system today through a previously unidentified hole in Netscape and they used a cookie to do it. It doesn't matter how old the references are, the point is that it can happen and, if it can, it will....

If you want to leave yourself open, fine, but please don't urge others to do so. Maybe you know how to cope and you don't mind people tracking your movements online, but a lot of people don't even know that this happens, so they don't protect themselves. I hope that the people reading this thread who might not know will take action to protect themselves or at least make a conscious decision not to.

And yes I am paranoid. I have worked with people who have dealt with identity theft and I don't want to go through that. I am willing to put up with ads as the price for using various services, but I don't want them trying to guess what I like and targeting ads at me. I especially don't want someone installing malicious code on my system through a cookie that take me hours or days to correct. As has been said: just because you're paranoid doesn't mean they aren't out to get you....:eek:
Edit: If you want to read more articles, you can find them with a Google search and keywords like "malicious"....

IE's flaw of the week....yeah MS "fixed" but what is the percentage of people who have applied the patch?

I have found that, especially true with ActiveX, that the scumware companies will push any weakness found. There is one right now that is using a "feature" of XP to protect itself from being removed...some of them have been caught making the popup boxes gifs and the entire box is one big clickable link to the installer. Granted, cookies are a little more tightly controlled but still one flaw that allowed html in cookies is one too many, because after all a cookie is supposed be only an inert text file.

Budfred,

Point taken. But the point I'm trying to get across is that total cookie control is pretty much at the bottom of my list.
I am more concerned is with email viruses and people downloading stupid programs thinking that they are getting a freebie program without actually buying it. And it ends up being a virus or trojan.
Things of that nature.

I have read horror stories about identity theft and that can cause a lot of trouble. But though a cookie? Just name one legitimate web site that stores personal information on a cookie. Just one and I will check it out.

Myself, I only go to legitimate web sites. The ones that are secure. If other people want to go to malicious, unsecured web sites, more power to them.

The Internet can be as useful or as dangerous as one sees it.
A little common sense goes a long ways. (And updates usually help as well. :))


Mjc,

Percentage? I would hope at least 95% by now given that those dates were back of early 2002. But of course there are those that don't update figuring that since they bought the final version, everything is secure. Or that they are on a very slow connection and rather not update. So that percentage could be lower.

As far as ActiveX is concerned, I am very wary of accepting them. Even from legitimate web sites. Microsoft certified included. :)


For the both of you,

I am not saying there are no security issues in general. But there are priorities when it comes to security.
I do block 3rd party cookies, but not for fear of being tracked. I block them because I have that option in my default browser. I am not concerned with session or persistent cookies though.

But nevertheless, a healthy discussion, or debate have you, shines more light on the subject and gives more options for people.

I once subscribed to a web site with a password and some personal information. That web site then sent me an unsecured email confirming the information I had given them, including the password. I immediately told them to delete me from their records and have stayed away from them sense. It was a legitimate commercial site that even had a privacy policy... that they didn't follow.

My point is that I don't want to take the risk of some malicious or just stupid programmer broadcasting my personal data on the web for malicious people to take advantage of. I don't know what was in that particular web site's cookie, but I wouldn't be surprised to find that they included personal details there. I don't feel the need to take the time to track down a case of someone being subjected to identity theft through a cookie, I acknowledge that it may never have happened. The point is that it could happen, especially with a malicious programmer, but even with just a stupid one. I prefer to avoid that as much as possible.

Cookie management is not the first priority on my list either, I don't think anyone here is suggesting that it should be. I am suggesting that after setting up a firewall, keeping AV software up to date, checking for spyware regularly, checking out any weird behavior of the computer when online and managing popups it is worthwhile to also manage cookies to protect yourself.

In every other aspect of life we take steps to protect ourselves (if we are at all motivated to stay intact and healthy), so it doesn't make sense to me that we wouldn't do the same thing online. We wouldn't want to go to another country without having some idea of the dangers that might lurk there and some preparation to limit these dangers. Yet many people go online, opening themselves to the entire world, and take little or no precautions. Internet crime is, I believe, the fastest growing area of crime in the world... just as I would not walk down a dark alley at night without considerable protection, I will not wander the web without protection.

The idea that you can somehow avoid the dark alleys of the web is ludicrous.... We just had a case on the news locally of someone writing to Mariah Carey on behalf of her blind granddaughter. She got back a very nasty note claiming to be from Ms. Carey, but it turned out that she had spelled the email address wrong and went to a copycat address that was trying to be hurtful. I remember trying to get to eBay several years ago now and typing in "ebid" because I couldn't remember the correct name. I was taken to a porn site that wouldn't let go until I shut down my connection and rebooted. I have even clicked on links from this forum and been taken to sites that try to hijack my browser when I close the main window and subject me to porn. Now I know to shut down and run a spyware scan, but how many people don't? In each case, you find yourself standing in a dark alley at midnight and don't even know how you got there.

More than once here, we have had people who post a problem, insist that it couldn't be due to malware and then it turns out that their system is riddled with garbage. Again, run as open as you would like and don't bother to wear a seat belt in you car if you would like, but please don't urge novices to do the same....

Facts about cookies.
[list=1]
The maximum content of a cookie is 4Kb.
A cookie can only be read by the site that placed it there.
A cookie cannot store any personal data such as your name, e-mail address or phone number UNLESS YOU EXPLICITLY PROVIDE THAT INFORMATION on a form at the site creating the cookie.
Cookies cannot access personal data or files from your hard drive.
Some cookies can make a click-by-click record of your surfing habits. Those are usually third party cookies. DoubleClick is notorious for this.
[/list=1]
Mcj, you are correct about banner/popups being custom made. Here is what DoubleClick states on their web site:
[list=1]
No personal information is used by DoubleClick to deliver Internet ads.

DoubleClick does not use your name, address, email address, or phone number to deliver Internet ads. DoubleClick does use information about your browser and Web surfing to determine which ads to show your browser.
[/list=1]

Other than that, cookies are more of privacy issue rather than computer havoc files that act like viruses.
A cookie is a simple text entry in a very simple text file on your hard drive. It is not a binary, it is not executable, it is not a program, it is not a windows short cut file/link. It is simpler than sending an email message.

And for your information, I do wear a seat belt when driving. Not because it is state law, but because I know it saves lives.

Furthermore, I have the right to show people the other side of the spectrum. Everything is not one sided.
The popular concepts and rumors about what a cookie can do have reached almost mystical proportions, frightening users to the point of paranoia.

Need I say more?

The facts that you note are true most of the time in most circumstances, but they are not always true as the links I posted earlier demonstrate. Legitimate sites follow the rules and the "facts" are most likely to be true. Illegimate sites do not and "facts" become "ifs"....

I'm glad you wear a seat belt, makes it safer for me too....

For me, it's more a matter of staying "clean." I posted recently about getting a cookie from a website I didn't even go to..and it turns out that you can get cookie from ads on other websites. Okay, well, sometimes when searching for help for someone here, I stumble into "eeww" places, and I don't want their cookies on my machine..like walking around with dirty toilet paper stuck to your shoe. Eeww. I like the little Cookie Manager because it doesn't have to run in the background.

Years ago, a friend of ours received a puter from a friend of hers. He didn't "clean" it up before giving it to her, and it was full of porno site cookies. Eewww! "Different strokes," but for me, I don't want that stuff on my puter.

Originally posted by Budfred
I once subscribed to a web site with a password and some personal information. That web site then sent me an unsecured email confirming the information I had given them, including the password. I immediately told them to delete me from their records and have stayed away from them sense. It was a legitimate commercial site that even had a privacy policy... that they didn't follow.
Was it a big commercial enterprise or just someone who has set up his little shop on the internet ?
One might suppose that private individuals are less legality-savvy than professionals.

That was quite a while ago, but if I remember correctly it was a large company that was investing a substantial amount in developing a web outlet for their goods. They should have known better, especially since their privacy policy said they did...

thanks for ur message thank u so much

halovivek,

If you want to raise your post count in a trivial way, please use the testing forum or reply only to new posts.

Thank you.

I've noticed a great difference between Internet Explorer and FireFox regarding Cookies.

For example, I can reject every single cookie in site A with I.E, including logging on etc, and it will still work. Compare this with FireFox where I can accept three requests for cookies, reject the 4th one, and it won't work unless I accept ALL the cookies.

Another example, let's call it Site B; in I.E. I accept two cookies and no more are 'thrown' at me for the remainder of the session - no matter how many pages I view.
In FireFox, I'm asked to accept 3 cookies. Before I've gone any further, it wants to 'Modify' a cookie, than it wants to Modify it again. Then, at every link I click on, it either wants to plant another cookie or else modify it. This doesn't occur with I.E. so why with FireFox.

With I.E. I use the excellent 'Cookie Pal'. When it pops up a request for a cookie, by default it's set to 'Reject', so a tap on the Enter key is all that's necessary to reject it. You can, say, accept the first two, then reject all the remainder. Unfortunately (as yet) it doesn't work with FireFox.

Contrast this with FireFox's "Cookie Handling"; even though you set it to "Only accept cookies from the originating site", it will throw up 3 or 4 'other' cookies, which I never receive when using I.E.
Sure, FireFox throws up an alert box when a cookie is received - but it is set by default to ACCEPT (the opposite of Cookie Pal's 'Reject'). You either have to keep using the mouse to click on Reject all the time, or it takes five keystrokes on EACH cookie to switch from Accept to Reject. Literally a pain in the Mouse!
If a site tries to set a cookie five times at each and every page, that's 25 keystrokes to reject them all. By keystrokes, that's 4 Tabs plus 1 Enter.

I sometimes use I.E. just to get away from it.

Mike2002,
Have you tried the Firefox privacy extension: "CookieSafe 0.9.2" ?
It allows more control over cookies than the default.

That and if you use theAdblock extension, adding all the advertising sites like doubleclick, etc you will stop most, if not all, the extra warnings.

Now, why don't you take a look in your IE cookie folder and see how many of those ad sites you actually have in there...it might surprise you.