Damn Cookies, Damn Security.

Published on: 1197047662
Since the day that cookies became part of our browsers, there were people who had serious objections against them. And after all these years I have to say they were right. Cookies are serious business. The reason I object to cookies is that they can be set without any permission. No webserver asks me if it's alright to modify my browser and inject a cookie. If you look at it this way, you notice that we are all being hacked all day without our permission.

The problems caused by cookies are simple:

- CSRF (unauthorized access through them)
- XSS (hijacking cookies)
- Phishing (cookie reuse)
- Privacy issues (marketeers)
- Reconnaissance (gain intel on users)
- Persistent tracking storage

Why do we still use them? Well, the cookie layer is basically put on top of the stateless HTTP protocol. The server was never meant to know each individual user. And why should a webserver know or identify you? Why? Because of its usability aspect, and, well, yes, because we can. And it is human nature that everything we possibly can do, we will do someday. So we are still using an outdated system that has flawed protocols with insecure layers on top.

Then I talk to a lot of people who say: well, we use SSL with signed certificates, so cookies are not an issue if they get stolen. The problem is, your certificate is as valid as your signature on a piece of paper when an XSS or SQL hole is found, because no one can tell if it's legit. If you cannot trust anyone in security, why do people still trust certificates or the people who issue them? I can propagate cookies through an SSL layer, and I will be able to be the man in the middle. Security doesn't work like this; certificates don't say a damn thing. Banks then tell us: look at the lock icon in your browser's URL bar, it says we are legit. Yeah right, I can put one there too, but it does not make me legit.

It is a security issue and a privacy issue that almost no one talks about anymore. Everybody seems to focus on JavaScript, while without cookies there isn't that much power left for JavaScript to unleash its fury. It's time I drop cookies, and you should too. I should have no right to modify your PC, because that is what happens.

Okay, then you have people who use NoScript, NoFlash, NoCookies. But there is a problem with that: the result is that 80% of the web becomes unusable. So they invented "trusted" lists of websites in the form of whitelists. Sorry, but that doesn't make sense at all. So you trust the site you whitelisted? Why are you so sure that the site owner isn't some crazy hacker with the ambition to own your PC? You can't tell. Furthermore, what if your favorite whitelisted website gets hacked the next day and is propagating malware when you open it while enjoying the luxury of a cup of coffee?

For me, working in the security business is like being a schizophrenic, from all sides we see threats but at the