Internet Safety and Protecting Your Cookies


The Modern Dilemma

A friend asked me, “What can I do to keep safe on the Internet?”

These days, most Internet access is through browsers. But not all of it. I do not use web mail. Electronic mail should be done with a dedicated tool like Thunderbird, configured for viewing messages in plain text form, and with local storage (on my computer) of the address book and the Trash and Sent folders.

But other than ssh for remote command-line access and scp for file copying, almost all of the rest of Internet user access is through browsers.

Keep Your Hands Off My Cookies

We mention web cookies in Learning Tree’s System and Network Security Introduction course, and we get into a few of their details in the CompTIA Security+ test prep course.

A web server gives your browser a cookie, a small piece of data which the browser sends back with every subsequent request to that same site. Servers use cookies to track page view history, like Amazon suggesting “Based on what you have recently viewed, maybe you would like this.”

Servers also maintain sessions, as when you click “Add to my shopping cart.” That’s an anonymous session. When you sign into your Amazon account, the new cookie gives access to your account including your credit card information.

The same-origin rule means you can be signed in to Amazon in one browser tab to set up a purchase, while you are signed into your bank in another tab to make sure the purchase is not a bad idea. Your browser should send the bank cookies to the bank site only, and the Amazon cookies to Amazon only.

But…

A cross-site scripting (or XSS) attack could confuse your browser. It might think that a component of a hostile page really comes from a trustworthy site, sending a cookie that provides access to your bank account to the Russian mob.

Cookies Go Stale, And That’s A Good Thing

A cookie can include an expiration date and time, at which point the browser will delete it. Or, better yet, since not everyone keeps their clock synchronized with NTP, a session cookie specifies no expiration time and is deleted when the browser exits, or when the browser restarts after a crash and finds a stale session cookie already stored.

This is why a more cautious site invites you to click a “Log Out” button to invalidate your authentication cookie, and then tells you to close and restart your browser.
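To make the session-versus-persistent distinction concrete, here is an added example (not part of the original post) that classifies Set-Cookie header values by whether the browser drops them on exit. The sample headers and the helper names classify and survives_browser_exit are constructed for illustration; it also handles Max-Age, an attribute the post does not mention, which RFC 6265 gives precedence over Expires.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values for illustration (not from a real site).
SAMPLE_HEADERS = [
    "cart=7f3a; Path=/",                                   # anonymous session
    "auth=tok123; Path=/; Secure; HttpOnly",               # signed-in session
    "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "track=u42; Max-Age=31536000; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "old=x; Max-Age=0",                        # server asking for deletion
]


def classify(header, now):
    """Return (name, kind, expires_at) for one Set-Cookie header value.

    kind is "session" (no expiry, dropped when the browser exits),
    "persistent" (stored until expires_at) or "expired".
    """
    jar = SimpleCookie()
    jar.load(header)
    if not jar:
        raise ValueError(f"unparseable Set-Cookie value: {header!r}")
    name, morsel = next(iter(jar.items()))
    max_age, expires = morsel["max-age"], morsel["expires"]
    if max_age:                        # relative lifetime, overrides Expires
        expires_at = now + timedelta(seconds=int(max_age))
    elif expires:                      # absolute time, depends on the clock
        expires_at = parsedate_to_datetime(expires)
        if expires_at.tzinfo is None:  # treat a zone-less date as UTC
            expires_at = expires_at.replace(tzinfo=timezone.utc)
    else:
        return name, "session", None
    return name, ("expired" if expires_at <= now else "persistent"), expires_at


def survives_browser_exit(headers, now):
    """Names of cookies still stored after every browser process has exited."""
    return [n for n, kind, _ in (classify(h, now) for h in headers)
            if kind == "persistent"]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for h in SAMPLE_HEADERS:
        print(classify(h, now))
    print("still stored after exit:", survives_browser_exit(SAMPLE_HEADERS, now))
```

Of the sample cookies, only the two with an explicit lifetime remain after the browser exits; the cart and auth cookies are gone once the last browser process ends.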

Cookies Can Make A Mess

The hassle is that I must stop all processes of that browser in order to have the session cookies deleted. Every tab of every window until that browser’s processes are all terminated.

But I was in the middle of something…

Compartmentalize With Multiple Browsers

I solve this problem by running two different browsers simultaneously.

I start Firefox, which opens a number of tabs to monitor what’s going on in the world. BBC News, National Weather Service radar from the nearest site and the next site to the southwest plus regional radar composites, aurora alerts, and more.

Then I start Chrome, where I get things done — test web pages I’m writing and uploading in a terminal window, search Google, search Wikipedia, sign in to blog.learningtree.com to upload these blogs, and more.


If I need to sign in to a critical account, meaning my finances or personal information — Amazon, a bank, PayPal, health-care records — I open a new tab in Firefox and do it there.

When I’m done, I click “Log Out”, close that tab, and close the browser. Then, because it’s Firefox and who knows what it might still be doing, I go to the terminal window and:

$ pkill firefox
$ pgrep firefox

As Ripley said in Aliens, “I say we take off and nuke the entire site from orbit. It’s the only way to be sure.”

I might have two or three things underway in Chrome when I need to do a quick secure check of something critical. Firefox is just monitoring things, so I do the check there and then kill off Firefox. When I restart Firefox it will go back to its standard set of tabs. Meanwhile my Chrome-based projects continue.

Use This In The Way That’s Best For You

It’s not that I think Firefox is more secure. Actually, I think Chrome has a slight security advantage. But Firefox is secure enough, and I much prefer Chrome for my interactive work.

The key thing is that I don’t leave sensitive cookies lying around, and I don’t interrupt my work.

Try compartmentalizing your Internet access with multiple browsers.
