Google bod wants cookies to crumble and be remade into something more secure A key member of the Google Chrome security team has proposed the death of cookies to be replaced with secure HTTP tokens. This week Mike West posted his "not-fully-baked" idea on GitHub and asked for comments. "This isn't a proposal that's well thought out, and stamped solidly with the Google Seal of Approval," he warns. "It's …
Author has obviously zero understanding of how cookies work:
"Or, in other words, tracking code would be controlled by a browser through a secure HTTP header (a unique 256-bit value) passed along when someone visits a given website, rather than held on the server."
Cookies are already passed in HTTP headers, and cookies are already not stored on the server-side. That's essentially the definition of cookies (ie. information not stored on the server side passed back and forth in HTTP headers), so, this new "secure tokens" thing definitely can't work like this.
After reading the Github piece, it seems that this misunderstanding comes from the El Reg author. It's sortof understandable, as Mike West's essay is intended for people who know this stuff and doesn't make it crystal clear exactly what he's talking about when referring to servers storing cookies.
how are cookies not stored on the server side ? Any cookie associated with a site would be transmitted to the site and the site can store that data if it wishes(but it probably already has that data in other forms, e.g. session info, items in your shopping cart). Back when I worked for an ad targeting company many years ago we collected probably 40TB of log data per day, most of that was cookie stuff from the tracking pixels.
It's pretty trivial to configure most web servers to log the contents of the cookies.
Of course I could be misunderstanding what you are saying as well.
Cookies may be stored on the server side but that's not what they're about. What's important is that the server told your browser to remember something and when your browser next connects to that server the thing is sent.
So a session identifying cookie is useless if the server doesn't store it, it's just a key into a server side data store. A "default to the UK view" cookie is pointless if stored on the server, it's specifically about offloading that information to the client.
The concept is simple. Server says to client "remember this", client sends "this" every time it talks to server.
So a session identifying cookie is useless if the server doesn't store it, it's just a key into a server side data store.
If only. Perhaps you haven't seen the vast numbers of web applications that serialize server-side objects and send the serial representation as the cookie value? Then the server doesn't have to store anything, and you get fun "Marshalling1 Pickles" vulnerabilities in the bargain.
Since this class of vulnerabilities was popularized, some applications have moved away from using serialized objects as cookie values, and others have introduced mitigations like HMACs, signatures, or encryption into the cookies. But there are still plenty of offenders.
1 sic, from the title of the famous AppSecCali 2015 presentation.
What happens on the server entirely depends on the application
Well, no. That depends on the server, and other components of the application's execution environment, such as frameworks, language runtimes, and application engines. And there could be middleboxes that record cookies, etc. There are many possible server-side components with access to cookie values.
Author has obviously zero understanding of how cookies work:
Indeed cookies exist to add state to a stateless protocol. I remember reading an early book on website statistics that explained how cookies could be used for tracking.
With http/2's increasing adoption, http is no longer entirely stateless and moving state into http means that the specification can decide which state is available to which processes. You can do this already with cookies but nothing forcers websites to do it.
"would create a new default where user tracking has security and privacy built in"
Unless the "new default" includes a means by which you can prevent these identifiers from being created for you, this is impossible. You can't have security & privacy and still have user tracking unless that tracking is opt-in.
EDIT: I commented before I read the Github piece, and he's including the ability for users to delete these things. Let's hope, though, that this functionality is opt-in and not opt-out.
"and several people have pointed out that large companies like Facebook, which rely on cookies to give them endless access to user data, are unlikely to be excited about the idea of restrictions on what they can currently do."
Given that the guy's Boss is just as bad in tracking stuff as FB and the like, I doubt that Google/Alphabet will be too happy with this concept of "limitation" as well.....
I doubt that Google/Alphabet will be too happy with this concept
What do you want to bet that he has come up with an idea that allows the tracking that he hasn't published. An idea that mere mortals will find hard to implement but the likes of Alphabet and FB with their mega resources will be able to implement so they can keep tracking...
Surely (dons tinfoil hat) Google will make sure that THEIR cookie replacements can't be deleted....
After all they don't want to lose such a valuable source of data now do they?
Then, will the EU need to pass another law about the new cookies?
I'd better step carefully as there are minefield warning signs all around me.... too late boom
When Netscape first introduced cookies I sent them a letter informing them I'd file charges of theft against them because the cookies were taking up space on my harddrive without my permission. Interestingly enough, I didn't get cookies for several weeks. I'd love to see cookies banned and some more secure ID method created. One that would disappear once one left the site. Now I have to use the modern three finger salute (CTRL-SHIFT-DEL) multiple times a session.
But how many people realise that? And how many people simply leave the browser on all the time?
I'd love a 'clear all cookies set by this page' which operates as soon as the tab is closed to be in a browser by default. An exception list, of course, for those few that are required to e.g. maintain a login.
I'd love a 'clear all cookies set by this page' which operates as soon as the tab is closed to be in a browser by default. An exception list, of course, for those few that are required to e.g. maintain a login.
I use the Cookie AutoDelete add-on for Firefox. Sure would be nice to see that functionality by default in all browsers.
@Kev; Uh huh. How did your attempts to have Netscape prosecuted for "theft" go, then?
"Interestingly enough, I didn't get cookies for several weeks."
You're saying that Netscape were the only people sending cookies at that point? Or did everyone back then pay attention to the quasi-legal letter you sent to Netscape?
I winder how they knew you were the person that didn't want cookies, assuming you were behind a dynamic IP? Perhaps they stored some sort of persistent piece of information on your computer to remind them of that. *cough*
So Google, which owns the favorite browser of most of the internet, will be able to correlate these "not a cookies" but it's competitors will be either frozen out or disadvantaged? Don't worry, it won't be ruled a monopoly in the US as Micro$oft still has Edge and Bing, and a 8-9% market share .
No. The idea is that the "new cookies" will only be readable by the exact connection that created them. Google won't be able to read the ones created by others, and others won't be able to read the ones created by Google.
This is actually a bit of a problem, as it also means that the data stored by "machine1.example.com" can't be read by "machine2.example.com" or even "example.com".
"Your Name Is All Over the Internet. It Doesn’t Need to Be. As more activity is linked to our real names, the stakes seem excessively high. Eric Schmidt lamented, “One of the errors that the Internet made a long time ago is that there was not an accurate and non-revocable identity-management service.” (Google Plus was originally intended to provide just that!)"
https://www.bloomberg.com/news/articles/2018-08-15/real-names-online-raise-the-stakes-far-too-high
Yep. True story: Facebook suspended my account for not conforming to their "real name" policy. I didn't fully care whether they perma-banned me, so I sent a scan of my photo ID crudely altered with MS Paint to reflect my pseudonym, under the assumption that the ID would be vetted by OCR rather than a human. If I was wrong, it would have cost me nothing of value. My scan passed muster, however, and my account was reinstated with my pseudonym intact.
"If your real name is all over the internet, that's because you put it there."
Not necessarily. Real names are seldom unique. 192.com finds a whole slew of other mes although many can be distinguished by a middle name. Linkedin finds more.
Just because someone's real name is all over the internet it doesn't mean you put it there.
I understand what you're saying -- my real name is very, very common and so there are numerous people on the internet who are not me, but who have my name.
I don't think that counts as "my name is on the internet", though. Having a bunch of other people using the same name as me just gives me plausible deniability.
I'm not 100% sold on this solution (which sounds like just extending the idea of bearer tokens to replace cookies), but I definitely support dropping cookies. Cookies can store too much arbitrary information about a user, and 3rd party cookies are a security nightmare. Replacing them with a more-restricted system that doesn't allow 3rd party access is a good idea.
Strangely I HAVE disabled ALL 3rd party cookies. The browser has a setting. It should be the default, but isn't.
I have never ever experienced any lack of functionality on a website from doing this. The proposal is about the 1st party cookies needed for log in like these comments, multpage forms and shopping. Because of a flaw in the original design of the website concept. One of a number, according to Ted Nelson. See Project Xanadu :)
I have also disabled all 3rd party cookies (feelsgoodman.jpg) and 99.9% of the time it causes no issues, but it has caused a few. If an application has deep integration with a 3rd party app via an iframe then it tends to come unstuck. It hasn't happened often enough for me to re-enable 3rd party cookies though.
"What's the betting that these tokens will be an absolute nightmare to block compared to cookies?"
Blocking is done at the browser. The choice of browser is yours. Even if Chrome were to refuse to block them or give access to add-ons which did other browsers would be unlikely to follow; even if most of them did blocking would become a USP for the one that didn't.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
