Saturday, December 31, 2005

The NSA and Cookies

Some people are getting seriously overly-paranoid about the recent revelation that the NSA was setting permanent (well, very long life) web cookies and that federal guidelines state they should only use "session-only" cookies (ones that go away if you shut down your browser or reboot your computer). There never was any danger.

If you've read any of my other posts, you'll know I despise the Bush administration and have nothing but contempt for the illegal wiretapping Bush has been doing for the past four years. But don't get your knickers in a twist over the NSA cookies because they are not a danger. I know this because I geek for a living.

The http protocol (the thing that requests and receives web pages) is "stateless." It doesn't have any memory of what you've done before. It cannot even be sure that the computer requesting one page from a web server is the same as the computer requesting a different page on the same server. They may have the same IP address, but if you're on dial-up you could have been kicked off after getting one page, somebody else connects and gets your old IP address and requests the other page. It's unlikely, but it's possible.

This statelessness makes it impossible to implement things like shopping carts. That's why Netscape came up with the idea of cookies. Now, like all of Netscape's design decisions made before it became open source software, the design decision was made without consultation with any of the Internet or WWW standards bodies, the concept was flawed and the implementation was even more flawed, but it kind of worked.

If you feel like being bored senseless by geeky things, here is Netscape's original cookie specification. Here is the Internet Engineering Task Force's attemp to fix Netscape's flawed proposal before it got cast in stone. Naturally, both Netscape and Microsoft[turdmark] decided not to do it the right way because they'd already shipped the broken way to a handful of beta testers. The IETF eventually came up with a way of doing it right while accommodating browsers that chose to do it the flawed Netscape way.

If you did read the geeky stuff, you'll have seen that there are mechanisms in place so that only the site that issued the cookie to your browser will get to see its contents. Even with cookies that expire far in the future the best the NSA can do is tell if you've been there before when you visit the NSA website (and, depending upon stored content, perhaps some of what you looked at last time). They can't use those cookies to find out that you've been visiting or or or

Of course, cookies can be abused by advertisers like DoubleClick (or "doublecunts" as they're known in the geek trade). Just about any website you go to has adverts from one of a handful of advertising placement companies. Each of those adverts is accompanied by a cookie from that company. So if you visit different websites with adverts from the same company, they can track where you have been. If you go to site A and see an advert from it leaves a cookie. If you then go to site B that has an advert from it can inspect the cookie it left from the previous advert and keep track of you. Eventually you buy something on-line from a company that has an agreement with to hand over your personal details, and then they have you. A flood of junk mail and junk e-mail.

But unless the NSA is secretly running an advertisement placement company (not impossible) they can't do that to you. And even if the NSA were doing that, it would be unrelated to, and unaffected by, cookies from

Of course, in the early days of cookies both Netscape and Microsoft made fundamental, "computer programming 001" type mistakes that meant that a specially-crafted cookie could do bad things to your computer. Those problems got fixed, eventually, and it's been years since a cookie could cause actual damage.

Some people have also been overly-paranoid about why the NSA were using cookies in the first place since the site apparently doesn't need them. So are they right?

<clickety-clickety> - the webserver claims it's running Microsoft Internet Information Server version 6.0. Webservers sometimes lie about what they are in order to try to prevent people attacking them, but nobody with any sense would make a webserver lie and claim to be IIS/6.0 since every script-kiddy in the land would try to attack it (because Microsoft products are a pile of shit as far as security goes). Microsoft webservers turn on cookies by default. In fact it's damned difficult to turn them completely off. So an upgrade or security patch to IIS could have re-enabled them. No sign of them on the main page or a few randomly-chosen pages.

Ah-ha! The job application form sent a cookie, which is entirely reasonable if it's a multi-stage form. A cookie labelled "WebLogicSession". <google google> WebLogic is from BEA and "delivers application infrastructure technology in a single, unified, easy-to-use platform for application development, deployment, and management." Translation: it's a tool that allows complete morons to create websites with interactive content (like job application forms). There are a lot of similar products, and almost all of them use cookies unnecessarily, not just on the pages where they're needed.

So it looks like the NSA claim that they upgraded some third-party software which decided to use cookies everywhere and set for long expiry times is at least plausible. And even if it's a complete fabrication there was never any danger in the first place.


Post a Comment

<< Home