back to article Google bod wants cookies to crumble and be remade into something more secure

A key member of the Google Chrome security team has proposed the death of cookies to be replaced with secure HTTP tokens. This week Mike West posted his "not-fully-baked" idea on GitHub and asked for comments. "This isn't a proposal that's well thought out, and stamped solidly with the Google Seal of Approval," he warns. "It's …

  1. FF22

    Zero understanding of cookies

    Author has obviously zero understanding of how cookies work:

    "Or, in other words, tracking code would be controlled by a browser through a secure HTTP header (a unique 256-bit value) passed along when someone visits a given website, rather than held on the server."

    Cookies are already passed in HTTP headers, and cookies are already not stored on the server-side. That's essentially the definition of cookies (ie. information not stored on the server side passed back and forth in HTTP headers), so, this new "secure tokens" thing definitely can't work like this.

    1. JohnFen

      Re: Zero understanding of cookies

      After reading the Github piece, it seems that this misunderstanding comes from the El Reg author. It's sortof understandable, as Mike West's essay is intended for people who know this stuff and doesn't make it crystal clear exactly what he's talking about when referring to servers storing cookies.

    2. Nate Amsden

      Re: Zero understanding of cookies

      how are cookies not stored on the server side ? Any cookie associated with a site would be transmitted to the site and the site can store that data if it wishes(but it probably already has that data in other forms, e.g. session info, items in your shopping cart). Back when I worked for an ad targeting company many years ago we collected probably 40TB of log data per day, most of that was cookie stuff from the tracking pixels.

      It's pretty trivial to configure most web servers to log the contents of the cookies.

      Of course I could be misunderstanding what you are saying as well.

      1. sabroni Silver badge

        Re: Zero understanding of cookies

        Cookies may be stored on the server side but that's not what they're about. What's important is that the server told your browser to remember something and when your browser next connects to that server the thing is sent.

        So a session identifying cookie is useless if the server doesn't store it, it's just a key into a server side data store. A "default to the UK view" cookie is pointless if stored on the server, it's specifically about offloading that information to the client.

        The concept is simple. Server says to client "remember this", client sends "this" every time it talks to server.

        1. Michael Wojcik Silver badge

          Re: Zero understanding of cookies

          So a session identifying cookie is useless if the server doesn't store it, it's just a key into a server side data store.

          If only. Perhaps you haven't seen the vast numbers of web applications that serialize server-side objects and send the serial representation as the cookie value? Then the server doesn't have to store anything, and you get fun "Marshalling1 Pickles" vulnerabilities in the bargain.

          Since this class of vulnerabilities was popularized, some applications have moved away from using serialized objects as cookie values, and others have introduced mitigations like HMACs, signatures, or encryption into the cookies. But there are still plenty of offenders.

          1 sic, from the title of the famous AppSecCali 2015 presentation.

          1. sabroni Silver badge
            Facepalm

            Re: Perhaps you haven't seen the vast numbers of web applications that serialize....

            .... server-side objects and send the serial representation as the cookie value?

            Or perhaps I wrote "Session identifying cookie" because I was talking about cookies that identify a session on the server.

      2. Christian Harten

        Re: Zero understanding of cookies

        What happens on the server entirely depends on the application, whereas it's more likely that a cookie is stored on the client, even though the client can of course refuse to store the cookie or simply not send it back.

        1. Michael Wojcik Silver badge

          Re: Zero understanding of cookies

          What happens on the server entirely depends on the application

          Well, no. That depends on the server, and other components of the application's execution environment, such as frameworks, language runtimes, and application engines. And there could be middleboxes that record cookies, etc. There are many possible server-side components with access to cookie values.

    3. Charlie Clark Silver badge

      Re: Zero understanding of cookies

      Author has obviously zero understanding of how cookies work:

      Indeed cookies exist to add state to a stateless protocol. I remember reading an early book on website statistics that explained how cookies could be used for tracking.

      With http/2's increasing adoption, http is no longer entirely stateless and moving state into http means that the specification can decide which state is available to which processes. You can do this already with cookies but nothing forcers websites to do it.

  2. JohnFen

    Makes no sense

    "would create a new default where user tracking has security and privacy built in"

    Unless the "new default" includes a means by which you can prevent these identifiers from being created for you, this is impossible. You can't have security & privacy and still have user tracking unless that tracking is opt-in.

    EDIT: I commented before I read the Github piece, and he's including the ability for users to delete these things. Let's hope, though, that this functionality is opt-in and not opt-out.

    1. Michael Wojcik Silver badge

      Re: Makes no sense

      Given the vast array of other potential tracking mechanisms, I'm not sure how much this matters in practice, except for honest sites that want to use it as a standard way for users to discard their prior relationship with the site.

  3. Grikath

    Riiiight....

    "and several people have pointed out that large companies like Facebook, which rely on cookies to give them endless access to user data, are unlikely to be excited about the idea of restrictions on what they can currently do."

    Given that the guy's Boss is just as bad in tracking stuff as FB and the like, I doubt that Google/Alphabet will be too happy with this concept of "limitation" as well.....

    1. Oengus

      Re: Riiiight....

      I doubt that Google/Alphabet will be too happy with this concept

      What do you want to bet that he has come up with an idea that allows the tracking that he hasn't published. An idea that mere mortals will find hard to implement but the likes of Alphabet and FB with their mega resources will be able to implement so they can keep tracking...

      1. Steve Davies 3 Silver badge
        Mushroom

        Re: Riiiight....

        Surely (dons tinfoil hat) Google will make sure that THEIR cookie replacements can't be deleted....

        After all they don't want to lose such a valuable source of data now do they?

        Then, will the EU need to pass another law about the new cookies?

        I'd better step carefully as there are minefield warning signs all around me.... too late boom

        1. Doctor Syntax Silver badge

          Re: Riiiight....

          "Surely Google will make sure that THEIR cookie replacements can't be deleted."

          How? It's the browser that stores them. Even if Google decided that their browser wouldn't delete them the rest of the browsers wouldn't be bound by that.

    2. JohnFen

      Re: Riiiight....

      In his twitter feed, he already acknowledges that other parts of Google are not very keen on this idea.

  4. Kev99 Silver badge

    When Netscape first introduced cookies I sent them a letter informing them I'd file charges of theft against them because the cookies were taking up space on my harddrive without my permission. Interestingly enough, I didn't get cookies for several weeks. I'd love to see cookies banned and some more secure ID method created. One that would disappear once one left the site. Now I have to use the modern three finger salute (CTRL-SHIFT-DEL) multiple times a session.

    1. Sampler

      Most browsers allow you to clear cookies on close, so, maybe not when you navigate away from the site, but certainly when you've finished your browsing session, which minimises, if increases your own hassle..

      1. Neil Barnes Silver badge

        But how many people realise that? And how many people simply leave the browser on all the time?

        I'd love a 'clear all cookies set by this page' which operates as soon as the tab is closed to be in a browser by default. An exception list, of course, for those few that are required to e.g. maintain a login.

        1. Hans Acker
          Gimp

          I'd love a 'clear all cookies set by this page' which operates as soon as the tab is closed to be in a browser by default. An exception list, of course, for those few that are required to e.g. maintain a login.

          I use the Cookie AutoDelete add-on for Firefox. Sure would be nice to see that functionality by default in all browsers.

    2. Anonymous Coward
      Anonymous Coward

      @Kev; Uh huh. How did your attempts to have Netscape prosecuted for "theft" go, then?

      "Interestingly enough, I didn't get cookies for several weeks."

      You're saying that Netscape were the only people sending cookies at that point? Or did everyone back then pay attention to the quasi-legal letter you sent to Netscape?

      I winder how they knew you were the person that didn't want cookies, assuming you were behind a dynamic IP? Perhaps they stored some sort of persistent piece of information on your computer to remind them of that. *cough*

  5. Coen Dijkgraaf

    Stamp on Java?

    A slight error in that article, the subheading says Stamp on Java, but the body refers to JavaScript.

    I'd say the subheading is wrong.

    1. Kevin McMurtrie Silver badge

      Re: Stamp on Java?

      It's like I'm reading a Wired article by accident.

      1. Anonymous Coward
        Anonymous Coward

        Re: Stamp on Java?

        @Kevin McMurtrie; If it was a Wired article, it'd be at least six times longer than that and despite having bogged you down with information would give you the impression you hadn't actually learned that much by the end of it.

  6. Anonymous Coward
    Anonymous Coward

    EU Antitrust people will love this

    So Google, which owns the favorite browser of most of the internet, will be able to correlate these "not a cookies" but it's competitors will be either frozen out or disadvantaged? Don't worry, it won't be ruled a monopoly in the US as Micro$oft still has Edge and Bing, and a 8-9% market share .

    1. JohnFen

      Re: EU Antitrust people will love this

      No. The idea is that the "new cookies" will only be readable by the exact connection that created them. Google won't be able to read the ones created by others, and others won't be able to read the ones created by Google.

      This is actually a bit of a problem, as it also means that the data stored by "machine1.example.com" can't be read by "machine2.example.com" or even "example.com".

    2. RyokuMas
      Trollface

      Re: EU Antitrust people will love this

      Good point, but I'm afraid I can't upvote someone who still spells "Microsoft" with a dollar sign...

      1. Rich 11

        Equality

        Google$, Fa$cebook, Twi$tter... Happy now?

        1. Anonymous Coward
          Anonymous Coward

          Re: Equality

          > Fa$cebook

          You ignorant cretin! The correct derogatory term is "Faecebook".

  7. Anonymous Coward
    Anonymous Coward

    Beware those bearing Gifts esp Banksters & Techsters

    "Your Name Is All Over the Internet. It Doesn’t Need to Be. As more activity is linked to our real names, the stakes seem excessively high. Eric Schmidt lamented, “One of the errors that the Internet made a long time ago is that there was not an accurate and non-revocable identity-management service.” (Google Plus was originally intended to provide just that!)"

    https://www.bloomberg.com/news/articles/2018-08-15/real-names-online-raise-the-stakes-far-too-high

    1. JohnFen

      Re: Beware those bearing Gifts esp Banksters & Techsters

      If your real name is all over the internet, that's because you put it there. Mine isn't, and a couple of my pseudonyms are plausibly real names, so sites that have a "real name" policy can't tell it's a pseudonym.

      1. Throatwarbler Mangrove Silver badge
        Thumb Up

        Re: Beware those bearing Gifts esp Banksters & Techsters

        Yep. True story: Facebook suspended my account for not conforming to their "real name" policy. I didn't fully care whether they perma-banned me, so I sent a scan of my photo ID crudely altered with MS Paint to reflect my pseudonym, under the assumption that the ID would be vetted by OCR rather than a human. If I was wrong, it would have cost me nothing of value. My scan passed muster, however, and my account was reinstated with my pseudonym intact.

      2. Doctor Syntax Silver badge

        Re: Beware those bearing Gifts esp Banksters & Techsters

        "If your real name is all over the internet, that's because you put it there."

        Not necessarily. Real names are seldom unique. 192.com finds a whole slew of other mes although many can be distinguished by a middle name. Linkedin finds more.

        Just because someone's real name is all over the internet it doesn't mean you put it there.

        1. JohnFen

          Re: Beware those bearing Gifts esp Banksters & Techsters

          I understand what you're saying -- my real name is very, very common and so there are numerous people on the internet who are not me, but who have my name.

          I don't think that counts as "my name is on the internet", though. Having a bunch of other people using the same name as me just gives me plausible deniability.

    2. Anonymous Coward
      Anonymous Coward

      'Google Plus was originally intended to...'

      Forget real name for a sec! The OP post is about Google wanting to champion ID verification & control i.e. 'Own it'. Google wanting to fix cookies is another attempt at that!

  8. J27

    I'm not 100% sold on this solution (which sounds like just extending the idea of bearer tokens to replace cookies), but I definitely support dropping cookies. Cookies can store too much arbitrary information about a user, and 3rd party cookies are a security nightmare. Replacing them with a more-restricted system that doesn't allow 3rd party access is a good idea.

    1. Mage Silver badge
      Joke

      Re: doesn't allow 3rd party access is a good idea.

      Strangely I HAVE disabled ALL 3rd party cookies. The browser has a setting. It should be the default, but isn't.

      I have never ever experienced any lack of functionality on a website from doing this. The proposal is about the 1st party cookies needed for log in like these comments, multpage forms and shopping. Because of a flaw in the original design of the website concept. One of a number, according to Ted Nelson. See Project Xanadu :)

      1. Craigie

        Re: doesn't allow 3rd party access is a good idea.

        I have also disabled all 3rd party cookies (feelsgoodman.jpg) and 99.9% of the time it causes no issues, but it has caused a few. If an application has deep integration with a 3rd party app via an iframe then it tends to come unstuck. It hasn't happened often enough for me to re-enable 3rd party cookies though.

  9. Pseu Donyme

    On a related note

    The defaults on all browsers to ought to be: session cookies only, no 3rd party cookies.

  10. RyokuMas
    Stop

    What's the betting...

    "... the Google Chrome security team has proposed the death of cookies to be replaced with secure HTTP tokens.

    What's the betting that these tokens will be an absolute nightmare to block compared to cookies?

    1. Doctor Syntax Silver badge

      Re: What's the betting...

      "What's the betting that these tokens will be an absolute nightmare to block compared to cookies?"

      Blocking is done at the browser. The choice of browser is yours. Even if Chrome were to refuse to block them or give access to add-ons which did other browsers would be unlikely to follow; even if most of them did blocking would become a USP for the one that didn't.

  11. Anonymous Coward
    Anonymous Coward

    Store cookies on a blockchain

    and charge companies to read them ?

    1. Michael Wojcik Silver badge

      Re: Store cookies on a blockchain

      Needs more AI.

  12. iron Silver badge

    Poachers that want to be Gamekeepers

    Given Mr West's employer and their love of Orwellian stalking I find it hard to trust this proposal. Cookies have their problems but at least we know what they are and how to control them.

  13. poohbear

    I've got $10 that says Microsoft's implementation will be incompatible with everyone else's.

    1. katrinab Silver badge

      OK, I'll put $10 that they won't, as Microsoft is no longer the market leader in web browsing.

      Unless, of course, Google, who are the market leader, implement something that Microsoft for one reason or another are unable to replicate.

  14. FlamingDeath Silver badge

    TL;DR

    So I’m just gonna say, HSTS preload

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like