Google Considers Deprecating Nonsecurely Delivered Cookies to Improve User Security
After seeing Facebook lose user trust, face investigations from privacy watchdogs, and invite government regulation, Google – the other data monster – is now planning to improve user privacy. But, not in a way you’d expect. The company is trying to put a short lifespan on cookies delivered via HTTP connections in another push to force web developers and advertisers to opt for HTTPS.
Sending cookies via HTTP is a security risk since these can be intercepted or even modified by an attacker. HTTPS, on the other hand, “provides significant confidentiality protections” against pervasive monitoring attacks.
Since advertisers are all about hoarding data, by limiting a cookie’s lifespan, Google engineers believe they will be pushed to go for HTTPS or risk losing that precious data that is used to track users across the web.
“Rather than sending sufficiently-old cookies over non-secure connections, we should instead delete them from the user’s cookie jar,” Google engineer Mike West has proposed (via BP). “That is, when connecting to ‘http://example.com/,’ we build a ‘Cookie’ header: if any cookie we’d put into that header is sufficiently old, we exclude it from the header, and delete it entirely.”
Cookies sent over plaintext HTTP are visible to anyone on the network. This visibility exposes substantial amounts of data to network attackers (passive or active). We know, for example, that long-lived and stable cookies have enabled pervasive monitoring in the past, and we know that HTTPS provides significant confidentiality protections against this kind of attack.
Ideally, browsers would mitigate these monitoring opportunities by making it more difficult to persistently track users via cookies sent over non-secure connections.
Remember, this approach doesn’t actually stop tracking users on the Internet but is only trying to make the process more secure by preventing attackers to have an easy access to this data.
This is a pretty mild proposal. It envisions a long-term ratcheting down of cookie lifetime. It's different in kind than the proposal Mozilla floated ~2 years ago to turn all cookies set from HTTP into session cookies. Also, it's been 2 years. Time to try again. 🙂
— Mike West (@mikewest) April 6, 2018
West said that Mozilla also tried this approach with its Firefox browser, however, it couldn’t make it to the stable release. Amid the increasing discussions on privacy and security (thanks to Facebook’s data misuse scandal), it will be interesting to see how other tech companies work on offering solutions that are a little more pro-user. While we probably won’t see any drastic changes, even smaller improvements might help users have at least some security and privacy on the internet.