Google Considers Deprecating Nonsecurely Delivered Cookies to Improve User Security

Apr 13, 2018

After seeing Facebook lose user trust, face investigations from privacy watchdogs, and invite government regulation, Google – the other data monster – is now planning to improve user privacy. But, not in a way you’d expect. The company is trying to put a short lifespan on cookies delivered via HTTP connections in another push to force web developers and advertisers to opt for HTTPS.

Sending cookies via HTTP is a security risk since these can be intercepted or even modified by an attacker. HTTPS, on the other hand, “provides significant confidentiality protections” against pervasive monitoring attacks.


Since advertisers are all about hoarding data, by limiting a cookie’s lifespan, Google engineers believe they will be pushed to go for HTTPS or risk losing that precious data that is used to track users across the web.

“Rather than sending sufficiently-old cookies over non-secure connections, we should instead delete them from the user’s cookie jar,” Google engineer Mike West has proposed (via BP). “That is, when connecting to ‘http://example.com/,’ we build a ‘Cookie’ header: if any cookie we’d put into that header is sufficiently old, we exclude it from the header, and delete it entirely.”

Cookies sent over plaintext HTTP are visible to anyone on the network. This visibility exposes substantial amounts of data to network attackers (passive or active). We know, for example, that long-lived and stable cookies have enabled pervasive monitoring in the past, and we know that HTTPS provides significant confidentiality protections against this kind of attack.

Ideally, browsers would mitigate these monitoring opportunities by making it more difficult to persistently track users via cookies sent over non-secure connections.
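The rule West describes has two parts: when a request goes out over plain http://, any cookie that would have been attached but is older than some threshold is left out of the Cookie header and removed from the jar entirely; over https:// the same cookie is sent as usual. The following is an added illustration written for this article, not Chromium code or anything from the proposal itself. It models a cookie jar with only name, value, domain and creation time (real cookies also carry Secure, HttpOnly, path and expiry attributes, which are left out here), and the one-week age threshold is an assumed placeholder, since the proposal only says "sufficiently old".

```python
import time
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit

# Assumed threshold. The proposal speaks of "sufficiently old" cookies
# without fixing a number; one week is a placeholder for this example.
DEFAULT_MAX_NONSECURE_AGE = 7 * 24 * 3600


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    created_at: float  # Unix timestamp at which the cookie was set


def domain_matches(host: str, cookie_domain: str) -> bool:
    """True if the request host is covered by the cookie's domain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


@dataclass
class CookieJar:
    max_nonsecure_age: float = DEFAULT_MAX_NONSECURE_AGE
    cookies: List[Cookie] = field(default_factory=list)

    def set_cookie(self, name: str, value: str, domain: str, created_at: float) -> None:
        """Store a cookie; a same-name cookie for the domain is replaced."""
        self.cookies = [
            c for c in self.cookies if not (c.name == name and c.domain == domain)
        ]
        self.cookies.append(Cookie(name, value, domain, created_at))

    def build_cookie_header(self, url: str, now: float) -> str:
        """Build the Cookie header for a request to `url`.

        Over https:// every matching cookie is sent and retained.
        Over http:// a matching cookie older than max_nonsecure_age is
        neither sent nor kept: it is deleted from the jar, as proposed.
        """
        parts = urlsplit(url)
        secure = parts.scheme == "https"
        host = parts.hostname or ""
        sent: List[Cookie] = []
        retained: List[Cookie] = []
        for c in self.cookies:
            if not domain_matches(host, c.domain):
                # Cookie is for another site: untouched by this request
                retained.append(c)
                continue
            age = now - c.created_at
            if not secure and age > self.max_nonsecure_age:
                # Sufficiently old and about to go out in the clear:
                # exclude it from the header and drop it from the jar
                continue
            sent.append(c)
            retained.append(c)
        self.cookies = retained
        return "; ".join(f"{c.name}={c.value}" for c in sent)

    def names(self) -> List[str]:
        return [c.name for c in self.cookies]


def demo() -> dict:
    """Walk one constructed scenario through both schemes (sample data)."""
    jar = CookieJar(max_nonsecure_age=3600)
    jar.set_cookie("old", "1", "example.com", created_at=0)
    jar.set_cookie("fresh", "2", "example.com", created_at=5000)
    jar.set_cookie("other", "3", "other.test", created_at=0)
    now = 6000.0
    https_header = jar.build_cookie_header("https://example.com/", now)
    after_https = jar.names()
    http_header = jar.build_cookie_header("http://example.com/", now)
    after_http = jar.names()
    return {
        "https_header": https_header,
        "after_https": after_https,
        "http_header": http_header,
        "after_http": after_http,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the design is visible in `demo()`: the same stale cookie is still delivered to `https://example.com/`, but a later plaintext request to `http://example.com/` both withholds it and erases it, so a site that keeps serving over HTTP watches its long-lived identifiers disappear while the cookie for an unrelated domain is unaffected.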

Remember, this approach doesn’t actually stop users from being tracked on the Internet; it only makes the process more secure by preventing attackers from having easy access to this data.


West said that Mozilla also tried this approach with its Firefox browser; however, it never made it to a stable release. Amid the increasing discussions on privacy and security (thanks to Facebook’s data misuse scandal), it will be interesting to see how other tech companies work on offering solutions that are a little more pro-user. While we probably won’t see any drastic changes, even smaller improvements might help users have at least some security and privacy on the internet.
