tracking cookies
Tracking Cookies
ECE 4112 Final Project
Phillip Shatzman and Jeff Magee
December 4, 2007
Overview
• Background
• Tracking Cookies in Action
• Code analysis
• Cookie Defense
• Spybot – Search & Destroy
• What students will learn / do
Background
• Track web activity
  – Marketing
• Online Retailer
• Privacy violations
  – Compiled in databases
• Multiple cookies per website
  – e.g. Link4Ads
• Third-party cookies
  – Pop-up banners
Tracking Cookies in Action
• Created 3 “domains”
• Each uses the same ad service
• Result: Each domain can target specific services based on the user's browsing habits
Live Webpage Demo
Index Webpage Code
<html>
<frameset rows="20%,15%,65%">
  <frame src="welcome.html">
  <frame src="c:\ece4112\ads\determineadcasino.html">
  <frame src="info.html">
</frameset>
</html>
• Advertisement frame is different for each, but in the same domain (“ad”)
  – determineadflorida, determineadretire
determinead Webpage Code
<script language="Javascript">
function checkCookie(){
  //Initialization of variables to be used
  var lf = "\n"; //character for next line
  var CookieString = document.cookie;
  var CookieSet = CookieString.split(';');
  var SetSize = CookieSet.length;
  var CookiePieces;
  var ReturnValue=""; //set default empty return if no cookie found
  var x = 0;
  for (x = 0; ((x < SetSize) && (ReturnValue == "")); x++){
    CookiePieces = CookieSet[x].split('=');
determinead Code (cont.)
if (CookiePieces[0].substring(0,1) == ' ' ){
CookiePieces[0] =
CookiePieces[0].substring(1, CookiePieces[0].length);
}//end if
if (CookiePieces[0] == "ad1"){
ReturnValue = CookiePieces[1];
}//end if
}//end for
return ReturnValue;
}//end checkCookie()
determinead Code (cont.)
function SetCookie(cookieName,cookieValue,nDays){
var today = new Date();
var expire = new Date();
if (nDays==null || nDays==0) nDays = 1; //default to a one-day lifetime
expire.setTime(today.getTime() + 3600000*24*nDays);
document.cookie = cookieName+"="+escape(cookieValue)+";expires="+expire.toGMTString();
}
determinead Code (cont.)
var returnval = checkCookie();
if (returnval == ""){ // no cookie found
  SetCookie("ad1","florida",100);
  returnval="florida";
}
if (returnval == "casino"){
  SetCookie("ad1","floridacasino",100);
  window.location.href="floridacasino.html";
}
else if (returnval == "retire"){
  SetCookie("ad1","floridaretire",100);
  window.location.href="floridaretire.html";
}
else if (returnval == "casinoretire"){
  SetCookie("ad1","floridacasinoretire",100);
  window.location.href="floridacasinoretire.html";
}
else window.location.href=returnval+".html"
</script>
Cookie Defense
• Several Methods
  – Delete Cookies on Close
  – “Learning”
  – Block all Cookies
• Can do this in almost any browser
Cookie Defense – Delete on Close
• Delete cookies when exiting
• Can still be tracked while browsing
• On open, no website will know you
  – Pro: Past activity unknown to tracking websites since cookies are gone
  – Con: Legitimate websites with logins often use cookies to remember users
Cookie Defense – “Learning”
• Two options: Block bad or Allow good
• Block Bad
  – Accept Cookies
  – See a bad cookie, delete and block source
• Accept Good
  – Block All Cookies
  – When finding a legitimate website, allow
• Pro: Very effective after a long time
• Con: Takes a while and is a pain
Cookie Defense – Block All
• No cookies allowed on PC.
  – Pro: Most effective
  – Con: Many legitimate websites require cookies.
• Alternative: Block all and allow individual
  – AKA, “Accept Good Learning”
  – More of a pain than “Block Bad Learning”
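The trade-offs on the Cookie Defense slides can be checked with a small model of a cookie jar under each policy. This is an added example, not code from the presentation; the host names (ads.example and the three site names), the browsing session and the allow/block lists are constructed assumptions.

```javascript
// Added example; host names and the session are constructed, not from the slides.
const AD_HOST = "ads.example"; // the shared ad service framed by every site

// Constructed session: three sites visited, with one browser restart in between.
const SESSION = [
  { site: "florida.example", interest: "florida" },
  { site: "casino.example", interest: "casino" },
  { restart: true },
  { site: "retire.example", interest: "retire" },
];

// Each defense = a cookie-acceptance rule plus whether the jar is wiped on close.
const POLICIES = {
  acceptAll:     { allow: () => true, clearOnClose: false },
  deleteOnClose: { allow: () => true, clearOnClose: true },
  blockBad:      { allow: (host, l) => !l.blocked.has(host), clearOnClose: false },
  acceptGood:    { allow: (host, l) => l.allowed.has(host), clearOnClose: false },
};

function simulate(policyName, lists = { blocked: new Set(), allowed: new Set() }) {
  const policy = POLICIES[policyName];
  if (!policy) throw new Error("unknown policy: " + policyName);
  const jar = new Map(); // cookie host -> Set of values stored for that host
  let peak = 0;          // largest ad profile seen at any point in the session
  const store = (host, value) => {
    if (!policy.allow(host, lists)) return; // cookie refused by the browser
    if (!jar.has(host)) jar.set(host, new Set());
    jar.get(host).add(value);
  };
  for (const step of SESSION) {
    if (step.restart) {
      if (policy.clearOnClose) jar.clear();
      continue;
    }
    store(step.site, "login");     // first-party cookie (remembers the user)
    store(AD_HOST, step.interest); // third-party cookie set from the ad frame
    peak = Math.max(peak, (jar.get(AD_HOST) || new Set()).size);
  }
  return {
    adProfile: [...(jar.get(AD_HOST) || [])].sort(),
    peakAdProfile: peak,
    sitesRemembered: [...jar.keys()].filter((h) => h !== AD_HOST).length,
  };
}

const lists = { blocked: new Set([AD_HOST]), allowed: new Set(["florida.example"]) };
for (const name of Object.keys(POLICIES)) console.log(name, simulate(name, lists));
```

With delete-on-close the ad profile still reaches two interests before the restart, which is the "can still be tracked while browsing" point; the two learning modes keep it empty but differ in how many legitimate sites stay remembered.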
Cookie Defense – Internet Explorer Settings
• IE has similar settings to Firefox except it also has built-in, customizable security levels
Spybot – Search and Destroy
• Searches the computer for tracking cookies.
  – Uses a frequently updated list of known tracking cookies
• Freeware
• Can be used for many security issues on computers, such as Spyware
Spybot – Tracking Cookie Scan
Spybot – After Scan Actions
• Immunize (see previous slide's screenshot)
• Add the domains found in Spybot to the blocked cookies list using the “learning” mode defense discussed earlier
Students Will…
• Gain an understanding of tracking cookies
• See them in action by visiting mock pages
• Analyze the code to see how it worked
• Secure their browser against bad cookies
• Use anti-spyware software to protect browser
Questions?