Feds May Soon Be Allowed To Use Cookies

fast66 writes "The White House may lift its policy barring federal Web sites from tracking users' online behavior. In place since 2000, the cookie policy issued by the Office of Management and Budget was intended to protect citizen privacy but has sparked criticism — even from White House officials — for hampering citizen outreach. On Friday, Bev Godwin, the director of online resources and interagency development at the White House's new media office, blogged on the White House Web site, 'We want to use cookies for good, not evil' — and invited the public to comment on cookies through various online channels, including the Office of Science and Technology Policy blog."

No problem

[religious+freak]

If you don't like cookies, block them. For those that don't even understand what a cookie is, make it clear what the government is doing and prove it through open source. Makes for a better web experience.

What's the problem with that?

Re:No problem

[Actually,+I+do+RTFA]

If you don't like cookies, block them... What's the problem with that?

I block cookies, javascript and all plugins (with the exception of my whitelist). The problem is that more and more sites annoyingly (and uselessly) require these to work. I'm fine not having a draggable map, but ever since GoogleMaps, every map site has become reliant on Javascript. Half the random sites bitch if I have cookies off. Etc.

Much like the "works best in [Browser X]" these annoying additions are being used in the place of, not as a suppliment to, standard webfare.

Re:No problem

[religious+freak]

If you choose to live in a cave, you can't bitch about not having electricity.

(not trolling just being blunt)

Re:No problem

[daeley]

He's not complaining about not having electricity. He's complaining about being forbidden from whacking sabertooths on the head unless he's using a newfangled club that shouts "I AM A CLUB!" while you wave it in the air and it shoots out orange and yellow flames.

If he were asking for the Google Maps website to send him directions via telegraph, then he would be complaining about electricity.

This post brought to you by the Mixed Metaphor Society: Keeping the Home Fires on Track since 1962.

Re:No problem

[Falcon4]

Um, I dunno why your tin foil hat is so large, but seriously, you're living in the 90's. There is - and never was - anything wrong at all with Javascript or cookies. Flash can be annoying, but the benefits far outweigh the "risk". Java is the only thing I don't particularly trust, since it's pretty much an open gateway to malware today.

Javascript, though? Seriously? Javascript is "standard webfare" in the modern world. Cookies are, as well. Every single modern web browser supports them, and enable developers to do some pretty cool things, like draggable maps, real-time page updates (AJAX), etc.

Put simply, you've got more to worry about in your web history than you'd ever have to worry about in cookies. With cookies, what are you protecting yourself from? A company trying to improve their product? What about Javascript? Protect yourself against... dynamic webpages? You're doing yourself more harm than good with these old principles. Should've left them at the door with Firefox 1.0... welcome to the Internet of the 21st century.

Re:No problem

[CaptSaltyJack]

From the perspective of a web designer/developer who uses Javascript to enhance and optimize the user experience: people like you drive me up a frickin' wall. There's no need to disable all that stuff, unless you have a paranoid personality disorder.

Look, it just takes some common sense. Don't surf to sites that may be malicious. 99% of the time, it's completely obvious what those sites are. Also, it helps to not use IE, which is more susceptible to attacks than Firefox and other browsers.

Someone please give me a valid reason why anyone should be blocking cookies (1st party, NOT 3rd party) and disabling Javascript, other than paranoia and/or a bad case of nerd grump.

Re:No problem

[Em+Emalb]

unless he's using a newfangled club that shouts "I AM A CLUB!" while you wave it in the air and it shoots out orange and yellow flames.

I wonder if Think Geek sells those? WANT.

Re:No problem

[geekoid]

Your post hit that bull's-eye, and the dominoes fell like a house of cards.Checkmate!

Re:No problem

[geekoid]

Stop spreading those lies. Cookies can be hijacks and can be leveraged for an attack.

I know, I was paid to do that when I did security.

Ever see the expression on a financial CEO's face when you hand them a list of customer information, account balances and passwords you get after 30 minutes of being on the job?

Priceless.

Re:No problem

[C-Dilla]

Oh I don't know, he's free to pick up a good old fashioned stick and do whatever he wants with it. He just can't complain if his leg gets bitten off by the sabertooth while his buddies are munching on tasty sabertooth kebabs thanks to their newfangled flame-shooting clubs.

Re:No problem

[CastrTroy]

Simple. Just do what I do. Let cookies be saved, but only until you close your browser. I do this except for my whitelist where I let it store cookies permanently. This is really easy to set up in Firefox. I also have flash block installed, which is the only plugin I have installed. As far as Javascript goes, I let that run, but there's only so much it can do with cookies disabled, along with a good popup blocker. Never really had much of a problem with Javascript.

Re:No problem

I posted a response to a comment on the parent griping about flash and javascript--they are a security risk. I'll ignore cookies--that gets a bit...difficult to explain.

But because you don't seem to get it--let's make the javascript answer so simple even a programmer can understand it...

1) go to www.slashdot.org
2) hit view source
3) search for "ad.doubleclick.net"
4) you should see a call to document.write at a dynamic URL slashdot doesn't control
5) understand that a LOT of these go out through resellers--who go through other resellers--and so on...and all you have to do is buy a single script that gets into an ad rotation at a site like CNN or /. to be loading content off of another site--that can edit my DOM and run the driveby exploit du-jour.

Even if the script was safe when they checked it--it might not be safe five hours later when my browser pulls it down from a different IP address or netblock. The javascript isn't the risk--the third party javascript writing to my DOM to open an iframe with a driveby exploit is.

(and FWIW, there are actual javascript vulnerabilities--but I figured I'd stick to the obvious in this post)

As long as people continue to use things this way--they're a security risk.

Re:No problem

[Skapare]

The site I'm building now won't bitch if you have cookies off. But if you try to login, you'll find that subsequent requests will be handled as if you have not logged in. If the web ever gets a better login scheme standardized, implemented, and widely deployed, then maybe cookies won't be needed as a half-arsed way to achieve login sessions. Also, if you disabled Javascript, the site will not lay out nicely. But that will fall under the same "degrade gracefully" principle as if you disabled CSS.

Re:No problem

[bluej100]

I'm a Javascript developer, and I use NoScript, because I'm frequently Googling for information and checking sites I haven't visited before. Almost any time a Firefox vulnerability is announced, NoScript already prevents the exploit. Besides, I don't want third-party tracking and flashy ads when I'm just browsing for information. I'm happy to add genuine web apps to my whitelist, but blog comment forms, for example, should never require Javascript to function.

Re:No problem

[stephanruby]

What's the problem with that?

There is no problem with that, and may be that's the point.

Let's be really pedantic about cookies, let's waste all our time discussing them, all the while the government (with the help of the private sector) is silently trying to archive, index, and search through all our private emails, private phone conversations, web browsing logs (and search terms), phone graph relationships, travel plans, medical drug and mental health information, dna relationships, and/or anti-war political affiliations.

And let's not worry about the fact that all the low level city cops (at least in San Francisco) routinely do background checks and get private medical information for any random woman they're interested in dating (without any oversight, without any official reason, and without any logging that they've even accessed that information in the first place).

Let's talk about cookies instead and let's keep on explaining what cookies mean (because here on slashdot, I'm sure that no one knows what cookies are) -- ignoring all the other ways our privacy is being violated over and over again -- without even us knowing.

Re:No problem

[Excelcior]

Cookies should be replaced by a standard for web page preferences, where the web page specifies which options there are and what the possible values are. Then the users can set the preferences they care about in their browser and leave others (like tracking IDs) unset. Logins should never be implemented with cookies.

Not to sound trollish, but seriously, are you a web coder? Strict online security in connection with login-protected content is simply not possible without a cookie*. Cookies are so standard that ASP even places cookies without telling the coder it's doing so (the 'application' variables).
Cookies are a necessary part of the Internet. The only problems with them is that they 1) aren't encoded by default, 2) can be set to expire whenever the coder wants, which can fill directories quickly if you do much browsing, and 3) can be made accessible to websites other than those who issued them.

If web browsers would just encode all cookies by default, then decode them whenever sending them back to a server, that would keep spyware from reading their contents from your computer. Then, if the browsers would store a 'touched date', and automatically delete all cookies over X age (configurable by the user?), many useless cookies would go away automatically. Finally, if cookies were only able to be read/written to by their issuing server, there would be no possibility for exploit (except to track your movements through pages which contain some content served by the issuing server, such as the much beloved doubleclick.net cookies -- which could easily be done-away-with by adding the rule that cookies cannot be accessed by any page displayed within an iframe/object/etc.)
Everyone always seems to believe that cookies are small programs or some such nonsense. Cookies are nothing but tiny databases stored on the user's computer. How much damage can that do?

* If you think you can have strict security by only tracking a user's IP address and/or passing a variable from one page to the next, you are sorely mistaken.

p.s. I know, I know.... ASP is m$ft. Get over it. :-P ;-)

Re:No problem

[PopeRatzo]

There you go again, displaying facts and ruining what might have been perfectly good flamebaiting based on suspicion, FUD and paranoia.

If you want to surf anonymously, it's not that hard.

Re:No problem

[AnyoneEB]

I mostly agree with you. I would very much like a browser with the privacy settings you described. There is already the "Accept third-party cookies" option (I think all modern browser have a similar option), but I am not sure exactly what that does.

On the other hand, cookies are not needed for logins. In fact, they are a rather insecure way to do logins as anyone who can see your cookies can take over your session. For example, if you are on an open Wi-Fi hotspot and view any website that uses cookie logins and allows viewing logged-in pages without encryption, then anyone on the same hotspot can see your cookies and hijack your session. There was an automated attack specifically for GMail a little while ago (which Google added a "require HTTPS" option to secure against), but the same principle works for any site that does not require HTTPS (so it [hopefully] won't affect your bank).

Instead, logins should be done using HTTP digest authentication. As HTTP auth actually authenticates each request separately (as HTTP is stateless so it has to), it does not get tied to an IP, but still works without cookies. Additionally, it never sends the user's password in the clear, so even if the user is tricked into logging into a phisher's server, the phisher gets no useful information.

Unfortunately, although all modern desktop browsers support digest auth (some more obscure mobile browsers might not), the UI is horrible. I have yet to see a browser even indicate clearly that the HTTP auth was not basic (read: send password in the clear which should come with as many click-through steps as Firefox's current setup for self-signed certificates). Also, users have been trained for years to expect login boxes to appear as part of a web page, not as part of the web browser.

Using cookies for authentication is bad idea. They are currently the preferred solution for UI and historical, not technical, reasons. The browser vendors should be working on a sane authentication UI, so we can stop using them for that purpose.

Re:No problem

[severoon]

You should do what I do...leave everything turned on, but to poison all the DBs in the world, spend at least 90% of your time browsing stuff that doesn't interest you. This absolutely foils their plan to get to know you through tracking. There's just no way they can get around it at all for 'em.

I even take it to the next step beyond—90% of the money I spent on the web is for stuff I have absolutely no use for and definitely don't want. It's a brilliant, positively ironclad way to screw them over and make sure they get theirs!

Oop...I just used up my 10% time on /. writing this post. Gotta go surf pee-pr0n...disgusting stuff. laterz!

Well...

[Rewind]

The Cookie monster will most certainly be displeased...

For the computer savvy, this isn't even an issue.

[the_humeister]

I delete all my cookies automatically every time I close Firefox. I run Firefox via a script such that all the Flash cookies (yes Flash cookies) are also deleted.

Dupe?

[rsmith-mac]

We already had an article about this Saturday. I don't see anything new in TFA that would not make this a dupe.

What?

[arizwebfoot]

We want to use cookies for good, not evil' â" and invited the public to comment on cookies

Isn't that like a double oxymoron?

White House good.
Public comment evil.

Re:For the computer savvy, this isn't even an issu

[bheer]

> such that all the Flash cookies (yes Flash cookies) are also deleted.

Good point. Too few people even know about Flash cookies. There's also a Firefox extension called BetterPrivacy that'll do this, for those that can't be bothered with scripts.

I know that some shadier ad networks also use Java local storage to store tracking info, if your browser has a Java plugin. Solution: disable storing temporary files on your computer using the Java control panel icon.

Honestly, I do all of this, but I wonder how many others would even bother. It's almost like Scott "You have no privacy. Get over it." McNealy was right.

We're donediddily done for

[hugi]

yup, now our privacy is completely gone. I heard ECHELON is mostly based on cookies.

Whew, that was a close one

[Hojima]

Thanks for telling me this. You see, I am an inept and computer illiterate terrorist. We all are, since none of us are smart enough to get an education. Hell, I barely managed to read this web page, and all my dumb terrorist buddies simply couldn't. We go to www.I-AM-A-TERRORIST.com all the time, and if I didn't get the heads-up, we would all be in jail now. You guys were smart to allocate resources to this sure-fire way to catch us. Oh well, time to get back to using the internet for evil, not good.

Up to date

[BorgCopyeditor]

The next exciting and up-to-date town-hall meeting discussing government's use of technology will be...Webpage Layout: Tables or CSS?

don't care anymore

[Nick]

If anyone felt like tracking where I've been, eavesdropping, etc, they would be very bored.

I love it

[blue+l0g1c]

Tens of years ago, someone decided to name something a "magic cookie" and now we have FBI agents talking about "cookies" with solemn and serious faces.

Last Measure

[tepples]

Someone please give me a valid reason why anyone should be blocking cookies (1st party, NOT 3rd party) and disabling Javascript, other than paranoia and/or a bad case of nerd grump.

The site http://paranoia.on.nimp.org demonstrates this, but do NOT visit this site unless you've turned OFF JavaScript and plug-ins for this domain.