210 likes | 315 Views
Tracking Cookies. ECE 4112 Final Project Phillip Shatzman and Jeff Magee December 4, 2007. Overview. Background Tracking Cookies in Action Code analysis Cookie Defense Spybot – Search & Destroy What students will learn / do. Background. Track web activity Marketing Online Retailer
E N D
Tracking Cookies ECE 4112 Final Project Phillip Shatzman and Jeff Magee December 4, 2007
Overview • Background • Tracking Cookies in Action • Code analysis • Cookie Defense • Spybot – Search & Destroy • What students will learn / do
Background • Track web activity • Marketing • Online Retailer • Privacy violations • Compiled in databases • Multiple cookies per website • e.g. Link4Ads • Third-party cookies • Pop-up banners
Tracking Cookies in Action • Created 3 “domains” • Each uses the same ad service • Result: Each domain can target specific services based on users browsing habits
Index Webpage Code <html> <frameset rows="20%,15%,65%"> <frame src="welcome.html"> <frame src="c:\ece4112\ads\determineadcasino.html"> <frame src="info.html"> </frameset> </html> • Advertisement frame is different for each, but in the same domain (“ad”) • determineadflorida, determineadretire
determinead Webpage Code <script language="Javascript"> function checkCookie(){ //Initialization of variables to be used var lf = "\n"; //character for next line var CookieString = document.cookie; var CookieSet = CookieString.split(';'); var SetSize = CookieSet.length; var CookiePieces; var ReturnValue=""; //set default empty return if no cookie found var x = 0; for (x = 0; ((x < SetSize) && (ReturnValue == "")); x++){ CookiePieces = CookieSet[x].split('=');
determinead Code (cont.) if (CookiePieces[0].substring(0,1) == ' ' ){ CookiePieces[0] = CookiePieces[0].substring(1, CookiePieces[0].length); }//end if if (CookiePieces[0] == "ad1"){ ReturnValue = CookiePieces[1]; }//end if }//end for return ReturnValue; }//end checkCookie()
determinead Code (cont.) function SetCookie(cookieName,cookieValue,nDays){ var today = new Date(); var expire = new Date(); if (nDays==null || nDays==0) nDays ==1; expire.setTime(today.getTime() + 3600000*24*nDays); document.cookie = cookieName+"="+escape(cookieValue)+";expires="+expire.toGMTString(); }
determinead Code (cont.) if (CookiePieces[0].substring(0,1) == ' ' ){ CookiePieces[0] = CookiePieces[0].substring(1, CookiePieces[0].length); }//end if if (CookiePieces[0] == "ad1"){ ReturnValue = CookiePieces[1]; }//end if }//end for return ReturnValue; }//end checkCookie()
determinead Code (cont.) var returnval = checkCookie(); if (returnval == ""){ // no cookie found SetCookie("ad1","florida",100); returnval="florida";} if (returnval == "casino"){ SetCookie("ad1","floridacasino",100); window.location.href="floridacasino.html";} else if (returnval == "retire"){ SetCookie("ad1","floridaretire",100); window.location.href="floridaretire.html";} else if (returnval == "casinoretire"){ SetCookie("ad1","floridacasinoretire",100); window.location.href="floridacasinoretire.html";} else window.location.href=returnval+".html" </script>
Several Methods • Delete Cookies on Close • “Learning” • Block all Cookies • Can do this in most any browser Cookie Defense
Cookie Defense – Delete on Close • Delete cookies when exiting • Can still be tracked while browsing • On open, no website will know you • Pro: Past activity unknown to tracking websites since cookies are gone • Con: Legitimate websites with logins often use cookies to remember users
Cookie Defense – “Learning” • Two options: Block bad or Allow good • Block Bad • Accept Cookies • See a bad cookie, delete and block source • Accept Good • Block All Cookies • When finding a legitimate website, allow • Pro: Very effective after a long time • Con: Takes a while and is a pain
Cookie Defense – Block All • No cookies allowed on PC. • Pro: Most effective • Con: Many legitimate websites require cookies. • Alternative: Block all and allow individual • AKA, “Accept Good Learning” • More of a pain than “Block Bad Learning”
Cookie Defense – Internet Explorer Settings • IE has similar settings to Firefox except it also has built-in, customizable security levels
Spybot – Search and Destroy • Searches the computer for tracking cookies. • Uses a frequently updated list of known tracking cookies • Freeware • Can be used for many security issues on computers, such as Spyware
Spybot – After Scan Actions • Immunize (see previous slides screenshot) • Add the domains found in Spybot to the blocked cookies list using the “learning” mode defense discussed earlier
Students Will… • Gain a understanding of tracking cookies • See them in action by visiting mock pages • Analyze the code to see how it worked • Secure their browser against bad cookies • Use anti-spyware software to protect browser