Are you secure? What is Cookie?

In the past two days, because of 315, cookies have suddenly become very popular. It is said that many netizens are busy deleting cookies in their browsers. At first, I was bored. CCTV didn't know what to say. Two days ago, a relative at home told me, "You all know what we used to do online and read our emails. This is not a matter of privacy. It's terrible ."

I realized that this problem was too misleading. As an engineer who has been engaged in Internet Web development for many years, I think I should say something. Next I will introduce the Cookie to you to see if your Cookie is secure?

　　1. What is a Cookie?

The explanation of CCTV is that it is a data packet. Each time a website is accessed, the browser sends the Cookie of the website back to the website server, at the same time, the website can also modify the corresponding Cookie on your machine at will. However, a very important information video does not mention that there is not only one Cookie, but one website. Therefore, it is inaccurate to regard it as a network ID card. It is not your unique identifier on the Internet, but your unique identifier on a website.

　　2. What are in cookies?

This depends on the website itself. The video says that the website will store some important user information (What username, password, browsing record, IP address or something) into the Cookie. In fact:

Ordinary websites do not store important information. They only store your login status, that is, the token you exchange the user name and password, there is also the website's determination for you (for example, what is the unique identifier of your website, which server you visit, which product version do you use? You don't need to care about this information. It has nothing to do with your privacy.

Literary websites encrypt the information to prevent others from spoofing the information.

The website described by CCTV (storing the user name and password in the Cookie may be CCTV) is extremely rare on the Internet, this may only be done by a layman or a student who has just learned how to develop the network. This kind of website is extremely insecure, and your information is easily leaked, so there is still less access.

　　3. Will cookies be stolen?

As mentioned in the video, cookies can only be read by websites where they are stored. This is ensured by the browser, which is also an important security mechanism of the browser. If you think your browser cannot guarantee this, you can change to a reliable one, such as IE9, Chrome, and Firefox. So the Cookie is safe? Not necessarily, cookies may be stolen by websites during transmission. Here is an inappropriate example:

We can compare a user's Website access process with the process of writing a letter to the website. The content of the letter can be compared with the information you submit to the website (such as your gender or age ), cookie can be used to identify who you are than the sender in the envelope. In the whole process of sending emails, the post office has the opportunity to steal your envelopes, and the website can sell your envelopes to others. But !!! The two parties actually have the content of your letter. Do you think it is necessary for them to steal your envelope?

In fact, Cookie theft occurs only when you use insecure networks (such as Wi-Fi in Public Places) or websites with security vulnerabilities, the former has a lower probability of occurrence, and the latter has a much greater impact on the website than the Cookie Theft. It is a serious fault for Internet companies and will soon be blocked once discovered.

　　4. What do they say about mastering hundreds of millions of cookies, website distribution codes, and so on? What does this happen?

We have learned from the above that Cookie theft is a relatively low probability event and cannot reach hundreds of millions. The various gorgeous data claimed in the video is actually the advertiser being fooled by the sales staff. It makes a very simple practical technical term awesome. The truth is:

As mentioned above, "each time a website is accessed, the browser sends the Cookie of the website to the website server ". If I have an image on my website, which Cookie will be sent when the browser accesses this image? The answer is to provide cookies for Image Service websites. For example, if a website's page contains an image from a marketing website B, the relationship between them is as follows:

When you access website S, you also access website B as a user B. You said, "I have not registered with website B. Why is it a user of website B ". Hey hey, you don't need to sign up, because you don't need to know. He automatically assigns an account to you. If there are more websites like S, what should I do if website B wants to locate you across different websites? Store the account allocated to you in B's Cookie. This is what they call hundreds of millions of cookies. As for the layout code, it is actually the code for accessing the image, or even the advertisement diagram you see on the page. You may have noticed that website B still obtains some information while receiving cookies. If this information involves privacy, it depends on the website's program. Generally, large websites only send some simple page information to B, such as what videos and news they watch. The goal is to make the advertisement delivered by advertisers more accurate. As for getting the username and password, I can only say that if you are a phishing scam, it is impossible for the website to sell the password of your own user. This is meaningless, it is estimated that you have visited a messy website, lied to you to fill in the username and password, and then sold the information. This has nothing to do with Cookie hair.

　　5. Is this a violation of privacy?

This is hard to say. For example, what news do you think you are paying attention to, what toys you have bought, and what videos you have watched (love action movies skipped) may not be private. However, you may not want others to know what medicine you have bought. You have read the webpage about the treatment of some diseases, which is private for many people. This is the most controversial aspect of access tracking technology.

　　6. What should I do if I don't want to be tracked because I am clean?

All browsers have a function to disable third-party cookies. You only need to enable the function and you will not be tracked, !!! Some website functions may be unavailable. So proceed with caution.

　　7. How can I protect my privacy from leakage?

This topic is too big. Let me talk about some principles:

Do not fill in any personal information on the webpage that you are not clear about the source, such as knowing your age, gender, income, etc, in fact, the information you fill in on different websites is obtained by them and then integrated, because there are still some personal information sold by unscrupulous companies on the market, they only need to compare the data to match you.

Do not fill in sensitive information on any website. Although large websites do not sell your information on their own initiative, the system may have vulnerabilities and leak some personal information. If there are many examples, I will not name them.

　　8. What do you think of this CCTV report?

I did not have a thorough investigation in fields that I don't know yet. I listened to a few sales staff's scams and made a report about the disowner of the audience. I should review it myself. Yang Yonglin (Sina Weibo frontend technical expert)