Saturday, August 18, 2018

Cookies-over-HTTP Bad

Cookies sent over plaintext HTTP are visible to anyone on the network. This visibility exposes substantial amounts of data to network attackers (passive or active). We know, for example, that long-lived and stable cookies have enabled pervasive monitoring in the past (see Google's PREF cookie), and we know that HTTPS provides significant confidentiality protections against this kind of attack.
Ideally, browsers would mitigate these monitoring opportunities by making it more difficult to persistently track users via cookies sent over non-secure connections.
The author proposes several potential solutions to avoid the risks of sending cookies over non-secure channels. The primary option is migrating to HTTPS for sites that have not already done so. According to the author, 70% of browsing activity is done via secure connections.

Another option is setting a cookie's expiration date to a year or so. Chrome collected metrics to determine the age of the oldest cookie sent to a non-secure endpoint, and the post provides a breakdown of that data as of March 2018. Setting an expiration date to a year would impact about 6% of same-site requests and 7% of cross-site requests. Developers could also add the 'Secure' attribute to their cookies if they are already delivering their sites over HTTPS. According to Chrome's data, only around 7.5% of cookies use the 'Secure' attribute.
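The two mitigations above (the 'Secure' attribute and a lifetime of about a year) are both things a site owner can check for in their own Set-Cookie headers. The following audit script is an added example written for this summary; it is not code from the original post or from Chromium. It parses Set-Cookie headers, flags cookies that lack 'Secure' and cookies that are non-secure and live longer than one year, and runs over a few constructed sample headers. The one-year threshold and the sample cookie names are assumptions chosen to match the numbers discussed above.

```python
"""Audit Set-Cookie headers for the mitigations discussed in the post.

Added example, not code from the original post or from Chromium.
The Set-Cookie headers in SAMPLE_HEADERS are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed threshold: a cookie living longer than this is "long-lived".
ONE_YEAR = timedelta(days=365)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased. Flag attributes such as Secure and
    HttpOnly map to True; valued attributes map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """Return the cookie's lifetime as a timedelta, or None for a session cookie.

    Max-Age takes precedence over Expires, as RFC 6265 specifies.
    Unparseable values are treated as a session cookie.
    """
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            return None
    return None


def audit(header, now=None):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    secure = "secure" in attrs
    if not secure:
        findings.append("missing Secure attribute: sent over plaintext HTTP")
    lifetime = cookie_lifetime(attrs, now)
    if not secure and lifetime is not None and lifetime > ONE_YEAR:
        findings.append("non-secure cookie lives longer than one year")
    return name, findings


def audit_all(headers, now=None):
    """Audit several headers; returns {cookie name: [findings]}."""
    return dict(audit(h, now) for h in headers)


# Constructed sample headers (not real traffic).
SAMPLE_HEADERS = [
    "PREF=ID=abc123; Expires=Tue, 18 Aug 2020 00:00:00 GMT; Path=/",
    "session=xyz; Secure; HttpOnly; SameSite=Lax",
    "tracker=1; Max-Age=31536000; Path=/",
]

if __name__ == "__main__":
    # Fixed clock so the sample output is reproducible.
    fixed_now = datetime(2018, 3, 1, tzinfo=timezone.utc)
    for cookie, problems in audit_all(SAMPLE_HEADERS, fixed_now).items():
        status = "; ".join(problems) if problems else "ok"
        print(f"{cookie}: {status}")
```

Run against a site's real response headers (for example, collected from its own server logs or a local fetch), the script gives a quick count of how many cookies would be affected by each of the two changes described above before any migration work starts.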
