|
Browsing Safely: Understanding Active Content and Cookies
Many people browse the Internet without much thought to what is
happening behind the scenes. Active content and cookies are common
elements that may pose hidden risks when viewed in a browser or email
client.
|
What is active content?
To increase functionality or add design embellishments, web sites
often rely on scripts that execute programs within the web
browser. This active content can be used to create "splash pages" or
options like drop-down menus. Unfortunately, these scripts are often a
way for attackers to download or execute malicious code on a user's
computer.
- JavaScript - JavaScript is just one of many web scripts (other
examples are VBScript, ECMAScript, and JScript) and is probably the most
recognized. Used on almost every web site now, JavaScript and other
scripts are popular because users expect the functionality and "look"
that it provides, and it's easy to incorporate (many common software
programs for building web sites have the capability to add JavaScript
features with little effort or knowledge required of the
user). However, because of these reasons, attackers can manipulate it
to their own purposes. A popular type of attack that relies on
JavaScript involves redirecting users from a legitimate web site to a
malicious one that may download viruses or collect personal
information.
- Java and ActiveX controls - Different from JavaScript, Java and
ActiveX controls are actual programs that reside on your computer or
can be downloaded over the network into your browser. If executed by
attackers, untrustworthy ActiveX controls may be able to do anything
on your computer that you can do (such as running spyware and
collecting personal information, connecting to other computers, and
potentially doing other damage). Java applets usually run in a more
restricted environment, but if that environment isn't secure, then
malicious Java applets may create opportunities for attack as well.
JavaScript and other forms of active content are not always dangerous,
but they are common tools for attackers. You can prevent active
content from running in most browsers, but realize that the added
security may limit functionality and break features of some sites you
visit. Before clicking on a link to a web site that you are not
familiar with or do not trust, take the precaution of disabling active
content.
These same risks may also apply to the email program you use. Many
email clients use the same programs as web browsers to display HTML,
so vulnerabilities that affect active content like JavaScript and
ActiveX often apply to email. Viewing messages as plain text may
resolve this problem.
What are cookies?
When you browse the Internet, information about your computer may be
collected and stored. This information might be general information
about your computer (such as IP address, the domain you used to
connect (e.g., .edu, .com, .net), and the type of browser you
used). It might also be more specific information about your browsing
habits (such as the last time you visited a particular web site or
your personal preferences for viewing that site).
Cookies can be saved for varying lengths of time:
- Session cookies - Session cookies store information only as long
as you're using the browser; once you close the browser, the
information is erased. The primary purpose of session cookies is to
help with navigation, such as by indicating whether or not you've
already visited a particular page and retaining information about your
preferences once you've visited a page.
- Persistent cookies - Persistent cookies are stored on your
computer so that your personal preferences can be retained. In most
browsers, you can adjust the length of time that persistent cookies
are stored. It is because of these cookies that your email address
appears by default when you open your Yahoo! or Hotmail email account,
or your personalized home page appears when you visit your favorite
online merchant. If an attacker gains access to your computer, he or
she may be able to gather personal information about you through these
files.
To increase your level of security, consider adjusting your privacy
and security settings to block or limit cookies in your web browser
(see Evaluating Your
Web Browser's Security Settings for more information). To make
sure that other sites are not collecting personal information about
you without your knowledge, choose to only allow cookies for the web
site you are visiting; block or limit cookies from a third-party. If
you are using a public computer, you should make sure that cookies are
disabled to prevent other people from accessing or using your personal
information.
Author: Mindi McDowell
Copyright 2004 Carnegie Mellon University. Terms of use
|
|
|
Last
updated
June 20, 2007
|
|