Google engineers plan to improve user privacy and security by putting a short lifespan on cookies delivered via HTTP connections.
Google hopes that the move will force website developers and advertisers to send cookies via HTTPS, which "provides significant confidentiality protections against [pervasive monitoring] attacks."
Sending cookies via plaintext HTTP is considered both a user privacy and security risk, as these cookies could be intercepted and even modified by an attacker.
Banning cookies over HTTP outright is not yet an option, so Chrome engineers hope that limiting a cookie's lifespan will prevent huge troves of user data from accumulating inside cookies and stop advertisers from using the same cookie to track users across different sites.
HTTP cookie lifespan capping scheduled for Chrome 70
Chrome engineers want to cap HTTP cookie lifetime at an initial maximum of one year, which they later plan to shrink slowly to a few days.
.....
.....
HTTP cookie lifespan capping won't visibly affect websites
Google engineer Mike West doesn't believe websites and web apps will break when Chrome starts forcing HTTP cookies to expire earlier and earlier.
"Cookies are somewhat fragile, and can be evicted at any time for reasons outside developers' control, so there is unlikely to be a high compatibility cost," West says. "Users are not likely to see breakage."
"On the other hand, services that use long-lived non-secure cookies are likely to be unhappy, which is good. There are distinct risks to sending cookies over non-secure channels, especially when done at scale as part of an advertising network," West adds.
....
....
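The lifetime cap described above for cookies delivered over HTTP, as an added example (not Chrome's code and not from the article): it parses `Set-Cookie` headers and reports which cookies a one-year cap would shorten, which is a quick way for a site owner to find cookies that should move to HTTPS. The function names, the sample headers and the rule that the cap applies whenever the response scheme is `http` are assumptions.

```javascript
// Added example, not Chrome's code: function names and the sample headers are assumptions.
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60; // initial maximum named in the article

// Parse one Set-Cookie header value into { name, attrs }; attribute names are lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// Requested lifetime in seconds, or null for a session cookie.
// Max-Age takes precedence over Expires (RFC 6265, section 5.3).
function requestedLifetime(attrs, nowMs) {
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    return Math.max(0, parseInt(attrs['max-age'], 10));
  }
  if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return Math.max(0, Math.floor((t - nowMs) / 1000));
  }
  return null;
}

// Report what a lifetime cap would do to a cookie received over `scheme`.
function auditCookie(header, scheme, nowMs = Date.now(), capSeconds = ONE_YEAR_SECONDS) {
  const { name, attrs } = parseSetCookie(header);
  const requested = requestedLifetime(attrs, nowMs);
  const overHttp = scheme.toLowerCase() === 'http';
  const capped = overHttp && requested !== null && requested > capSeconds;
  return { name, overHttp, hasSecureAttr: attrs.secure === true,
           requested, effective: capped ? capSeconds : requested, capped };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  ['http', 'uid=abc123; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/'],
  ['http', 'sid=s1; Max-Age=3600; HttpOnly'],
  ['https', 'uid=abc123; Max-Age=315360000; Secure; Path=/'],
];
const NOW = Date.UTC(2018, 0, 1); // fixed clock so the output is reproducible
for (const [scheme, header] of SAMPLES) console.log(auditCookie(header, scheme, NOW));
```

Lowering `capSeconds` toward a few days shows which cookies would be affected as the cap shrinks.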