Cookies
Imagine meeting an amnesiac person who cannot remember faces or names. Instead they ask if they can leave a business card in your coat pocket. Whenever you next meet them they presume to rummage through your pockets until they find evidence that they know you.
That's cookies. A sweet name for a very bad non-solution to a non-problem: HTTP was designed as a stateless (non-session-oriented) protocol. The web was designed as an informational request-response system. Most commercial development in this century has been a terrible mistake. Instead of using a stateful protocol like SSH where needed, companies bolted half-baked ideas onto HTTP to implement:
- sessions
- identity
- persistent data storage
The mess we're left with is the "modern web", where:
- advertisers use cookies to track and share information about which sites you visit
- malicious programs can steal your cookies and replay them to impersonate you
- regulation and cookie acceptance banners cause fatigue
Mitigation
- Avoid non-informational websites that "require" cookies in the first place. As a backlash against abusive web technology, many sites are falling back, under popular pressure, to offering anonymous informational services in the traditional style.
- Use a fully sandboxed amnesiac browser. [Qubes] or [Tails] type virtual machines are good choices.
- For informational tasks use a highly configurable text-only browser like W3M or Links. Such a browser can appear to a malicious website as a "docile and cooperative" browser, but trick it by pretending to accept cookies, which it then simply deletes.
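The last two mitigations describe the same client-side behaviour: parse whatever `Set-Cookie` headers the server sends, so the exchange looks ordinary, but either never store them or forget them the moment the task is done. The block below is an added illustration (not code from this page, nor from W3M, Links, Qubes or Tails) using only Python's standard `http.cookiejar`; the `Set-Cookie` values, the host `example.test` and the names `RefuseAllPolicy`, `cookies_echoed_back` and `amnesiac_session` are constructed for the example. It contrasts a normal cooperative jar, a "pretend to accept, then delete" jar, and a session-only amnesiac jar, and runs offline against a stand-in response object.

```python
"""Amnesiac cookie handling: accept Set-Cookie headers like a cooperative
client, but never echo them back, or echo them only within one short-lived
session that is then wiped. Standard library only; runs offline."""
import email.message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request

# Constructed sample of what a site might send; not captured from any real host.
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",
    "tracker=xyz789; Path=/; Max-Age=31536000",
]


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return a headers object with get_all()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message appends, so repeats are kept

    def info(self):
        return self._headers


class RefuseAllPolicy(DefaultCookiePolicy):
    """The 'docile and cooperative' trick: the header is parsed without error,
    but set_ok() vetoes storage, so nothing is ever sent back."""

    def set_ok(self, cookie, request):
        return False


def cooperative_jar():
    """A normal browser-like jar: stores and replays everything allowed by default policy."""
    return CookieJar()


def refusing_jar():
    """A jar that parses Set-Cookie but discards every cookie."""
    return CookieJar(policy=RefuseAllPolicy())


def cookies_echoed_back(jar, url="https://example.test/page"):
    """Simulate one visit: the server sets cookies on the first response, then we
    build the follow-up request and report which cookie names the jar would send."""
    first = Request(url)
    jar.extract_cookies(_FakeResponse(SAMPLE_SET_COOKIE_HEADERS), first)
    second = Request(url)
    jar.add_cookie_header(second)  # adds a Cookie header only if the jar has matches
    header = second.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def amnesiac_session(jar_factory=cooperative_jar):
    """Use a jar for a single task, then forget it: returns what was sent during
    the task and how many cookies survive afterwards (always 0)."""
    jar = jar_factory()
    sent = cookies_echoed_back(jar)
    jar.clear()  # end of task: nothing persists into the next session
    return sent, len(jar)


if __name__ == "__main__":
    print("cooperative jar sends:", cookies_echoed_back(cooperative_jar()))
    print("refusing jar sends:   ", cookies_echoed_back(refusing_jar()))
    print("amnesiac session:     ", amnesiac_session())
```

The cooperative jar replays both `session` and `tracker`; the refusing jar replays nothing even though it parsed the same headers; the amnesiac session behaves cooperatively for the duration of one task and then holds zero cookies. A real client would plug the policy into `urllib.request.HTTPCookieProcessor` instead of the stand-in response used here.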