Nom Nom Nom

Cookie Monster

by iambenjaminwild

  1. (2 points.) Suppose that you log into https://www.linkedin.com/ and then decide you’d like to visit someone’s profile anonymously, without LinkedIn knowing. And so you open a new, cookie-less tab in incognito (aka private) mode, within which you visit the profile. In no more than three sentences, how might LinkedIn still know, at least with some probability, that the visitor is still you?

If a user visits a website like https://www.example.com/ and the server, www.example.com, responds with HTTP headers like

HTTP/1.1 200 OK
Set-Cookie: foo=oHg5SJYRHA0

then foo is considered a “first-party cookie,” since it came from that same server. If there happens to be an advertisement on the page, as via an HTML tag like

<img alt="advertisement" src="https://ad.doubleclick.net/ovaltine.jpg">

and the advertisement’s server, ad.doubleclick.net, responds with HTTP headers of its own like

HTTP/1.1 200 OK
Set-Cookie: bar=9K4FsAHB-C8

then bar is considered a “third-party cookie,” since it came from a server other than the one in the browser’s address bar.

Browsers typically allow users to disable third-party cookies and even first-party cookies. And some browsers even disable third-party cookies by default.
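As an added illustration (not part of the original problem set), the following Python models how a browser decides whether a Set-Cookie header is first-party or third-party relative to the page in the address bar, and what a Safari/Brave-style "block third-party cookies" default does to the two responses above. The site_of() comparison is a deliberate simplification; real browsers use the Public Suffix List.

```python
from urllib.parse import urlparse

# Added example, not from the original problem set: classify each Set-Cookie
# response as first- or third-party relative to the page in the address bar,
# then simulate a browser that blocks third-party cookies. site_of() is a
# simplification (last two host labels); real browsers use the Public Suffix List.

def site_of(url: str) -> str:
    """Simplified 'site' (registrable domain) of a URL's host."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def parse_set_cookie(header_value: str) -> dict:
    """Parse 'name=value; Attr; Attr=val' into name, value and lowercased attrs."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def classify_cookie(address_bar_url: str, response_url: str) -> str:
    """'first-party' if the responding server is on the same site as the page."""
    same = site_of(address_bar_url) == site_of(response_url)
    return "first-party" if same else "third-party"

def cookies_stored(address_bar_url, responses, block_third_party=False):
    """Simulate one page load: responses is [(response_url, [Set-Cookie values])].
    Returns the (cookie_name, party) pairs the browser actually keeps."""
    stored = []
    for url, set_cookie_headers in responses:
        party = classify_cookie(address_bar_url, url)
        if block_third_party and party == "third-party":
            continue  # Safari/Brave-style default: the tracker's cookie is dropped
        for hdr in set_cookie_headers:
            stored.append((parse_set_cookie(hdr)["name"], party))
    return stored

# Constructed page load mirroring the problem set's example responses.
PAGE = "https://www.example.com/"
RESPONSES = [
    ("https://www.example.com/", ["foo=oHg5SJYRHA0"]),
    ("https://ad.doubleclick.net/ovaltine.jpg", ["bar=9K4FsAHB-C8; Secure; SameSite=None"]),
]

if __name__ == "__main__":
    print(cookies_stored(PAGE, RESPONSES))                          # foo and bar
    print(cookies_stored(PAGE, RESPONSES, block_third_party=True))  # only foo
```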

  1. (2 points.) In no more than three sentences, why might disabling first-party cookies “break” some websites?

  2. (2 points.) In no more than three sentences, why might enabling third-party cookies be a potential threat to users’ privacy?

It turns out that Safari and Brave are among the browsers that disable third-party cookies by default. As a result, Duo’s Remember me checkbox, which you see after logging into HarvardKey or Yale CAS, does not work on Safari or Brave, per help.duo.com/s/article/2189. Even if you try checking the checkbox, Duo forgets that you’ve checked it.

  1. (3 points.) Explain, in technical terms but no more than three sentences, how Duo must be implementing its Remember me option and why it does not work with HarvardKey or Yale CAS on Safari or Brave by default.