
Google engineers plan to improve user privacy and security by putting a short lifespan on cookies delivered via HTTP connections.

Google hopes that the move will force website developers and advertisers to send cookies via HTTPS, which "provides significant confidentiality protections against [pervasive monitoring] attacks."

Sending cookies via plaintext HTTP is considered both a user privacy and security risk, as these cookies could be intercepted and even modified by an attacker.

Banning the sending of cookies via HTTP is not yet an option, so Chrome engineers hope that limiting a cookie's lifespan will prevent huge troves of user data from accumulating inside cookies and keep advertisers from using the same cookie to track users across different sites.

HTTP cookie lifespan capping scheduled for Chrome 70

Chrome engineers want to cap HTTP cookie lifetime at an initial maximum of one year, which they later plan to shrink gradually to a few days.

The capping of HTTP cookies is currently scheduled for Chrome 70, slated to be released in late October 2018.

Telemetry data gathered by the Chrome team suggests that a large number of HTTP-transmitted cookies have a lifespan longer than a year.
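
To see which of a site's own cookies such a cap would shorten, the following added example (not code from Chrome or from this article) audits captured Set-Cookie headers for HTTP-delivered cookies that request more than a year. The 365-day value, the function names, and the sample hosts and cookies are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: the article's initial "one year" cap is modelled as 365 days.
CAP = timedelta(days=365)

def requested_lifetime(set_cookie, now):
    """Lifetime a Set-Cookie value asks for, or None for a session cookie."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: treat as a session cookie
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when - now
    return None

def audit(responses, now):
    """Return (name, requested, effective) for HTTP cookies above the cap."""
    findings = []
    for url, set_cookie in responses:
        if not url.lower().startswith("http://"):
            continue  # the cap in the article targets plaintext HTTP only
        life = requested_lifetime(set_cookie, now)
        if life is not None and life > CAP:
            name = set_cookie.split("=", 1)[0].strip()
            findings.append((name, life, min(life, CAP)))
    return findings

# Constructed sample responses (hypothetical hosts and cookie names).
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("http://ads.example/px", "uid=abc123; Max-Age=315360000; Path=/"),
    ("http://shop.example/", "cart=42; Expires=Fri, 08 Jun 2018 00:00:00 GMT"),
    ("https://shop.example/login", "sid=xyz; Max-Age=63072000; Secure"),
    ("http://news.example/", "track=9; Max-Age=oops; Expires=Tue, 01 Jun 2038 00:00:00 GMT"),
]
for name, asked, effective in audit(SAMPLE, NOW):
    print(f"{name}: asks for {asked.days} days, capped to {effective.days}")
```

Cookies that appear in the output are the ones to move to HTTPS or to reissue with a shorter lifetime before the cap tightens.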

HTTP cookie lifespan capping won't visibly affect websites

Google engineer Mike West doesn't believe websites and web apps will break when Chrome starts forcing HTTP cookies to expire earlier and earlier.

"Cookies are somewhat fragile, and can be evicted at any time for reasons outside developers' control, so there is unlikely to be a high compatibility cost," West says. "Users are not likely to see breakage."

"On the other hand, services that use long-lived non-secure cookies are likely to be unhappy, which is good. There are distinct risks to sending cookies over non-secure channels, especially when done at scale as part of an advertising network," West adds.

This move won't stop user tracking on the Internet, but it will make tracking more secure and prevent unauthorized third parties from accessing this data by actively or passively observing cookies as they flow through a network's traffic.

Mozilla experimented with deprecating HTTP cookies by adding a special "network.cookie.lifetime.httpSessionOnly" flag in Firefox 49, but the flag never made it into the Firefox stable release.
