"Much web security rests on illusion and hope," said Fu. He noted that most web users have heard of cookies that web servers send to a browser to identify the user at a later date, but warned that few understand the security risk they can pose.
"Cookies are insecure, no matter what you do," said Fu. He went on to concede that cookies "aren't that dangerous" when used for things like storing preferences on personalized web pages, but argued that their use to authenticate online shoppers can be much more problematic.
It's these so-called "authentication cookies" that are often exploitable, said Fu. The academic's research finds that someone who has accessed a series of cookies on a hard drive can look for a pattern and then backtrack to come up with the algorithm that generated them. "It's the kind of thing a bored teenager could do in a few hours," claimed Fu.
Fu believes that the best login methods do not employ cookies, but use client certificates in SSL. But, according to the academic, retailers do not use SSL technology as they want to offer quick, easy shopping. "Cookies get the most sales in the shortest time, and if no one is attacking, they work just fine," he argued.
Despite these reservations Fu said he shops online himself: "There isn't much of an alternative for consumers. Even if you shop by phone, the attendant often enters your data on the same web page you are trying to avoid."