Re: Evil Cookies.

From: Dylan Griffiths (Dylan_Gat_private)
Date: Mon Feb 07 2000 - 15:18:17 PST


    Thomas Reinke wrote:
    > There is no easy patch to this problem. The only solution I
    > can think of, which is not an easy one, would be to have browsers
    > have intimate knowledge of what constitutes an organization's
    > "domain of influence", and limit cookies accordingly. This
    > is essentially impossible to implement.
    
    A better solution would be explicit (ie: finer grained) control of cookies.
    Not as finely grained as the prompt option of Lynx, but more specific than
    the current Netscape settings.
    
    > (Consider  domain.city.state.country - where is the allowable
    > domain of influence here? Probably 4 levels deep, but how
    > to indicate this to the browser).
    
    Perhaps this would be an exercise best left up to the user, as there is
    currently no way to indicate the scope of the authority (harmless TLD,
    country, normal domain, etc) in the DNS system.
    
    [snip]
    
    > Unless someone can think of some sinister twist to which this
    > capability can be put to use?
    
    Considering the recent doubleclick.net situation, by which they were able to
    track people across all sites that had doubleclick.net banners (thanks to
    the cookie specification allowing for cookies to be sent with images as well
    as HTML content), and were able to correlate this with a database the company
    had merged with earlier in the year.  They claimed they'd not used the
    information for tracking, and were found to be lying.  They've once again
    claimed to allow people to opt out via another cookie, and are currently
    being sued in California.
    
    This is why I recommend using a tool like junkbuster
    (http://www.junkbuster.com and http://www.waldherr.org/junkbuster/ ) which
    allows explicit "opt in" cookie control for domains that is transparent to
    the end user (once it is set as a proxy via a manual setting or auto
    configure URL).  You can set it to deny or allow all cookies by default, and
    allows for exclusions to the deny policy of read only cookies, and read
    write cookies (ie: certain domains can get and set, while others can only
    get).
    
    --
    Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
    spread!
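
The default-deny cookie policy described in the message above, with per-domain "get only" and "get and set" exceptions, sketched as an added example that is not part of the original post and is not junkbuster's own code or configuration syntax. The mode names, the policy table and all host names are constructed for illustration.

```python
# Added example. Hypothetical policy model; NOT junkbuster's real config syntax.
DENY, GET_ONLY, GET_SET = "deny", "get", "get+set"

# Constructed policy table: anything not listed falls through to the default (deny).
POLICY = {
    "shop.example": GET_SET,       # may read and set cookies
    "news.example": GET_ONLY,      # may read existing cookies, may not set new ones
    "ads.shop.example": DENY,      # explicit exclusion under an allowed parent
}

def lookup(host, policy=POLICY, default=DENY):
    """Most specific label-aligned suffix wins, so 'evilshop.example' never
    matches 'shop.example'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        mode = policy.get(".".join(labels[i:]))
        if mode is not None:
            return mode
    return default

def filter_request(host, headers, policy=POLICY):
    """Browser -> server: strip Cookie unless the host may at least 'get'."""
    if lookup(host, policy) in (GET_ONLY, GET_SET):
        return list(headers)
    return [(k, v) for k, v in headers if k.lower() != "cookie"]

def filter_response(host, headers, policy=POLICY):
    """Server -> browser: strip Set-Cookie unless the host may 'get+set'."""
    if lookup(host, policy) == GET_SET:
        return list(headers)
    return [(k, v) for k, v in headers if k.lower() != "set-cookie"]

if __name__ == "__main__":
    # Constructed traffic: a banner image fetched from an unlisted third-party host.
    banner_req = [("Host", "ad.tracker.example"), ("Cookie", "uid=constructed-123")]
    banner_resp = [("Content-Type", "image/gif"), ("Set-Cookie", "uid=constructed-123")]
    print(filter_request("ad.tracker.example", banner_req))
    print(filter_response("ad.tracker.example", banner_resp))
    print(filter_response("news.example", banner_resp))      # read-only: Set-Cookie removed
    print(filter_response("www.shop.example", banner_resp))  # read-write: kept
```

Because the decision is keyed on the host each request is sent to, an embedded image from an unlisted host is filtered even when the page embedding it comes from an allowed domain.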
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:46 PDT