Bugtraq mailing list archives

Re: Evil Cookies.
From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Mon, 7 Feb 2000 17:18:17 -0600


Thomas Reinke wrote:
> There is no easy patch to this problem. The only solution I
> can think of, which is not an easy one, would be to have browsers
> have intimate knowledge of what constitutes an organization's
> "domain of influence", and limit cookies accordingly. This
> is essentially impossible to implement.

A better solution would be explicit (i.e. finer-grained) control of cookies.
Not as finely grained as the prompt option of Lynx, but more specific than
the current Netscape settings.

> (Consider domain.city.state.country - where is the allowable
> domain of influence here? Probably 4 levels deep, but how
> to indicate this to the browser).

Perhaps this would be an exercise best left up to the user, as there is
currently no way to indicate the scope of the authority (harmless TLD,
country, normal domain, etc.) in the DNS system.

[snip]

> Unless someone can think of some sinister twist to which this
> capability can be put to use?

Consider the recent doubleclick.net situation, in which they were able to
track people across all sites that had doubleclick.net banners (thanks to
the cookie specification allowing for cookies to be sent with images as well
as HTML content), and were able to correlate this with a database of the company
they had merged with earlier in the year.  They claimed they'd not used the
information for tracking, and were found to be lying.  They've once again
claimed to allow people to opt out via another cookie, and are currently
being sued in California.

This is why I recommend using a tool like junkbuster
(http://www.junkbuster.com and http://www.waldherr.org/junkbuster/ ), which
allows explicit "opt in" cookie control for domains that is transparent to
the end user (once it is set as a proxy via a manual setting or auto
configure URL).  You can set it to deny or allow all cookies by default, and
it allows for exclusions to the deny policy for read-only cookies and
read/write cookies (i.e. certain domains can get and set, while others can only
get).

--
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
spread!
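As an added illustration (not from the original thread or from the junkbuster project), the following Python models both points raised above: a browser that only tail-matches the cookie Domain against the setting host versus one that also refuses a Domain that is itself a registry suffix (the "domain of influence" knowledge Reinke says browsers lack), and a junkbuster-style deny-by-default policy with read-only and read/write exclusions. The suffix table, host names and policy entries are constructed for the example.

```python
# Constructed stand-in for the "domain of influence" knowledge a browser needs
# (the real Public Suffix List is far larger). It includes a 4-level registry
# modelled on the domain.city.state.country case from the thread.
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk", "example",
                   "country", "state.country", "city.state.country"}


def _norm(name: str) -> str:
    return name.lower().strip(".")


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Netscape-style tail match: host equals Domain or ends in '.' + Domain."""
    host, cookie_domain = _norm(host), _norm(cookie_domain)
    return host == cookie_domain or host.endswith("." + cookie_domain)


def naive_accept(host: str, cookie_domain: str) -> bool:
    """Tail match only: shop.co.uk may set Domain=co.uk, which every .co.uk site then receives."""
    return domain_matches(host, cookie_domain)


def scoped_accept(host: str, cookie_domain: str, suffixes=PUBLIC_SUFFIXES) -> bool:
    """Tail match plus refusal of any Domain that is itself a public suffix."""
    d = _norm(cookie_domain)
    return domain_matches(host, d) and d not in suffixes


# junkbuster-style policy (constructed): deny by default, with exclusions for
# domains that may only be sent existing cookies ("get") and domains that may
# also set new ones ("get and set").
POLICY = {"default_allow": False,
          "read_only": {"news.example"},
          "read_write": {"bank.example"}}


def _listed(host: str, names) -> bool:
    return any(domain_matches(host, n) for n in names)


def may_send_cookie(host: str, policy=POLICY) -> bool:
    """Should the proxy forward stored cookies to this host?"""
    return (policy["default_allow"] or _listed(host, policy["read_only"])
            or _listed(host, policy["read_write"]))


def may_store_cookie(host: str, cookie_domain: str, policy=POLICY) -> bool:
    """Should the proxy let this host set a cookie? The scope check applies regardless of policy."""
    allowed = policy["default_allow"] or _listed(host, policy["read_write"])
    return allowed and scoped_accept(host, cookie_domain)
```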


