Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Microsoft IE cookies readable via about: URLS
From: Valdis.Kletnieks () vt edu
Date: Mon, 12 Nov 2001 13:14:44 -0500

On Fri, 09 Nov 2001 21:20:29 EST, Oliver Petruzel <opetruzel () cox rr com>  said:
This brings to mind a question:  has anyone collected a list of the most
revealing KNOWN cookies in the wild?  Is there a resource (site)
available with a list for me to use in order to perhaps blacklist the
URL's personally?  I often find myself studying my local cookies and
have noticed repeat offenders from very popular sites that I avoid now
because of this; and I believe such a public list would serve as a way
to prevent cookies from becoming too powerful or revealing.  A cookie
reporting service possibly.  Anyone with a link for this if it already
exists or with the energy to compile it yourself, go for it, and plz let
us know.

A far better approach is to use software that blocks *all* cookies, and
then have an exemption list for those sites that *YOU* visit that specifically
need cookies in order to function.

Remember - cookies as data harvesting tools only work because a large
percentage of people allow cookies.  If the *default* behavior of people
was to tolerate only cookies that allow (for instance) session management
of a single visit, or only retain very basic cross-session information,
then the site operators wouldn't have much reason to use cookies.

Something that's a *bigger* issue is probably the infamous "web bug", which
usually shows up as a 1x1 transparent pixel.  Now *THERE* is a area where
a "black list" might be more useful (because you can have an <IMG> tag
that points off-site to a tracking service, where the user may have
said "only allow cookies from this server").

There's Unix software for all this at www.junkbuster.com.  I have *NOT*
tried their Windows software.  It's not a *total* solution, but it's
a start.
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]