W3C home > Mailing lists > Public > www-talk@w3.org > March to April 2000

Cookies Security Vulabilities

From: Joris Dobbelsteen <j.p.tdobbelsteen@freeler.nl>
Date: Sun, 19 Mar 2000 22:49:56 +0100
To: <www-talk@w3.org>
Message-ID: <000601bf91ed$49e16c50$0d0aa8c0@Thuis.local>
Reseach Security Vulabilities by the use of cookies.

After someone on the radio complained about that cookies where a violation
to his privacy:
- They should get information about his browsing behaviour
- Access to this personal information (e-mail, name, e.d.)
- Pages provide cookies without noticing the user.
AND
	Pages were not available when he did not accept cookies.


Resulting:
--------------
Cookies are only used to esablish sessions on a session-less protocol (as
HTTP is). They are NOT a security vulability because cookies only can
contain information about what they know about you, and that is what YOU
send to them.
Also cookies are stored on clients hard drive and NOT on the server, however
the server do can log information, but this is also possible without
cookies.
Also (most) cookies have a short life-time and are discarted after a while.

This means:
- Don't fill in privacy information anywhere on the Internet.
- Ensure you don't send headers that may violate you privacy (like the FROM
or VIA header).
- It's recommended to send you personal information only over a secure
connection (HTTPS e.g.)

If a servers gets privacy information from you:
- It should not send privacy information in the cookie.
- Not distribute this information (law MAY prevent this)

What can a server do with a cookie (with privacy information)
- Track the browsing behaviour from a unknown user.
Tracking can be done otherwise, however, and most servers log the hits of
pages and record the times a link is pressed, but however these statistics
seem to be global, they can be mapped into a area or known to be from a
company (depending on the IP address and by doing a reverse domain-name
lookup). There are even free services on the Internet that can do this for
you!
- Use cookies permanently on a users computer track this browsing behaviour.

Common implementations of cookies:
- For a internet shop (shopping basket). (as in the RFC)
- Other web applications that require a session.



Cookies themselfs should NOT be considered as a violation of security and
privacy. There are other factors that violate the privacy and security.
The only way cookies ' violate ' - how you will call it? - you privacy is
the ability to track the browsing behaviour of an UNKNOWN user, but this was
also told in the RFC and can not be considered as a big security vulability.
And beside that, there are many other ways this can also be done.

SO:	There are other security vulabilities that violate you privacy. Cookies
can NOT do this.




Security Considerations when browsing on the Internet
----------------------------------------------------------------------------
---
	(Out of scope for this document)

Private information from a user can be obtained from a user by:
- asking the user for it (this should be considered safe, since the user is
aware)
- unsafe header fields in HTTP (e.g. From, Referer, Via e.d.)
- Scripts inside HTML documents that obtain information without the user
knowning it.
- Virusses that send data.
??? More ways ???

solutions:
Users SHOULD be able to disable the use of unsafe headers in both
user-agents and proxies (some provide this functionality)
Script engines SHOULD restrict file i/o and access to other locations that
MAY contain personal information by denying this functionality or warning
the user about a possible security warning.
Users SHOULD not download (or start) files where they don't know from that
they are safe and the use of updated virusscanners is recommanded.



	Does anyone have some comment on this conclusion????



	- Joris Dobbelsteen
Received on Sunday, 19 March 2000 16:50:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:24 GMT