
Re: Security: Cookies

From: Clover Andrew <aclover@1VALUE.com>
Date: Mon, 20 Mar 2000 09:09:58 +0100
Message-ID: <5F78AA062F6AD311A59000508B4AAF6D092AE6@pcs02>
To: "'www-talk@w3.org'" <www-talk@w3.org>
Antoni Matheu <amatheu@ati.es> wrote:

> I think that cookies do not send any information not previously
> stored in it, and this information has been available to the server
> by other means.

There is some risk in that it is not always obvious to whom information
is being sent.

Specifically, most browsers allow cookies to be sent and received on
embedded objects in a web page: frame, object, embed, and image.

When a user inputs a URL on www.a.com they are implicitly agreeing that
their access can be logged by a.com and may be used for marketing
purposes. However, if www.a.com/index.html includes an image stored
at images.b.com, the user will unknowingly be allowing b.com to log not
only the access to images.b.com, but also, by implication, the original
access to www.a.com. If b.com ensures that it has embedded images on
a great number of sites, it can use a cookie at images.b.com to tie
together accesses to all its partner sites and obtain a detailed
report on individuals' browsing habits.

More on this: http://www.tiac.net/users/smiths/privacy/banads.htm

The solution is to stop browsers from sending cookies to places the
user would not expect for the URL they typed. At the moment the best
one can do is use Internet Explorer's Zone feature to allow cookies
only on a few trusted sites, or turn cookies off in Netscape. The
'prompt on cookies' options tend to be impractical as one is then
barraged with cookie requests on many pages, making it tempting to
simply say "yes" to get the prompts to go away.

It strikes me Microsoft could blackmail DoubleClick for large sums
by threatening to set "don't allow cookies from embedded objects"
as the default in Internet Explorer.

-- 
Andrew Clover
Technical Support
1VALUE.com AG
Received on Monday, 20 March 2000 03:12:50 GMT
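An added illustration (not part of the message above, nor any browser's actual code) of the mechanism and the fix it discusses: a b.com tracker tying visits to partner sites together via its cookie, and a browser policy that refuses cookies on third-party embedded objects. It assumes the tracker learns the embedding page from the Referer header and approximates "same site" by the last two DNS labels, a stand-in for the public suffix list.

```javascript
// Added example: models images.b.com tracking across sites that embed its
// banner, and the "no cookies from embedded objects" browser policy.
// Assumptions: Referer reveals the embedding page; "same site" is the last two
// DNS labels (a simplification of the public suffix list).

function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// True when the embedded resource is served from a different site than the page.
function isThirdParty(pageUrl, resourceUrl) {
  return registrableDomain(new URL(pageUrl).hostname) !==
         registrableDomain(new URL(resourceUrl).hostname);
}

// Server side of images.b.com: records every Referer under the cookie id it sees.
function makeTracker() {
  let nextId = 1;
  const log = new Map(); // cookie id -> pages on which this user was seen
  return {
    log,
    handle(req) {
      const id = req.cookie || `uid${nextId++}`; // new visitor gets a fresh id
      if (!log.has(id)) log.set(id, []);
      log.get(id).push(req.referer);
      return { setCookie: id };
    },
  };
}

// Browser side: fetch one embedded object from `pageUrl`, applying the cookie policy.
function fetchEmbedded(jar, pageUrl, resourceUrl, policy, tracker) {
  const domain = registrableDomain(new URL(resourceUrl).hostname);
  const allowCookie = !(policy.blockThirdPartyCookies && isThirdParty(pageUrl, resourceUrl));
  const res = tracker.handle({ referer: pageUrl, cookie: allowCookie ? jar.get(domain) : undefined });
  if (allowCookie && res.setCookie) jar.set(domain, res.setCookie); // store only if allowed
}

// Constructed session: three unrelated sites all embed the same b.com banner.
// Returns the largest number of pages the tracker could link to one identifier.
function simulate(blockThirdPartyCookies) {
  const tracker = makeTracker();
  const jar = new Map(); // browser cookie jar, keyed by site
  const pages = ['http://www.a.com/index.html', 'http://www.c.com/news/', 'http://www.d.com/shop/'];
  for (const page of pages) {
    fetchEmbedded(jar, page, 'http://images.b.com/banner.gif', { blockThirdPartyCookies }, tracker);
  }
  return Math.max(...[...tracker.log.values()].map((seen) => seen.length));
}
```

With the policy off, `simulate(false)` links all three visits to one identifier; with it on, `simulate(true)` leaves each visit as an anonymous one-off.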