Re: making progress on State-Info from Koen Holtman on 1995-12-11 (ietf-http-wg@w3.org from October to December 1995)

From: Koen Holtman <koen@win.tue.nl>
Date: Mon, 11 Dec 1995 14:31:40 +0100 (MET)
To: "David W. Morris" <dwm@shell.portal.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <199512111331.OAA06269@wsooti04.win.tue.nl>

David W. Morris:
>
>On Sun, 10 Dec 1995, Koen Holtman wrote:
>
>>           host name has the form HOST.DOMAIN_NAME where HOST may not
>>           contain any periods.  Also, domains must have at least two
>>           (2) periods in them to prevent domains of the form: ".com"
>>           and ".edu".
>
>Well, your proposed rule would, if I understand it, preclude my host
>and root domain:
>   xpasc.com
>from using the facility.

If you have only one host, you do not need to share cookies between
hosts, so you have no use for the facility anyway.  Or do you also
have hosts like www1.xpasc.com and www2.xpasc.com?

I did not intend my proposed rule to be a 100% solution for this
problem: I think no rule that only uses simple minded matching on host
and domain names can be.

[...]
>In any case, if security is an issue, surely your hypothetical user will
>use SSL or SHTTP? Perhaps the protection should be based on some aspect
>of the SSL / SHTTP key certificate. 

My hypothetical user is not a computer expert: he will in general not
even be aware of the possibility that the web can be insecure, nor
will he know that he really ought to use secure protocols for some
applications.  Also, there is a 30% chance that the software used by
my hypothetical user does not support any form of encryption.

My hypothetical user will simply expect all shopping sites to work
with his software.  If acme.co.uk thinks he is called BILL_GATES, it
will be acme.co.uk that he will blame.  On broadcast TV.

As usual, it is the responsibility of the service provider to
implement a working site.  If the only way to prevent cookie spoofing
is to require your users to use a secure protocol (as seems to be the
case now), cookies become a lot less usable.

This brings the number of cookie disaster scenarios waiting to happen
to 2:

1) If less ethical service providers implement a large scale user
tracking scheme using persistent cookies, the discovery of that
scheme, and subsequent media coverage, may cause a crisis in user
trust that will impact on the acceptance of all web applications.

2) Sites may loose their reputation as a result of cookie spoofing
attacks.

>Dave Morris

Koen.

Received on Monday, 11 December 1995 05:35:31 UTC