- From: Joris Dobbelsteen <j.p.tdobbelsteen@freeler.nl>
- Date: Sun, 19 Mar 2000 22:49:56 +0100
- To: <www-talk@w3.org>
Research: Security Vulnerabilities by the use of cookies.

After someone on the radio complained that cookies were a violation of his privacy:
- They should get information about his browsing behaviour
- Access to this personal information (e-mail, name, etc.)
- Pages provide cookies without the user noticing.
AND pages were not available when he did not accept cookies.

Resulting:
--------------
Cookies are only used to establish sessions on a session-less protocol (as HTTP is). They are NOT a security vulnerability because cookies can only contain information about what they know about you, and that is what YOU send to them. Also, cookies are stored on the client's hard drive and NOT on the server; however, the server can log information, but this is also possible without cookies. Also, (most) cookies have a short life-time and are discarded after a while.

This means:
- Don't fill in privacy information anywhere on the Internet.
- Ensure you don't send headers that may violate your privacy (like the FROM or VIA header).
- It's recommended to send your personal information only over a secure connection (HTTPS e.g.)

If a server gets privacy information from you:
- It should not send privacy information in the cookie.
- Not distribute this information (law MAY prevent this)

What can a server do with a cookie (with privacy information)?
- Track the browsing behaviour of an unknown user. Tracking can be done otherwise, however, and most servers log the hits of pages and record the times a link is pressed; but however global these statistics seem to be, they can be mapped into an area or known to be from a company (depending on the IP address and by doing a reverse domain-name lookup). There are even free services on the Internet that can do this for you!
- Use cookies permanently on a user's computer to track this browsing behaviour.

Common implementations of cookies:
- For an internet shop (shopping basket). (as in the RFC)
- Other web applications that require a session.
Cookies themselves should NOT be considered a violation of security and privacy. There are other factors that violate privacy and security. The only way cookies 'violate' - how will you call it? - your privacy is the ability to track the browsing behaviour of an UNKNOWN user, but this was also told in the RFC and can not be considered a big security vulnerability. And besides that, there are many other ways this can also be done.

SO: There are other security vulnerabilities that violate your privacy. Cookies can NOT do this.

Security Considerations when browsing on the Internet
----------------------------------------------------------------------------
(Out of scope for this document)

Private information can be obtained from a user by:
- asking the user for it (this should be considered safe, since the user is aware)
- unsafe header fields in HTTP (e.g. From, Referer, Via, etc.)
- Scripts inside HTML documents that obtain information without the user knowing it.
- Viruses that send data.
??? More ways ???

Solutions:
- Users SHOULD be able to disable the use of unsafe headers in both user-agents and proxies (some provide this functionality).
- Script engines SHOULD restrict file I/O and access to other locations that MAY contain personal information by denying this functionality or warning the user about a possible security warning.
- Users SHOULD not download (or start) files when they don't know that they are safe, and the use of updated virus scanners is recommended.

Does anyone have some comment on this conclusion????

- Joris Dobbelsteen
Received on Sunday, 19 March 2000 16:50:35 UTC
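Added example, not part of the post or of anything on www-talk: a small Python filter in the spirit of the "Solutions" above. It strips the From, Via and Referer headers the post names from an outgoing request, and it audits Set-Cookie headers in a response for the two things the post warns about: cookies that persist on the user's disk (Expires or Max-Age present) and cookies that embed privacy information (here, an e-mail address). The sample request, response and hostnames are constructed for the example.

```python
import re

# Request headers the post singles out as leaking information about the user.
UNSAFE_REQUEST_HEADERS = {"from", "via", "referer"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample traffic (not from the original post); hostnames are placeholders.
SAMPLE_REQUEST = (
    "GET /basket HTTP/1.1\r\nHost: shop.example\r\nFrom: alice@example.org\r\n"
    "Via: 1.1 proxy.example\r\nReferer: http://other.example/private/page\r\n"
    "Cookie: session=abc123\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: uid=alice@example.org; Expires=Wed, 19 Mar 2003 00:00:00 GMT\r\n"
    "Set-Cookie: tracker=9f3; Max-Age=31536000\r\n\r\n"
)

def strip_unsafe_headers(raw_request):
    """Return the request with From/Via/Referer removed; other headers untouched."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]]  # keep the request line as-is
    for line in lines[1:]:
        name = line.split(":", 1)[0].strip().lower()
        if name not in UNSAFE_REQUEST_HEADERS:
            kept.append(line)
    return "\r\n".join(kept) + sep + body

def classify_set_cookie(value):
    """Flag a Set-Cookie that outlives the session or embeds an e-mail address."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return {
        "name": name.strip(),
        "persistent": bool(attrs & {"expires", "max-age"}),  # survives browser exit
        "contains_email": bool(EMAIL_RE.search(cookie_value)),
    }

def audit_response(raw_response):
    """Classify every Set-Cookie header in a raw HTTP response."""
    head = raw_response.partition("\r\n\r\n")[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, val = line.partition(":")
        if name.strip().lower() == "set-cookie":
            findings.append(classify_set_cookie(val.strip()))
    return findings
```

On the constructed sample, only `session` is a plain session cookie; `uid` is both persistent and carries an e-mail address, and `tracker` is a year-long persistent identifier.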