Bugtraq mailing list archives
Re: Evil Cookies.
From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Mon, 7 Feb 2000 17:18:17 -0600
Thomas Reinke wrote:
There is no easy patch to this problem. The only solution I can think of, which is not an easy one, would be to have browsers have intimate knowledge of what constitutes an organization's "domain of influence", and limit cookies accordingly. This is essentially impossible to implement.
A better solution would be explicit (ie: finer grained) control of cookies. Not as finely grained as the prompt option of Lynx, but more specific than the current Netscape settings.
(Consider domain.city.state.country - where is the allowable domain of influence here? Probably 4 levels deep, but how to indicate this to the browser).
Perhaps this would be an exercise best left up to the user, as there is currently no way to indicate the scope of the authority (harmless TLD, country, normal domain, etc) in the DNS system. [snip]
Unless someone can think of some sinister twist to which this capability can be put to use?
Considering the recent doubleclick.net situation, by which they were able to track people across all sites that had doubleclick.net banners (thanks to the cookie specification allowing for cookies to be sent with images as well as HTML content), and were able to correlate this with a database the company had merged with earlier in the year. They claimed they'd not used the information for tracking, and were found to be lying. They've once again claimed to allow people to opt out via another cookie, and are currently being sued in California. This is why I recommend using a tool like junkbuster (http://www.junkbuster.com and http://www.waldherr.org/junkbuster/ ) which allows explicit "opt in" cookie control for domains that is transparent to the end user (once it is set as a proxy via a manual setting or auto configure URL). You can set it to deny or allow all cookies by default, and it allows for exclusions to the deny policy of read only cookies, and read write cookies (ie: certain domains can get and set, while others can only get).
--
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
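As an added example (not code from this thread, and not junkbuster's own code or cookiefile syntax), the following Python applies the RFC 2109 rules for a Set-Cookie Domain attribute, which are the specification's answer to the "domain of influence" question above, and layers on a hypothetical per-domain opt-in table with the read-only / read-write distinction described for a filtering proxy. The POLICY format and the .example hostnames are constructed for illustration.

```python
from typing import Optional

def domain_matches(host: str, domain: str) -> bool:
    """RFC 2109 domain-match: equal strings, or host is N + domain with a dotted domain."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)

def parse_set_cookie(header: str):
    """Split 'name=value; Domain=.x.example; Path=/' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def domain_acceptable(host: str, domain: Optional[str]) -> bool:
    """RFC 2109 Set-Cookie Domain rules: leading dot, an embedded dot (so '.example'
    alone is too broad), domain-match of the request host, and a dot-free host prefix."""
    if domain is None:
        return True                      # no Domain attribute: scoped to the host itself
    domain = domain.lower().rstrip(".")
    if not domain.startswith(".") or "." not in domain[1:]:
        return False
    if not domain_matches(host, domain):
        return False
    return "." not in host.lower()[: -len(domain)]

# Hypothetical opt-in table (constructed, not junkbuster's real cookiefile format): unlisted
# domains are denied, "read" lets the browser send stored cookies, "readwrite" also lets the
# domain set new ones.
POLICY = {".shop.example": "readwrite", ".news.example": "read"}

def policy_for(host: str) -> str:
    for dom, mode in POLICY.items():
        if host.lower() == dom.lstrip(".") or domain_matches(host, dom):
            return mode
    return "deny"

def allow_set_cookie(request_host: str, header: str) -> bool:
    """Should a filtering proxy pass this Set-Cookie header from request_host through?"""
    _, _, attrs = parse_set_cookie(header)
    return policy_for(request_host) == "readwrite" and domain_acceptable(request_host, attrs.get("domain"))

def allow_send_cookie(request_host: str) -> bool:
    """Should the proxy forward the browser's Cookie header to request_host?"""
    return policy_for(request_host) in ("read", "readwrite")
```

The third-party banner case from the post maps onto an unlisted ad host: even a Domain attribute that is valid for the ad server's own domain is dropped because no opt-in entry exists.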