IE6 Privacy and Secure Web Site

From: dross@ITWSouthland.com
Date: 01/23/02


To: focus-ms@securityfocus.com
From: dross@ITWSouthland.com
Date: Wed, 23 Jan 2002 12:22:20 -0500

Internet Explorer 6 security settings: cookies and secure web sites.

Internet Explorer 6 has the ability to set the level of security (Privacy)
for the cookies a web site places in the internet files folder. The default
setting is set to medium.

Example:
User goes to a web site to access secure data. The user is prompted for
logon and password. The logon proceeds fine, but when the user attempts to
use the features of the secure web site they are prompted to enable cookies
in their browser. Cookies are enabled by default in the browser
(IE6/Privacy) set to medium. To enable the features of the secure web site
the privacy setting must be set to low. The secure web site then places two
cookies in the internet file folder. The first cookie contains the logon
information for the user and remains (Persistent) in the internet file
folder after the user has logged off the site. The second cookie contains
the web IP of the user and disappears (Session) after the user has logged
off. The data stored within the first cookie is not encrypted; the logon is
displayed as clear text and the password as ???. The logon is set by the
secure web site and is a value which should never be used as a logon and
the password is limited in set and size.

This does not seem to be safe and secure.
With about nine, or is it eleven, unresolved vulnerabilities currently in IE6,
the following settings have been made to the browser.

IE6 Advanced Settings
Under Security Check: Do not save encrypted pages to disk
and Empty Temporary Internet Files folder when browser is closed

Have the user manually: Delete Cookies...Delete Files...and reset the
Privacy setting to medium (prefer medium high) after logging off secure web
site.

Recommendations please: is this a problem with IE6, the secure web site and
the use of cookies, or both?

Daniel Ross
System Support Analyst
ITW Southland
dross@itwsouthland.com
(757) 213-2445
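
The cookie behaviour described in the post above can be checked from the site's response headers. The following is an added example, not part of the original post or the site it describes: a Python check that classifies each Set-Cookie header as persistent or session and flags persistent cookies that look like logon data, or cookies sent without the Secure attribute. The header lines, cookie names and the name heuristic are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample headers modelled on the post: one persistent cookie
# holding the logon in clear text, one session cookie holding the client IP.
SAMPLE_HEADERS = [
    "logon=jdoe; expires=Fri, 31 Dec 2010 23:59:59 GMT; path=/",
    "clientip=192.0.2.10; path=/; secure",
]

# Assumed heuristic: cookie names that suggest credential material.
CREDENTIAL_HINTS = ("logon", "login", "user", "pass", "pwd")


def audit_set_cookie(header):
    """Return one finding dict per cookie found in a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        # A cookie with Expires or Max-Age is written to disk and outlives
        # the browser session; without either it is a session cookie.
        persistent = bool(morsel["expires"] or morsel["max-age"])
        issues = []
        if persistent and any(h in name.lower() for h in CREDENTIAL_HINTS):
            issues.append("credential-like value stored on disk")
        if not morsel["secure"]:
            issues.append("no Secure attribute: may be sent over plain HTTP")
        findings.append({
            "name": name,
            "lifetime": "persistent" if persistent else "session",
            "issues": issues,
        })
    return findings


def audit_response(headers):
    """Audit every Set-Cookie value of one response, in order."""
    return [f for h in headers for f in audit_set_cookie(h)]


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding["name"], finding["lifetime"], finding["issues"] or "ok")
```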


