RE: How secure are cookies ?
From: Alexander Sarras (SEA) (Alexander.Sarras@sea.ericsson.se)
Date: 08/30/01
- Previous message: Tony Welsh: "RE: How secure are cookies ?"
- Maybe in reply to: Walker Andrew: "How secure are cookies ?"
- Next in thread: Pradeep Kumar: "RE: How secure are cookies ?"
- Reply: Pradeep Kumar: "RE: How secure are cookies ?"
Message-ID: <F0F5F5C6F71AD5119D380008C75DA44C69E244@eatvint902>
From: "Alexander Sarras (SEA)" <Alexander.Sarras@sea.ericsson.se>
To: "'Pradeep Kumar'" <pradeep.pillai@nexsi.com>, "Tarek W." <tarek@cyberia.net.lb>, security-basics@securityfocus.com
Subject: RE: How secure are cookies ?
Date: Thu, 30 Aug 2001 08:42:03 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
It's not the cookies that hurt; just like a hammer, it's the misuse. A
lot of so-called secure sites with logins use cookies with plaintext
information, constant session IDs and other niceties. Cookies can
be redirected and/or sniffed. So much for security.
So the problem is not that there are cookies, it's that most misuse
them. BTW, in most cases they're unnecessary, too, from a user's point
of view. Most times they are used for surf control and tracking and
I'm just too mistrusting for that.
Crowbars aren't a security risk per se. They are a tool. If a cop sees
you wandering around with one on the parking deck he might just get a
little suspicious. Same goes for me and cookies.
Maybe we should make a contest on this list. Think up applications
needing cookies, and then try to design a workaround which doesn't
use cookies at all. I suppose you could get by without those little
rats, which would show them to be a complete waste of bandwidth.
m 2EUR
SaS
- --
Dr. Alexander Sarras
Product Unit Enterprise Communication Systems
Ericsson Enterprise AB
Tel: +43/1/811 00 4668
Fax: +43/1/811 00 11 4668
email: Alexander.Sarras@ericsson.com
> -----Original Message-----
> From: Pradeep Kumar [mailto:pradeep.pillai@nexsi.com]
> Sent: Thursday, August 30, 2001 12:12 AM
> To: Tarek W.; security-basics@securityfocus.com
> Subject: RE: How secure are cookies ?
>
>
> Cookies don't hurt. Whoever says Cookies compromise security
> doesn't know what cookies are.
>
>
> For a test, set a cookie server and sniff the packets. See
> what it has to say.
>
>
>
>
> -----Original Message-----
> From: Tarek W. [mailto:tarek@cyberia.net.lb]
> Sent: Wednesday, August 29, 2001 9:02 AM
> To: security-basics@securityfocus.com
> Subject: RE: How secure are cookies ?
>
>
> At 05:45 PM 8/29/2001, you wrote:
> >Within an intranet environment?
> >
> >Normally, cookies are not safe with an experienced cracker lurking about.
> >They can use the cookie's information for various exploits. Be careful when
> >using cookies or accepting cookies. There are cookie monitoring programs
> >out there in the market. I think a really good one is cookie police or cookie
> >patrol, something like that. On my browsers, I enabled prompt me every time a
> >cookie is to be downloaded and etc. However, this gets so annoying after a
> >while because every web site you go to, it appears that they have a million
> >cookies to load.
> >[...]
>
> Also, be alert to the fact that Javascript leaves cookies on ur system too,
> God only knows what Java applets do behind ur back... I've been surfing the
> net on a Windows machine with javascript disabled for 4 years!
>
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBO43gPH/j44UBWb5aEQJ2vQCfXYzqFBtpDBUgdB/7qeUtm3997OQAoJ8g
N87DD51Ssuh6KFelwaLLtN+g
=dR2a
-----END PGP SIGNATURE-----
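Added example, not part of the original message or thread: a small audit of a site's own Set-Cookie headers for the three misuses named above (readable information in the value, a constant session id, and cookies that can be sniffed because they are sent without the Secure attribute). The cookie names, values and the name hints used to spot session cookies are constructed assumptions.

```python
import base64
import binascii

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, set of lowercase attribute names)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    return name, value, {a.partition("=")[0].lower() for a in attrs if a}

def decoded_text(value):
    """Return the text if value is base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text and text.isprintable() else None

def audit(login_a, login_b, session_hints=("sess", "auth", "tok")):
    """Compare cookies set on two logins; return {cookie name: [findings]}."""
    second = {n: v for n, v, _ in map(parse_set_cookie, login_b)}
    report = {}
    for name, value, attrs in map(parse_set_cookie, login_a):
        findings = []
        if "secure" not in attrs:
            findings.append("no Secure attribute: sent over plain HTTP, can be sniffed")
        if decoded_text(value):
            findings.append("readable after base64 decode: " + decoded_text(value))
        # session_hints is a naming heuristic (assumption), not a standard.
        if any(h in name.lower() for h in session_hints) and second.get(name) == value:
            findings.append("same value on a second login: constant session id")
        if findings:
            report[name] = findings
    return report

# Constructed sample: Set-Cookie headers from two logins to a hypothetical test site.
PROFILE = base64.b64encode(b"user=alice;role=admin").decode()
LOGIN_1 = ["SESSIONID=1001; Path=/", f"auth={PROFILE}; Path=/",
           "tok=9f2c7e41b8a34d06a1c5e0f7d2b69a83; Path=/; Secure; HttpOnly"]
LOGIN_2 = ["SESSIONID=1001; Path=/", f"auth={PROFILE}; Path=/",
           "tok=c41d0a97e5f2483bb07e6d1a3f58c2e9; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for cookie, findings in audit(LOGIN_1, LOGIN_2).items():
        for finding in findings:
            print(f"{cookie}: {finding}")
```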