RE: How secure are cookies ?

From: Gregory_DeGennaro@csaa.com
Date: 08/30/01


Message-ID: <97E963187BE1D211AF210008C7916094062C88F1@EXCHMO03>
From: Gregory_DeGennaro@csaa.com
To: Alexander.Sarras@sea.ericsson.se, pradeep.pillai@nexsi.com, tarek@cyberia.net.lb, security-basics@securityfocus.com
Subject: RE: How secure are cookies ?
Date: Thu, 30 Aug 2001 13:58:21 -0700

Absolutely true.

So, use a more secured authentication ... which was my point at the
beginning of this thread.

Unless it is going to be used in an intranet environment. However, think
twice about doing that as well.

By the way, what is a parkdeck? ... :-)

-----Original Message-----
From: Alexander Sarras (SEA) [mailto:Alexander.Sarras@sea.ericsson.se]
Sent: Wednesday, August 29, 2001 11:42 PM
To: 'Pradeep Kumar'; Tarek W.; security-basics@securityfocus.com
Subject: RE: How secure are cookies ?

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's not the cookies that hurt; just like with a hammer, it's the misuse. A
lot of so-called secure sites with logins use cookies with plaintext
information, constant session IDs and other niceties. Cookies can
be redirected and/or sniffed. So much for security.

So the problem is not that there are cookies; it's that most misuse
them. BTW, in most cases they're unnecessary, too, from a user's point
of view. Most times they are used for surf control and tracking, and
I'm just too mistrusting for that.

Crowbars aren't a security risk per se. They are a tool. If a cop sees
you wandering around with one on the parkdeck he might just get a
little suspicious. Same goes for me and cookies.

Maybe we should make a contest on this list. Think up applications
needing cookies, and then try to design a workaround which doesn't
use cookies at all. I suppose you could get by without those little
rats, which would show them to be a complete waste of bandwidth.

m 2EUR
SaS
- --
Dr. Alexander Sarras
Product Unit Enterprise Communication Systems
Ericsson Enterprise AB

Tel: +43/1/811 00 4668
Fax: +43/1/811 00 11 4668
email: Alexander.Sarras@ericsson.com
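The misuse Sarras describes (identity and privilege stored as plaintext in the cookie, a constant session ID, a cookie readable on the wire) shown beside the corrected pattern, as an added example that is not part of the original thread. The server key, cookie names and the HMAC-signed opaque session ID are assumptions for illustration, not anything the thread prescribes.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed key for the example; a real server loads this from a secrets store.
SERVER_KEY = b"example-only-server-key"

def weak_cookie(username: str, role: str) -> str:
    """The misuse from the thread: identity and privilege as plaintext.
    Anyone who sniffs or edits this cookie can choose any user and any role."""
    return f"user={username}; role={role}"

def weak_parse(cookie_header: str) -> dict:
    """A server that simply believes the cookie: no proof of origin at all."""
    c = SimpleCookie()
    c.load(cookie_header)
    return {k: m.value for k, m in c.items()}

def new_session_id() -> str:
    # Fresh, unguessable ID per login instead of a constant session ID.
    return secrets.token_urlsafe(32)

def sign(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def hardened_cookie(session_id: str) -> str:
    """Opaque, signed session reference; all user data stays server-side.
    Secure keeps it off plaintext HTTP (no sniffing), HttpOnly keeps it away
    from scripts, SameSite limits cross-site replay."""
    c = SimpleCookie()
    c["sid"] = f"{session_id}.{sign(session_id)}"
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()

def parse_session(cookie_header: str):
    """Return the session ID only if the cookie carries a valid MAC, else None."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    sid, _, mac = c["sid"].value.rpartition(".")
    if not sid or not hmac.compare_digest(mac, sign(sid)):
        return None  # forged or tampered value
    return sid
```

The weak server accepts whatever `role` the client sends; the hardened server only learns which server-side session the client holds, and rejects any value it did not sign.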


