I'm not sure .. of course all the reports I've seen are going for shock
value and leaving the technical details useful to the rest of us out.  You
could test it I suppose.  You could set such a cookie on your computer and
then go to the test site mentioned in the article and see if the exploit can
find your cookie .. it gives you the option to type in a specific domain
name to search for.  It would be really kinda cool if it wasn't a potential
hazard.

BTW, Amazon and friends encrypt their cookies, from what I've heard.  Anyone
have any CF related info on doing the same?

.Todd

----- Original Message -----
From: Steve Aylor <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 16, 2000 5:39 PM
Subject: Re: "You have nice cookies .. mind if I have a look?"


>
> > Like I said .. turning off cookies won't save you from someone getting to
> > the cookies you already have stored on your machine.  Besides, the problem
> > ISN'T with cookies .. it's with crappy MS security .. surprise, surprise.
> > Notice how the only people affected by this at all are people using IE and
> > Windows ... quite the dynamic duo.
>
> The problem has NEVER "really" been about cookies anyway.  It's the
> "PERCEPTION" of what site developers may or may not be storing in cookies
> that is freakin out the surfers/users at large.  And these whores in the
> media are just trying to capitalize on this overblown issue as a way to pump
> up the banner ad impressions and click thru's. The media should be roasting
> the site developers that place sensitive info in cookies, and do a more
> thorough job of discussing the real issues.
>
> Hardly any "secure" sites are storing "sensitive" information in a cookie.
> Decent security for web sites is based on both something you "have", and
> something you "know"  - not just a cookie's value - sensitive or
> insensitive. If a web site's sole security mechanism is cfid & cftoken - I'd
> have to say then it's flawed and needs to be fixed - the solution isn't to
> eradicate cookies - fix the security model.  If someone can buy stuff from
> Amazon.com based solely on the value they store in my cookie - then I'd have
> to say that Amazon.com's "Patented 1 - Click" checkout horse pucky is
> severely flawed - as well as MS's IE. Maybe Amazon should have spent the $$$
> on security experts vs. patent attorneys......
>
> > Netscape doesn't have this problem and
> > neither do any other operating systems.  I say don't worry about it and use
> > your cookies .. just, now we have to take on the added responsibility of
> > designing our sites to provide Microsoft's cookie security for them.  Now ..
> > anyone have any useful ideas on how to do this?
>
> Does the security breach discussed apply where the developer is setting
> cookies to be seen only by webservers in the "domain" that set the cookie??
> Isn't that a specific cookie setting "option"?
>
> well... gotta go... .. got to go turn off Javascript in many computers
> now.... sheeeeesh
>
> Steve

------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
