On Thu, 27 Apr 2000, Nick Tonkin wrote:

> On Thu, 27 Apr 2000, Marc Slemko wrote:
> 
> > Cookies are not secure and will never be secure.  They may be "good
> > enough", and you may not have much choice, but they are still simply not
> > secure when you put everything together.
> 
> Can you be more specific about why you say that? If I set an encrypted,
> short-lived cookie upon validated authentication, why is that any less
> secure than any of the other approaches you mentioned?

It isn't necessarily any "less secure", but you just have to understand
and properly manage what it opens you up to.  I'm not suggesting
alternatives because they are very limited.

What it means is that if anyone can make a normal user (e.g. JavaScript
enabled, etc.) follow an arbitrary link while they have that cookie, then
the cookie can be stolen, either through "cross site scripting" type
attacks (and I can guarantee you that if you have a site with any real
amount of dynamic content, you are almost certain to be vulnerable) or
browser specific bugs that have been or will be made known.

Sure, there is a limited time period during which that risk may be open.  
Compared to a crazy site like barnesandnoble.com, where if you enable
their fast checkout, then a cookie is stored that will give you full
access to your account forever without entering any more information; you
can even change your password, etc. without having to know the current
one.

Sure, you have to get the user to follow an arbitrary link, but that is
downright easy in many cases.  Granted, a lot easier for a site like
amazon.com than joescornergrocerystore.com.

But the risks are very real and very poorly understood.  However, they
will be problems for years to come.  The only way they will stop being a
problem is if people deploy and use a real authentication method designed
for authentication with very controlled access, instead of tacking it onto
cookies that are wide open.
