On Fri, 12 May 2000, Stas Bekman wrote:

> 
> For all those who favor chocolate cookies (mostly related to the latest
> discussion about the sessions):
> 
> IE hole exposes Web surfers' private data:  Microsoft is working on a
> patch that will prevent its Internet Explorer browser from inadvertently
> letting Web sites peer into any visitor's cookie files.
> http://2.digital.cnet.com/cgi-bin2/flo?x=dAEoBmhggowKmYuum
> http://slashdot.org/articles/00/05/11/173257.shtml
> 
> Now, think how many users will go use another similar service if yours
> will force using cookies. No kidding, press (and the reality) teaches
> people what to do and what not. It will take a while before the cookies
> will be turned on by these frightened IE users, but I'm sure long time
> before there will be another bug announced, so people will stop using them
> at all. I can see a scenario where the "user-friendly" M$ will start
> shipping IE preconfigured with cookies turned off.
> 
> M$ doesn't only prevent technologies from emerging, it also renders the
> existing ones useless. This sucks!

In reality, IE's recently publicized hole (which I reported to them, in a
slightly modified form, months ago but they didn't see fit to release a
patch...) doesn't change much.

Hotmail?  Yahoo mail?  amazon.com?  etc.  Your cookies for all those sites
are vulnerable anyway due to the "cross site scripting" issue.  This
particular hole in IE doesn't change things too much.  Sure, there may be
the rare site that isn't vulnerable to cross site scripting.  But that is
the very rare site, and most sites that think they aren't vulnerable are.

Cookies are not secure and will never be secure.  I have said it before
and will say it again many times before I die.  Unfortunately, it isn't as
simple as saying "well, don't use cookies".  There isn't much in the way
of alternatives for a lot of things...
