On Thu, 11 May 2000, Marc Slemko wrote:
> In reality, IE's recently publicized hole (which I reported to them, in a
> slightly modified form, months ago but they didn't see fit to release a
> patch...) doesn't change much.
>
> Hotmail? Yahoo mail? amazon.com? etc. Your cookies for all those sites
> are vulnerable anyway due to the "cross site scripting" issue. This
> particular hole in IE doesn't change things too much. Sure, there may be
> the rare site that isn't vulnerable to cross site scripting. But that is
> the very rare site, and most sites that think they aren't vulnerable are.
>
> Cookies are not secure and will never be secure. I have said it before
> and will say it again many times before I die. Unfortunately, it isn't as
> simple as saying "well, don't use cookies". There isn't much in the way
> of alternatives for a lot of things...

Cross-site scripting attacks are hard for most people to wrap their minds
around. There are a zillion sites that are vulnerable, mainly because
they parrot back to the user whatever they submitted without doing any
validation or HTML/URL escaping. Then there are browser bugs that don't
treat escaped characters properly. Sigh.
Mayhaps will we have a cross-site scripting bof at oracon?
-jwb
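
The "parrot back without escaping" pattern described in the reply above, next to a version that escapes for each output context. This is an added example, not part of the original messages; the function names, the `/search` path and the sample input are assumptions constructed for illustration.

```python
import html
from urllib.parse import quote

# Characters that change meaning when they land in HTML markup.
HTML_METACHARS = set('<>"\'&')


def render_unsafe(query: str) -> str:
    """The pattern from the message: input is pasted into the page as-is."""
    return (
        f"<p>No results for {query}</p>\n"
        f'<a href="/search?q={query}">Search again</a>'
    )


def render_escaped(query: str) -> str:
    """Same page, with the input escaped for each context it lands in."""
    # HTML text context: neutralise <, >, &, and both quote characters.
    body_text = html.escape(query, quote=True)
    # URL query-value context: percent-encode everything that is not unreserved.
    url_value = quote(query, safe="")
    # The finished URL then sits inside an HTML attribute, so escape it again.
    href = html.escape(f"/search?q={url_value}", quote=True)
    return (
        f"<p>No results for {body_text}</p>\n"
        f'<a href="{href}">Search again</a>'
    )


def reflects_markup(page: str, submitted: str) -> bool:
    """Review check: did a value containing metacharacters come back verbatim?"""
    return bool(HTML_METACHARS & set(submitted)) and submitted in page


if __name__ == "__main__":
    # Constructed sample input: closes the attribute, then opens a new element.
    sample = '"><script>alert(1)</script>'
    for render in (render_unsafe, render_escaped):
        page = render(sample)
        print(render.__name__, "reflects markup:", reflects_markup(page, sample))
        print(page, end="\n\n")
```

Escaping on output covers only the server-side half of the problem; the browser bugs mentioned in the message are outside what this check can see.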