"Jeffrey W. Baker" wrote:
>
> On Thu, 11 May 2000, Marc Slemko wrote:
>
> > In reality, IE's recently publicized hole (which I reported to them, in a
> > slightly modified form, months ago but they didn't see fit to release a
> > patch...) doesn't change much.
> >
> > Hotmail? Yahoo mail? amazon.com? etc. Your cookies for all those sites
> > are vulnerable anyway due to the "cross site scripting" issue. This
> > particular hole in IE doesn't change things too much. Sure, there may be
> > the rare site that isn't vulnerable to cross site scripting. But that is
> > the very rare site, and most sites that think they aren't vulnerable are.
> >
> > Cookies are not secure and will never be secure. I have said it before
> > and will say it again many times before I die. Unfortunately, it isn't as
> > simple as saying "well, don't use cookies". There isn't much in the way
> > of alternatives for a lot of things...
>
> Cross-site scripting attacks are hard for most people to wrap their minds
> around. There are a zillion sites that are vulnerable, mainly because
> they parrot back to the user whatever they submitted without doing any
> validation or HTML/URL escaping. Then there are browser bugs that don't
> treat escaped characters properly. Sigh.
>
Whether we're talking about the IE bug, or cross-site scripting issues,
wouldn't the whole thing be solved by users turning *off* scripting and
leaving the cookies *on*? I.e., in what ways are cookies not safe if
scripting is turned off?
What great functionality is lost if users turn off their scripting?
Of course, this may be an abstract question in terms of programming, if
users *do* insist on enabling scripting.
I do notice that both Microsoft and CERT, in their different ways,
recommend that folks turn off scripting for best protection against
cross-site scripting attacks:
http://www.cert.org/advisories/CA-2000-02.html
http://www.microsoft.com/technet/security/crsstQS.asp
So maybe some will get the message.
Though making ridiculous recommendations like avoiding "promiscuous
browsing" (CERT's words) doesn't help.
And MS's recommendation simply eliminates E-mail-based attacks using
their product (Outlook), while leaving others exposed. They make it
ridiculously hard to turn off scripting, then show you how to do it only
in a limited way.
But it does seem like not even MS is saying "Don't accept cookies".
Though they're still pretty quiet on the latest IE hole.
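
The "parrot back whatever they submitted without HTML/URL escaping" pattern mentioned in the quoted message, next to a version that escapes per output context. This is an added example, not part of the original thread; the function names, the `/search` page and the sample input are hypothetical and constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample input: markup submitted in a form field.
SAMPLE = '"><script>alert(1)</script>'

def render_unsafe(term: str) -> str:
    """Echo the submitted value verbatim into three places on the page."""
    return (f'<p>You searched for: {term}</p>\n'
            f'<input name="q" value="{term}">\n'
            f'<a href="/search?q={term}">again</a>')

def render_escaped(term: str) -> str:
    """Same page, with the escaping chosen for each output context."""
    body = html.escape(term, quote=False)    # text node: & < >
    attr = html.escape(term, quote=True)     # attribute value: also " and '
    url = html.escape(quote(term, safe=""))  # URL component, then attribute
    return (f'<p>You searched for: {body}</p>\n'
            f'<input name="q" value="{attr}">\n'
            f'<a href="/search?q={url}">again</a>')

def reflected_raw(page: str, term: str) -> bool:
    """Naive check: does the submitted value appear byte-for-byte?

    Only meaningful for probe values that contain markup characters;
    a plain word is reflected unchanged by both renderers.
    """
    return term in page

if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        page = render(SAMPLE)
        print(render.__name__, "reflects raw input:", reflected_raw(page, SAMPLE))
        print(page, "\n")
```

The escaped version is safe whether or not the visitor has scripting enabled, which is why the fix belongs on the server that does the echoing.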