The issue isn't the technical aspects of the bug, or even the fact that
users don't have to turn off cookies to fix the bug... the issue is that
this, with help from the talented press, will cause more people to simply
disable cookies whether right or wrong.  

This ties back into a previous discussion about storing sessions (or
session_id) in a cookie and how reliable (or unreliable) that is.

Jay Jacobs
LachNet Inc.


On Fri, 12 May 2000, Keith G. Murphy wrote:

> "Jeffrey W. Baker" wrote:
> > 
> > On Thu, 11 May 2000, Marc Slemko wrote:
> > 
> > > In reality, IE's recently publicized hole (which I reported to them, in a
> > > slightly modified form, months ago but they didn't see fit to release a
> > > patch...) doesn't change much.
> > >
> > > Hotmail?  Yahoo mail?  amazon.com?  etc.  Your cookies for all those sites
> > > are vulnerable anyway due to the "cross site scripting" issue.  This
> > > particular hole in IE doesn't change things too much.  Sure, there may be
> > > the rare site that isn't vulnerable to cross site scripting.  But that is
> > > the very rare site, and most sites that think they aren't vulnerable are.
> > >
> > > Cookies are not secure and will never be secure.  I have said it before
> > > and will say it again many times before I die.  Unfortunately, it isn't as
> > > simple as saying "well, don't use cookies".  There isn't much in the way
> > > of alternatives for a lot of things...
> > 
> > Cross-site scripting attacks are hard for most people to wrap their minds
> > around.  There are a zillion sites that are vulnerable, mainly because
> > they parrot back to the user whatever they submitted without doing any
> > validation or HTML/URL escaping.  Then there are browser bugs that don't
> > treat escaped characters properly.  Sigh.
> > 
> Whether we're talking about the IE bug, or cross-site scripting issues,
> wouldn't the whole thing be solved by users turning *off* scripting and
> leaving the cookies *on*?  I.e., in what ways are cookies not safe if
> scripting is turned off?
> 
> What great functionality is lost if users turn off their scripting?
> 
> Of course, this may be an abstract question in terms of programming, if
> users *do* insist on enabling scripting.
> 
> I do notice that both Microsoft and CERT, in their different ways,
> recommend that folks turn off scripting for best protection against
> cross-site scripting attacks:
> 
> http://www.cert.org/advisories/CA-2000-02.html
> http://www.microsoft.com/technet/security/crsstQS.asp
> 
> So maybe some will get the message.
> Though making ridiculous recommendations like avoiding "promiscuous
> browsing" (CERT's words) doesn't help.
> And MS's recommendation simply eliminates E-mail-based attacks using
> their product (Outlook), while leaving others exposed.  They make it
> ridiculously hard to turn off scripting, then show you how to do it only
> in a limited way.
> 
> But it does seem like not even MS is saying "Don't accept cookies". 
> Though they're still pretty quiet on the latest IE hole.
> 
