On Fri, 12 May 2000, Jay Jacobs wrote:
> The issue isn't the technical aspects of the bug, or even the fact that
> users don't have to turn off cookies to fix the bug... the issue is that
> this, with help from the talented press, will cause more people to simply
> disable cookies whether right or wrong.
I second that.
> This ties back into a previous discussion about storing sessions (or
> session_id) in a cookie and how reliable (or unreliable) that is.
I think a hybrid of cookie/URI_embedding is the only way to go. If a user
supports cookies, shoot it out, if not rewrite URIs. I know it sucks but
JavaScript and HTML designers are always developing a different version of
their work for each platform...
> Jay Jacobs
> LachNet Inc.
>
>
> On Fri, 12 May 2000, Keith G. Murphy wrote:
>
> > "Jeffrey W. Baker" wrote:
> > >
> > > On Thu, 11 May 2000, Marc Slemko wrote:
> > >
> > > > In reality, IE's recently publicized hole (which I reported to them, in a
> > > > slightly modified form, months ago but they didn't see fit to release a
> > > > patch...) doesn't change much.
> > > >
> > > > Hotmail? Yahoo mail? amazon.com? etc. Your cookies for all those sites
> > > > are vulnerable anyway due to the "cross site scripting" issue. This
> > > > particular hole in IE doesn't change things too much. Sure, there may be
> > > > the rare site that isn't vulnerable to cross site scripting. But that is
> > > > the very rare site, and most sites that think they aren't vulnerable are.
> > > >
> > > > Cookies are not secure and will never be secure. I have said it before
> > > > and will say it again many times before I die. Unfortunately, it isn't as
> > > > simple as saying "well, don't use cookies". There isn't much in the way
> > > > of alternatives for a lot of things...
> > >
> > > Cross-site scripting attacks are hard for most people to wrap their minds
> > > around. There are a zillion sites that are vulnerable, mainly because
> > > they parrot back to the user whatever they submitted without doing any
> > > validation or HTML/URL escaping. Then there are browser bugs that don't
> > > treat escaped characters properly. Sigh.
> > >
> > Whether we're talking about the IE bug, or cross-site scripting issues,
> > wouldn't the whole thing be solved by users turning *off* scripting and
> > leaving the cookies *on*? I.e., in what ways are cookies not safe if
> > scripting is turned off?
> >
> > What great functionality is lost if users turn off their scripting?
> >
> > Of course, this may be an abstract question in terms of programming, if
> > users *do* insist on enabling scripting.
> >
> > I do notice that both Microsoft and CERT, in their different ways,
> > recommend that folks turn off scripting for best protection against
> > cross-site scripting attacks:
> >
> > http://www.cert.org/advisories/CA-2000-02.html
> > http://www.microsoft.com/technet/security/crsstQS.asp
> >
> > So maybe some will get the message.
> > Though making ridiculous recommendations like avoiding "promiscuous
> > browsing" (CERT's words) doesn't help.
> > And MS's recommendation simply eliminates E-mail-based attacks using
> > their product (Outlook), while leaving others exposed. They make it
> > ridiculously hard to turn off scripting, then show you how to do it only
> > in a limited way.
> >
> > But it does seem like not even MS is saying "Don't accept cookies".
> > Though they're still pretty quiet on the latest IE hole.
> >
>
>
______________________________________________________________________
Stas Bekman | JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ | mod_perl Guide http://perl.apache.org/guide
mailto:[EMAIL PROTECTED] | http://perl.org http://stason.org/TULARC/
http://singlesheaven.com| http://perlmonth.com http://sourcegarden.org
----------------------------------------------------------------------
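
The hybrid cookie/URI approach suggested in the reply above, sketched as an added example that is not code from the thread or from mod_perl. The parameter name `sid`, the 32-hex-character id format, the use of `/dev/urandom` and all function names are assumptions made for illustration.

```perl
# Added example, not code from this thread. Assumes a session id of 32 hex
# characters carried in a cookie or query parameter named "sid".
use strict; use warnings;
my $SID_RE = qr/\A[0-9a-f]{32}\z/;

sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    return unpack 'H*', $buf;
}
# Look for a valid id in the Cookie header first, then in the query string.
# The id is later written into HTML, so anything but plain hex is dropped.
sub find_session {
    my ($cookie_header, $query_string) = @_;
    for my $src ([cookie => $cookie_header, qr/;\s*/], [uri => $query_string, qr/[&;]/]) {
        my ($via, $raw, $sep) = @$src;
        for my $pair (split $sep, $raw // '') {
            my ($k, $v) = split /=/, $pair, 2;
            return ($v, $via) if defined $v && $k eq 'sid' && $v =~ $SID_RE;
        }
    }
    return;
}
# Append the id to relative links only (it can still leak through Referer).
sub rewrite_links {
    my ($html, $sid) = @_;
    $html =~ s{(href=")(?![a-z][a-z0-9+.-]*:|//)([^"#]+)}
              {$1 . $2 . (index($2, '?') >= 0 ? '&amp;' : '?') . "sid=$sid"}gie;
    return $html;
}
# Cookie came back: plain page. Otherwise keep the id in the links. A first
# request gets both, since cookie support is not yet known.
sub respond {
    my ($cookie_header, $query_string, $html) = @_;
    my ($sid, $via) = find_session($cookie_header, $query_string);
    my @headers;
    unless (defined $sid) {
        ($sid, $via) = (new_session_id(), 'new');
        push @headers, "Set-Cookie: sid=$sid; Path=/; HttpOnly";
    }
    $html = rewrite_links($html, $sid) unless $via eq 'cookie';
    return (\@headers, $html);
}

# Constructed sample requests: no session, cookie returned, cookie refused.
my $sid  = '0123456789abcdef0123456789abcdef';
my $page = '<a href="cart.pl?item=3">cart</a> <a href="http://example.com/">out</a>';
for my $req ([undef, undef], ["lang=en; sid=$sid", ''], ['', "item=3&sid=$sid"]) {
    my ($headers, $body) = respond(@$req, $page);
    print join("\n", @$headers, $body), "\n\n";
}
```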