At 07:28 PM 5/12/00 +0300, Stas Bekman wrote:
>On Fri, 12 May 2000, Keith G. Murphy wrote:
>
> > "Jeffrey W. Baker" wrote:
> > >
> > > On Thu, 11 May 2000, Marc Slemko wrote:
> > >
> > > > In reality, IE's recently publicized hole (which I reported to them, in a
> > > > slightly modified form, months ago but they didn't see fit to release a
> > > > patch...) doesn't change much.
> > > >
> > > > Hotmail?  Yahoo mail?  amazon.com?  etc.  Your cookies for all those sites
> > > > are vulnerable anyway due to the "cross site scripting" issue.  This
> > > > particular hole in IE doesn't change things too much.  Sure, there may be
> > > > the rare site that isn't vulnerable to cross site scripting.  But that is
> > > > the very rare site, and most sites that think they aren't vulnerable are.
> > > >
> > > > Cookies are not secure and will never be secure.  I have said it before
> > > > and will say it again many times before I die.  Unfortunately, it isn't as
> > > > simple as saying "well, don't use cookies".  There isn't much in the way
> > > > of alternatives for a lot of things...
> > >
> > > Cross-site scripting attacks are hard for most people to wrap their minds
> > > around.  There are a zillion sites that are vulnerable, mainly because
> > > they parrot back to the user whatever they submitted without doing any
> > > validation or HTML/URL escaping.  Then there are browser bugs that don't
> > > treat escaped characters properly.  Sigh.
> > >
> > Whether we're talking about the IE bug, or cross-site scripting issues,
> > wouldn't the whole thing be solved by users turning *off* scripting and
> > leaving the cookies *on*?  I.e., in what ways are cookies not safe if
> > scripting is turned off?
>
>You are absolutely right. The question is who is going to explain this to
>users, MS?

MS's marketing engine is very strong and people get shocked when they read 
something like that, but expedience says that most people think "Well, it 
probably won't happen to me".

For example... Just because IIS itself has a lot of holes doesn't mean that 
some of the top financial institutions don't use it for the websites (do a 
random probe of financial SSL sites with Netcraft's utility)...

In fact, they probably love the holes because they get publicity and the 
people with money remember the brand but rarely remember the techie details 
of the problem. "Well as long as it was fixed, we should be able to run IIS 
now right?". :)

> > [snipped]
>
> > But it does seem like not even MS is saying "Don't accept cookies".
> > Though they're still pretty quiet on the latest IE hole.
>
>Heh, you probably have never done support :) It's enough for them to
>see the two words "cookies" and "evil" in the same sentence; you know how
>most of them will conceive it, you shouldn't think twice. I doubt they
>know what "scripting" is. Also remember the bad history cookies carry with
>them.

Although I am sure there are people who turn off cookies, I believe that 
there are many more people who couldn't care less and will leave them on.

However, I do concede that forcing users to use cookies for an open 
internet site is silly. And it is becoming a lot sillier for eCommerce as 
technologies like PDAs become more prevalent for people doing quick 
searches and the like on the Web (PDAs typically do not implement cookie 
capabilities).


__________________________________________________
Gunther Birznieks ([EMAIL PROTECTED])
Extropia - The Web Technology Company
http://www.extropia.com/
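The "parrot back" pattern Jeffrey describes in the quoted text above, as an added example that is not part of the thread or any poster's code: a server-side renderer that echoes a submitted search term verbatim, beside one that escapes it for the HTML text context and one that places the same value in a URL (which needs URL escaping first, then HTML escaping for the attribute). The sample query, the function names and the check helper are constructed for this example.

```python
import html
from urllib.parse import quote

# Constructed sample of a request parameter a site might echo into its
# results page (assumed input for the example, not taken from the thread).
SAMPLE_QUERY = 'mod_perl <script>alert("xss")</script> & cookies'


def render_unsafe(query: str) -> str:
    """The pattern criticised in the thread: the submitted value is
    interpolated into the page verbatim, so any markup in it is rendered
    by the browser as part of the site's own page."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Escape the value for an HTML text context before echoing it back.
    quote=True also turns " and ' into entities, which matters when the
    same helper is reused inside attribute values."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_link_safe(query: str) -> str:
    """The same value placed inside a URL. Two contexts, two encodings:
    URL-escape the parameter (safe="" so even '/' is encoded), then
    HTML-escape the whole href because it sits in an attribute."""
    href = "/search?q=" + quote(query, safe="")
    return f'<a href="{html.escape(href, quote=True)}">search again</a>'


def has_raw_script_tag(page: str) -> bool:
    """Defender-side check used by the tests: did a '<script' tag survive
    rendering with its delimiters intact?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe),
                           ("safe", render_safe),
                           ("link", render_link_safe)):
        page = renderer(SAMPLE_QUERY)
        print(f"{name:6s} leaks script tag: {has_raw_script_tag(page)}")
        print("       ", page)
```

The check helper is deliberately crude: it only flags a literal `<script` and is there to make the difference between the renderers visible, not to serve as an output filter. The fix the thread points at is escaping every echoed value for the context it lands in, not scanning for known bad strings.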
