See responses inline On Apr 30, 2007, at 2:58 PM, Adam Shirey wrote:
> This is not entirely true. Cookies can (and should) be limited to the > originating site, but this is not always the case. To me, this is much > like how your REALbasic applications should always run at the lowest > possible permissions at any given time: The cookies you create should > be limited to only your domain and the relevant path. > > Furthermore, while they are not always a security risk, they most > definitely can be. Cookies, IHMO, should really only be used for > storing session information or the like. I only use cookies for > storing a unique ID that indexes into a table as relevant to the > website and database (though I do incorporate an authorization into > the cookie so it can't be falsified). I have seen sites out there that > store plaintext username/password combinations into the cookie to > facilitate a perpetual login sequence. THAT poses a security risk. HTTP requires that only cookies matching the correct parameters are sent back in the request headers. Anything else is a bug of the browser. For example, my site could request a cookie be placed on realbasic.com. The browser *should* deny this behavior. Regardless, I simply won't receive cookies from realbasic.com unless the browser is misbehaving. And you are 100% correct regarding the second paragraph, something I said in an earlier e-mail. >> Cookies are very, very, very, very, very rarely a security risk. I >> can't even provide personal information to Amazon, and have site x >> look it up later. > > Sites like Amazon -- and really, any service which purports to be > professional -- should never share any personally identifiable > information via cookies. Not even with itself (eg, a cookie limited to > its own domain). HTTP is not a protocol designed with security in > mind; cookies were an afterthought hack to provide a sort of fluid > data flow across page hits. Correct. HTTP does not have any kind of persistence, so cookies were hacked into it later. >> The reason cookies are believed to be a security risk is simple. They >> are typically stored in a text file on your computer. It is very easy >> for a malicious program to look up your Amazon cookies and use that >> to log in. But Amazon, and most sites, are not stupid enough to allow >> this to actually work. It was an easy trick years ago, which is why >> cookies got a bad rap, but these days it would be pointless. > > I don't agree with this completely, either. I lock my computers down > fairly well, but I occasionally find myself on some website that tries > to sell me products/services tailored to my location. How did they > know to send me ads for St. Cloud, MN? I certainly never provided THEM > with that information. The only answer that makes any sense is that > there is a cookie stored on my computer that indicates my zip code, > and that cookie is readily accessible to sites that know to look for > it. Incorrect. It is done using IP Lookup. Your IP address can be used to get a relative position of your location. No cookies, spyware, etc. necessary. -- Thom McGrath, <http://www.thezaz.com/> "You realize you've created God in your own image when God hates all the same people you do." _______________________________________________ Unsubscribe or switch delivery mode: <http://www.realsoftware.com/support/listmanager/> Search the archives: <http://support.realsoftware.com/listarchives/lists.html>
