[2398] in WWW Security List Archive
RE: private cookies
daemon@ATHENA.MIT.EDU (Dirk Husemann)
Mon Jul 15 05:16:11 1996
Date: Mon, 15 Jul 1996 08:55:29 +0200
From: Dirk Husemann <hud@zurich.ibm.com>
To: F.AbdulRahman@cs.ucl.ac.uk
Cc: lensmith@mta-usa.org, risopoul@informatik.uni-hamburg.de,
www-security@ns2.rutgers.edu
In-Reply-To: <1519.837374916@cs.ucl.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu
>>>>> "FAR" == Farez Abd-Rahman <F.AbdulRahman@cs.ucl.ac.uk> writes:
FAR> --------------------------------------------------------
FAR> I only have a vague idea of the cookie mechanism, but I was just wondering
FAR> if one site can obtain cookies issued to us by another site from our
FAR> browser. If it can, then there could be a threat to privacy, especially
FAR> if most of the sites we visit hand us a cookie, i.e. info on the sites we
FAR> visit may be available to an arbitrary server.
No, it cannot. The way this thing works is that you go to a page <A> of company A,
let's say. This page <A> contains among other things an image: Image links
are of the form <IMG SRC="URL">. In case of company A's page <A> the image
URL points to an image supplied by company Z. Your browser tries to load
all the images on page <A> and will consequently access the IMG URL
pointing to company Z. As this image URL is indeed a URL your browser will
perform each of its URL-loading acts: one of these steps involves checking
for URL for company Z (and in turn storing one supplied by company
Z). Thus, although you never really went to a page of company Z your
browser did by loading the image.
Regards,
Dirk
--
Dr. Dirk Husemann Phone +41 1 724 8573
IBM Research Division FAX +41 1 710 3608
IBM Zurich Research Laboratory
Saeumerstrasse 4 Internet hud@zurich.ibm.com
CH-8803 Rueschlikon WWW: http://www.zurich.ibm.com/~hud/
Switzerland
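
The behaviour described in the message above, as an added example that is not part of the original post: a constructed model of a browser cookie jar showing that company A never receives company Z's cookie, while loading A's page still makes the browser exchange a cookie with Z through the embedded image. The host names a.example and z.example, the Browser class and the cookie values are assumptions made for illustration.

```javascript
// Constructed model: cookies are stored per host and are only ever sent
// back to the host that set them.
class Browser {
  constructor(servers) {
    this.servers = servers; // host -> handler(path, cookie) => response
    this.jar = new Map();   // host -> cookie value
    this.log = [];          // every request, as the receiving server sees it
  }
  // One URL-loading act: attach this host's cookie, store any cookie returned.
  fetch(host, path) {
    const cookie = this.jar.get(host) || null;
    this.log.push({ host, path, cookie });
    const res = this.servers[host](path, cookie);
    if (res.setCookie) this.jar.set(host, res.setCookie);
    return res;
  }
  // Loading a page also loads every <IMG SRC> on it, whatever host it names.
  visit(host, path) {
    const page = this.fetch(host, path);
    for (const img of page.images || []) this.fetch(img.host, img.path);
  }
}

// Hypothetical servers standing in for company A and company Z.
function makeServers() {
  let nextId = 1;
  return {
    "a.example": (path, cookie) => ({
      setCookie: cookie ? null : "a-session",
      images: [{ host: "z.example", path: "/banner.gif" }], // image supplied by Z
    }),
    "z.example": (path, cookie) => ({
      setCookie: cookie ? null : `z-id-${nextId++}`,
    }),
  };
}

// Visit company A's page twice; the user never navigates to company Z.
function demo() {
  const b = new Browser(makeServers());
  b.visit("a.example", "/index.html");
  b.visit("a.example", "/index.html");
  return b;
}

console.log(demo().log);
```

On the second visit the request to z.example carries the cookie Z set during the first image load, and no request to a.example ever carries it.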