[2405] in WWW Security List Archive
Re: cookies and privacy
daemon@ATHENA.MIT.EDU (Dave Kristol)
Tue Jul 16 11:11:32 1996
Date: Tue, 16 Jul 1996 09:09:14 -0400
To: Hal <hfinney@shell.portal.com>
From: dmk@bell-labs.com (Dave Kristol)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Hal Finney wrote:
>I have read your draft, and while I think it is an improvement over
>the current cookie implementation, I am still not happy with some of
>the uses of cookies which would be allowed by the draft. I am not sure
>an I-D will be effective in specifying default behaviors on interactions
>between users and user agents. The only real leverage the draft has is
>in the communication between servers and clients. Habits like Netscape
>has of saving cookies in disk files between sessions, or bombarding the
>user with warnings when he tries to prevent cookies from being accepted,
>are in violation of the I-D but there is no guarantee that these things
>will be changed.

None of us who worked on the cookie I-D think it is perfect. We tried to
codify what existed already while tightening up the privacy details.
I think the "bombarding the user with warnings" problem is a question of
tuning the user interface to be more appropriate. The I-D says the user
should be able to control what's happening without saying how.

>
>Another thing I was not happy with was the definition of unverifiable
>transactions, and the emphasis on this distinction. This really shows up
>when you call transactions verifiable just because it is possible to view
>the source of a web page and see where the submit button will send you!
>Sure that's not a reasonable way of "verifying" a transaction. And it
>doesn't make sense to me that viewing a page with inline images, or, say,
>Java turned off, and then turning it on, will cause otherwise
>unverifiable transactions to become verifiable.

I agree it's messy. Broadly what we were trying to do was to distinguish
between what a user has a chance to inspect in advance and what happens
invisibly. If you think you get too many warnings now, what would happen
if you got asked about everything? In any case, in the end the cookie I-D
is a *protocol* specification, not a user interface specification. We hope
user feedback and experience will lead vendors to tune the user interfaces
to give the right amount of notification. Browsers have only just started
notifying users at all.

Dave Kristol
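To make the verifiable/unverifiable distinction discussed above concrete, here is an added example (not code from the thread or from the cookie I-D itself) that models the user-agent side as a small policy check. It assumes the draft's rule as later codified in RFC 2109: a transaction is verifiable when the user could review the request-URI before it was sent, unverifiable when the user agent issued it on its own (inline image, applet, redirect), and in an unverifiable transaction to a host that does not domain-match the originating document's host the default is to neither send nor accept cookies. The initiator names, the `Transaction` class and the simplified domain-match are constructed for this example.

```python
"""Toy model of the cookie draft's "unverifiable transaction" rule.

Constructed example: initiator labels and the simplified domain-match are
assumptions, not text from the I-D. Verifiable = the user could inspect the
request-URI in advance; unverifiable = fetched silently by the user agent.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Fetches the user triggers (and so could inspect) vs. ones the UA performs itself
USER_INITIATED = {"typed", "link", "form"}
AUTOMATIC = {"inline-image", "applet", "redirect", "script"}


@dataclass
class Transaction:
    url: str                    # request-URI of this fetch
    initiator: str              # one of USER_INITIATED | AUTOMATIC
    origin_url: Optional[str]   # document that caused the fetch; None for a typed URL


def domain_match(host: str, domain: str) -> bool:
    """Simplified RFC 2109 domain-match: identical, or host ends with '.' + domain."""
    host, domain = host.lower().rstrip("."), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def is_unverifiable(tx: Transaction) -> bool:
    """Unverifiable when the user had no chance to review the request-URI."""
    if tx.initiator in USER_INITIATED:
        return False
    if tx.initiator in AUTOMATIC:
        return True
    raise ValueError(f"unknown initiator {tx.initiator!r}")


def is_third_party(tx: Transaction) -> bool:
    """Third-party when the request host does not domain-match the origin document's host."""
    if tx.origin_url is None:
        return False
    req_host = urlsplit(tx.url).hostname or ""
    origin_host = urlsplit(tx.origin_url).hostname or ""
    return not domain_match(req_host, origin_host)


def cookies_allowed(tx: Transaction, allow_third_party: bool = False) -> bool:
    """Default policy: no cookie send/accept for unverifiable third-party fetches."""
    if is_unverifiable(tx) and is_third_party(tx):
        return allow_third_party   # only if the user has opted in
    return True
```

Note that, as Hal's objection points out, a clicked link to an unrelated host counts as verifiable under this model and so is allowed by default; the policy only bites on silent fetches.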