[2477] in WWW Security List Archive
Cookies: summary
daemon@ATHENA.MIT.EDU (Dave Kristol)
Fri Jul 19 20:37:28 1996
Date: Fri, 19 Jul 96 18:29:02 EDT
From: dmk@allegra.att.com (Dave Kristol)
To: tdf@ble.org
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Tom Fetherston <tdf@ble.org> asked for a summary of the cookies discussion.
> Suggested summary headers:
>
> A. What is the security risk/threat of 1) implementing cookie distribution
> 2) receiving cookies with your browser?
In neither case is there a *security* risk. There is a privacy risk to
the user.
>
> B. Can a cookie server possibly write to other files besides the
> cookie database?
Not if the client is implemented correctly.
>
> C. How can the risk/threat be minimized or eliminated?
I believe the only risk is a privacy risk to the user. If you suppress
all cookies, you avoid the risk. (One cute Unix hack someone here
mentioned is to create a symbolic link from the cookie file to
/dev/null. Poof! No more cookies.) On other platforms, enable
whatever options will allow you to suppress accumulating cookies.
Dave Kristol
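The /dev/null symlink trick from the message above, reproduced as an added shell example (not part of the original post or list archive). It creates the link on a scratch cookie file and then shows where the trick holds and where it does not: a writer that appends to the existing file sends its data into /dev/null, but a writer that creates a fresh file and renames it over the old name replaces the symlink itself and starts storing cookies again. The file paths and both write patterns are constructed assumptions, not a description of any particular browser.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce the "symlink the
# cookie file to /dev/null" trick on a scratch file and check where it holds.
# Cookie file paths and the two writer patterns below are assumptions, not a
# description of how any particular browser writes its cookie database.

# Replace a cookie file with a symlink to /dev/null, keeping a backup copy.
null_cookie_file() {
    file="$1"
    if [ -e "$file" ] && [ ! -L "$file" ]; then
        mv -f "$file" "$file.bak"
    fi
    ln -sf /dev/null "$file"
}

# Constructed writer 1: append a line to the existing file (follows the link,
# so the data is discarded).
append_cookie() {
    printf '%s\n' "$2" >> "$1"
}

# Constructed writer 2: write a fresh file and rename it over the old name.
# rename() replaces the symlink itself, so the trick no longer applies.
rewrite_cookie_file() {
    printf '%s\n' "$2" > "$1.tmp"
    mv -f "$1.tmp" "$1"
}

# Number of cookie lines actually retained on disk (0 for /dev/null or absent).
stored_cookie_count() {
    if [ -e "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# Prints 1 if the path is still the /dev/null link, 0 otherwise.
is_null_link() {
    if [ -L "$1" ] && [ "$(readlink "$1")" = /dev/null ]; then
        echo 1
    else
        echo 0
    fi
}

# Walk through both writer patterns on a throwaway directory.
demo() {
    dir=$(mktemp -d)
    f="$dir/cookies.txt"
    # Constructed Netscape-style cookie line (tab separated).
    line=$(printf 'example.test\tFALSE\t/\tFALSE\t0\tsid\tabc')
    printf '%s\n' "$line" > "$f"
    null_cookie_file "$f"
    append_cookie "$f" "$line"
    echo "after append through the link: $(stored_cookie_count "$f") cookie(s) stored, link intact: $(is_null_link "$f")"
    rewrite_cookie_file "$f" "$line"
    echo "after rename-over write:       $(stored_cookie_count "$f") cookie(s) stored, link intact: $(is_null_link "$f")"
    rm -rf "$dir"
}
demo
```

The second case is the check worth running before relying on this trick: if the browser rewrites its cookie file by rename rather than in place, the link silently disappears on the first save, and the platform's own option for suppressing cookies is the only reliable control.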