[3752] in WWW Security List Archive
Re: Cookie question
daemon@ATHENA.MIT.EDU (Paul Phillips)
Mon Dec 9 08:06:37 1996
Date: Mon, 9 Dec 1996 03:02:04 -0800 (PST)
From: Paul Phillips <psp@well.com>
To: Darren Cook <darren@factcomm.co.jp>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <19961209010644046.AAA172@p12.pm-3.escot.co.jp>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 9 Dec 1996, Darren Cook wrote:
> I was at a computer user club meeting last week, and there was a lively
> discussion about cookies, mostly people asking how to switch them off, find
> out where the cookies were stored on disk so they could delete them, etc.
> People regarded them as a danger on a par with viruses.
Let's all take a moment to thank the media.
> A cookie only stores something put there by the server. The server cannot
> read anything from your hard disk that is not a cookie. So the only danger
> is of the server wasting your disk space (most cookies are only a few bytes,
> but I suppose a nasty server could send a 1Gb cookie if it wanted?).
No, four kilobytes. Far less than a penny's worth of disk. People do
think about this stuff, you know.
> Is this possible?
> I believe a machine can pretend to have another IP address can't it?
Yes, but spoofing is much harder than just changing the machine's IP
address. First, the spoofing machine must be able to get its packets out
without being filtered as illegal traffic. For example, an ISP with
an a.b.0.0 netblock should be dropping all outgoing packets that don't
appear to originate at a.b.*.*.
More seriously, server-to-client packets will not get to the spoofing
machine unless the spoofing attack is combined with a succesful routing
attack, which requires significantly greater skill. Either way, the
attacker will have to do quite a bit more than change the machine's IP
address and fire up a web browser.
It's a bad idea to trust anything of serious import to IP address
authentication for a number of reasons, but it's sufficient for most
WWW purposes, given the current Internet architecture.
--
Paul Phillips <psp@well.com>
