[3770] in WWW Security List Archive
Cookies: An Expert's Observations
daemon@ATHENA.MIT.EDU (David Kennedy)
Wed Dec 11 04:08:20 1996
Date: 11 Dec 96 02:17:58 EST
From: David Kennedy <76702.3557@compuserve.com>
To: WWW Security List <WWW-SECURITY@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
[DMK: If you don't know the FROM: on this post, shame on you, and visit your
local library or bookstore.]
From RISKS 18.65:
Date: Tue, 03 Dec 1996 08:25:13 -0500
From: "Simson L. Garfinkel" <simsong@vineyard.net>
Subject: Combatting cookies
I've been thinking a lot about (web) cookies lately. One of the problems
with the current situation is that you basically have two choices with the
User Interface that both Netscape and Microsoft have created for your
browsers:
1. You can simply accept all cookies.
2. You can have your browser warn you every time a cookie is sent
your way and have the option of accepting it or not.
A cookie, for those not in the know, is a little tarball of data that gets
sent to your browser. Cookies can be used to track users, by keying their
browsers to a database. Or they can be used to preserve privacy, by storing
private information on the user's browser, rather than on the web server.
Right now, a cookie gets sent to your browser whenever you get an HTTP
response with the words "Set-Cookie:" in the header. After that, whenever
you contact the web site, you send the cookie back.
It seems to me that an excellent way to deal with the cookie problem would
be to have more user interface options:
* Simply do not accept cookies.
* Specify who you will accept cookies from, and who not.
* Accept cookies, but do not send them back.
* Have a decent user interface to show which cookies you have and how
often they are used. Let you delete them individually, rather than just
all or nothing.
I've written more about cookies in an upcoming article for HotWired. It will
appear at http://www.packet.com/garfinkel on Wednesday, 11 Nov 1996.
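As an added illustration of the proposals above (not code from the original post or from either browser vendor), here is a small client-side cookie jar that parses "Set-Cookie:" response headers, applies a per-host accept/deny list, can accept cookies without ever sending them back, reports how often each cookie has been used, and deletes cookies individually. All class and method names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Cookie:
    host: str
    name: str
    value: str
    uses: int = 0  # how many times this cookie has been sent back

@dataclass
class CookieJar:
    """Hypothetical jar implementing the four user-interface options proposed above."""
    allow: set = field(default_factory=set)      # hosts we accept cookies from
    deny: set = field(default_factory=set)       # hosts we never accept cookies from
    accept_all: bool = False                     # False = "simply do not accept"
    send_back: bool = True                       # False = accept, but never return
    cookies: dict = field(default_factory=dict)  # (host, name) -> Cookie
    def accepts(self, host):
        """Per-host policy: explicit deny wins, then explicit allow, then the default."""
        if host in self.deny:
            return False
        return self.accept_all or host in self.allow
    def receive(self, host, response_headers):
        """Store every 'Set-Cookie:' header of a response from host; return the count."""
        stored = 0
        for line in response_headers.splitlines():
            key, sep, rest = line.partition(":")
            if sep and key.strip().lower() == "set-cookie" and self.accepts(host):
                pair = rest.strip().split(";", 1)[0]  # drop attributes such as Path=
                name, _, value = pair.partition("=")
                self.cookies[(host, name.strip())] = Cookie(host, name.strip(), value.strip())
                stored += 1
        return stored
    def cookie_header(self, host):
        """Build the 'Cookie:' request header for host, honouring the send-back switch."""
        if not self.send_back:
            return None
        parts = []
        for c in self.cookies.values():
            if c.host == host:
                c.uses += 1
                parts.append(f"{c.name}={c.value}")
        return "Cookie: " + "; ".join(parts) if parts else None
    def report(self):
        """Which cookies are held and how often each has been sent back."""
        return {(c.host, c.name): c.uses for c in self.cookies.values()}
    def delete(self, host, name):
        """Delete one cookie individually rather than all or nothing."""
        return self.cookies.pop((host, name), None) is not None
```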