[3782] in WWW Security List Archive


Re: Cookie question

daemon@ATHENA.MIT.EDU (David Ray)
Thu Dec 12 02:31:23 1996

Date: Wed, 11 Dec 1996 21:32:12 -0800
To: www-security@ns2.rutgers.edu
From: daver@idiom.com (David Ray)
Errors-To: owner-www-security@ns2.rutgers.edu

At 12:24 AM 12/12/96, Edwin Ng wrote:
> If the service provider's server stores your password in your cookie file,
> then you should stop using its services. Storing login passwords in a
> cookie file is a big security risk. I still firmly believe typing in the
> password and login name over and over again....

I agree, if they store the password in clear text, and I hope that nobody
would be stupid enough to do that. More likely they would encrypt it using a
sufficiently strong encryption algorithm like DES. If sensitive information
is sufficiently encrypted then it's safe to be in the cookie.

One way hackers break into systems is by sniffing packets and listening for
login ids and passwords. While login/passwords from a secure Web page form
would be sufficiently encrypted (using RC4-40 or 128), the NCSA style
authentication is trivial to break, so just using a login and password
doesn't guarantee that it is secure. I believe using the same password over
and over again over the Internet is not safe unless it is sufficiently
encrypted. For logins that are not in an encryption wrapper, there are
emerging technologies such as Skey that issue single-use passwords so that
hackers can't re-use them. These are available for telnet, but haven't yet
been implemented on Web servers, although there is a lot of discussion
about this.

Cookies can easily be read by opening the cookie file, so I would hope that
nobody would be dumb enough to put sensitive information there that wasn't
encrypted.

-Dave
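The single-use password scheme Dave mentions (S/Key) is built on a one-way hash chain: the server keeps only the current top of the chain, each login reveals the next link down, and a sniffed password is useless because the server will only accept its pre-image. The following is an added illustration written for this archive page, not code from the post or from the S/Key project; it is a simplified Lamport-style chain using SHA-256 rather than the MD4-based folding of RFC 1760, and the class and function names (`OtpClient`, `OtpServer`, `demo_replay`) are my own.

```python
import hmac
import hashlib


def _h(data: bytes) -> bytes:
    """One hash step of the chain (SHA-256 here; real S/Key used MD4)."""
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)]; h^n is the chain top."""
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OtpServer:
    """Server side: stores only the chain top, never the seed or lower links."""

    def __init__(self, top: bytes, count: int):
        self.current = top        # h^count(seed), registered at enrolment
        self.remaining = count    # logins still possible before re-enrolment

    def verify(self, otp: bytes) -> bool:
        """Accept otp only if hashing it yields the stored value, then move down."""
        if self.remaining == 0:
            return False
        # constant-time compare to avoid leaking digest bytes through timing
        if not hmac.compare_digest(_h(otp), self.current):
            return False
        self.current = otp        # the accepted value becomes the new top
        self.remaining -= 1
        return True


class OtpClient:
    """Client side: holds the seed, hands out links from the top downwards."""

    def __init__(self, seed: bytes, n: int):
        self.chain = make_chain(seed, n)
        self.next_index = n - 1   # h^n was given to the server; start one below

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-enrol with a fresh seed")
        otp = self.chain[self.next_index]
        self.next_index -= 1
        return otp


def demo_replay() -> tuple[bool, bool, bool]:
    """Constructed scenario: legitimate login, replay of the sniffed value, next login.

    Returns (first_login_ok, replay_ok, second_login_ok); expected (True, False, True).
    """
    seed = b"constructed-demo-seed-not-a-real-secret"
    n = 10
    client = OtpClient(seed, n)
    server = OtpServer(make_chain(seed, n)[-1], n)

    sniffed = client.next_password()       # attacker captures this on the wire
    first_ok = server.verify(sniffed)      # genuine login succeeds
    replay_ok = server.verify(sniffed)     # replaying the captured value fails
    second_ok = server.verify(client.next_password())  # next link still works
    return first_ok, replay_ok, second_ok


if __name__ == "__main__":
    print(demo_replay())
```

The point the demo makes is the one the post is after: the value that crossed the network is exactly what the server now stores, so presenting it again fails the pre-image check. What the scheme does not give you is confidentiality of the rest of the session or protection against an active attacker who intercepts the one-time value and uses it before the legitimate client's request arrives, which is why it complements rather than replaces an encrypted channel.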


