[3824] in WWW Security List Archive
RE: Germany bans cookies! (and a whole lot more)
daemon@ATHENA.MIT.EDU (Jacob Rose)
Tue Dec 17 16:33:29 1996
Date: Tue, 17 Dec 1996 13:33:49 -0500 (EST)
From: Jacob Rose <jacob@whiteshell.com>
Reply-To: Jacob Rose <jacob@whiteshell.com>
To: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
Cc: "'John Anonymous MacDonald, a remailer node'" <nobody@cypherpunks.ca>,
"www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
In-Reply-To: <01BBEB71.DB4FC310@crecy.ai.mit.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
Phillip wrote:
> I have always considered cookies to be a pretty
> disgusting kludge. I never accepted Netscape's
> excuse that they wanted to move the burden of
> maintaining state from the server to the client.
> Essentially I don't think they understand about
> threads. I know that there are some UNIX boxes
> on which threads are poorly implemented but I
> don't accept that a protocol should be designed
> around O/S bugs.
I'm not sure exactly what you mean by this; if you mean that Web servers
should spawn stateful threads to handle each session, this isn't possible
either without some kind of client identification, since HTTP requests
from a single client are all totally independent, each a separate event.
Cookies allow the server to assign an unknown client a magic number that
the server will recognize in future, so that no serial number must be
emblazoned on each copy of the software. This should really be a
pro-privacy scheme, since each server sees only the identification number
it gave a particular user's client.
However, there is one (and only one, as far as I know) problem: *any* http
transfer can trigger a cookie. This means that if Insidious, Inc.
(ii.com) gets Collaboration Corporation (cc.com) and Leech Ltd (ll.com) to
plant an IMG tag on their pages that refers to an "invisible dot" image on
the ii.com web server, each time someone visits cc.com or ll.com, the
SAME cookie is sent to ii.com when the user's browser loads that invisible
dot.
The result is that the sessions can be correlated through ii.com's logs.
So, to me, it makes sense to impose a tiny artificial restriction in the
browser that says, "Don't send cookies to hosts that the user doesn't know
he or she is visiting." How do users know what site they are visiting?
The URL in the "Location" blank at the top of the screen. Thus, the
solution, as I see it, is to send cookies only to the server in the
Location field.
------------------------------------------------------------------------
Jacob Rose All you and I must agree upon is peace.
------------------------------------------------------------------------
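
The correlation described in the message above and the proposed "Location only" restriction, as an added example that is not part of the original message. It is a toy simulation on constructed data: the helper names are hypothetical, and the embedded image's server is assumed to learn which page embedded it (for example from the Referer header).

```javascript
// Added illustration (constructed data): a toy browser and toy servers.
// cc.com, ll.com and ii.com are the hosts named in the message.
const EMBEDS = { "cc.com": ["ii.com"], "ll.com": ["ii.com"] }; // page -> hosts of embedded images

function makeServer(host) {
  let next = 1;
  const log = [];
  return {
    log,
    // Assumption: the server learns which page embedded the image
    // (for example from the Referer header).
    handle(cookie, embeddingSite) {
      const id = cookie !== null ? cookie : `${host}-id-${next++}`;
      log.push({ id, embeddingSite });
      return id; // sent back to the browser as the cookie value
    },
  };
}

// sendPolicy(target, location) decides whether a stored cookie is sent.
function browse(visits, sendPolicy) {
  const servers = {}, jar = {};
  for (const location of visits) {
    for (const target of [location, ...EMBEDS[location]]) {
      if (!servers[target]) servers[target] = makeServer(target);
      const stored = target in jar ? jar[target] : null;
      const sent = sendPolicy(target, location) ? stored : null;
      jar[target] = servers[target].handle(sent, location);
    }
  }
  return servers;
}

const sendToAnyHost = () => true;                               // behaviour the message describes
const locationOnly = (target, location) => target === location; // restriction the message proposes

// Groups of sites that one server can tie to a single cookie value.
function correlatedSites(log) {
  const byId = new Map();
  for (const { id, embeddingSite } of log) {
    if (!byId.has(id)) byId.set(id, new Set());
    byId.get(id).add(embeddingSite);
  }
  return [...byId.values()].filter(s => s.size > 1).map(s => [...s].sort());
}

const VISITS = ["cc.com", "ll.com", "cc.com"]; // constructed browsing session
console.log(correlatedSites(browse(VISITS, sendToAnyHost)["ii.com"].log)); // [["cc.com","ll.com"]]
console.log(correlatedSites(browse(VISITS, locationOnly)["ii.com"].log));  // []
```

Under the restriction, cc.com still recognises its own returning visitor, while ii.com sees a fresh identifier on every image load.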