[3839] in WWW Security List Archive


RE: Germany bans cookies! (and a whole lot more)

daemon@ATHENA.MIT.EDU (Dave Kristol)
Wed Dec 18 13:05:42 1996

Date: Wed, 18 Dec 96 09:53:37 EST
From: dmk@research.bell-labs.com (Dave Kristol)
To: jacob@whiteshell.com
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Jacob Rose <jacob@whiteshell.com> wrote:
  > [...]
  > However, there is one (and only one, as far as I know) problem: *any* http
  > transfer can trigger a cookie.  This means that if Insidious, Inc.
  > (ii.com) gets Collaboration Corporation (cc.com) and Leech Ltd (ll.com) to
  > plant an IMG tag on their pages that refers to an "invisible dot" image on
  > the ii.com web server, each time someone visits cc.com or ll.com, the
  > SAME cookie is sent to ii.com when the user's browser loads that invisible
  > dot.
  > 
  > The result is that the sessions can be correlated through ii.com's logs.
  > 
  > So, to me, it makes sense to impose a tiny artificial restriction in the
  > browser that says, "Don't send cookies to hosts that the user doesn't know
  > he or she is visiting."  How do users know what site they are visiting?
  > The URL in the "Location" blank at the top of the screen.  Thus, the
  > solution, as I see it, is to send cookies only to the server in the
  > Location field.
  > [...]

The IETF is in the process of standardizing state management (aka,
"cookies").  The current spec., which will advance as a Proposed Standard,
is at
    http://ds.internic.net/internet-drafts/draft-ietf-http-state-mgmt-05.txt

In general the draft tries to be as protective as possible of users'
privacy.  Of particular interest is the description of "unverifiable
transactions", which is the label for the kinds of collusive activities
described above.  The draft calls on user agents to alert users when
such links are followed.  The idea is that, at all times, users should
be aware when cookies are arriving or departing.

The draft doesn't talk about "Location" fields in browsers, because
that's an artifact (although a common one) of a particular
implementation.

Dave Kristol
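The collusion Jacob Rose describes, and the mitigation he proposes, as an added example that is not part of the original post or of the IETF draft. It is a toy user agent with a cookie jar, a tracker server standing in for ii.com, and two cookie-sending policies: the default (send a host's cookie on any request to that host) and the proposed restriction (send it only when the request host matches the host in the Location field). The hostnames ii.com, cc.com and ll.com come from the post; the page contents, log format and cookie values are constructed for the example.

```javascript
// Added example, not from the original post or the IETF draft.
// Hostnames follow the post; pages, log format and cookie values are
// constructed here.

const hostOf = (url) => new URL(url).hostname;

// Constructed pages: cc.com and ll.com each embed ii.com's invisible dot.
const PAGES = {
  "ii.com": [],
  "cc.com": ["http://ii.com/dot.gif"],
  "ll.com": ["http://ii.com/dot.gif"],
};

// ii.com's server: hands out an id cookie on first contact, logs every hit.
function makeTracker() {
  let nextId = 1;
  const log = [];
  return {
    log,
    handle(cookie, referer) {
      const id = cookie ?? `uid${nextId++}`;
      log.push({ id, referer });
      return cookie ? null : id; // value for Set-Cookie, if one is issued
    },
  };
}

// A user agent that loads each page in `visits` and then its images.
//   policy "default":       send the jar's cookie for a host on any request to it
//   policy "location-only": send it only when the request host is the host in
//                           the Location field (the proposal in the post)
function browse(visits, policy) {
  const jar = new Map(); // host -> cookie value
  const tracker = makeTracker();

  function request(url, locationHost, referer) {
    const host = hostOf(url);
    const thirdParty = host !== locationHost;
    const suppressed = policy === "location-only" && thirdParty;
    const cookie = jar.has(host) && !suppressed ? jar.get(host) : null;
    if (host === "ii.com") {
      const setCookie = tracker.handle(cookie, referer);
      if (setCookie) jar.set(host, setCookie);
    }
  }

  for (const top of visits) {
    const locationHost = hostOf(top);
    request(top, locationHost, null);
    for (const img of PAGES[locationHost]) request(img, locationHost, top);
  }
  return tracker.log;
}

// Group ii.com's log by cookie id: the referers behind one id are the
// sessions ii.com can correlate.
function correlate(log) {
  const byId = new Map();
  for (const { id, referer } of log) {
    if (!byId.has(id)) byId.set(id, []);
    byId.get(id).push(referer === null ? "(direct)" : hostOf(referer));
  }
  return Object.fromEntries(byId);
}

// Constructed browsing history: ii.com once directly, then the two colluding sites.
const VISITS = ["http://ii.com/", "http://cc.com/", "http://ll.com/"];

console.log("default:      ", correlate(browse(VISITS, "default")));
console.log("location-only:", correlate(browse(VISITS, "location-only")));
```

Under the default policy one id (uid1) shows up behind the direct visit and behind both cc.com and ll.com, which is exactly the correlation through ii.com's logs that the post objects to. Under the location-only policy each dot request arrives without a cookie, so ii.com issues a fresh id every time and its log links nothing. The check is deliberately a plain host comparison, which is a simplification; a real user agent also has to decide what to do with a Set-Cookie that arrives on such a request, and note that ii.com still sees the Referer and the client address, so suppressing cookies removes the stable identifier but not every correlation signal.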
