[662] in Intrusion Detection Systems
RE: netscape
daemon@ATHENA.MIT.EDU (Paul Danckaert)
Mon Mar 18 05:03:20 1996
Date: Mon, 4 Mar 1996 12:41:42 -0500 (EST)
From: Paul Danckaert <pauld@umbc.edu>
To: ids@uow.edu.au
In-Reply-To: <199603011331.IAA03366@smooth.internic.net>
Reply-To: ids@uow.edu.au
On Fri, 1 Mar 1996, allwyn wrote:
> Anyone looked at the feature of Netscape's Navigator called "cookies"?
It's pretty well documented on Netscape's homepage:
http://home.netscape.com/newsref/std/cookie_spec.html
You will also see people discussing various aspects of it on Netscape's
news server, located at:
snews://secnews.netscape.com/
Cookies are trivial to add to an existing web page.. for example, on my
web server I have my homepage directed to a perl script which will
generate the page at connection time. It will send you a cookie, and if
you have a cookie, it greets you with the last time you connected to my
server. (The cookie I send is simply the UNIX time..)
Cookies have limits in size and expiration time, and aren't really
active, so I don't feel they are _too_ much of a threat.. they simply say
you have been there before. They can't give away more info about you
than your browser does already (machine type, etc..).
Much nastier is JavaScript. There are all of the various exploits for it
already.. for example, when you look at my web page with Netscape 2.0,
your browser will send me mail automatically. No Java is involved, and
you can't disable it. JavaScript cannot be disabled within the browser,
though it would be interesting to write a small proxy to filter out any
JavaScript in a document.. and I don't even want to get into Java..
Paul Danckaert
(For the brave, or at least people who like to mail me automatically, my test
server is located on http://lemur.acs.umbc.edu/ )
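
Added example, not part of the original message: the filtering step of the proxy idea mentioned above, written in Python so that a page has its `<script>` elements, `on*` event-handler attributes and `javascript:` URLs removed before it reaches the browser. The names `ScriptStripper`, `strip_javascript`, `URL_ATTRS` and the `notify()` sample page are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "background"}  # attributes that carry URLs
# Constructed sample page; notify() is a placeholder function name.
SAMPLE = ('<body onload="notify()"><h1>Home</h1><script>notify()</script>'
          '<a href="java&#115;cript:notify()">x</a><a href="http://example.com/">ok</a></body>')

class ScriptStripper(HTMLParser):
    """Re-emit HTML without <script> bodies, on* handlers or javascript: URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.in_script = False

    def _attrs(self, attrs):
        kept = []
        for name, value in attrs:  # parser lowercases names and decodes entities
            if name.startswith("on"):
                continue  # event handler (onload, onclick, ...); over-blocks by design
            if value is not None and name in URL_ATTRS:
                # Ignore whitespace, control characters and case inside the scheme.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith("javascript:"):
                    continue
            kept.append(name if value is None else f'{name}="{escape(value)}"')
        return "".join(" " + a for a in kept)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif not self.in_script:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:  # script bodies are dropped, other text re-escaped
            self.out.append(escape(data, quote=False))

def strip_javascript(html_text):
    parser = ScriptStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

This filter also drops comments and declarations, since it only re-emits tags and text. A deployed proxy would be better served by an allow-list of tags and attributes than by this block-list.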