[13760] in bugtraq
Re: Evil Cookies.
daemon@ATHENA.MIT.EDU (Ari Gordon-Schlosberg)
Wed Feb 9 02:25:53 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000208162458.A6631@nebcorp.com>
Date: Tue, 8 Feb 2000 16:24:58 -0600
Reply-To: Ari Gordon-Schlosberg <regs@NEBCORP.COM>
From: Ari Gordon-Schlosberg <regs@NEBCORP.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <389F52B9.B9D63B00@bigfoot.com>; from Dylan_G@BIGFOOT.COM on Mon,
Feb 07, 2000 at 05:18:17PM -0600
[Dylan Griffiths <Dylan_G@BIGFOOT.COM>]
> Thomas Reinke wrote:
> > There is no easy patch to this problem. The only solution I
> > can think of, which is not an easy one, would be to have browsers
> > have intimate knowledge of what constitutes an organization's
> > "domain of influence", and limit cookies accordingly. This
> > is essentially impossible to implement.
>
> A better solution would be explicit (ie: finer grained) control of cookies.
> Not as finely grained as the prompt option of Lynx, but more specific than
> the current Netscape settings.
Actually, this is implemented in a rudimentary way in IE 5.x, with their
"zones" of security. If you're interested, take a look at Mozilla's M13
milestone release. It allows fine-grained control of cookies, with its
"Never Accept Cookies" domain/site list. It also gives the user an
intuitive interface to actually browse their cookies. (Look in the Wallet
section).
--
Ari there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key