[23110] in bugtraq
Re: Microsoft IE cookies readable via about: URLS
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Nov 12 16:27:31 2001
Message-Id: <200111121814.fACIEjMb019224@foo-bar-baz.cc.vt.edu>
To: Oliver Petruzel <opetruzel@cox.rr.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: Your message of "Fri, 09 Nov 2001 21:20:29 EST."
<000701c1698e$44cf66c0$8800a8c0@cox.rr.com>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 12 Nov 2001 13:14:44 -0500
On Fri, 09 Nov 2001 21:20:29 EST, Oliver Petruzel <opetruzel@cox.rr.com> said:
> This brings to mind a question: has anyone collected a list of the most
> revealing KNOWN cookies in the wild? Is there a resource (site)
> available with a list for me to use in order to perhaps blacklist the
> URLs personally? I often find myself studying my local cookies and
> have noticed repeat offenders from very popular sites that I avoid now
> because of this; and I believe such a public list would serve as a way
> to prevent cookies from becoming too powerful or revealing. A cookie
> reporting service possibly. Anyone with a link for this if it already
> exists or with the energy to compile it yourself, go for it, and please let
> us know.
A far better approach is to use software that blocks *all* cookies, and
then have an exemption list for those sites that *YOU* visit that specifically
need cookies in order to function.
Remember - cookies as data harvesting tools only work because a large
percentage of people allow cookies. If the *default* behavior of people
was to tolerate only cookies that allow (for instance) session management
of a single visit, or only retain very basic cross-session information,
then the site operators wouldn't have much reason to use cookies.
Something that's a *bigger* issue is probably the infamous "web bug", which
usually shows up as a 1x1 transparent pixel. Now *THERE* is an area where
a "black list" might be more useful (because you can have an <IMG> tag
that points off-site to a tracking service, where the user may have
said "only allow cookies from this server").
There's Unix software for all this at www.junkbuster.com. I have *NOT*
tried their Windows software. It's not a *total* solution, but it's
a start.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
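The two policies Valdis describes above, a default-deny cookie filter with a per-site exemption list and a blacklist for off-site "web bug" images, as an added worked example in the style of a Junkbuster-like filtering proxy. This is not code from the original message or from the Junkbuster project; the allowlist and blocklist hostnames, the sample HTML page and the sample response headers are all constructed for the example.

```javascript
// Added example (not part of the original post): a minimal proxy-side policy
// filter. Hostnames in the lists and the sample inputs below are hypothetical.

const COOKIE_ALLOWLIST = new Set(['shop.example.com']);      // sites the user exempted
const TRACKER_BLOCKLIST = new Set(['ads.tracker.example']);   // known web-bug servers

// Default-deny cookie policy on response headers ([name, value] pairs):
// Set-Cookie survives only when the responding host is on the exemption list.
function filterSetCookie(responseHost, headers) {
  const exempt = COOKIE_ALLOWLIST.has(responseHost.toLowerCase());
  return headers.filter(([name]) => exempt || name.toLowerCase() !== 'set-cookie');
}

// Same policy on the request side: never send a Cookie header to a host that
// is not exempted (also covers cookies stored before the filter was installed).
function filterRequestCookie(requestHost, headers) {
  const exempt = COOKIE_ALLOWLIST.has(requestHost.toLowerCase());
  return headers.filter(([name]) => exempt || name.toLowerCase() !== 'cookie');
}

// Pull one attribute value out of an <img ...> attribute string (quoted or bare).
function attr(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
}

// Web-bug heuristic: an <img> whose src resolves off-site and is either a
// blocklisted tracking host or a 1x1 (or smaller) image. Returns one record
// per suspicious tag with the reason(s) it was flagged.
function findWebBugs(pageHost, html) {
  const page = pageHost.toLowerCase();
  const found = [];
  const imgRe = /<img\b([^>]*)>/gi;
  let m;
  while ((m = imgRe.exec(html)) !== null) {
    const src = attr(m[1], 'src');
    if (!src) continue;
    let host;
    try { host = new URL(src, 'http://' + page + '/').hostname.toLowerCase(); }
    catch (e) { continue; }                          // unparseable src: leave it alone
    if (host === page) continue;                     // first-party image, not a web bug
    const w = parseInt(attr(m[1], 'width'), 10);
    const h = parseInt(attr(m[1], 'height'), 10);
    const tiny = w <= 1 && h <= 1;                   // NaN compares false: no size means not tiny
    const reasons = [];
    if (TRACKER_BLOCKLIST.has(host)) reasons.push('blocklisted host');
    if (tiny) reasons.push('off-site 1x1 image');
    if (reasons.length) found.push({ tag: m[0], host, reasons });
  }
  return found;
}

// Remove flagged <img> tags from the page before it reaches the browser, so
// the request to the tracking server (and any cookie it carries) never happens.
function stripWebBugs(pageHost, html) {
  let out = html;
  for (const bug of findWebBugs(pageHost, html)) out = out.split(bug.tag).join('');
  return out;
}

// Constructed sample input: a page served from www.example.com.
const SAMPLE_HTML = [
  '<html><body>',
  '<img src="/logo.png" width="200" height="50">',
  '<img src="http://ads.tracker.example/pixel.gif?u=42" width="1" height="1">',
  '<img src="http://cdn.partner.example/banner.jpg" width="468" height="60">',
  "<img src='http://stats.partner.example/b.gif' width=1 height=1 alt=''>",
  '</body></html>',
].join('\n');

// Constructed sample response headers from www.example.com.
const SAMPLE_RESPONSE_HEADERS = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'uid=7f3a9c; expires=Fri, 01 Jan 2010 00:00:00 GMT; path=/'],
  ['Set-Cookie', 'session=4e2b; path=/'],
];

console.log(filterSetCookie('www.example.com', SAMPLE_RESPONSE_HEADERS));
console.log(findWebBugs('www.example.com', SAMPLE_HTML)
  .map(b => b.host + ': ' + b.reasons.join(', ')));
```

The first-party banner from cdn.partner.example is deliberately left alone: it is off-site but neither tiny nor blocklisted, which is the gap a pure size heuristic leaves and why the blocklist is still needed. A real proxy would also have to handle images loaded by script and by CSS, which this tag scan does not see.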