
Cookies and "smart fine print"



> Date: Tue, 09 Jul 1996 11:08:18 -0700
> From: Frank Chen <frank@netscape.com>
> Organization: Netscape Communications
> To: Benjamin Tomhave <tomhavbe@martin.luther.edu>
> Subject: Re: Smart Fine Print
> 
> In Navigator 3.0, click the "Protocols" tab of "Network Preferences"
> (under the Options menu).  You will be able to toggle a preference
> that determines whether you are alerted whenever a server delivers you
> a cookie.  When the server presents a cookie, you then have the choice
> of accepting or rejecting the cookie.  I believe this preference
> should allay any of the potential privacy concerns associated with
> cookies.

Thanks for replying to this thread.  I'm very glad to see Netscape
staff participating in the www-security list -- your perspective has
been missed in the past.

I've been running Navigator 3.0 with the "ask before accepting cookie"
option turned on for a few days now.  I'm afraid it's not as useful as
one might hope.  For one thing, on some sites there are a half dozen or
more cookie requests per page (attached to inline images, I suppose).
The continual cookie approval popups get to be very annoying.

It is tempting to try to disable cookies altogether, but as has been
pointed out, making the cookie file unwritable is ineffective, since
cookies will survive in memory within a Navigator session.  A "disable
all cookies" preference might be a welcome enhancement for the truly
paranoid.

But I'm starting to think that a real solution might necessarily be
more complex.  The problem is that a user might want to enable cookies
at some trusted sites, to disallow all cookies at others, and to be
prompted on a case-by-case basis at others.  The result starts to
resemble Usenet "killfiles".

I fear that the whole cookie idea, while not as pernicious as some
paint it to be, wasn't very well thought out from a privacy point of
view.  I suspect that the pooling of cookie information by advertisers
is only the beginning.

And the moral of the story is: making complex features invisible to the
user is likely to come back to bite you.  Users want transparency in
the sense of comprehensibility and simplicity, not transparency in the
sense of covert browser behavior.

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Opinions expressed are not necessarily those of my employer.
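
Added example, not part of the original message and not Navigator code: a sketch of the per-site allow/deny/prompt policy the message compares to Usenet killfiles, which also collapses repeated prompts from one page into a single prompt per host. The rule file syntax, function names and sample hosts are all assumptions made for illustration.

```python
# Added illustration: the rule syntax and every name here are assumptions.
from urllib.parse import urlsplit
ACTIONS = {"allow", "deny", "prompt"}
# Constructed killfile-style policy; the first matching rule wins.
SAMPLE_RULES = """
allow   is.rice.edu      # exact host
deny    .ads.example     # leading dot: the domain and every subdomain
prompt  .example
"""
# Constructed (url, Set-Cookie value) pairs for one page load.
SAMPLE_PAGE = [("http://is.rice.edu/", "s=1"), ("http://a.ads.example/x.gif", "id=2"),
               ("http://shop.example/1.gif", "c=3"), ("http://shop.example/2.gif", "c=4")]

def parse_rules(text):
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2 or fields[0] not in ACTIONS:
            raise ValueError(f"line {n}: expected '<allow|deny|prompt> <host>'")
        rules.append((fields[0], fields[1].lower()))
    return rules

def host_matches(host, pattern):
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        # Match on a label boundary so "evilexample" never matches ".example".
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def decide(rules, host, default="prompt"):
    for action, pattern in rules:
        if host_matches(host, pattern):
            return action
    return default

def filter_page(rules, responses):
    accepted, rejected, ask = [], 0, []
    for url, cookie in responses:
        host = urlsplit(url).hostname or ""
        action = decide(rules, host)
        if action == "allow":
            accepted.append((url, cookie))
        elif action == "deny":
            rejected += 1
        elif host not in ask:  # one prompt per host, not one per cookie
            ask.append(host)
    return accepted, rejected, ask
```

Hosts that match no rule fall back to `prompt`, so an unlisted site is never silently accepted.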

