
Re: Cookies and "smart fine print"

On Tue, 9 Jul 1996, David W. Morris wrote:

> First, I doubt many people give a damn. Cookies for tracking purposes
> have any number of alternatives for those with nasty intent.
>
Again, it is quite dependent on what the tracking information is being
used for.  This is comparable to grocery stores providing credit cards for
their customers to use.  It simply allows them to track purchasing trends
and adjust the price accordingly (usually to their advantage, not yours).
However, there is more to this than just the issue of people being tracked
on the web.  It's more about having information stored on your machine
without your knowledge.  It is about a remote user (usually automated)
having enough access to write to a file on your machine.  This is why
JavaScript and Java have received quite a bit of heat.  It's because they
allow direct access to your local machine w/o direct authorization.  This
is the security issue at hand.

> How many people who call 800#s realize that the party paying for the call
> gets the caller's phone number and if they did how many would refuse to
> make the call? Most of us recognize that there is a cost associated
> with providing services whether it be on the WWW or an 800# one can call
> for pre-sales product information. Most of us live our lives in
> a fashion that we aren't ashamed of what we do. It's really quite
> simple, if you don't want people to know you've been somewhere, it is
> best not to go. True in life and true on-line.
>
It is not a matter of being ashamed of what I do.  With modern technology,
anybody can get a little box that tells you who is calling before you pick
up the phone.  This is not new, nor is it something which has been kept
from the public.  However, the issue of cookies being written to your
machine and the amount of access which certain companies seem to have to
you is the concern.  I doubt that any of the readers of the mailing list
are naive enough to think that when they connect to a site, that site has
access to quite a bit of information about them (including IP address,
hostname, host type, etc.).  Most of us don't complain about this, though,
because it is common in the protocols which are used to make those
connections.  I know BBS's which have been using this sort of information
to protect themselves for years.  However, a red flag is raised when the
remote site which you are visiting starts to access your machine w/o
authorization or authentication.  This is the kind of issue we are dealing
with in the case of the cookies.

> If you insist, wear protection ... in this case it is trivial to
> write an HTTP proxy in perl which can filter cookies and a few
> other things as well. Of course if there is a cop in the parking lot
> snapping pictures you may still have a problem. Watch out for dem log
> files, etc.
>
Yeah, and every user of the Internet has the expertise necessary to write
those kinds of programs...not in your life!

> This thread has mostly nothing to do with security, how about taking
> the wasted bandwidth elsewhere?
>
I disagree wholeheartedly with you here.  It is all about security.  It
simply exceeds what you think is an acceptable level of paranoia.  You may
not care if someone at a remote site writes to your local computer w/o
authorization or authentication, but some of us do care.  I think we would
all agree that even the smallest hole in a system's security can result in
much trouble.  What's to say that the people using cookies aren't looking
for "average" users with no clue about security in order to manipulate
them?  It's possible, though (hopefully) not probable.

--------------------------------------------------------------------------------
				|
    Benjamin Tomhave		|   Shell to DOS...Come in DOS...Do you Copy?
    Luther College		|
    Decorah, IA 52101		|   $ rm * .*    "Hey, where'd everything go?
    tomhavbe@martin.luther.edu  |
				|   What's an ID-10-T error? :)
				|
--------------------------------------------------------------------------------
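The quoted remark about a cookie-filtering proxy is the one technical point in this exchange. The following is an added example, not code from either poster; it implements the core of such a filter in Python rather than perl, and assumes raw HTTP/1.0-style messages with a blank line between header block and body. It strips Cookie and Set-Cookie headers in either direction (including RFC 2965 Cookie2/Set-Cookie2 and obsolete folded continuation lines) and returns what it removed so a proxy can log it.

```python
"""Core of a cookie-stripping HTTP filter (added example, not from the thread)."""
from typing import List, Tuple

# Header names that carry cookie state in either direction (lower-cased).
COOKIE_HEADERS = {"cookie", "set-cookie", "cookie2", "set-cookie2"}


def split_head_body(message: bytes) -> Tuple[bytes, bytes]:
    """Split a raw HTTP message into header block and body at the first blank line."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF messages from sloppy 1990s servers
        head, sep, body = message.partition(b"\n\n")
    return head, body


def strip_cookie_headers(message: bytes) -> Tuple[bytes, List[str]]:
    """Return (filtered_message, removed_header_lines).

    The start line (request line or status line) is always kept. A header
    whose name is in COOKIE_HEADERS is dropped together with any folded
    continuation lines (lines starting with SP or HTAB) that belong to it.
    Output line endings are normalised to CRLF.
    """
    head, body = split_head_body(message)
    lines = head.split(b"\r\n") if b"\r\n" in head else head.split(b"\n")
    kept: List[bytes] = [lines[0]]
    removed: List[bytes] = []
    dropping = False
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            # Continuation line: follows whatever decision was made for its header.
            (removed if dropping else kept).append(line)
            continue
        name, _, _ = line.partition(b":")
        dropping = name.strip().lower().decode("latin-1") in COOKIE_HEADERS
        (removed if dropping else kept).append(line)
    filtered = b"\r\n".join(kept) + b"\r\n\r\n" + body
    return filtered, [r.decode("latin-1") for r in removed]
```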