
Re: cookie overloading (denial of service)



> From: bob@lava.net (Robert P Cunningham)
>
> Having seen pages out there issuing 40 or more cookies, I began
> wondering how easy it would be to overload a browser with cookies
> (and force it to delete other cookies).

Neat but I still think we're worrying too much about cookies
and letting major future vulnerabilities sneak by:

> From brandon Thu Jul 18 20:24:12 1996
> To: bob@lava.net
> Subject: Re:- cookies and privacy
>
> > Either way, a "denial of service" attack might just be possible.
> > Could a collection of sites cooperate to load browsers with their
> > own cookies, causing a browser to cease loading of other cookies?
> 
> Or a few big sites could be persuaded to fill you up to displace
> a competitor's cookie.
> 
> If you have 399 from Microsoft and 1 from say Netscape which one
> stands the most chance of being lost as you hit more friends of MS 
> sites?
> 
> I'm not too worried about the cookies as whilst we're worrying about
> a minor vulnerability Microsoft are successfully waging an anti Java
> campaign over here.
> 
> The press and the PC entranced are buying it - better than Java
> as it doesn't have the security limitations, more secure because
> the sites offering content will be MS approved...
> 
> So an ActiveX applet that can go anywhere on your disk is OK because
> MS say so?

Brandon

--
Brandon Butterworth         phone: 01737 836592
BBC Research & Development  fax:   01737 832336
Kingswood Warren, Tadworth  email: brandon@rd.bbc.co.uk
Surrey, KT20 6NP            URL:   http://www.bbc.co.uk/
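
The displacement scenario from the quoted message, modelled as an added example that is not part of the original thread: a cookie jar with a fixed total limit, compared under two eviction policies. The limit of 400 is an assumption taken from the 399 + 1 figures above, and the class, policy names and example domains are hypothetical.

```python
from collections import Counter, OrderedDict


class CookieJar:
    """Bounded cookie store; models eviction once the total limit is hit."""

    def __init__(self, capacity, policy):
        self.capacity = capacity      # assumed total cookie limit
        self.policy = policy          # "oldest" or "fair" (hypothetical names)
        self.cookies = OrderedDict()  # (domain, name) -> value, oldest write first

    def set(self, domain, name, value):
        key = (domain, name)
        self.cookies.pop(key, None)   # an overwrite counts as a fresh write
        self.cookies[key] = value
        while len(self.cookies) > self.capacity:
            self._evict()

    def _evict(self):
        if self.policy == "oldest":
            # Drop the oldest cookie regardless of which site owns it.
            self.cookies.popitem(last=False)
            return
        # "fair": drop the oldest cookie of the domain holding the most cookies,
        # so a single heavy origin pays for its own overflow.
        counts = Counter(domain for domain, _ in self.cookies)
        heaviest = max(counts, key=counts.get)
        victim = next(k for k in self.cookies if k[0] == heaviest)
        del self.cookies[victim]

    def per_domain(self):
        return Counter(domain for domain, _ in self.cookies)


def simulate(policy, capacity=400):
    """One cookie from a small site, then 399 + 50 from one busy origin."""
    jar = CookieJar(capacity, policy)
    jar.set("small.example", "session", "abc")   # constructed sample data
    for i in range(399 + 50):
        jar.set("big.example", f"c{i}", "x")
    return jar.per_domain()


if __name__ == "__main__":
    for policy in ("oldest", "fair"):
        print(policy, dict(simulate(policy)))
```

The "fair" policy only bounds a single heavy domain; many distinct domains each holding one cookie are indistinguishable from the small site under this rule.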