
Cookies: summary



Tom Fetherston <tdf@ble.org> asked for a summary of the cookies discussion.
  > Suggested summary headers:
  > 
  > A.  What is the security risk/threat of 1) implementing cookie distribution 
  > 2) receiving cookies with your browser?
In neither case is there a *security* risk.  There is a privacy risk to
the user.

  > 
  > B.  Can a cookie server possibly write to other files besides the 
  > cookie database?
Not if the client is implemented correctly.

  > 
  > C.  How can the risk/threat be minimized or eliminated?
I believe the only risk is a privacy risk to the user.  If you suppress
all cookies, you avoid the risk.  (One cute Unix hack someone here
mentioned is to create a symbolic link from the cookie file to
/dev/null.  Poof!  No more cookies.)  On other platforms, enable
whatever options will allow you to suppress accumulating cookies.

Dave Kristol

