
Re: Bloody cookies...



It would help if those criticizing the cookies discussion as
"not a security issue" could recommend a better forum.  It
seems that this list is a forum for discussing general
WWW security-related issues, not merely issues that
pertain strictly to break-ins on the server side.  There
are several ways in which this discussion is related to security:

* Hidden actions -- software taking actions that are important
to but hidden from the user -- are a major security issue, and
this is an example.  (Another example, much more serious
when discussing strictly break-ins, is spoofed login
terminals, which also hide the recipient of the user's
information from the user.)

* Client-side file system access to the server in general is a security
issue, and cookies are an (almost surely benign, in terms of break-ins)
example of it.

* Confidentiality (aka privacy) is a security issue -- the entire
purpose of traditional cryptography was to maintain confidentiality.
Large amounts of clickstream data, linked by shared cookies,
are a threat not only to personal privacy but to corporate
confidentiality as well.  For example, it might be used
to collect dossiers on your employees' browsing habits
to enable social engineering.  Clickstream data might leak information on
confidential partnerships and joint projects.  Surely this falls
under the purview of the information security officer, another
recent thread that is probably farther from strict WWW security
than this one.  That said, end-user privacy is every bit as
pertinent, and as important a security issue as business confidentiality,
even if many of us often fail to see beyond the immediate issuer where our
paychecks are coming from.


Nick Szabo
szabo@netcom.com
http://www.best.com/~szabo/

