> > So if I think this out logically, the ONLY way to ensure 
> > absolute security is if the user has their cookies turned on.
> 
> Well...  That's not 100% secure either.  It *is* possible for a
> malicious user to share his cookies with others.  A malicious user
> could ALSO manually add ?CFID=XXX&CFTOKEN=XXX to any URL on their
> site & assume someone else's session.

I'd like to second that. Cookies, like anything else sent from the browser
to the server, can be manipulated by the end user. It's pretty trivial to
see what cookies you've received, then send back different cookies.

> And speaking of cookies...  I am inclined to wonder what the big deal
> about cookies is.  All of our CF sites require cookies, and I've yet
> to get any complaints about them.

The big deal about cookies is the way that they can be used by ad providers
like DoubleClick. Since lots of sites use ads, you might have something like
this happen:

1. User goes to http://www.imagoodperson.com.
2. Ad banner on that site is drawn from http://evilads.com.
3. The evilads server sets a cookie, and records that the cookie was set for
a visitor to imagoodperson.com.
4. User later goes to http://www.pornyoudbeashamedof.com/.
5. Ad banner on that site is also drawn from http://evilads.com.
6. The evilads server receives the cookie back, and records that the cookie
was received.

As a result, evilads.com now has recorded that somebody visited
imagoodperson.com and pornyoudbeashamedof.com. In addition, if
imagoodperson.com had an affiliation with evilads.com, it's possible that
imagoodperson.com has revealed any personal info you provided to them to
evilads.com, which could then correlate that info with the other info
they've already recorded.

This is what's happening right now - this is what ad providers do. Given
that this practice actually occurs, it's easy to see why the mainstream
press says "cookies bad" - it's pretty hard to differentiate between "good"
and "bad" uses of cookies.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/
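The six-step tracking chain above, as an added illustration that is not part of the original thread: a constructed model of the ad host's cookie log, run once with ordinary cookie handling and once with the browser refusing cookies in a third-party context (the host names are the ones from the post; `AD_HOST`, the classes and `run_scenario` are assumptions of this example).

```python
"""Model of the third-party-cookie tracking chain from the post.

Constructed example: one ad host draws banners on two unrelated sites and
tries to tie the two visits together through the cookie it set.
"""
import secrets
from typing import Dict, List, Optional
from urllib.parse import urlparse

AD_HOST = "evilads.com"  # the ad provider named in the post


class AdServer:
    """The ad provider: logs which first-party site each cookie was seen on."""

    def __init__(self) -> None:
        self.log: Dict[str, List[str]] = {}

    def serve_banner(self, referer: str, cookie: Optional[str]) -> str:
        """Handle one banner request. Returns the cookie the browser should keep."""
        site = urlparse(referer).hostname
        if cookie is None:
            cookie = secrets.token_hex(8)  # fresh tracking id (step 3)
        self.log.setdefault(cookie, []).append(site)  # steps 3 and 6
        return cookie

    def linked_visits(self) -> List[List[str]]:
        """Cookies seen on more than one site: the correlation the post warns of."""
        return sorted(sorted(set(v)) for v in self.log.values() if len(set(v)) > 1)


class Browser:
    """Minimal cookie jar. With block_third_party=True, cookies for AD_HOST are
    neither stored nor sent while some other site is the top-level page."""

    def __init__(self, block_third_party: bool) -> None:
        self.block_third_party = block_third_party
        self.jar: Dict[str, str] = {}

    def visit(self, page_url: str, ads: AdServer) -> None:
        top = urlparse(page_url).hostname
        third_party = top != AD_HOST
        if third_party and self.block_third_party:
            ads.serve_banner(page_url, None)  # banner still loads, no cookie kept
            return
        self.jar[AD_HOST] = ads.serve_banner(page_url, self.jar.get(AD_HOST))


def run_scenario(block_third_party: bool) -> List[List[str]]:
    """Steps 1-6 of the post; returns the site groups evilads.com could link."""
    ads = AdServer()
    user = Browser(block_third_party)
    user.visit("http://www.imagoodperson.com", ads)         # steps 1-3
    user.visit("http://www.pornyoudbeashamedof.com/", ads)  # steps 4-6
    return ads.linked_visits()


if __name__ == "__main__":
    print("cookies allowed    :", run_scenario(False))
    print("third-party blocked:", run_scenario(True))
```

With cookies allowed the ad host links both sites under one id; with third-party cookies refused each banner request arrives without an id and nothing can be joined.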