On Fri, 12 May 2000, Keith G. Murphy wrote:
> "Jeffrey W. Baker" wrote:
> >
> > On Thu, 11 May 2000, Marc Slemko wrote:
> >
> > > In reality, IE's recently publicized hole (which I reported to them, in a
> > > slightly modified form, months ago but they didn't see fit to release a
> > > patch...) doesn't change much.
> > >
> > > Hotmail? Yahoo mail? amazon.com? etc. Your cookies for all those sites
> > > are vulnerable anyway due to the "cross site scripting" issue. This
> > > particular hole in IE doesn't change things too much. Sure, there may be
> > > the rare site that isn't vulnerable to cross site scripting. But that is
> > > the very rare site, and most sites that think they aren't vulnerable are.
> > >
> > > Cookies are not secure and will never be secure. I have said it before
> > > and will say it again many times before I die. Unfortunately, it isn't as
> > > simple as saying "well, don't use cookies". There isn't much in the way
> > > of alternatives for a lot of things...
> >
> > Cross-site scripting attacks are hard for most people to wrap their minds
> > around. There are a zillion sites that are vulnerable, mainly because
> > they parrot back to the user whatever they submitted without doing any
> > validation or HTML/URL escaping. Then there are browser bugs that don't
> > treat escaped characters properly. Sigh.
> >
> Whether we're talking about the IE bug, or cross-site scripting issues,
> wouldn't the whole thing be solved by users turning *off* scripting and
> leaving the cookies *on*? I.e., in what ways are cookies not safe if
> scripting is turned off?
You are absolutely right. The question is who is going to explain this to
users, MS?
> [snipped]
> But it does seem like not even MS is saying "Don't accept cookies".
> Though they're still pretty quiet on the latest IE hole.
Heh, you probably have never done support :) It's enough for them to
see the two words "cookies" and "evil" in the same sentence; you know how
most of them will conceive it, you shouldn't think twice. I doubt they
know what "scripting" is. Also remember the bad history cookies carry with
them.
______________________________________________________________________
Stas Bekman | JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ | mod_perl Guide http://perl.apache.org/guide
mailto:[EMAIL PROTECTED] | http://perl.org http://stason.org/TULARC/
http://singlesheaven.com| http://perlmonth.com http://sourcegarden.org
----------------------------------------------------------------------
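The "parrot back whatever they submitted" pattern Jeffrey describes above is the root of the reflected cross-site scripting problem in this thread. The following is an added example, not code from the thread or from mod_perl: it shows a search page that echoes the user's query unescaped beside the same page with proper HTML escaping (via Python's standard `html.escape`) and URL escaping (via `urllib.parse.quote`), and a small output check a reviewer can run over rendered pages. The sample input and the page template are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample input: a "search term" that carries markup. Any site that
# reflects this string verbatim hands the browser a script tag to execute,
# which is exactly how cookies for that site end up exposed.
SAMPLE_INPUT = 'mod_perl <script>x()</script> "quoted"'

# Constructed page template: the query appears in two HTML contexts (an
# attribute value and element text) plus one URL context (a link).
PAGE_TEMPLATE = (
    "<html><body>\n"
    '<form><input name="q" value="{attr}"></form>\n'
    "<p>Results for: {text}</p>\n"
    '<a href="/search?q={url}">search again</a>\n'
    "</body></html>\n"
)


def echo_unescaped(user_input: str) -> str:
    """The vulnerable pattern: user input is pasted straight into the page."""
    return PAGE_TEMPLATE.format(attr=user_input, text=user_input, url=user_input)


def escape_for_html(user_input: str) -> str:
    """Escape for element text and attribute values.

    quote=True also escapes double and single quotes, so the value cannot
    terminate the value="..." attribute it is placed in.
    """
    return html.escape(user_input, quote=True)


def escape_for_url(user_input: str) -> str:
    """Percent-encode for use inside a URL query parameter."""
    return quote(user_input, safe="")


def echo_escaped(user_input: str) -> str:
    """The fixed pattern: every insertion point gets the escaping its context needs."""
    return PAGE_TEMPLATE.format(
        attr=escape_for_html(user_input),
        text=escape_for_html(user_input),
        url=escape_for_url(user_input),
    )


def reflects_active_markup(page: str) -> bool:
    """Rough output check: does the rendered page contain a live script tag?

    Useful as a regression test on templates; it is a check on output, not a
    substitute for escaping at every insertion point.
    """
    return "<script" in page.lower()


if __name__ == "__main__":
    print("--- unescaped (vulnerable) ---")
    print(echo_unescaped(SAMPLE_INPUT))
    print("active markup reflected:", reflects_active_markup(echo_unescaped(SAMPLE_INPUT)))
    print("--- escaped (fixed) ---")
    print(echo_escaped(SAMPLE_INPUT))
    print("active markup reflected:", reflects_active_markup(echo_escaped(SAMPLE_INPUT)))
```

The design point is that escaping is context-dependent: the same string needs HTML entity escaping inside element text and attribute values, but percent-encoding inside a URL, and the `quote=True` on `html.escape` matters because a bare `"` in an attribute value is as dangerous as a `<` in element text.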