> Cookies and user tracking are wonderful things. If you are an intelligence
> service, that is.
We actually described that attack in draft-trammell-perpass-ppa-01, which we submitted last month:

   4.3.5. Tracking address use with web cookies

   Many web sites only encrypt a small fraction of their transactions. A popular pattern was to use HTTPS for the login information, and then use a "cookie" to associate following clear-text transactions with the user's identity. Cookies are also used by various advertisement services to quickly identify the users and serve them with "personalized" advertisements. Such cookies are particularly useful if the advertisement services want to keep tracking the user across multiple sessions that may use different IP addresses.

   As cookies are sent in clear text, a PPA can build a database that associates cookies to IP addresses for non-HTTPS traffic. If the IP address is already identified, the cookie can be linked to the user identity. After that, if the same cookie appears on a new IP address, the new IP address can be immediately associated with the pre-determined identity.

Your analysis goes one step further, linking cookies to active attacks. We only considered "pervasive passive attacks" in the problem statement, but it is pretty clear that we want to also consider the active attacks. Packet injection can act as an efficiency multiplier on top of the passive monitoring.

In any case, it is pretty clear that if a connection carries identifying data such as cookies, then it should be encrypted. Alternately, we may want to convince browser developers to allow a privacy setting "no cookies in clear text."

-- Christian Huitema

_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass
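The correlation step that section 4.3.5 describes (build a cookie-to-address database from clear-text HTTP, seed it with a few already-identified addresses, then re-identify every new address that presents a known cookie) is easy to model. The following is an added example written for this page; it is not code from the draft, the mailing list, or any IETF project. The observations, the host names, the cookie values and the two "already identified" addresses are constructed sample data, and the conflict-handling rule (a cookie that bridges two different seeded identities is treated as a shared, non-identifying cookie and dropped) is an assumption of this example, not something the draft specifies.

```python
"""
Passive cookie-to-address correlation, modelled on draft-trammell-perpass-ppa-01
section 4.3.5. Added example, not part of the original message or the draft.

Input is what a passive observer sees in clear-text HTTP: (client IP, Host header,
Cookie header). Cookies and IPs form a bipartite graph; identities known for a few
IPs are propagated across that graph. A cookie that links two different known
identities is assumed to be shared (a preference cookie, say) and is excluded.
"""
from collections import defaultdict

# Constructed sample observations in time order: (src_ip, host, cookie_header).
OBSERVATIONS = [
    ("198.51.100.10", "news.example", "sid=abc123; theme=dark"),
    ("198.51.100.10", "ads.example", "uid=Z9Y8X7"),
    ("203.0.113.5", "news.example", "sid=def456; theme=dark"),   # shared 'theme' value
    ("192.0.2.77", "ads.example", "uid=Z9Y8X7"),                 # ad cookie on a new IP
    ("192.0.2.77", "mail.example", "auth=tok-0042"),
    ("203.0.113.99", "mail.example", "auth=tok-0042"),           # linked through the chain
    ("198.51.100.200", "shop.example", "cart=9"),                # never linked to anyone
]

# Addresses identified out of band (constructed). The draft calls these
# "already identified" IP addresses.
KNOWN_IDENTITIES = {"198.51.100.10": "alice", "203.0.113.5": "bob"}


def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs, skipping malformed crumbs."""
    pairs = []
    for crumb in header.split(";"):
        crumb = crumb.strip()
        if "=" not in crumb:
            continue
        name, _, value = crumb.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def build_database(observations):
    """The PPA's database: which cookies each IP presented, and which IPs presented each cookie.
    A cookie is keyed by (host, name, value) so same-named cookies on different sites stay apart."""
    ip_cookies, cookie_ips = defaultdict(set), defaultdict(set)
    for ip, host, header in observations:
        for name, value in parse_cookie_header(header):
            key = (host, name, value)
            ip_cookies[ip].add(key)
            cookie_ips[key].add(ip)
    return ip_cookies, cookie_ips


def link_identities(ip_cookies, cookie_ips, known, excluded=frozenset()):
    """Propagate each known identity across the IP/cookie graph.
    Returns (ip -> identity, cookie -> identity, set of cookies that bridged two identities)."""
    ip_identity, cookie_identity, via, conflicts = {}, {}, {}, set()
    for seed_ip, who in known.items():
        stack = [("ip", seed_ip, None)]          # (node kind, node, cookie we arrived through)
        while stack:
            kind, node, parent = stack.pop()
            table = ip_identity if kind == "ip" else cookie_identity
            if node in table:
                if table[node] != who:
                    # Two seeded identities meet: the cookie that carried us here is shared.
                    bridge = node if kind == "cookie" else via.get(node, parent)
                    if bridge is not None:
                        conflicts.add(bridge)
                continue
            table[node] = who
            if kind == "ip":
                if parent is not None:
                    via[node] = parent
                stack.extend(("cookie", c, node) for c in ip_cookies.get(node, ()) if c not in excluded)
            else:
                stack.extend(("ip", i, node) for i in cookie_ips.get(node, ()))
    return ip_identity, cookie_identity, conflicts


def correlate(observations, known):
    """Full pass: build the database, propagate, and drop bridging cookies until stable.
    Returns (ip -> identity, cookie -> identity, excluded cookies)."""
    ip_cookies, cookie_ips = build_database(observations)
    excluded = set()
    while True:
        ip_identity, cookie_identity, conflicts = link_identities(
            ip_cookies, cookie_ips, known, frozenset(excluded))
        new = conflicts - excluded
        if not new:
            return ip_identity, cookie_identity, excluded
        excluded |= new


if __name__ == "__main__":
    ips, cookies, dropped = correlate(OBSERVATIONS, KNOWN_IDENTITIES)
    for ip in sorted(ips):
        print(f"{ip:16} -> {ips[ip]}")
    print("non-identifying cookies dropped:", sorted(dropped))
```

On the constructed data, 192.0.2.77 is tied to alice through the advertising cookie, 203.0.113.99 is tied to alice through the mail cookie it shares with 192.0.2.77 (two hops from any identified address), and the `theme=dark` cookie, which both seeded users present, is recognised as non-identifying and discarded rather than merging alice and bob. This is the whole of the passive attack in the draft; the injection the message goes on to mention would only shorten how long the observer waits for a useful cookie to appear.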
