cookies and biscuits

Place to discuss anything, almost. No politics, religion, Microsoft, or anything else that I (the nazi censor) deem inappropriate.
Post Reply
caveman
programmer
programmer
Posts: 130
Joined: Sun Feb 09, 2003 1:08 pm
Location: Midrand Gauteng, South Africa

cookies and biscuits

Post by caveman » Sun Jun 08, 2003 9:31 am

Hi.

Would just like to know how u guys feel about allowing cookies :roll:

My online banking will suddenly not work - after about 27 months -
unless I allow cookies :shock:

Now, to me, allowing cookies is like leaving a rapist alone with the wife and daugthers
then going out fishing. :evil:

So what is the use of all the online security if I keep the backdoor open, never
mind locked!

Maybe I'm wrong and my mindset about security is wrong.
Maybe hiding in my cave to long?? 8)

Some feedback shall be appreciated - either to put my mind at rest or
take a big stick to the bank.

Regards

PS. Biscuits -you ask? they're made for eating! I hope...........

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Post by Void Main » Sun Jun 08, 2003 9:58 am

It's not so much security as it is privacy when it comes to cookies. Some web sites are designed to use cookies (like these forums for instance) to make things like a "user session" possible. That is, in the case of this web site when you log in a cookie is created and it knows who you are as you navigate through the forums. Without using the cookie you would have to log in for each and every thing you wanted to do that should be specific to you personally.

Now where cookies usually become an issue is for advertising and tracking. For instance, a web site may have an advertisement and when that advertisement is displayed in your browser a cookie is set. This cookie can be checked by any other web site and if tied with a place that you have to log on (web based mail, etc) then your individual habits can be tracked, when/where/etc, and be tied directly to you and the information you used when you signed up at the web based mail site. Double-Click were/are notorious for this. Wherever a double-click ad is displayed a bean counter was/is updated with your information.

So the cookie itself doesn't have any special power and doesn't cause a security concern but privacy issues may be raised depending on who issues the cookie and what they want to use it for.

I really like Mozilla's cookie manager. I have it set to ask me how I want to handle a cookie when a site wants to shove one on me. I can examine where the cookie comes from etc. I reject most cookies, but some cookies I will accept if the cookie is from the site I am visiting and I know it is needed by the software used on the site (forum, banking, etc). If the cookie comes from a different site than the one that I am on then there is a 99% chance it is just advertising stuff and I reject. The cookie manager remembers my decision for each web site I visit and if I want to change my decision for a site there is a menu option with a nice cookie manager for changing my options for a particular site.

Now I may not have done a very good job of explaining it but I'm sure there is much information on cookies and security/privacy out there with a google search.

caveman
programmer
programmer
Posts: 130
Joined: Sun Feb 09, 2003 1:08 pm
Location: Midrand Gauteng, South Africa

Post by caveman » Sun Jun 08, 2003 2:12 pm

Tx Voidmain

Is about what I was getting at.

I've allways set my browsers - currently Mozilla - to ask me before
accepting cookies. Massive shlep sometimes - but I don't mind.

My own machines are running different versions of Redhat.
None of the winbloze machines are allowed to start m$ internet exploder
or any of the m$ packed crap as far as I can help it and are set never
to accept any cookies!

My concern - does a cookie allways belong only to the sending URL or
can someone else gain access to it? Directly or thru some devious means?

Further - I try never to save delicate username/passwords combinations
using the browsers when asked for it.

Regards

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Post by Void Main » Sun Jun 08, 2003 2:20 pm

There is no way for say "double-click.net" to see your "voidmain.is-a-geek.net" cookie. At least not as far as I know. If it could then you would certainly have a security concern.

Tux
guru
guru
Posts: 689
Joined: Wed Jan 08, 2003 10:40 am

Post by Tux » Sun Jun 08, 2003 3:12 pm

I think there is some tricksy way that cookies can be read by any domain, but it specific to that one bad cookie :)
What I mean by that is www.evil-cracker-site.cx couldnt access your www.hsbc.com cookie.
But as far as I know this violates the way cookies are supposed to work, and browsers therefore warm you aout them or reject them.

User avatar
Calum
guru
guru
Posts: 1349
Joined: Fri Jan 10, 2003 11:32 am
Location: Bonny Scotland
Contact:

Post by Calum » Mon Jun 09, 2003 3:54 am

personally i always allow only cookies from the same server as the site i am visiting in the browser, i also have it so all cookies are deleted when i close the browser. Both of these can be set up using one checkbox in mozilla and phoenix, sadly these features are STILL not available in konqueror or galeon.

this way no 3rd party cookies find their way in, and every new browser session starts up with no cookies left over from last time.

Linux Frank
administrator
administrator
Posts: 239
Joined: Fri Jan 10, 2003 2:06 pm

Post by Linux Frank » Tue Jun 10, 2003 1:15 pm

On cookies, don't get me started.

Oh what the hell.

Hate them, detest them and I am paranoid about them. I have seen nothing anywhere to convince me cookies are secure and/or safe. I fully agree with the privacy issues. I block third party and I use the cookie manager to ban cookies. I'm building up quite a list. Just need to figure out how to export and import it.

There is one reason for requiring cookies that is acceptable and that is user session verification, such as forums.

I resent any statisical monitoring, which is probably the secondary reason for cookies on your banking site. I have an account over in the UK, which does this via a third party cookie, which if banned causes the site to fail on me.

However you should be careful. There is a nasty trick going on now that makes a system essentially insecure (in my opinion). Yes I know of a bank that if you don't allow Javascipt to post cookies, and don't allow Javascript to read cookies you cannot access the secure part of their site. Now I could just about except cookies, but Javascript controlled cookies, that is a basic insecurity and has now resulted in me taking actions to close my account (there are other issues such as not supporting a secure browser). I do not trust Javascript, I am not convinced it is secure, and I certianly am not going to put my trust in a bank that uses it until scripting is proven to be relatively secure.

Of course if anyone can show me different I'll listen, but no-one ever has.

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Post by Void Main » Tue Jun 10, 2003 1:47 pm

Heck, I don't have to go that far to not do online banking. I don't trust banks that use Microsoft server software, period. It automatically raises a flag in my mind of the competency of the people developing the web site. There is no way I'll ever see closed source software as secure for a plethora of reasons.

User avatar
Calum
guru
guru
Posts: 1349
Joined: Fri Jan 10, 2003 11:32 am
Location: Bonny Scotland
Contact:

Post by Calum » Wed Jun 11, 2003 7:03 am

well when it comes to that, i agree, online banking was invented by Satan.

my comments about cookies above really only apply to normal browsing.

I have been known to buy things using the browser, and also to accept paypal payments, but these are all only using i think a total of 3 sites that i trust (they are paypal, amazon and ebay) i would not trust my bank's online services because according to netcraft: The site www.natwest.com is running Microsoft-IIS/5.0 on Windows 2000. 'Nuff said.

caveman
programmer
programmer
Posts: 130
Joined: Sun Feb 09, 2003 1:08 pm
Location: Midrand Gauteng, South Africa

Post by caveman » Wed Jun 11, 2003 12:55 pm

All the URL's for my bank end in ".asp"
and only really renders proper with m$ internet exploder.

That should be enough proof that the website is m$
based.

Is there another way of getting some more info?
eg. using pinky,finger or some such? to see the rev
or type of system/engines used?

Post Reply