cookies and biscuits
Posted: Sun Jun 08, 2003 9:31 am
Would just like to know how u guys feel about allowing cookies
My online banking will suddenly not work - after about 27 months -
unless I allow cookies
Now, to me, allowing cookies is like leaving a rapist alone with the wife and daughters
then going out fishing.
So what is the use of all the online security if I keep the backdoor open, never
Maybe I'm wrong and my mindset about security is wrong.
Maybe hiding in my cave too long??
Some feedback shall be appreciated - either to put my mind at rest or
take a big stick to the bank.
PS. Biscuits -you ask? they're made for eating! I hope...........
Posted: Sun Jun 08, 2003 9:58 am
Now where cookies usually become an issue is for advertising and tracking. For instance, a web site may have an advertisement and when that advertisement is displayed in your browser a cookie is set. This cookie can be checked by any other web site and if tied with a place that you have to log on (web based mail, etc) then your individual habits can be tracked, when/where/etc, and be tied directly to you and the information you used when you signed up at the web based mail site. Double-Click were/are notorious for this. Wherever a double-click ad is displayed a bean counter was/is updated with your information.
So the cookie itself doesn't have any special power and doesn't cause a security concern but privacy issues may be raised depending on who issues the cookie and what they want to use it for.
I really like Mozilla's cookie manager. I have it set to ask me how I want to handle a cookie when a site wants to shove one on me. I can examine where the cookie comes from etc. I reject most cookies, but some cookies I will accept if the cookie is from the site I am visiting and I know it is needed by the software used on the site (forum, banking, etc). If the cookie comes from a different site than the one that I am on then there is a 99% chance it is just advertising stuff and I reject. The cookie manager remembers my decision for each web site I visit and if I want to change my decision for a site there is a menu option with a nice cookie manager for changing my options for a particular site.
Now I may not have done a very good job of explaining it but I'm sure there is much information on cookies and security/privacy out there with a google search.
Posted: Sun Jun 08, 2003 2:12 pm
Is about what I was getting at.
I've always set my browsers - currently Mozilla - to ask me before
accepting cookies. Massive shlep sometimes - but I don't mind.
My own machines are running different versions of Redhat.
None of the winbloze machines are allowed to start m$ internet exploder
or any of the m$ packed crap as far as I can help it and are set never
to accept any cookies!
My concern - does a cookie always belong only to the sending URL or
can someone else gain access to it? Directly or thru some devious means?
Further - I try never to save delicate username/passwords combinations
using the browsers when asked for it.
Posted: Sun Jun 08, 2003 2:20 pm
There is no way for say "double-click.net" to see your "voidmain.is-a-geek.net" cookie. At least not as far as I know. If it could then you would certainly have a security concern.
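The scoping rule discussed in the posts above, as an added example that is not part of the original thread: a simplified cookie jar using the domain-matching rule from RFC 6265. The hostnames (`bank.example`, `ads.example`, and so on), cookie values and the `CookieJar`/`adServerLog` names are constructed for illustration, and path, expiry and Secure handling are left out. It shows that the ad host never receives the bank's cookie, yet still gets its own cookie back from every page that embeds its ad, which is what makes tracking possible.

```javascript
// Added example. Hostnames (*.example) and cookie values are constructed.

// RFC 6265 section 5.1.3: does requestHost domain-match cookieDomain?
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === dom) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + dom); // suffix match on a label boundary
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Handle Set-Cookie from setterHost. Without a Domain attribute the cookie
  // is host-only; with one, the setter must itself match that domain.
  // (Real browsers also refuse public suffixes such as "com"; not modelled.)
  set(setterHost, name, value, domainAttr) {
    if (domainAttr !== undefined && !domainMatches(setterHost, domainAttr)) return false;
    const hostOnly = domainAttr === undefined;
    const domain = (hostOnly ? setterHost : domainAttr.replace(/^\./, "")).toLowerCase();
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // Cookie header the browser would attach to a request for requestHost.
  headerFor(requestHost) {
    const host = requestHost.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Load pages that each embed an ad from adHost; return the ad server's view.
function adServerLog(jar, adHost, pageHosts) {
  return pageHosts.map(page => ({ referer: page, cookie: jar.headerFor(adHost) }));
}

const jar = new CookieJar();
jar.set("bank.example", "session", "s3cr3t");          // first-party, host-only
jar.set("ads.example", "uid", "42");                   // third-party ad cookie
const foreignSet = jar.set("ads.example", "session", "x", "bank.example"); // rejected
const log = adServerLog(jar, "ads.example", ["news.example", "mail.example"]);
console.log(foreignSet, jar.headerFor("bank.example"), log);
```

Blocking third-party cookies in the browser corresponds to never calling `set` for a host other than the page being visited, which leaves the ad server's log without a `uid` to link the visits.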
Posted: Sun Jun 08, 2003 3:12 pm
I think there is some tricksy way that cookies can be read by any domain, but it is specific to that one bad cookie.
What I mean by that is www.evil-cracker-site.cx couldn't access your www.hsbc.com
But as far as I know this violates the way cookies are supposed to work, and browsers therefore warn you about them or reject them.
Posted: Mon Jun 09, 2003 3:54 am
personally i always allow only cookies from the same server as the site i am visiting in the browser, i also have it so all cookies are deleted when i close the browser. Both of these can be set up using one checkbox in mozilla and phoenix, sadly these features are STILL not available in konqueror or galeon.
this way no 3rd party cookies find their way in, and every new browser session starts up with no cookies left over from last time.
Posted: Tue Jun 10, 2003 1:15 pm
On cookies, don't get me started.
Oh what the hell.
Hate them, detest them and I am paranoid about them. I have seen nothing anywhere to convince me cookies are secure and/or safe. I fully agree with the privacy issues. I block third party and I use the cookie manager to ban cookies. I'm building up quite a list. Just need to figure out how to export and import it.
There is one reason for requiring cookies that is acceptable and that is user session verification, such as forums.
I resent any statistical monitoring, which is probably the secondary reason for cookies on your banking site. I have an account over in the UK, which does this via a third party cookie, which if banned causes the site to fail on me.
Of course if anyone can show me different I'll listen, but no-one ever has.
Posted: Tue Jun 10, 2003 1:47 pm
Heck, I don't have to go that far to not do online banking. I don't trust banks that use Microsoft server software, period. It automatically raises a flag in my mind of the competency of the people developing the web site. There is no way I'll ever see closed source software as secure for a plethora of reasons.
Posted: Wed Jun 11, 2003 7:03 am
well when it comes to that, i agree, online banking was invented by Satan.
my comments about cookies above really only apply to normal browsing.
I have been known to buy things using the browser, and also to accept paypal payments, but these are all only using i think a total of 3 sites that i trust (they are paypal, amazon and ebay) i would not trust my bank's online services because according to netcraft: The site www.natwest.com is running Microsoft-IIS/5.0 on Windows 2000. 'Nuff said.
Posted: Wed Jun 11, 2003 12:55 pm
All the URLs for my bank end in ".asp"
and only really renders proper with m$ internet exploder.
That should be enough proof that the website is m$
Is there another way of getting some more info?
e.g. using pinky, finger or some such? to see the rev
or type of system/engines used?