Vulnerability Development mailing list archives

RE: Microsoft IE cookies readable via about: URLS


From: "Oliver Petruzel" <opetruzel () cox rr com>
Date: Mon, 12 Nov 2001 15:33:45 -0500

Moderators: [This is much more appropriate for the vuln-dev or privacy
arena, so I am cross-posting to move it in that direction.]


-----Original Message-----
From: Continental Technologies, Inc. [mailto:ctinc () powersupply net] 
Sent: Monday, November 12, 2001 1:56 PM


Many firewalls already monitor cookie information and allow you 
to build an exemption list on the fly.  That is, if you don't 
mind the constant nagging of the accept/reject mechanism.

Regards,
 
Steven Kadesch


I guess my line of thought was more of a disclosure issue with known
offenders.  I am familiar with several "cookie blocking" mechanisms but
this still begs for a centralized disclosure solution.  Web-bugs are of
course more destructive or intrusive rather, but my concern is with
"popular" sites that may be collecting too much information on ALL
visitors to their sites, and using IE "functionality" to do so.

A list of this sort would create a sense (somewhat) of fear in the
offenders, as their name is mentioned in a negative light.  Raised
awareness of their intrusive nature may cause them to reevaluate their
need for personal information such as SSN and CC's and weigh it against
negative publicity.  This may lead to their removing these "personal"
portions of their cookies thus returning to a purely functional use.
(pipedream?)

With w3c and XML developments expanding in the near future, the
meta-data should include DETAILED information on cookies and such being
issued when a site is served.  Who knows, that may be the solution to
this disclosure issue, but in the meantime perhaps a simple blacklist is
in order.

Oliver P.
Computer Security Specialist (IC)
Near DC...


