Playing with cookies
David Chia
dchia@www2.untpdc.org
Mon, 20 Mar 100 05:24:25 +0000 ()
> 1) Some cookie implementations are flawed in relation to domains and
> country TLDs.
> 2) Browsers can provide "incorrect" cookies to sites within the
> same domain (unless the site developers have made efforts to detect and
> handle this).
> 3) The combination of the above can lead to cookies inadvertently being
> passed between domains which use country TLDs.
> 4) If sensitive information is contained in cookies, which does happen,
> (3) can be a problem.
> 5) Cross-domain privacy also depends on DNS, which is generally not
> secure.
> 6) Due to the nature of hypertext, visiting a site may result in cookie
> exchanges with third party servers, which may provide third party servers
> with information about your activities on the original site.
> 7) Third party servers which are referenced across domains may track
> your activity across domains (not necessarily with any associated
> identity, although this could happen if you provide personal details to
> a site).
> 8) Cookies can be subverted trivially in a number of ways.
> 9) Cookie implementations vary considerably between different
> brands and versions of browsers and servers.
> 10) Cookies are not required at all to maintain state during a session.
> 11) The only advantage of cookies for users is maintaining state between
> sessions, generally to save logging in to non-secure sites.
In retrospect, the concept that the use of web cookies can be controlled
in general was reported to be flawed to begin with. It was too US-centric,
since the US mostly uses a single level of generic top-level domains, and
the concept could not be effective when applied in countries that use
second-level or deeper generic subdomains. Thus there is no surprise that
no software implementation can prevent such a problem in general. It was
revealed that soon after the invention of the Netscape cookie standard
the technical flaw was discovered. It was realized then that the flaw
could not be fixed in general. The latest IETF RFC deviates from the
original Netscape Cookie Standard. The reality at this stage is that
any attempt to partially fix the problem will break some significant
internet services, and a decision not to do so was made.
The flaw affects internet domains which have second or lower generic
sub-domains, e.g. com.au, i.e. in such domains it is possible to
share cookie data directly (hence to correlate activities) across web
domains (e.g. a.com.au with b.com.au through cookies set with the com.au
domain). In such domains any personal data submitted to one
web site is potentially directly transferable to another through such
cookies. Relying on the websites (that are interested in collecting and
sharing such data) not to abuse such a loophole will not work.
The problem does not affect most of the people in the US, and it was not
until 1 1/2 years ago that the problem was discovered in NZ. The alternate
solution is to drop the second generic sub-domains, e.g. as in
.ca and .de.
David Chia
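The domain-attribute flaw the post describes, as an added example that is not part of the original message: the Python below models three browser policies for accepting a `domain=` attribute (RFC 2109's embedded-dot rule, the Netscape spec's period-count rule as I read it, and the modern public-suffix rule), using a constructed subset of the Public Suffix List, and checks whether a cookie set by a.com.au under domain=.com.au would reach b.com.au, and whether an ordinary site-wide cookie for example.de survives each policy. The host names and the suffix set are assumptions for illustration.

```python
from typing import Callable

# Constructed subset of the Public Suffix List (an assumption of this example):
# suffixes under which unrelated parties register their own names.
PUBLIC_SUFFIXES = {"com", "au", "com.au", "net.au", "nz", "co.nz", "uk", "co.uk", "de", "ca"}
# The seven generic TLDs that the Netscape spec exempted from its three-period rule.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}

def domain_matches(host: str, domain: str) -> bool:
    """True if `host` is the cookie domain itself or a host beneath it."""
    d, h = domain.lstrip(".").lower(), host.lower()
    return h == d or h.endswith("." + d)

def embedded_dot_rule(domain: str) -> bool:
    """RFC 2109 style: any domain attribute with an embedded dot is accepted."""
    return "." in domain.lstrip(".")

def netscape_dot_count_rule(domain: str) -> bool:
    """Netscape-spec style: two periods suffice under the seven generic TLDs,
    any other domain needs three (my reading of that spec, an approximation)."""
    d = "." + domain.lstrip(".")
    tld = d.rsplit(".", 1)[-1].lower()
    return d.count(".") >= (2 if tld in SPECIAL_TLDS else 3)

def public_suffix_rule(domain: str) -> bool:
    """Modern style: a domain attribute that is itself a public suffix is rejected."""
    d = domain.lstrip(".").lower()
    return "." in d and d not in PUBLIC_SUFFIXES

def accept_cookie(host: str, domain: str, policy: Callable[[str], bool]) -> bool:
    """Would a browser applying `policy` store a cookie from `host` for `domain`?"""
    return domain_matches(host, domain) and policy(domain)

def leaks_across_sites(setter: str, receiver: str, domain: str,
                       policy: Callable[[str], bool]) -> bool:
    """True if a cookie `setter` sets under `domain` would later be sent to `receiver`."""
    return accept_cookie(setter, domain, policy) and domain_matches(receiver, domain)

if __name__ == "__main__":
    # a.com.au sharing a cookie with b.com.au via domain=.com.au, and a legitimate
    # site-wide cookie for example.de, under each of the three policies.
    for name, policy in [("embedded-dot", embedded_dot_rule),
                         ("netscape-dot-count", netscape_dot_count_rule),
                         ("public-suffix", public_suffix_rule)]:
        print(f"{name:20} com.au leak: {leaks_across_sites('a.com.au', 'b.com.au', '.com.au', policy)!s:5} "
              f"example.de cookie kept: {accept_cookie('www.example.de', '.example.de', policy)}")
```

The output shows the post's point: the period-count rule blocks the com.au sharing but also discards a legitimate example.de cookie, which is the breakage a partial fix causes, while only a suffix-aware rule separates the two cases.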