1996-07-01 - Re: [Fwd: Doubleclick]

Header Data

From: “Yanni” <jon@aggroup.com>
To: Eric Murray <scott_wyant@loop.com
Message Hash: 1b9dc04882f8a8c50eaecdf7b54fd856993f16e7b7f7c968e3d380b7f98971d1
Message ID: <9606301649.AA32058@jon.clearink.com>
Reply To: N/A
UTC Datetime: 1996-07-01 07:45:20 UTC
Raw Date: Mon, 1 Jul 1996 15:45:20 +0800

Raw message

From: "Yanni" <jon@aggroup.com>
Date: Mon, 1 Jul 1996 15:45:20 +0800
To: Eric Murray <scott_wyant@loop.com
Subject: Re: [Fwd: Doubleclick]
Message-ID: <9606301649.AA32058@jon.clearink.com>
MIME-Version: 1.0
Content-Type: text/plain


> There's a very obvious way to get their cookie put in your cookies
> file without you explicitly going to their site.

This is my favorite example...

You work at a company.

Evil co-worker there says...check out this webpage I just setup.

You goto that page, the server gives you a cookie with
confidential information.
( 4k can store a lot of data..:) )...

Boss comes around and looks at your cookie file, notices
confidential information.

You get fired, sued, whatever....

> The server can send whatever it wants to you in the Set-Cookie:
> header.  Read the spec.

Yes, but you know the server that sent it. A Set-Cookie header can't
set the domain to be other than the domain that the cookie came from.
The message that was copied to the list implied that one domain could set
a cookie for another domain. That isn't true unless you have access the
the persons cookie file. ( as you implied in your response, but which
is beyond the scope of the original letter ).

Regards,

-jon

Jon (no h) S. Stevens        yanni@clearink.com
ClearInk WebMagus      http://www.clearink.com/
finger pgp@sparc.clearink.com for pgp pub key
We are hiring! Check out...
http://www.clearink.com/clearink/home/job.html





Thread