RE: netscape

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Mark Joseph Crosbie: "Re: Neural networks in IDS"
• Previous message: Fence-Walker: "CIAC Notes 96-01"

>from the server's environment under $ENV{"HTTP_COOKIES"}.  The only =
>security problem I see is servers using this information to cache and =
>automatically parse a users password for their site.  However, this is =
>
        Uhmm, there's another side to the story. With a server popular
enough one could think of distributing hidden data over the net: first
save in their cookies an estimate of how frequently they connect, then
if a computer connects whose profile is acceptable, save the info in a
cookie there.

        Now suppose I work in an organization and want to hide some
sensitive data: I can see who connects to the server say, every day,
and then distribute the sensitive info in their cookies. Now I delete
it from my directory. I no longer have it, no one can say I have it,
in theory I no longer have access to it. But I do, I can always gather
it in just one day from the cookies of those computers.

        An interesting variant would be to save (encrypted/disguised) 
user:password pairs in another user's file: that way if any one user 
looks at his file s/he won't see anything suspicious or familiar. And then
when you need one, just wait for the frequent client to connect.

        Well, there could be lots of variants. You get the picture. The
problem is: how can one detect this kind of information leakages not
only in this case but on any forthcoming similar application. One can't 
even try to look for "cookies.txt" files since they could be in any 
unaccessible computer (a PC, a remote host in the antipods, etc).

        Oh well, thanks to Netscape for making us live in interesting 
times! :-)

                                jr

• Next message: Mark Joseph Crosbie: "Re: Neural networks in IDS"
• Previous message: Fence-Walker: "CIAC Notes 96-01"