OT: Cookies -- I told you so

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

Cookies CAN be read, and you won't even know you're getting them!


Some of the techies have said "NO PROBLEMO" re cookies, Java, and Java script, and whatever Microsucks calls their javascript equivalent.

I have said the equivalent of "I did not have sex with that woman" [Bill Clinton].

-- A (A@AisA.com), December 05, 1999


Clarification: Saying "no problemo" in this case is like Klinton saying "I did not..."

-- A (A@AisA.com), December 05, 1999.

Of course they can be read - otherwise there would be no point in writing them! But that is *all* that can be read - not your directory contents, not any password lists, not your inside leg measurement.

The recent fuss is over the fact that companies are matching up the IDs stored in cookies during previous vists to web sites with name, address & interests information supplied on web sites visited later on.

So, for example, if my "LinkExchange" (or whatever) ID is 177784322, any other LinkExchange member can read it from a cookie on my PC and try to ask a me a few questions. Say, for example, it finds out that I am worried about Y2K because I check a box on a form. This information, that "Y2KGardener is concerned about Y2K" can then be updated into a central database using access key 177784322.

For this information to be of any use, they have to have gleaned your contact details (e-mail, address, tel no, etc.) also at some point so that they can spam you or fill your mailbox with junk.

I have not tried it, partly because I am not yet seriously worried, but I would assume that some program which deletes cookies when you close your browser would confuse them: your ID would be lost forever and they'd have to start all over again.

Anyone know more?

-- Y2KGardener (govegan@aloha.net), December 05, 1999.


I agree with Y2KGardener when he says "Of Course they can be read".

If only want the site that sent you the cookie to be able to read it all you have to do in Netscape is go into Edit-Preferences-Advanced and click 'Only accept cookies that get sent back to the originating server'. This way you can register with a site without anyone else being able to read the cookies.

Also, it looks like in order for the bug to work in the site you referenced you would BOTH have to have visited a site AND been dumb enough to launch an attachment (even an HTML one) that was sent from someone you didn't know.

Let me ask you something since your all freaked out about this; just what do YOU think can be accomplished with cookies that would violate your privacy??


-- TECH32 (TECH32@NOMAIL.COM), December 05, 1999.

I've set MSIE 4.0 to let me choose whether or not to accept any cookie presented. Unless I'm entering a passworded site, or filling a shopping cart, or signing up with a fee-based sevice, I reject all cookies. Some sites are very persistent! But they all give up in the end.

-- Tom Carey (tomcarey@mindspring.com), December 05, 1999.

Try the Electronic Privacy Information Center at http://www.epic.org/privacy/tools.html

They have a lot of useful information, and free software downloads.

Good luck,

-- Midas (midas_mulligan_2000@yahoo.com), December 05, 1999.

All -- I use Netscape and am familiar with setting Edit | Preferences | Advanced ....

I also keep "cookies.txt" available for my easy editing by NotePad from Start | Documents (from the Task Bar).

Some sites INSIST that you accept cookies and/or have Javascript on. As soon as I exit those sites, I have to go back to Edit Preferences and re-edit them back, and I also EDIT Cookie.txt by deleting all but the header lines.

I do all this, and I still don't trust that MY MACHINE is secure from attack. I also have McAfee VirusScan/VShield installed and active, and I still don't trust that MY MACHINE is secure from attack. Just call me paranoid. But "whodathunkit" BEFORE THE FACT of Word Macro viruses, and Microsucks Internet Explorer/Outlook viruses, etc? There are people with obviously more time on their hands than we on this forum :-) who regard the challenge of virus creation as even more fun than sex.

-- A (A@AisA.com), December 05, 1999.

I'm familiar with how CGI and cookies work. The whole cookie scare is hysteria, generally.

Basically, the reason cookies exist is because Hypertext Transfer Protocol is a stateless protocol. When you visit a web site, your browser connects to port 80 (or 443 for enciphered http) and sends a GET or a POST request to the remote server. This connection with a web server lasts only as long as is necessary for the remote server to receive a request and send a reply.

The remote server can determine who you are if your machine uses separate user names, like unix or NT, and has that service enabled. It can tell what IP # you are coming from, but that reveals little if you are behind a firewall. Basically, there is no way for the remote server to know who you are.

Imaging going to a general store where the store clerk has a very poor memory. You go to the store clerk and say, "Give me 20 lbs of rice." The store clerk hands over the rice, takes your money, and you leave.

Suppose you come back 5 minutes later and say, "I want 20 lbs of what you gave me 5 minutes ago." Your clerk has a really short memory. He has no idea what he gave you five minutes ago.

A cookie solves this problem by sending a Set-cookie request to the remote client. The set cookie request looks something like this:

Set-Cookie: webcustomer=JoeSixpack00392; domain=.storeclerk.com; path=/; expires=31-Dec-1999 23:59:59 GMT; secure

When Joe Sixpack visits cgi.storeclerk.com, his browser sends the cookie along with the request, and the remote server uses the cookie to reference Joe Sixpack's customer record. Thus, the web site responds to Joe Sixpack's visit by informing him of a special on rice and maybe even offers up a few rice recipes.

Some websites might use this information for purposes that one might find less than desirable, but it's hardly a conspiracy to track everything you do on the web.


-- Tim the Y2K nut (tmiley@yakko.cs.wmich.edu), December 06, 1999.


But "whodathunkit" BEFORE THE FACT of Word Macro viruses, and Microsucks Internet Explorer/Outlook viruses, etc?

I wouldathunkit. In fact, I did. I remember back in the 80's when Bill Gates had a real hard-on for the Basic programming language. At the time the dBase/xBase language was dominating the field and he hated it. Consequently he started adding Basic Scripting to all Microsoft Products (Word,Multiplan,etc). When I saw that happening I said to myself "Gee, how dumb can you be? You've just made simple documents carriers of malicous code". Didn't take long for others (some with ill-will) to pick up on it as well.

Btw, you still didn't answer my question; what are you afraid of from cookies??


-- TECH32 (TECH32@NOMAIL.COM), December 06, 1999.

Hey! To see what can be gleaned (usurped) from you while surfing the web, visit Shields Up! web site.

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.

You can get your and your ports probed!
Recommended is various firewall/ security software suppliers (e.g. www.atguard.com ), or get some free software there called "noshare.exe" (very small patch, not as thorough as extra sftwr, but helpful).

Worth the effort. :^)

-- Suspicious of (Uncles@sam.usa), December 06, 1999.


Well, I just tried it and it said the only thing I had open was NETBIOS but that it rejected outside connections (this is true since I run a LAN in the house and it's protected by my ISDN router which also functions as a firewall). The weird thing is it said my 'name' was HP CUSTOMER and that I was part of PAVILLION. Unless this came from my HP printer drivers I would say they were quite off there (I do have File and Printer sharing DISABLED).

Interesting stuff though...


-- TECH32 (TECH32@NOMAIL.COM), December 06, 1999.

Moderation questions? read the FAQ