[plug] Cookies

Christian christian at amnet.net.au
Wed Nov 29 09:53:00 WST 2000


On Wed, Nov 29, 2000 at 07:57:59AM +0800, Bret Busby wrote:
 
> Privacy alone, was the issue. That was until Christian indicated that
> security could be an issue. If the use of cookies decreases security,
> then, it appears to me, to defeat the purpose of the security on the
> password-protected Internet site. Thus, cookies appear to be an
> Achilles heel, in the security.

Bret, you are badly misinterpreting what I am saying -- it appears to be
so that you can confirm your own already established opinions.
Cookies DON'T decrease security rather the way in which they are used
MAY introduce a security problem.  It is not simply a matter of "Cookies
bad, No Cookies good."  If implemented correctly then cookies are
probably the best way of establishing a secure session across a
stateless protocol.  All I said was that they could be implemented
incorrectly and allow the session to be compromised.

> As I have stated, Amway had had the secure website functioning, without
> cookies, previous to the current version. Also, the ANZ (which, however,
> now, says that its accounts that have Internet banking access are
> completely insecure, and that it assumes no responsibility for the
> security from the bank end) has had a (previously) secure website, with
> 128-bit encryption, and, no cookies.

There is probably a reason why they changed and I'm sure it had nothing
to do with introducing cookies in order to alienate you (or any other
user for that matter!).  Most likely they added new functionality and
the only way to support that functionality was with cookies.  Also, from
what I remember of the previous email, the Amway person seemed to be
indicating that they had been doing things a different way but moved to
cookies because they believed it to be MORE secure.  Finally, from what
you said previously the ANZ bank used JavaScript which likely would be
much less secure than the cookies approach so this does not support your
argument.

> Oh, and, BillK; trading with Amway can still be done without using the
> Internet site, but the ability to use the Internet site makes it faster,
> more convenient, and, easier to verify details of transactions (if it
> wasn't for the use of cookies).

Then you have a decision to make.  Either you take advantage of the
convenience of the web site and accept an implicit risk (both to privacy
and security) or you decide the risk too great (or unknown) and you are
willing to forego that convenience.  Either way I think the general
consensus has been that cookies in this situation are not the privacy
risk you would like and the security risk is also probably not worth all
the stress either.
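As an added illustration (not part of the original thread), this is the kind of session cookie Christian is describing: the cookie carries only an unguessable opaque token, the identity lives server-side, and the small "weak" variant beside it shows what "implemented incorrectly" looks like. The session store, TTL, and function names are my own assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Hypothetical server-side session store: opaque token -> (user, expiry).
# The browser only ever sees the token, never the user name.
_SESSIONS = {}
SESSION_TTL = 15 * 60  # seconds of idle life for a session (assumed value)


def issue_session(user: str, now: Optional[float] = None) -> SimpleCookie:
    """Create a session and return the cookie to send in Set-Cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)       # 256 random bits from the OS CSPRNG
    _SESSIONS[token] = (user, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True      # never sent over plain HTTP
    cookie["session"]["httponly"] = True    # not readable by page scripts
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie


def lookup_session(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Map a request's Cookie header to a user, or None if unknown/expired."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    if morsel is None or morsel.value not in _SESSIONS:
        return None                          # forged or stale token: no session
    user, expiry = _SESSIONS[morsel.value]
    if now > expiry:
        del _SESSIONS[morsel.value]          # expire on the server, not just the client
        return None
    return user


def weak_lookup(cookie_header: str) -> Optional[str]:
    """The 'implemented incorrectly' case: the cookie itself names the user
    and the server trusts it, so whoever edits the cookie picks the identity."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar["user"].value if "user" in jar else None


if __name__ == "__main__":
    print(issue_session("alice").output())  # Set-Cookie: session=...; HttpOnly; Path=/; SameSite=Strict; Secure
```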
