*** NSCLean, IECLean provide privacy for surfers Heightened awareness of cookies, user IDs, history files and the like has left some web users a little spooked about their favorite browser's ability to track their movements over the Internet. Surfers can erase Netscape's electronic trail with NSClean, available from AXXIS Corporation. For the full text story, see http://www.merc.com/stories/cgi/story.cgi?id=788417-312 AXXIS Corporation also released IEClean software which enables Microsoft Internet Explorer users to surf privately. For the full text story, see http://www.merc.com/stories/cgi/story.cgi?id=788418-28e -- Vipul Ved Prakash | - Electronic Security & Crypto vipul@pobox.com | - Internet & Intranets 91 11 2233328 | - Web Development & PERL 198 Madhuban IP Extension | - Linux & Open Systems Delhi, INDIA 110 092 | - (Networked) Multimedia
Vipul Ved Prakash wrote:
*** NSCLean, IECLean provide privacy for surfers
Heightened awareness of cookies ...
I see complaints about cookies all the time, and I just have to wonder why the fuss seems so relatively, well, unsophisticated, for lack of a better word. The cookie idea, in and of itself, is really a pretty good one and can provide some useful features. Things like auto-configuring web sites ("my Yahoo", though I don't know for sure how that works) can exploit the cookie capability to provide convenience. I just can't get worked up over it. The cookie issuer still doesn't really know who the visitor is, of course, unless the visitor explicitly hands over that information. "Naughty" uses of cookies for tracking sites visited might be objectionable, I suppose. It's easy enough to do selective editing of the cookie file of course (maybe this NSClean product can do that). One of the scary things might be that though cookies can be made hard to forge, it's clearly impossible for cookie issuers to ensure the cookies aren't stolen or deliberately distributed. If a site uses a "secure" cookie as a means of identifying the web visitor, there's certainly some risk if it then allows access to sensitive information. -- ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ Mike McNally -- Egregiously Pointy -- Tivoli Systems, "IBM" -- Austin mailto:m5@tivoli.com mailto:m101@io.com http://www.io.com/~m101 ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
Mike McNally writes:
I see complaints about cookies all the time, and I just have to wonder why the fuss seems so relatively, well, unsophisticated, for lack of a better word.
Probably because cookies aren't explained well to the 'lay public'.
The cookie idea, in and of itself, is really a pretty good one and can provide some useful features.
Yep, it's a good alternative to stuffing a cookie in the URL and running everything through a CGI script. The objection I have with cookies are that they can be used to pass information between servers. And they're being used to track where browsers go (see http://www.doubleclick.com for an example, theyre not the only people doing this).
"Naughty" uses of cookies for tracking sites visited might be objectionable, I suppose. It's easy enough to do selective editing of the cookie file of course (maybe this NSClean product can do that).
Editing the cookie file doesn't have any effect while the browser is running. You could visit one Doubleclick-infested site and get one of their cookies then go to another infested site in the same session. A better method is to be able to selectively accept/send cookies from certain sites while blocking them from others. As it happens I've written a program that does that. See http://www.lne.com/ericm/cookie_jar. It's still got some bugs but it generally works ok. Note that you need access to a unix shell and perl to run it. It would be even better if browser writers added similar features to their browsers. My program is a kludge.
One of the scary things might be that though cookies can be made hard to forge, it's clearly impossible for cookie issuers to ensure the cookies aren't stolen or deliberately distributed. If a site uses a "secure" cookie as a means of identifying the web visitor, there's certainly some risk if it then allows access to sensitive information.
Servers in that position would encrypt the data sent in cookie, no? -- Eric Murray ericm@lne.com ericm@motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF
participants (3)
-
Eric Murray -
Mike McNally -
Vipul Ved Prakash