[Javascript] Can I Give Myself a Cookie ?

David T. Lovering dlovering at gazos.com
Mon Apr 21 09:52:32 CDT 2003


Well, for starters --

  Most cookie generators (particularly those for e-commerce) use "standard" encryption tools provided by M$oft, et al.  This is all very well and good, except for two things: (i) an index of the cookie identifiers used by major vendors, banks, etc. can be had by developers (or those that can convince the proper authorities that they ARE developers), and (ii) the encryption algorithm is fairly easy to break.  This means that for all practical purposes anybody that knows that cookie ident #0xfe0506****** is a mastercard cookie (for example), and has a cracking tool for the usual encryption cipher can (a) search your machine's cookie cache, (b) find the cookie, and (c) take it apart to find your credit card number, expiration date, and PIN.  Say hello Tahiti!  This is one of the most pervasive forms of credit-card fraud, aside from simply picking up credit-card receipts that have been discarded and which don't have the bi-partite carbons.

  Now before anybody flames me, I know it is somewhat more complicated than that -- but not by much.  [I once saw a demo at a CSI-sponsored trade show where they demonstrated a package that could decrypt most cookies in under a minute.]  What's far worse is when your personal information (home address, home phone number, etc.) is stored in cookies on your machine.  A web site that you visit could just as well scan ALL your cookies for lightly encoded objects, and pull those it can break apart into useful tidbits of knowledge about you.  You may have an unlisted phone number, checks without your home number on them, and never give it out over the phone -- but if you use it in e-commerce, you might as well write it off, even if you religiously check the box saying 'Do not disseminate my phone number to others' on all the transactional forms you fill out.  If somebody thinks this is impossible, I'll be glad to forward the URL for sites that have the methods online for public access to do this very sort of thing.

  The only responsible deployment for cookies (as far as I'm concerned) is the one-time use for a current window session to facilitate forms history.  I used to think that keeping a user's preferences on e-commerce and e-catalog sites was OK, until I read an article encouraging businesses to use this information for profiling and credit evaluation.  It is my opinion that if a company is going to rape your info-self, the least they can do is pay for the disk to store the pilfered data on their own machines.

  -- Dave Lovering

Chris Tifer wrote:
> 
> > Cookies are useful, but the proliferation of them for trivial things is
> > posing dangers that I'm sure their creators never imagined.
> 
> What sort of dangers are you talking about?
> 
> Chris Tifer
> http://emailajoke.com
> 
> _______________________________________________
> Javascript mailing list
> Javascript at LaTech.edu
> https://lists.LaTech.edu/mailman/listinfo/javascript
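The message above describes two things in prose: a script that scans a cookie jar for "lightly encoded objects" and pulls readable data out of them, and the alternative the author endorses, a cookie that lives only for the current session and holds nothing worth pulling apart. The following is an added example, not code from the original post or from anyone in this thread, that implements both against a constructed cookie string so it runs in Node. It assumes Node's Buffer for hex and base64 decoding; the names (parseCookies, tryDecode, scanCookies, sessionCookieHeader), the threshold of 90% printable bytes, and every sample value (the 4111... test card number, the phone number, the session id) are assumptions made for the example. One caveat a practitioner should keep in mind: in a browser, document.cookie exposes only the cookies of the page's own origin, and never cookies marked HttpOnly, so a scanner like this sees only what that origin itself stored.

```javascript
// Added example (not from the original post): scan a document.cookie-style
// string for values that are merely "lightly encoded" (hex or base64 that
// decodes to readable text) and contrast them with an opaque session id.
// All sample values below are constructed for the example.

const PII = 'name=Dave Lovering;phone=555-0100';   // constructed personal data
const CARD = '4111111111111111|12/09|123';          // constructed test card record

// Constructed cookie jar: one opaque session id, one base64 "prefs" blob,
// one hex-encoded card record. Real jars would be read from document.cookie.
const SAMPLE_COOKIES = [
  'sessionid=9e1b6a0c4d2f7e8835a1c0b7d9f2e463',
  'prefs=' + Buffer.from(PII).toString('base64'),
  'cc=' + Buffer.from(CARD).toString('hex'),
].join('; ');

// Split "a=b; c=d" on the first '=' of each pair; values may contain '='
// (base64 padding), so indexOf rather than split('=') is used.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const s = part.trim();
    if (!s) continue;
    const i = s.indexOf('=');
    if (i < 0) continue;
    jar[s.slice(0, i).trim()] = s.slice(i + 1).trim();
  }
  return jar;
}

// Fraction of bytes that are printable ASCII (or tab/CR/LF).
function printableRatio(buf) {
  if (buf.length === 0) return 0;
  let ok = 0;
  for (const b of buf) {
    if ((b >= 0x20 && b <= 0x7e) || b === 0x09 || b === 0x0a || b === 0x0d) ok++;
  }
  return ok / buf.length;
}

// Try hex, then base64. Return {encoding, text} when the decoded bytes read
// as text, or null when the value stays opaque (random id, real ciphertext).
// A random hex session id decodes to mostly non-printable bytes and is skipped.
function tryDecode(value) {
  let v = value;
  try { v = decodeURIComponent(value); } catch (_) { /* keep the raw value */ }
  const candidates = [];
  if (/^[0-9a-f]+$/i.test(v) && v.length % 2 === 0) {
    candidates.push(['hex', Buffer.from(v, 'hex')]);
  }
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(v) && v.length % 4 === 0) {
    candidates.push(['base64', Buffer.from(v, 'base64')]);
  }
  for (const [encoding, buf] of candidates) {
    if (buf.length >= 8 && printableRatio(buf) >= 0.9) {
      return { encoding, text: buf.toString('latin1') };
    }
  }
  return null;
}

// Walk the jar and report every cookie whose value decodes to readable text.
function scanCookies(cookieString) {
  const jar = parseCookies(cookieString);
  const findings = [];
  for (const [name, value] of Object.entries(jar)) {
    const hit = tryDecode(value);
    if (hit) findings.push({ name, ...hit });
  }
  return findings;
}

// The alternative the post argues for: a session-scoped cookie carrying only
// an opaque reference to state kept on the server. No Expires/Max-Age, so it
// dies with the browser session; HttpOnly keeps it out of document.cookie;
// Secure keeps it off cleartext connections. Nothing here decodes to anything.
function sessionCookieHeader(sessionId) {
  if (!/^[0-9a-f]{32,}$/i.test(sessionId)) {
    throw new Error('session id must be long random hex, not encoded user data');
  }
  return `sessionid=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

console.log(scanCookies(SAMPLE_COOKIES));
```

Run with `node scan.js`: the "prefs" and "cc" cookies are reported with their decoded contents, while the session id is not, because neither its hex nor its base64 interpretation looks like text. The same heuristic flags nothing in a jar built from sessionCookieHeader-style values, which is the practical difference between the two designs the post contrasts.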

