[thelist] [Security] Any security risks with Low privacy settingin IE?

Chris Marsh chris at ecleanuk.com
Wed Aug 6 08:59:44 CDT 2003


> Perhaps I need to clarify what I am looking for. I believe 
> that using a Privacy setting of Low in IE and allowing third 

These are two different things. Cookies do not represent a security
threat, and using a setting above "Low" will still allow cookies onto
your HDD unless you specifically either disallow them or specify that
you wish to be alerted when there is an attempt to store a cookie.
Disabling cookies will stop many web applications from working,
including those that utilise the Session object in ASP.

> pary cookies onto your computer is a security risk. Every 
> tech person I talk to agrees with me. However, I need to 
> convince a company that I am dealing with that it imposes a 
> security risk to their users.
> Therefore, what I am looking for are articles that will back 
> up this claim. Specifically, I am looking for articles that 
> outline in detail
> *exactly* why this imposes a security risk, what that risk 
> is, and the potential dangers that third party cookies represent.

Cookies *don't* pose much of a security threat.

> I understand what the setting mean, but that is not enough 

With the greatest of respect I don't think you do exactly. The company
you are dealing with needs the consequences of urging their users to set
their internet security settings to "Low" explained to them so that they
understand why it is a bad idea. Whether or not this is in print is

Synopsis: Company tells user to reduce security settings. User's PC
configuration is altered, third party software appears (at best) etc
etc. User gets annoyed. User's IT-literate friend tells user that all
his problems stem from the reduced security settings. User gets very
angry with company. Multiply by x% of company's user base.

Besides which, anyone who has anything to do with commissioning new
technology within a company who doesn't instinctively know that Low
Sekurity is a Bad Thing deserves to be shot anyway.

> proof and/or evidence. I need expert opinion from trusted 
> sources outlining the risks and detailing why a company 
> should not be asking its users to lower their Privacy settings.

I would think long and hard about becoming involved with a company that
asks you to provide research as to why it is bad to put your user base
at risk.


Chris Marsh

More information about the thelist mailing list