[thelist] [Security] Any security risks with Low privacysettingin IE?

Chris Johnston chris at fuzzylizard.com
Wed Aug 6 09:45:40 CDT 2003

> These are two different things. Cookies do not represent a security
> threat, and using a setting above "Low" will still allow cookies onto
> your HDD unless you specifically either disallow them or specify that
> you wish to be alerted when there is an attempt to store a cookie.
> Disabling cookies will stop many web applications from working,
> including those that utilise the Session object in ASP.

So a distinction can be made here, lowering Privacy Settings to "Low" does
not pose much of a security threat to a user. Lower the Security Settings
to  "Low" does.

> Cookies *don't* pose much of a security threat.

This includes both first and third party cookies? So what you are saying
is that lowering the privacy settings to "low" in IE 6 poses absolutely no
risk to users in anyway - security or otherwise?

>> I understand what the setting mean, but that is not enough
> With the greatest of respect I don't think you do exactly. The company
> you are dealing with needs the consequences of urging their users to set
> their internet security settings to "Low" explained to them so that they
> understand why it is a bad idea. Whether or not this is in print is
> irrelevant.

Here you are talking about the Security settings and not Privacy settings.
Is this a distinction you are making or are you using the two terms

> Synopsis: Company tells user to reduce security settings. User's PC
> configuration is altered, third party software appears (at best) etc
> etc. User gets annoyed. User's IT-literate friend tells user that all
> his problems stem from the reduced security settings. User gets very
> angry with company. Multiply by x% of company's user base.
> Besides which, anyone who has anything to do with commissioning new
> technology within a company who doesn't instinctively know that Low
> Sekurity is a Bad Thing deserves to be shot anyway.

I totaly agree with you, and if it had been my decision, I would not be
working with this company. Apparently this company has been in business on
the web for 5 years and people somewhere are very happy with what they do.

>> proof and/or evidence. I need expert opinion from trusted
>> sources outlining the risks and detailing why a company
>> should not be asking its users to lower their Privacy settings.
> I would think long and hard about becoming involved with a company that
> asks you to provide research as to why it is bad to put your user base
> at risk.

Unfortunately, the contract was already signed long before I had anything
to do with it and this piece of information did not surface till a few
days ago. After more then a year of negotiations with this company.

So, general question - do cookies pose any kind of security, or otherwise,
threat. And if not, why not just allow all cookies onto your machine?

If you could only access a web application by lowering your privacy
policy, would you use that application? And if not, why?

Are cookies truely benevolent pieces of text placed on a users computer or
can they be used for harm?

And yes, I am trying to find answers to this on google, but I would like
peoples opinions on this as well.

Chris Johnston

chris at fuzzylizard.com

More information about the thelist mailing list