[thelist] [Security] Any security risks with Low privacy setting in IE?

Simon Willison cs1spw at bath.ac.uk
Wed Aug 6 10:01:32 CDT 2003


Hi Chris,

Wednesday, August 6, 2003, 3:45:40 PM, you wrote:
> So, general question - do cookies pose any kind of security, or otherwise,
> threat. And if not, why not just allow all cookies onto your machine?
>
> <snip>
>
> Are cookies truly benevolent pieces of text placed on a user's computer or
> can they be used for harm?

Cookies cannot cause any physical harm to your computer - they cannot
be used to execute arbitrary code, they can't be used to access their
files and they can't be used to steal or modify information on your PC
in any way.

The only valid concern about cookies is the threat they can have on
your privacy. Cookies can be used to track the web sites that you
visit (or at least, the web sites you visit that are "in bed" with
our mythical evil cookie abuser). Imagine a third party cookie that is
served up and read with all banner ads served up by a specific server.
Now let's say those banner ads are being displayed on a large number
of sites. If you allow third party cookies, the ad banner server can
construct a complete profile of the sites you are visiting and when
you visited them.

Then, let's say you enter some personal details on one of those sites.
If they are evil, they might share your personal details with the evil
ad banner cookie site. Then they know some more about you.

Taken to an extreme, our mythical cookie bogie monsters could find out
your address from some ecommerce transaction you make through one of
their evil minion sites, and tip off the feds that you've been looking
at bomb making recipe sites that happened to be serving up that
particular evil banner ad.

Pretty far fetched. The bigger concern is that companies will
accumulate bits and pieces of data about you without your knowledge
and use them to target ads (and possibly spam) at you.

On the positive side, cookies enable you to log in to web
applications and save site preferences. I leave my cookie settings
well alone.

Cheers,

Simon
-- 
http://simon.incutio.com/
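
The third-party banner cookie scenario described in the message above, as an added example that is not part of the original post. It models only the cookie itself: a browser that accepts third-party cookies is compared with one that blocks them, and the result is what the banner server can link together. The host names, visit times and class names are constructed for illustration.

```python
from collections import defaultdict
from itertools import count

AD_HOST = "ads.example"  # hypothetical banner server embedded by every site below

# Constructed browsing session: (time, site that embeds the banner)
VISITS = [("09:00", "news.example"), ("09:20", "shop.example"), ("21:05", "forum.example")]

class AdServer:
    """Banner server: sees its own cookie plus the Referer of the embedding page."""
    def __init__(self):
        self._ids = count(1)
        self.profiles = defaultdict(list)  # cookie id -> [(time, referring site)]

    def serve_banner(self, cookie, referer, when):
        # No cookie presented: this looks like a brand-new visitor, so mint a new id.
        uid = cookie or f"uid{next(self._ids)}"
        self.profiles[uid].append((when, referer))
        return uid  # value the server offers back via Set-Cookie

class Browser:
    def __init__(self, allow_third_party):
        self.allow_third_party = allow_third_party
        self.jar = {}  # host -> cookie value

    def visit(self, site, ad_server, when):
        # The banner request is third-party: the page is `site`, the request goes to AD_HOST.
        sent = self.jar.get(AD_HOST) if self.allow_third_party else None
        offered = ad_server.serve_banner(sent, referer=site, when=when)
        if self.allow_third_party:
            self.jar[AD_HOST] = offered  # stored, so it is replayed from the next site

def simulate(allow_third_party):
    """Run the constructed session and return what the banner server recorded."""
    server, browser = AdServer(), Browser(allow_third_party)
    for when, site in VISITS:
        browser.visit(site, server, when)
    return dict(server.profiles)

def linked_sites(profiles):
    """Largest set of sites the server can tie to a single cookie id."""
    return max((sorted({site for _, site in hits}) for hits in profiles.values()), key=len)

if __name__ == "__main__":
    for allow in (True, False):
        profiles = simulate(allow)
        print("third-party cookies", "allowed:" if allow else "blocked:", profiles)
        print("  sites linkable to one id:", linked_sites(profiles))
```
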


