[thelist] [Security] Any security risks with Low privacysettingin IE?

Chris Marsh chris at ecleanuk.com
Wed Aug 6 10:40:33 CDT 2003


> > These are two different things. Cookies do not represent a security
> > threat, and using a setting above "Low" will still allow cookies onto
> > your HDD unless you specifically either disallow them or specify that
> > you wish to be alerted when there is an attempt to store a cookie.
> > Disabling cookies will stop many web applications from working,
> > including those that utilise the Session object in ASP.
> 
> So a distinction can be made here: lowering Privacy Settings
> to "Low" does not pose much of a security threat to a user.
> Lowering the Security Settings to "Low" does.

Er, sort of. For some reason I read "Privacy" as "Security"; I could
blame the sweat in my eyes due to the unpleasant heat, but I won't :)

> > Cookies *don't* pose much of a security threat.
> 
> This includes both first and third party cookies? So what you 
> are saying is that lowering the privacy settings to "low" in 
> IE 6 poses absolutely no risk to users in anyway - security 
> or otherwise?

The cookies themselves are secure. The problem arises when the site
itself is insecure; e.g., cross-site scripting exploits.

[..]

> > Besides which, anyone who has anything to do with commissioning new 
> > technology within a company who doesn't instinctively know that Low 
> > Sekurity is a Bad Thing deserves to be shot anyway.
> 
> I totally agree with you, and if it had been my decision, I 
> would not be working with this company. Apparently this 
> company has been in business on the web for 5 years and 
> people somewhere are very happy with what they do.

Unfortunately this is not necessarily a guarantee of competence (see
WorldCom).

[..]

> So, general question - do cookies pose any kind of security, 
> or otherwise, threat. And if not, why not just allow all 
> cookies onto your machine?

Cookies themselves do not as long as the site depositing them on your
hard drive is secured.

> If you could only access a web application by lowering your 
> privacy policy, would you use that application? And if not, why?

Not a chance. I would be asking myself why the organisation in question
was not able to produce an application that didn't oblige me to alter my
browser settings. It also makes me think of a car manufacturer saying
"Buy our car! We've left out every known safety feature in order to
improve performance!"

> Are cookies truly benevolent pieces of text placed on a 
> users computer or can they be used for harm?

They cannot be directly used for harm. However, ask yourself if you
would save usernames and passwords in plain text on your computer.
Anyone with physical access to your computer can view these details. If
you access a site that deposits sensitive information in cookies, then,
because they are plain text files, this goes for these too.

If you ask users to lower their privacy settings, you need to put in
more work to secure your site. More work = more money. It would probably
be cheaper and certainly be more inviting for users if your client
accepts a different method for achieving their goals.

[..]

Regards

Chris Marsh
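As an added example (not code from the thread or any of its participants), here is a small audit of Set-Cookie headers for the two risks raised above: sensitive data written to the user's disk in plain text, and cookies that injected script (XSS) can read. The function name and the sample headers are constructed for this illustration.

```python
"""Audit Set-Cookie header values for the risks discussed in the thread."""
from http.cookies import SimpleCookie

# Cookie names that suggest credentials or other sensitive data are being
# written to the user's machine in plain text (constructed heuristic list).
SENSITIVE_HINTS = ("pass", "pwd", "secret", "ssn", "card", "token")

# Constructed sample headers: one insecure, one following good practice.
SAMPLE_HEADERS = [
    "password=hunter2; Path=/",
    "sid=9f3a1c; Path=/; Secure; HttpOnly",
]


def audit_set_cookie(header: str) -> list[str]:
    """Return a list of findings for a single Set-Cookie header value.

    An empty list means the cookie carries an opaque-looking name and is
    marked both Secure and HttpOnly.
    """
    findings = []
    jar = SimpleCookie()
    jar.load(header)
    for name, morsel in jar.items():
        lname = name.lower()
        # Sensitive-looking data stored client-side is readable by anyone
        # with access to the machine; keep an opaque session id instead.
        if any(hint in lname for hint in SENSITIVE_HINTS):
            findings.append(f"{name}: sensitive-looking value stored in cookie")
        # Without HttpOnly, script injected via XSS can read the cookie.
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        # Without Secure, the cookie is also sent over plain HTTP.
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_set_cookie(header) or ["ok"])
```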
