Re: draft-ietf-http-state-mgmt-01.txt LAST CALL
Benjamin Franz (snowhare@netimages.com)
Fri, 14 Jun 1996 16:19:11 -0700 (PDT)
On Sat, 15 Jun 1996, Koen Holtman wrote:
> Marc Salomon:
> >
> [On sharing of cookies across domains, in an earlier message:]
>
> >Sharing would be possible only when there were multiple domains in
> >the Set-Cookie header. Sharing with permission is OK, but leaking is
> >bad.
>
> Whose permission: permission of the user or permission of service
> authors collaborating to do cross-server user tracking?
>
> Many end users are very concerned about the way current netscape
> cookies can violate their privacy expectations (there has even been a
> WSJ article about this: `Internet Users Say they would Rather Not Share
> the Cookies'). The state management draft tries to address these
> concerns by, among other things, limiting the possible sharing of
> cookies to one domain.
>
> While this limitation rules out some applications, as your example
> shows, it is necessary in order to address the privacy concerns.
>
I hate to rain on your parade - but you can't stop sharing of cookie info
across cooperating domains. At all. No matter _how many_ restrictions you
put on who clients give cookies to. If the *ONLY* possible way I could
inform another site of the contents of a cookie and who it belonged to in
my domain was to use HTTP state related headers - maybe. Or maybe not. I
think you radically underestimate the ingenuity of site authors.
But I am not (as a site author) limited to the HTTP state headers. If
nothing else I could open a private connection to another site to give
them the cookie information, and then boot a person using a Location
header with attached GET method data to identify them as the person I just
gave cookie data on so they can be matched to the cookie. I could even put
the cookie information in the URL I boot them over with. Heck, if I
chained redirects I could probably do it all but invisibly in many
browsers.
I could even not use official cookies at all - instead just shoving all my
state tracking into the URLs: the way *most* sites needing session
tracking do right now. Or I could use the IP address and other browser
identifying specifics to make a really good guess as to who is who and
pass all the matching information through a private 'out of band' channel
in advance. Utterly invisible and it can approach 100% accuracy - even
with proxy servers trying to mess things up.
Basically - you can achieve nothing except making me work *slightly*
harder to share information with a cooperating domain. If your cookie
headers won't do what I want - there are other headers I can mis-use quite
well. The best you can hope to achieve is restricting the leaking of
cookie information between *non*-cooperating domains. Don't fool yourself
into thinking you can achieve any stronger protection than that:
You can't.
--
Benjamin Franz
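The redirect-with-GET-data sharing described in the message above leaves a trace in ordinary access logs: a 3xx response whose Location points at another domain and carries query parameters. This Python script is an added example, not part of the original thread; it reads constructed one-line log records (request URL, status, Location or "-"; the format is an assumption made for illustration) and reports cross-domain redirect hops that forward query data, plus the parameter names that survive more than one hop, which is the chained case the author mentions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (request URL, status, Location or "-");
# the one-line format is assumed for illustration, not a real log format.
SAMPLE_LOG = """\
http://shop.example.com/checkout 200 -
http://shop.example.com/go 302 http://ads.example.net/land?uid=4711&ref=shop
http://ads.example.net/land 302 http://tracker.example.org/t?uid=4711
http://shop.example.com/about 302 http://shop.example.com/about/
http://tracker.example.org/t 200 -
"""

def registrable_domain(host):
    # Crude approximation (last two labels); production code would
    # consult the public suffix list instead.
    return ".".join(host.lower().split(".")[-2:])

def parse_log(text):
    records = []
    for line in text.splitlines():
        url, status, location = line.split()
        records.append((url, int(status), None if location == "-" else location))
    return records

def cross_domain_hops(records):
    """(src_host, dst_host, param_names) for 3xx hops leaving the domain with query data."""
    hops = []
    for url, status, location in records:
        if location is None or not 300 <= status < 400:
            continue
        src, dst = urlsplit(url), urlsplit(location)
        if registrable_domain(src.hostname) == registrable_domain(dst.hostname):
            continue  # same-site redirect, not a sharing channel
        names = sorted(parse_qs(dst.query))
        if names:
            hops.append((src.hostname, dst.hostname, names))
    return hops

def chained_parameters(hops):
    """Parameter names handed along two consecutive cross-domain hops."""
    by_source = {}
    for src, dst, names in hops:
        by_source.setdefault(src, []).append((dst, set(names)))
    carried = set()
    for src, dst, names in hops:
        for _next_dst, next_names in by_source.get(dst, []):
            carried |= set(names) & next_names
    return sorted(carried)
```

Running `chained_parameters(cross_domain_hops(parse_log(SAMPLE_LOG)))` on the sample returns `['uid']`, the identifier that travels shop -> ads -> tracker.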