Article: Cookie Specification Vulnerabilities
Subject: Misleading examples?
Date: 2004-04-02 03:25:48
From: fagzal

I think your first two examples might be misleading. Sensible websites do not store sensitive information in cookies: an HTTPS website storing private data in cookies is a total disaster anyway. If it did that, it might as well send your credit card information back to you via e-mail. I think this is rather a programming mistake than a cookie vulnerability: even SSH is not secure if you use a one-letter password (note: as one of our clients did some time ago :-)). A decent programmer must know how cookies work, and use them accordingly - e.g. use them for setting up sessions. Probably this is what the moral of your article should have been :-) Also, as Raju has written, your comment on gTLDs is a little confusing: the domain can be any domain, including ccTLDs. (What is a "regional zone"?)
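The distinction the comment draws, shown as an added example that is not part of the original post or the article it replies to: the first function puts the private value itself in the cookie, the second keeps the data server-side and hands the browser only an opaque, random session identifier with Secure and HttpOnly set. The in-memory session store and the sample card number are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session store: session id -> private data.
# A real deployment would back this with a database or cache with expiry.
SESSIONS = {}


def cookie_with_private_data(card_number):
    """The pattern the comment warns against: the private value travels
    in the cookie itself, so every browser, proxy log and XSS can read it."""
    c = SimpleCookie()
    c["card"] = card_number
    return c.output(header="Set-Cookie:")


def start_session(private_data):
    """Keep private data on the server; the cookie carries only a random
    identifier that is meaningless outside the server's session table."""
    sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    SESSIONS[sid] = private_data
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True            # only sent over HTTPS
    c["sid"]["httponly"] = True          # not readable from page scripts
    c["sid"]["path"] = "/"
    return sid, c.output(header="Set-Cookie:")


def lookup_session(cookie_header):
    """Resolve an incoming Cookie header to the server-side data.
    Returns None for a missing or unknown session id."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    return SESSIONS.get(c["sid"].value)
```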