http://qs321.pair.com?node_id=30809


in reply to Security: Cookies vs HTTP authentication

How about sites that don't use HTTPS and still have some sensitive information that they secure by means of cookies.

Take for example www.egroups.com. You store sensitive information about yourself and the poeple in your group. Not to mention pictures, resumes, etc. Yet I don't remember having to go thru a HTTPS secured page to login or authenticate.

That kind of security is enough for me. What do you think.

  • Comment on Re: Security: Cookies vs HTTP authentication

Replies are listed 'Best First'.
RE: Answer: Security: Cookies vs HTTP authentication
by Russ (Deacon) on Sep 02, 2000 at 01:55 UTC
    For me, it is instinctive, reflexive and otherwise just subconscious to glance at the little padlock in the lower left of the Netscrape window before I even type something I consider sensitive into a browser window.

    I say this because you do not have to log in to be using https. Don't confuse SSL with security. SSL simply means "reduced risk of eavesdropping." Nor does logging in imply https. You could have logged in, then been dropped back out to a "normal" protocol.

    Further, it may be nearly impossible to know what egroups or anyone else is doing "behind-the-scenes." You may have logged in through an https page, and they are now ignoring that authentication information when they determine what data you may and may not view. If they use only cookies or CGI parameters to determine what you may access, their entire site, and all data in it, is probably up-for-grabs to anyone who wants to get it.

    So, IM(ns)HO, using the words "cookies" and "security" in the same context is fundamentally bogus. As to whether that level of security is enough...to each his own. As long as you do not put truly sensitive data on the site, who cares? If you store, on a site secured by cookies or CGI params only, anything you do not consider public knowledge, you are gambling against long odds. Pure and simple.

    Good luck. :-)

    Russ
    Brainbench 'Most Valuable Professional' for Perl

[reply]
RE: Answer: Security: Cookies vs HTTP authentication
by vaevictus (Pilgrim) on Sep 02, 2000 at 01:24 UTC
    IMHO, Securing "by cookies" is not securing at all... if you have not done some sort of user/password or crypto key exchange, then I'd be really worried about doing anything with www.egroups.com.
    It sounds like to me, that it would be pretty easy to obtain the data on egroups by inappropriate means. (Logging in as someone else.) I mean... the server can store data on your computer in those cookies... but all that says is "someone once connected here". Unencrypted cookies can be sniffed. Then they can be used *EASILY* by anyone with a 3rd grade hacking level.

    Thanks for the heads up on egroups though... i'll prolly avoid them now. :)

[reply]

In Section Seekers of Perl Wisdom