Hi Jean-Francois,

Thanks for your explanation!

On Mon, 3 Mar 2003, rj3 Jean-Francois RODRIGUEZ wrote:

> Well, about the cookies, for what I know :
>
> The cookies are pieces of text, written by the server on the client
> machine, if the browser accepts them. For instance, Netscape, on Linux,
> writes them here : ~/.netscape/cookies
> where they appear as lines of this text file.

Yes, agree.

> Then, normally, only the server who has written a cookie can read it (or
> modify it) when you connect again to the same server.

Normally, yes. But you can change the cookies that can cause problems to the server. That is why cookies are a security issue too.

> Now, what happens when you download an image that you call Web Bug (I
> didn't know this name, and I find it nice ;) :
> - your browser meets a href to this image,
> - then, it must ask for a connection to the third party server where the
>   image is on,
> - with this connection, this server can ask your browser if it accepts
>   a cookie to be written on your disk,
> - if your browser accepts, the cookie is written (first read and then
>   written, if it already exists) on your machine.

OK, this means if I set my browser to reject cookies then no new cookies can come to my hard disk, even if I encounter many web bugs.

> And the hint used to gather some information such as your browsing habits
> is that a server, as DoubleClick for instance, puts href to Web Bugs on
> different web sites (paying their owners, of course !). So, when you visit
> these sites, it is always the same web server (doubleclick.com) that reads
> and writes the same cookie (it reads and writes on the same line beginning
> with 'www.doubleclick.com' on netscape/linux) ; and the data written when
> you are visiting a web site can contain the IP of the page you are
> visiting...

Any time I encounter a web bug, that third party web site will get my IP address regardless of cookies. Correct?

> As a cookie can be identified by its server/owner, this server can link
> all the data brought by this cookie to one person. It doesn't matter
> if they don't have your name and address, what they want
> is consuming habits of persons, in order to make categories of web
> consumers...

So setting my browser to reject cookies is "a half way" defense against the web bugs. Agree?

> Well, quite a long explanation, but this is what I have understood about
> cookies and the "bad usage" of these tools !
> If anything is wrong, please correct me.

These "cookies/web bugs" all have security threats. But I also believe they have other potential applications.

Very much appreciate your discussion!

Thank you!

Philip

> Bye
> Jean-François
>
> > Hi Jean-Francois,
> >
> > Thanks for your explanation.
> >
> > On Fri, 28 Feb 2003, rj3 Jean-Francois RODRIGUEZ wrote:
> >
> >> > Hi All,
> >> >
> >> > Can somebody explain the following:
> >> >
> >> > 1) Can a Web Bug (i.e., display of an image file from a third
> >> > party web site) be a security problem?
> >>
> >> I don't know about it.
> >>
> >> > 2) Does it cause a cookie to be sent from the browser to that
> >> > third party web site?
> >>
> >> About that, yes, it is used by advertisers to get cookies when you
> >> visit a website where they have put (paying $$) such an image.
> >> When your browser downloads this image, it must make a connection to
> >> the advertiser's website where this image comes from, and so they can
> >> ask your browser to accept a cookie. By this way, this third party
> >> web site can
> >
> > By "accept a cookie" you mean "return (or send) a cookie"?
> >
> > I thought the browser already got the cookie (somewhere and somehow).
> >
> >> put and read cookies that your
> >> browser has accepted visiting different web sites, because they all
> >> come from the same advertiser's web site (and so they can gather
> >> different information about you : what kind of sites you are usual to
> >> visit, so what are your interests...).
> >
> > 1) So, by returning a cookie (because of connection via the web bug)
> > this third party will know that I had visited a particular site?
> >
> > 2) What if I had visited multiple sites? Can this one cookie tell
> > this third party web site what sites I had visited?
> >
> > Or do I (i.e., my browser) send more than one cookie?
> >
> > Anyway, very interesting!
> >
> >> I must have learned all that here : www.searchlores.org
> >
> > I'll visit this site.
> >
> > Thank you!
> >
> > Philip
> >
> >> Regards
> >>
> >> Jean-François
> >>
> >> ------------------------------------------------------------------------
> >> To unsubscribe email security-discuss-request@linuxsecurity.com
> >> with "unsubscribe" in the subject of the message.
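
The exchange discussed in this thread, as an added example that is not part of the original messages: an in-memory simulation (no network traffic) of a browser loading a web bug from a hypothetical third-party host `tracker.example` on three pages, once with cookies accepted and once with them rejected. All class names, hosts and the documentation address 192.0.2.10 are constructed for illustration; the visited page reaches the third party through the standard HTTP Referer header.

```python
# Added illustration: in-memory simulation of a web-bug request (no network I/O).
# Hosts, class names and the 192.0.2.10 address are constructed for the example.
import itertools

class Tracker:
    """Third-party server hosting the 1x1 image (the web bug)."""
    def __init__(self):
        self.log = []                       # (uid, client_ip, referer) per request
        self._ids = itertools.count(1)

    def serve_bug(self, client_ip, referer, cookie):
        # The client IP and the Referer (the embedding page) arrive with every
        # image request, whether or not the browser sends a cookie back.
        set_cookie = None
        if cookie is None:                  # unknown browser: offer a fresh ID
            cookie = set_cookie = f"uid={next(self._ids)}"
        self.log.append((cookie, client_ip, referer))
        return set_cookie                   # value of the Set-Cookie header, if any

    def sites_by(self, field):
        """Group logged pages by cookie ID (field=0) or client IP (field=1)."""
        groups = {}
        for entry in self.log:
            groups.setdefault(entry[field], []).append(entry[2])
        return groups

class Browser:
    def __init__(self, ip, accept_cookies):
        self.ip, self.accept_cookies = ip, accept_cookies
        self.jar = {}                       # cookie jar keyed by server host

    def visit(self, page_url, tracker, tracker_host="tracker.example"):
        # The page embeds <img src="http://tracker.example/bug.gif">; the browser
        # sends only the cookie previously set by that same host.
        sent = self.jar.get(tracker_host)
        set_cookie = tracker.serve_bug(self.ip, page_url, sent)
        if set_cookie and self.accept_cookies:
            self.jar[tracker_host] = set_cookie

PAGES = ("http://news.example/", "http://shop.example/", "http://forum.example/")

def run(accept_cookies):
    """Return (pages grouped by cookie ID, pages grouped by IP) as the tracker sees them."""
    tracker, browser = Tracker(), Browser("192.0.2.10", accept_cookies)
    for page in PAGES:
        browser.visit(page, tracker)
    return tracker.sites_by(0), tracker.sites_by(1)

if __name__ == "__main__":
    for accept in (True, False):
        print("cookies accepted:" if accept else "cookies rejected:", run(accept))
```

With cookies rejected, the per-cookie grouping splits into three one-page entries because each request is handed a new ID that is never returned, while the per-IP grouping is identical in both runs.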