Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Answer: Security: Cookies vs HTTP authentication

( #30809=categorized answer: print w/ replies, xml ) Need Help??

Q&A > CGI programming > Security: Cookies vs HTTP authentication contributed by rodry

How about sites that don't use HTTPS and still have some sensitive information that they secure by means of cookies.

Take for example www.egroups.com. You store sensitive information about yourself and the poeple in your group. Not to mention pictures, resumes, etc. Yet I don't remember having to go thru a HTTPS secured page to login or authenticate.

That kind of security is enough for me. What do you think.

Comment on Answer: Security: Cookies vs HTTP authentication
RE: Answer: Security: Cookies vs HTTP authentication
by vaevictus (Pilgrim) on Sep 02, 2000 at 01:24 UTC
    IMHO, Securing "by cookies" is not securing at all... if you have not done some sort of user/password or crypto key exchange, then I'd be really worried about doing anything with www.egroups.com.
    It sounds like to me, that it would be pretty easy to obtain the data on egroups by inappropriate means. (Logging in as someone else.) I mean... the server can store data on your computer in those cookies... but all that says is "someone once connected here". Unencrypted cookies can be sniffed. Then they can be used *EASILY* by anyone with a 3rd grade hacking level.

    Thanks for the heads up on egroups though... i'll prolly avoid them now. :)

RE: Answer: Security: Cookies vs HTTP authentication
by Russ (Deacon) on Sep 02, 2000 at 01:55 UTC
    For me, it is instinctive, reflexive and otherwise just subconscious to glance at the little padlock in the lower left of the Netscrape window before I even type something I consider sensitive into a browser window.

    I say this because you do not have to log in to be using https. Don't confuse SSL with security. SSL simply means "reduced risk of eavesdropping." Nor does logging in imply https. You could have logged in, then been dropped back out to a "normal" protocol.

    Further, it may be nearly impossible to know what egroups or anyone else is doing "behind-the-scenes." You may have logged in through an https page, and they are now ignoring that authentication information when they determine what data you may and may not view. If they use only cookies or CGI parameters to determine what you may access, their entire site, and all data in it, is probably up-for-grabs to anyone who wants to get it.

    So, IM(ns)HO, using the words "cookies" and "security" in the same context is fundamentally bogus. As to whether that level of security is enough...to each his own. As long as you do not put truly sensitive data on the site, who cares? If you store, on a site secured by cookies or CGI params only, anything you do not consider public knowledge, you are gambling against long odds. Pure and simple.

    Good luck. :-)

    Russ
    Brainbench 'Most Valuable Professional' for Perl

Log In?
Username:
Password:

What's my password?
Create A New User
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others romping around the Monastery: (7)
As of 2014-07-25 23:07 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (175 votes), past polls