Re: NSA Used Cookies to Track Visitors' Web Activities?

Wes Groleau wrote: 

AES wrote:

2) Does the protection reside in the nature of the Internet protocols itself? Or the browser one uses? Or the operating system on one's own machine? Could unwittingly installing a compromised browser open the doors wide to cookie-based intrusions? 


A "compromised browser" can do almost anything, so cookies would be
lost in the noise.  A cookie itself is unlikely to be a virus, but
if the browser code is written in C, it is very likely to have arrays
that are susceptible to "buffer overrun"  Sometimes a clever enough
person can use such a bug to cause executable code stored in an
allegedly non-executable file (image, cookie, etc.) to replace code
in your browser or operating system.  Yesterday, I posted a link
to a Washington Post article about just such a bug.

However, that code is for running on an Intel processor with a Windows
OS.  As long as you have a non-Intel Mac, it can't do what its designer
intended.

3) If one's computer were compromised, perhaps in some other way by an external intruder coming in over an Internet connection, presumably that intruder would have access to the cookies on one's machine. Would examination of one's cookies file give substantially more info to the intruder than, for example, examination of the bookmarks or History files associated with one's browser? 


No.  Many times a cookie just contains a unique code
generated by the originating website on the fly.  When
you visit that website again, their servers says to your
browser, "Let me see my cookie"  If the browser hands it
over, they look up the code and whatever info they stored
with it back then.  Sometimes an IDIOT programmer thinks
it clever to save himself storage space by putting important
information in the cookie itself, but I don't think this
happens very often.  However, I have been very selective about
who can store cookies on my computer since the day I discovered
a cookie containing my social security number.


I just looked through mine and a substantial number of them have configuration settings but most of the non-session ones have a last visited date, like laweekly.com and photo.net. In my current cookies I don't see any important info like SSNs.

Greg

--
"All my time I spent in heaven
Revelries of dance and wine
Waking to the sound of laughter
Up I'd rise and kiss the sky" - The Mekons
.

Relevant Pages

  • Re: NSA Used Cookies to Track Visitors Web Activities?
    ... Could unwittingly installing a compromised browser open the doors wide to cookie-based intrusions? ... A cookie itself is unlikely to be a virus, but if the browser code is written in C, it is very likely to have arrays that are susceptible to "buffer overrun" Sometimes a clever enough person can use such a bug to cause executable code stored in an allegedly non-executable file to replace code in your browser or operating system. ... external intruder coming in over an Internet connection, presumably that intruder would have access to the cookies on one's machine. ...
    (comp.sys.mac.system)
  • Re: Attempt to de-mystify AJAX
    ... "Hyperlinks" always open a new browser window. ... key (cookie) is still there and still contains the original value. ... You can get the cookies from the HTTP_COOKIE CGI environment variable. ...
    (comp.databases.pick)
  • Re: Cookies from ASP.NET app not persisting even when enabled!
    ... > I'm new to ASP.NET and have been developing a small app at work to test ... > and the authorization cookie is saved as expected on the local machine. ... any browser OTHER THAN the one on the development ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Great SWT Program
    ... Every browser I've ever ... server when requesting any URLs from that server. ... doesn't send the cookie. ... every so often nail the ones that got by adblock, ...
    (comp.lang.java.programmer)
  • RE: A technique to mitigate cookie-stealing XSS attacks
    ... Everyone interested in preventing XSS should review and understand ... remote procedure call instruction encoding where the browser or its OS ... browsers SHOULD adopt support for "client-side ... This new HTTPOnly security feature would simply stop cookie hijacking ...
    (Bugtraq)