[
Lists Home |
Date Index |
Thread Index
]
Joshua Allen of Microsoft wrote:
> Your privacy argument is fairly bogus
Thank you for your polite and civil comment...
My message stated a fact. It is a fact that "One of the
original motivations for doing cookies was to remove 'state
information' from the URL." Whether or not you think this was a bogus
concern is irrelevant to the truth of the statement. I participated in
the discussions I mentioned back in 1994 and know what was discussed.
In any case, it is *not* a "bogus" argument. The truth is that
there are no absolutely secure systems. The goal of security design is
to raise the bar to the point where it becomes difficult to compromise
a system. We do not have reasonable technology to make systems
completely impenetrable. When state information is in URL's, it gets
recorded in log files as referrer data and is easily accessible by
people with low skill levels. While it is possible to intercept TCP/IP
sessions and extract cookie information, it is much more difficult to
do so than simply reading a log file. Thus, while a cookie based
system is not impenetrable, it is likely to compromised by fewer
people than an URL based system. The degree of difference in the
security of the two methods is certainly of subject of debate --
however, it is not useful to debate whether a difference exists. Your
argument is bogus.
bob wyman
|