  1. #1 thewitt

    Unbelievable - IE cookie hole is real

    So for years we've all said that cookies are not unsafe and only the website that stored cookies on your computer can retrieve them. Not any more!

    Thanks to Microsoft's poor programming practices and lack of attention to security, websites CAN steal your cookie data with IE as your browser.

    http://www.computerworld.com/storyba...O65588,00.html

    Man I hate Microsoft!

    -t

  2. #2 Renegade
    Good thing I use IE 5.01. It's not vulnerable to this security risk.

    Although, I am not sure who to blame really. Yes, MS is part of the problem. But the issuing script/website is the other part. You should never never never store anything in clear text on your computer. Ever... period. And CC info should NEVER be stored on the local machine. EVER. That part is not MS's fault.

    I am currently writing a script that stores the user's username and pwd in a cookie on their machine. However, the password has been MD5'd, so security is of no threat if the cookie is ever stolen.
    --There's my 1.5 cents, now where is my change!?!?

  3. #3 moospot
    Can you explain what MD5 is and how to use it?

  4. #4 DR_LaRRY_PEpPeR
    Originally posted by moospot
    Can you explain what MD5 is and how to use it?
    It's a function in PHP, MySQL, and other languages. It turns everything into a 32-character hex string. To use, in PHP:

    PHP Code:
    // md5() returns the 32-character hex digest of its argument (it hashes, it does not encrypt)
    $encrypted = md5('mysecretpassword'); 
    Have you seen the long "garbage" string in the addresses on this forum, after the s=? That's the result of md5().
    - Matt

  5. #5 Renegade
    It's called a hash. Basically, it takes a string, however long that string is, and converts it into a UNIQUE 32-character string. No matter how long the input string is, the output is always the same length (32).

    So what's so good about it? Well, it's practically irreversible!! MD5 has its downsides though. For instance, if you MD5 a user's password and store it in a DB, you will not be able to write an "email me my password... I forgot" function
    --There's my 1.5 cents, now where is my change!?!?

  6. #6 Maelstrom
    I don't know how unbelievable that is. I can see the workaround. Microsoft, while trying to make a user-friendly environment, 'has' to remove some of the security options in order to do so.

    It sucks but usability and true security don't go hand in hand. ( I can think of a few examples of that)
    Maelstrom Personal - Apparition Visions
    Development - PhP || Mysql || Zend || Devshed
    Unix - FreeBSD || FreeBsdForums || Man Pages
    They made me a sitepoint Mentor - Feel free to PM me or Email me and I will see if I can help.

  7. #7 DR_LaRRY_PEpPeR
    Originally posted by Renegade
    MD5 has its downsides though. For instance, if you MD5 a user's password and store it in a DB, you will not be able to write an "email me my password... I forgot" function
    Sure you can! Just generate a new password.

    And since it's only 32 characters long (and only 16 possible characters each) it can't, as far as I know, be unique. Something will generate the same hash. Example: something (letters and numbers) that's, say, 40 characters long will have more combinations than md5()'s hash. So, some of those 40-char combinations have to have the same md5() hash, no?
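
    The MD5 behaviour argued over in posts #4, #5 and #7 (a fixed 32-hex-character digest whatever the input length, the pigeonhole argument for collisions, and what "practically irreversible" does and does not buy you when the input is a password), worked through as an added Python example. This is not code from the thread; the 62-symbol alphabet is the letters-and-numbers assumption from post #7, and the wordlist and the 'mysecretpassword' target are constructed for the demonstration.

```python
import hashlib

ALNUM = 62  # a-z, A-Z, 0-9: the "letters and numbers" alphabet assumed in post #7


def md5_hex(data):
    """MD5 of a UTF-8 string as the 32-character lowercase hex string PHP's md5() returns."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_lengths(inputs):
    """Digest length for each input: always 32 hex characters, whatever the input length."""
    return [len(md5_hex(s)) for s in inputs]


def differing_hex_digits(a, b):
    """How many of the 32 hex positions differ between two digests."""
    return sum(x != y for x, y in zip(a, b))


def collisions_forced(input_len, alphabet=ALNUM, digest_bits=128):
    """Pigeonhole argument from post #7: once there are more possible inputs of
    this length than the 2**128 possible digests, at least two inputs must
    share an MD5 hash. The argument proves collisions exist; it says nothing
    about how hard they are to find."""
    return alphabet ** input_len > 2 ** digest_bits


def shortest_forcing_length(alphabet=ALNUM, digest_bits=128):
    """Smallest fixed input length at which the counting argument applies
    (integer arithmetic, so no floating-point rounding)."""
    n = 1
    while alphabet ** n <= 2 ** digest_bits:
        n += 1
    return n


def guess_password(target_hex, candidates):
    """'Irreversible' only means MD5 itself is not run backwards. Nobody needs
    to: a weak password is recovered by hashing guesses and comparing digests,
    which is exactly what a stolen md5(password) lets an attacker do offline."""
    for guess in candidates:
        if md5_hex(guess) == target_hex:
            return guess
    return None


if __name__ == "__main__":
    print(md5_hex("mysecretpassword"))               # 32 hex chars, identical every run
    print(digest_lengths(["", "a", "x" * 10_000]))   # [32, 32, 32]
    print(collisions_forced(40), shortest_forcing_length())  # True 22
    # Constructed wordlist; the target is the hash of post #4's example password.
    print(guess_password(md5_hex("mysecretpassword"),
                         ["123456", "password", "mysecretpassword"]))
```

    Two things fall out of running it: the counting argument in post #7 already bites at 22 alphanumeric characters, well before 40, and the "irreversible" property in post #5 is irrelevant to a password that appears in a wordlist, because the attacker compares digests rather than inverting anything.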

  8. #8 thewitt
    Originally posted by DR_LaRRY_PEpPeR
    [clip]...so, some of those 40 char combinations have to have the same md5() hash, no?
    No.

    This is totally off topic though. The topic of this thread is that Microsoft has a security hole in IE that will let any site steal your cookies. These don't need to be plain text usernames and passwords in order for you to be violated here.

    Cookies stolen from your computer and installed on my computer will let me be you on many websites. Have you registered on a site that lets you back in with a cookie without logging in? Will you ever again?

    -t
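
    The consequence described in post #8, a stolen cookie letting the thief "be you", applied to the remember-me design from post #2 (username plus md5(password) in the cookie), as an added Python example that is not from the thread. The account name, its password, and the server-side session store shown as the alternative are constructed assumptions for the demonstration; the thread's own code is PHP, and Python is used here only so the server-side logic runs stand-alone.

```python
import hashlib
import hmac
import secrets

# Constructed demo account (assumed name and password, not from the thread).
# The stored value mirrors post #2's scheme: the DB keeps md5(password).
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def remember_me_cookie(username, password):
    """Post #2's design: the cookie value is the username plus md5(password)."""
    return username + ":" + hashlib.md5(password.encode("utf-8")).hexdigest()


def login_with_cookie(cookie):
    """Server side of that design. The server compares the hash it stored with
    the hash in the cookie, so whoever presents the cookie value is 'alice';
    the cleartext password is never needed to replay it."""
    username, _, presented = cookie.partition(":")
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored, presented):
        return username
    return None


def change_password(username, new_password):
    """The only way to invalidate a stolen cookie of that design."""
    USERS[username] = hashlib.md5(new_password.encode("utf-8")).hexdigest()


class SessionStore:
    """Alternative: a random, opaque token kept server side. A stolen token is
    still replayable while it lives (post #8's point stands), but it carries
    no password material and can be revoked without touching the password."""

    def __init__(self):
        # sha256(token) -> username, so a dump of this table yields no usable tokens
        self._sessions = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = username
        return token

    def resolve(self, token):
        return self._sessions.get(self._key(token))

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)


def replay_demo():
    """Returns (md5 cookie replays, md5 cookie dead after password change,
    session token replays, session token dead after revoke)."""
    stolen = remember_me_cookie("alice", "correct horse")  # what the IE hole hands over
    md5_replays = login_with_cookie(stolen) == "alice"      # attacker is alice
    change_password("alice", "battery staple")
    md5_dead = login_with_cookie(stolen) is None            # only a new password kills it

    store = SessionStore()
    token = store.issue("alice")
    token_replays = store.resolve(token) == "alice"         # stolen token also works...
    store.revoke(token)  # ...until the user logs out or the site invalidates it
    token_dead = store.resolve(token) is None
    return md5_replays, md5_dead, token_replays, token_dead


if __name__ == "__main__":
    print(replay_demo())  # (True, True, True, True)
```

    Both designs let whoever steals the cookie walk in as the user, which is exactly post #8's point. The difference is what else the thief gets and how the site recovers: the md5(password) cookie is a permanent credential that also hands the attacker a hash to crack offline, and nothing short of a password change invalidates it, whereas the random token expires or is revoked server side with no password involved.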

  9. #9 dominique
    Originally posted by thewitt
    Have you registered on a site that lets you back in with a cookie without logging in? Will you ever again?
    If it's your bank, no, you won't ever again. If it's anywhere else, sure you will. It's been in the news so much - cookies are safe, cookies aren't safe, cookies are safe, cookies aren't safe, cookies are safe, cookies aren't safe - that most people just don't care anymore. It's seen as a hazard of life, just like driving a car.

  10. #10 Michel V
    "It's seen as a hazard of life, just like driving a car."

    Except that MicroSoft boasted about, emphasized, IE6's GREAT security settings.
    I'm a happy user of the non-standard, insecure, virii-ridden, open-source Mozilla browser. Whoa, I'm afraid, there's no P3P icon in the status bar!


    ... someone should start a thread about MicroSoft and people's resigned fatalism about their practices.

  11. #11 Maelstrom
    Originally posted by Michel V
    ... someone should start a thread about MicroSoft and people's resigned fatalism about their practices.
    I think you would need more than a thread. Conspiracy theory forum more like it.

