Cart
[Home] [By Thread] [By Date] [Recent Entries]
Joshua Allen of Microsoft wrote: > Your privacy argument is fairly bogus Thank you for your polite and civil comment... My message stated a fact. It is a fact that "One of the original motivations for doing cookies was to remove 'state information' from the URL." Whether or not you think this was a bogus concern is irrelevant to the truth of the statement. I participated in the discussions I mentioned back in 1994 and know what was discussed. In any case, it is *not* a "bogus" argument. The truth is that there are no absolutely secure systems. The goal of security design is to raise the bar to the point where it becomes difficult to compromise a system. We do not have reasonable technology to make systems completely impenetrable. When state information is in URL's, it gets recorded in log files as referrer data and is easily accessible by people with low skill levels. While it is possible to intercept TCP/IP sessions and extract cookie information, it is much more difficult to do so than simply reading a log file. Thus, while a cookie based system is not impenetrable, it is likely to compromised by fewer people than an URL based system. The degree of difference in the security of the two methods is certainly of subject of debate -- however, it is not useful to debate whether a difference exists. Your argument is bogus. bob wyman
|
