From: Jean-François Asselin (jfasselin@micrologic.ca)
Date: Wed Jan 23 2002 - 12:55:33 CST
It is unnecessary to change the global setting. You can choose to allow
all cookies from a specific web site or domain, thus enabling the user
to authorize cookies from that secure web site, and still keep the
default settings at Medium High or higher (just as you can set IE to
always reject cookies from particular web sites).
> -----Original Message-----
> From: dross@ITWSouthland.com [mailto:dross@ITWSouthland.com]
> Sent: January 23, 2002 12:22 PM
> To: focus-ms@securityfocus.com
> Subject: IE6 Privacy and Secure Web Site
>
>
> Internet Explorer 6 security settings: cookies and secure web sites.
>
> Internet Explorer 6 has the ability to set the level of
> security (Privacy) for the cookies a web site places in the
> internet files folder. The default setting is set to medium.
>
> Example:
> User goes to a web site to access secure data. The user is
> prompted for logon and password. The Logon proceeds fine but
> when the user attempts to use the features of the secure web
> site they are prompted to enable cookies in their browser.
> Cookies are enabled by default in the browser
> (IE6/Privacy) set to medium. To enable the features of the
> secure web site the privacy setting must be set to low. The
> secure web site then places two cookies in the internet file
> folder. The first cookie contains the logon information for
> the user and remains (Persistent) in the internet file folder
> after the user has logged off the site. The second cookie
> contains the web IP of the user and disappears (Session)
> after the user has logged off. The data stored within the
> first cookie is not encrypted, the logon is displayed as
> clear text and the password as ???. The logon is set by the
> secure web site and is a value which should never be used as
> a logon and the password is limited in set and size.
>
> This does not seem to be safe and secure.
> With about nine or is it eleven unresolved vulnerabilities
> currently in IE6, the following settings have been made to the browser.
>
> ie6 Advanced Settings
> Under Security Check: Do not save encrypted pages to disk
> and Empty Temporary Internet Files folder when browser is closed
>
> Have the user manually: Delete Cookies...Delete Files...and
> reset the Privacy setting to medium (prefer medium high)
> after logging off secure web site.
>
> Recommendations please: is this a problem with IE6, the
> secure web site and the use of cookies, or both?
>
> Daniel Ross
> System Support Analyst
> ITW Southland
> dross@itwsouthland.com
> (757) 213-2445
>
>
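
The cookie behaviour described in the quoted message (a persistent cookie carrying logon data next to a session-only cookie) can be checked from the `Set-Cookie` headers a site sends. The following is an added example, not part of either message in this thread; the header values, cookie names and the `CREDENTIAL_HINTS` list are constructed assumptions.

```python
# Added example: audit Set-Cookie headers for the pattern described in the thread.
# The headers below are constructed samples, not captured from the site discussed.
SAMPLE_HEADERS = [
    "logon=WEBUSER01&pw=???; expires=Thu, 23-Jan-2003 12:00:00 GMT; path=/",
    "clientip=192.0.2.10; path=/; secure",
]

# Hypothetical fragments that suggest a cookie carries credential material.
CREDENTIAL_HINTS = ("logon", "login", "user", "pass", "pw")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(header):
    """Return a list of findings for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    # A cookie with Expires or Max-Age is written to disk and outlives logoff.
    persistent = "expires" in attrs or "max-age" in attrs
    text = (name + "=" + value).lower()
    if persistent and any(hint in text for hint in CREDENTIAL_HINTS):
        findings.append("persistent cookie holds logon data in clear text")
    if "secure" not in attrs:
        findings.append("no Secure attribute: cookie may be sent over plain HTTP")
    return findings


def audit_all(headers):
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)[0]: audit(h) for h in headers}


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```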