Gossamer Forum

Cookies are Hell! Hackers are also Hell! >Firewall

Cookies are Hell! Hackers are also Hell! >Firewall
Hello Alex!

Is there any other method that you can use on the forum without cookies?

I am using a firewall from Symantec and this gives a lot of headaches with your website. How many thousand cookie questions have you designed? That's unfair to force people to use cookies and collect information against the will of the surfers.

For instance, to surf on your website I had to deactivate my firewall and always get into trouble. If I want to log in and post to the forum I am forced to deactivate my firewall. I cannot afford it. There have been attacks by hackers earlier on many client stations, and people are surfing on the computers of others without the knowledge of the owner. One realises this only when one has installed a strong firewall which is constantly fighting against such incoming blocks of communications.

I am always forced to de-activate my firewall if I want to post! Why? There have to be other ways. Knowing these problems, it is an unfair practice to use cookies extensively.

Re: Cookies are Hell! Hackers are also Hell! >Firewall
If the cookies prevent you from posting, then I'm sure it could be looked into.

However, cookies are here for our lazy convenience. They are not designed to track you, but to make your life easier. For example, with them turned on, the forum lets you know how many new posts have been submitted since the last time you visited. They also log you in automatically, so replying to a post is a piece of cake.

For CGI scripts, cookies are not used to store any critical information like credit card info. Probably the most secretive thing would be storing a forum username and password. But this is not critical data.

BTW, you can keep your firewall up and disable cookies if you want to.

Re: Cookies are Hell! Hackers are also Hell! >Firewall
Hi!

We use cookies on our site to see what a visitor does. This is purely for our interest to see how people use our site and what we can do to make it better and easier to navigate. You should still be able to navigate the rest of the site without cookies.

The forum does require cookies in order to authenticate who you are. There are really only three ways to handle this:

1. Pass a session tag through the URL/form.
2. Pass a session tag through a cookie (what we do).
3. Use server side authentication (.htaccess) to authenticate a user.
4. Re-enter your username/password every time - this is not UBB; the script generates a lot of the options based on who you are (i.e. moderators have different options than users, etc). This is not really usable without sacrificing a lot of features.

Option 3 is not very usable, and option 1 is cumbersome and opens up other security holes (for instance, you click on a link and your session is logged on a remote server -- allowing other people to use your profile). Given this, cookies are really the best option.

If you have any other questions, please let me know.

Cheers,

Alex

--
Gossamer Threads Inc.
Re: Cookies are Hell! Hackers are also Hell! >Firewall
Hello Alex!

I understand all the reasons.

However, I believe this is what I would choose, if I were offered an option, regardless of what is thought and listed below:

I would not mind entering my name and the password "at the time" of entering the post. That would be the only time when users were required earlier to enter the passwords. Not before. In this case, that would be the only time it checks the authenticity. The remaining things can be programmed and stored in the database of the users giving codes, and I fail to believe that it is difficult to code it for a God Father like you in Perl/MySQL.

Here, all the options are going through cookies which, for understandable reasons, are the shortest way to hang up the Forum. Every time I got in here, I felt insecure, and de-activation of my firewall was and is a MUST.

Cookies and the options can be an extra option and not the main thing to work with. Yahoo does use cookies, but only for further use and convenience. But for that particular entry it is not and cannot be a MUST. I have rarely seen a website that is only driven by cookies.

If I have to choose between de-activation of my firewall and posting a message to someone in need, I would choose not to post. Is this clever? Is this in the larger interest of your website?

Further, off the topic above and already mentioned before in my posts, I am always mad when I routinely click on the button below the posting message box. It is the Check Spelling box, exactly below the text area. It is better to have Continue there and have Check Spelling as an option at the bottom. It has always created confusion, without exception.

Re: Cookies are Hell! Hackers are also Hell! >Firewall
Every time you follow a link there is enough reason to get scared of what you can encounter from hackers!
I never could understand why networks with plenty of PCs are willing to take the great risk of being intercepted and hacked. Is it that difficult or expensive to get a standalone, plug it into the internet and do what you want to do? When you need to connect to the network, just plug it in then. Never surf while connected to your network; even with a firewall it is a little bit more dangerous, but it still is!!!!
And he's right about the spellchecking button...

Re: Cookies are Hell! Hackers are also Hell! >Firewall
Hello!

Yes, I am of the same opinion. Moreover, I am doing the same, and most people who know things about hackers may tell you the same.

I use a PC standalone for the internet. Of course the internet is not the only use, but more. However there may be hundreds of millions who may face this using a standalone without a firewall. I know a friend who had a strange problem. Almost every week a hacker would eat only Software.log! This is a true story. I have seen it and also helped him install a firewall on his standalone system. A couple of times the suspicion was a virus, but later Netbus Detective (www.suft.to/detective >>> anti-hacker shareware detecting the Netbus hacking program or something similar ONLY) told the truth.

What REALLY bugged me this time also was that I again had to disable the firewall.

I can of course give full control to the firewall (Norton Personal Firewall ver 2.0 for Win 98/NT/2000, an excellent one and very cheap) specifically and only for the GT website, and it will get full rights and not trouble me again. But that's not the only point. I have also disabled cookies entirely in the browser. So only for the GT website I have to enable and do many things further if I wanna read(x) or search or post. Of course I am not a frequent visitor to GT; however, it is just a conceptual issue. I have known Alex, who has been addressing such issues <> solutions for years, coming out with "Not less than Excellent Solutions for most difficult situation!!!" and I like it and therefore I wanted to tell him. (Recently, I learned that he wants to paint Links SQL with JAVA, the language for and of the world of Fanatics !H!A! )

God damn cookies and Cakes.

Re: Cookies are Hell! Hackers are also Hell! >Firewall
Security is a funny thing.

You should never grant access to "users" on the "servers" of any sort. They should log on from remote machines and use net connections and user permissions only. This goes back to before the Internet, with only database and remote application or file servers.

The simplest security for a network is just setting up gateway routers on the user connections that allow outgoing, but not incoming traffic, and on the servers that allow incoming but not outgoing traffic. You can share the same pipes, just different switches.

I tried to use "firewall" software on my gateway machines, with some limited success and a lot of problems. A gateway router solved most of the problems.

Turn off any services you do not use. If you have a static IP, allow those services only for that IP -- such as FTP or telnet.

Then, when setting up a firewall or proxy server, go with standard software, and standard hardware, and don't try to go cheap. Go with something that is easy to set up, is monitored by a wide range of people where hacks are fixed on a daily basis, and where you can set up your network to use it without a problem.

I dare say no one here is running a mission critical, financial or health related site, where transactions are taking place that need to be 100% secure in all ways. (If you were, you'd be running Oracle, not MySQL, you wouldn't be discussing it here, etc.)

We all like our data, and our privacy, and want it secure, but at some point you need to balance it out.

Certain sites are more prone to hacking -- music, adult, and sites that have pissed off people in some way (membership sites, chat rooms, etc).

Plug the holes, look at hardware firewalls, turn off services you don't use, separate users and servers, and limit passwords.

Using non-routable IPs for users, back end machines, and other stuff is a good thing as well. Only make the Internet machines visible to the Internet; everything else has to go through the proxy.

And, the bottom line, nothing will deter a determined hacker. Remember, they wrote the software. Make it hard for the casual hacker or trespasser, and don't do anything to promote or make it easier for them. Keep good back ups.

http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: Cookies are Hell! Hackers are also Hell! >Firewall
Hello Robert!

I understand and also agree with all of what you are talking about.

However, the discussion on the firewall came about only because it was bugging me to activate and deactivate. What I have questioned is the conceptual issue of using the cookie technology, which troubled me "because I am using a firewall". I however may not be using a firewall. The discussion on the principal issue would still remain the same. And Alex did directly and correctly trigger on it.

However, you are touching on a very interesting topic that interests me and perhaps others.

What kind of firewall installation did you use? On UNIX?

Ach, Ach, Ach, Ach, the firewall did not allow the post to be submitted as it required a password from the stupid GT cookies rather than from me personally.

Re: Cookies are Hell! Hackers are also Hell! >Firewall
I don't claim to know a huge amount about firewalls or security in general, but I've never heard of a firewall not allowing cookies. Furthermore, I have a very low opinion of Symantec products...

If you haven't already, try ZoneAlarm from http://www.zonelabs.com/ -- free to try out and very effective.

Dan

Re: Cookies are Hell! Hackers are also Hell! >Firewall
While I prefer Linux for this sort of thing, I have heard very good things about Black Ice: http://www.networkice.com/...ackice_defender.html

Cheers,

Alex

--
Gossamer Threads Inc.
Re: Cookies are Hell! Hackers are also Hell! >Firewall
I don't agree that cookies are a major security risk. I wouldn't recommend keeping a computer live to the internet without a firewall or some protection; however, disabling cookies (in my opinion) isn't required. Why do you feel the need to disable cookies?

Cookies are very useful in providing "states" to an inherently stateless system.

Cheers,

Alex

--
Gossamer Threads Inc.
Re: Cookies are Hell! Hackers are also Hell! >Firewall
Hello Alex!

In my Netscape browser (I know that it's not your favorite browser), the Preferences option says:

1-Accept all cookies
2-Accept only Cookies and Cakes that get sent back to the originating server.
3-Disable.

What does this mean? You also know that there is a good chance that some of the cookies are converted into cakes that do not get back to the server they came from, to my knowledge. So those sites are collecting information on the surfers, what they do and where they go. Those cookies originate from one server and get sent back to another, and you do not know where and what? Where is the privacy? Is this fair to sniff on people who are not even aware of it?

After surfing for a while staying behind the firewall, one realises how muddy the internet is. People are collecting lots and lots of information on you of all kinds without even knowing you. I hate this way.

Some months ago, someone in this forum said it may be possible to steal passwords from cookies that are not encrypted. Could this be true? Of course, if the programming is done in a way that needs to store the password into cookies, that implies by itself that the password may not be so important. However, I do not know all this.

To surf without a firewall is extremely dangerous.

If cookies are enabled, the firewall constantly asks to either configure the website permission to allow it or block it. It wants to regulate every form of communication, incoming or outgoing. Symantec Firewall 2.0 for 2000 is GREAT!!!

If I configure the firewall to permit the GT website for all communication, then the cookies option needs to be enabled. That also means that it will have a consequence for all other surfing. But maybe I should look carefully into how to solve it.

Sometimes, the more the complications, the more difficult the options, and most difficult is the solution. A password to put up a post was very simple.

For those interested in knowing some more web addresses:

http://www.icsa.net/html/communities/firewalls/certification/vendors/index.shtml#ProductTable


and some more to end this thread:

AppGate AppGate www.appgate.com Intruder Alert; Raptor Firewall
Axent Technologies www.axent.com/axent/products Firewall-1; Host Inspection Module
Check Point Software Technologies www.checkpoint.com/products/firewall1/index.html
PIX Firewall Cisco Systems www.cisco.com/warp/public/cc/pd/fw/sqfw500
GetAccess EnCommerce www.encommerce.com Secure Shell (SSH)
F-Secure www.f-secure.com/products/ssh
TCPWrappers Freeware (Wietse Venema) ftp://ftp.porcupine.org/pub/security/index.html
Ft. Knox Policy Router Internet Devices www.internetdevices.com
Kane Security Monitor Intrusion.com www.intrusion.com/products/monitor.shtml
Web Access Control/Authentication iPlanet www.iplanet.com
NetScreen-10, -100 NetScreen www.netscreen.com/pub/index2.html
Gauntlet Firewall Network Associates www.pgp.com/products/gauntlet/default.asp
Black Ice Defender Network Ice www.networkice.com/html/blackice_defender.html
PortSentry Psionic Systems www.psionic.com/abacus/portsentry
SecurID RSA Security www.rsasecurity.com/products/securid/index.html
SonicWALL SonicWall www.sonicwall.com
Norton Personal Firewall Symantec www.symantec.com/region/can/eng/product/nis/npf
Personal/SOHO Firewall TinySoftware www.tinysoftware.com/products/html
Firebox WatchGuard www.watchguard.com/products/fiimss.asp
ZoneAlarm ZoneLab www.zonelabs.com/zonealarm.htm
Re: Cookies are Hell! Hackers are also Hell! >Firewall
Hello Alex!

Further, searching for the term Cookies on news.com, out of many interesting ones, I give the following URLs on why cookies are terrible.

http://news.cnet.com/news/0-1005-200-1857707.html?tag=st.ne.1002.srchres.ni


http://news.cnet.com/news/0-1007-200-2247960.html?tag=st.ne.1002.srchres.ni

A widely used, yet virtually undetectable, means of tracking people's Internet surfing habits is joining its better-known cousin, the cookie, as the subject of several lawsuits and a privacy initiative by the government.

Web bugs can "talk" to existing cookies on a computer if they are both from the same Web site or advertising company, such as DoubleClick, which uses bugs and dominates the online advertising market.

That means, for example, that if a person visited Johnson & Johnson's YourBaby Web site, which uses DoubleClick Web bugs, the bug would read the visitor's DoubleClick cookie ID number, which shows the past online behavior for that computer. The information would then go back to DoubleClick.
Re: Cookies are Hell! Hackers are also Hell! >Firewall
In Reply To:
2-Accept only Cookies and Cakes that get sent back to the originating server.
You can safely turn this on and not send cookies to doubleclick or other ad banner programs, and everything will still work on the forums.

Cheers,

Alex

--
Gossamer Threads Inc.
Re: Cookies are Hell! Hackers are also Hell! >Firewall
Hi Alex,
(re: 2. Pass a session tag through a cookie)

I've been reading this thread with great interest and I wondered if you could expand a little bit on this issue of cookies.

You've touched clearly on the pros and cons of their use and usefulness; however, for some people (tech ignoramuses) like me, the bridge between understanding the need for a secure (or so!!) system and the implementation of it seems a nightmare.

Having said that and at this stage, whatever is good for Alex is certainly secure enough for me; a newly born Web user!

You've recommended the second choice as being the less burdensome for the use of cookies; would you take a minute and lead me through the process of putting that method into effect on my system.

I very much appreciate your collaboration.

I'm fond of DBman and expect to put it to great use. I acquired it last week and am already using the Forum at great length to get more familiar with the features offered by DBman. Great site of yours. Congratulations!!

cheers
macagy

Re: Cookies are Hell! Hackers are also Hell! >Firewall
In Reply To:
You've recommended the second choice as being the less burdensome for the use of cookies; would you take a minute and lead me through the process of putting that method into effect on my system.
Implementing sessions is not a trivial thing, and usually requires it to be built in (things like PHP, Cold Fusion, ASP handle this automatically for you), or takes some programming to do.

It can be as simple as:

- On successful login, create a unique session id, save that to a file, and send the session id back in a cookie.
- On every request, check to make sure that the cookie passed in, is a valid session (i.e. file exists).
- On logout, delete the file.
- Periodically, remove files older than n hours.

This is just one of many ways to approach it though. Sessions could be stored in an SQL database, in a flat file, in memory, etc.

Hope this helps,

Alex

--
Gossamer Threads Inc.
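To make Alex's four steps (his option 2 from earlier in the thread) concrete, here is an added example of a file-backed session store; it is not Gossamer Threads code. The cookie name `session_id`, the two-hour lifetime and the HttpOnly flag are my assumptions; ids come from the OS random source so they cannot be guessed, and an id is checked before it is ever used as a file name.

```python
import secrets
import time
from pathlib import Path
from http.cookies import SimpleCookie

COOKIE_NAME = "session_id"  # assumed cookie name, not the forum's own
SESSION_TTL = 2 * 60 * 60   # the post's "n hours": two hours here


class FileSessionStore:
    """One file per live session, named by an unguessable session id."""

    def __init__(self, directory):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)

    def _path(self, session_id):
        # Minted ids are URL-safe tokens; anything else (e.g. "../etc/passwd"
        # in a tampered cookie) is rejected before it reaches the filesystem.
        if not session_id or not all(c.isalnum() or c in "-_" for c in session_id):
            return None
        return self.dir / session_id

    def login(self, username):
        # Step 1: on successful login mint an id from the OS CSPRNG, store the
        # user name under it, and hand the id back to go into the cookie.
        session_id = secrets.token_urlsafe(32)
        self._path(session_id).write_text(username)
        return session_id

    def lookup(self, session_id):
        # Step 2: on every request the cookie value is valid only if its file
        # exists and is younger than SESSION_TTL; returns the user name or None.
        p = self._path(session_id)
        if p is None or not p.is_file():
            return None
        if time.time() - p.stat().st_mtime > SESSION_TTL:
            p.unlink()
            return None
        return p.read_text()

    def logout(self, session_id):
        # Step 3: on logout delete the file so the id can never be replayed.
        p = self._path(session_id)
        if p is not None and p.is_file():
            p.unlink()

    def expire_old(self, max_age=SESSION_TTL):
        # Step 4: periodic sweep removing files older than max_age seconds.
        now = time.time()
        stale = [p for p in self.dir.iterdir()
                 if p.is_file() and now - p.stat().st_mtime > max_age]
        for p in stale:
            p.unlink()
        return len(stale)


def session_cookie_header(session_id):
    # Set-Cookie line carrying the id; HttpOnly is an added hardening (not in
    # the post) that keeps page scripts from reading the cookie.
    c = SimpleCookie()
    c[COOKIE_NAME] = session_id
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["path"] = "/"
    return c.output(header="Set-Cookie:")
```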
Re: Cookies are Hell! Hackers are also Hell! >Firewall
I believe the cgi.pm book has a discussion on this, as well as the "other titles" links on Amazon for people who bought that book.

I hope to have the books area on the FAQ site built up shortly (I rewrote a version of LinkSQL to just do books), and hope to have a good reference there. I have purchased thousands of dollars in books over the years, some only for a few pages of merit, others for continued reference. But, since I work alone, at night, and usually have problems that either are painfully obvious to most, or are so obscure the only way around them is a complete work-around, a $50 reference book that answers a question when I need it has paid for itself.

I have close to 20 books I use on a regular basis -- just for answering this sort of question -- security, cookies, SQL syntax, module parameters, etc. (For instance, most people barely scratch the surface of what cgi.pm can do.)

The other great reference is CPAN/perl.org itself. By looking at what modules people wrote and the differences between the various modules you can get an idea of how things work, and which stuff you need -- and more importantly -- things you might not have thought of.

Cookies solve some problems. They open the doors to others. In order to use them you need good planning, good module design, and some idea of what is really going on between your server and your browser, and your program/server/browser.


http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: Cookies are Hell! Hackers are also Hell! >Firewall
Hi Alex,

Thank you very much for your prompt reply.
At this stage I certainly cannot do it on my own; I'll look for some documentation to use the proper coding and configure the steps you've mentioned.

Again, thanks for your help.

cheers
macagy

Re: Cookies are Hell! Hackers are also Hell! >Firewall
Rajani, I don't know whether the cookie problem you are having is related; however, since the new forum has been in place, my computer's "history" folder saves the forum address as http://gossamer-threads.com/perl/forum [<< notice no trailing slash]

When I access the forum using that URL, I access it as not logged in - I need to add the trailing slash, and then the userid stored in the cookie is properly recognized.

Perhaps your problem is something similar?
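Karen's trailing-slash symptom is what cookie path scoping produces when the login cookie is set with an explicit Path of /perl/forum/ (an assumption about the forum's Set-Cookie header, not something her post states). The following is an added illustration, not forum code: it implements the RFC 6265 path-match and default-path rules and checks both URLs against them.

```python
def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match: is a cookie scoped to cookie_path
    sent with a request for request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A "/perl/forum/" scoped cookie matches "/perl/forum/index.cgi" ...
        if cookie_path.endswith("/"):
            return True
        # ... and a "/perl" scoped cookie matches "/perl/forum" but not "/perlx".
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def default_cookie_path(request_uri_path):
    """Scope a cookie gets when Set-Cookie carries no Path attribute
    (RFC 6265 default-path): the request path up to its last "/"."""
    if not request_uri_path.startswith("/"):
        return "/"
    if request_uri_path.count("/") == 1:
        return "/"
    return request_uri_path.rsplit("/", 1)[0]


def cookie_sent(request_path, set_from_path, explicit_path=None):
    """Would the login cookie travel with request_path? set_from_path is the
    URL path of the response that set it, explicit_path its Path attribute."""
    scope = explicit_path if explicit_path else default_cookie_path(set_from_path)
    return path_match(request_path, scope)


# Constructed check of the two URLs from the post: with the default-path rule
# both forms get the cookie; with an explicit trailing-slash Path only one does.
SET_FROM = "/perl/forum/login.cgi"   # assumed login URL, for illustration
WITH_DEFAULT = [cookie_sent(u, SET_FROM) for u in ("/perl/forum", "/perl/forum/")]
WITH_SLASH_PATH = [cookie_sent(u, SET_FROM, "/perl/forum/")
                   for u in ("/perl/forum", "/perl/forum/")]
```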


Re: Cookies are Hell! Hackers are also Hell! >Firewall
Hello Karen!

No, that was not the problem, but cookies itself.

In my browser the cookies option is de-activated. A bit safer way to activate the option, as Alex pointed out and many experienced surfers would know, is to turn on the option "Accept cookies that go back to the originating servers". However, it does open security holes though.