lynx-dev

Re: LYNX-DEV Cookies


From: Larry W. Virden, x2487
Subject: Re: LYNX-DEV Cookies
Date: Mon, 30 Jun 1997 08:12:51 -0400


>               hosts in that domain) can request your cookie and the site's
>               administrators can sort of track your access and progress
>               through the site.

But of course, they can also track your access and progress thru the site
via the site's logs as well.

>               The main advantage to the site is for gathering marketing
>               statistics.  They can track which versions of a web page
>               lead to increased traffic to linked pages and they can 
>               get some idea how many new and repeat visits they're getting.
>               (Like most marketing efforts at statistics there are major
>               flaws with the model -- but the results are valid enough
>               for marketdroids).

Certainly this is an advantage.  However, there are many others.  For instance,
it permits a site to retain a user's preferences, their password, 
etc. so that each time one returns to a site, the information from the
past visit can be reused.  This is an 'ease of use' benefit to the user.

Since visits to web pages can be traced via logs, what cookies add to the
mix is to allow a site that has the time and experience to analyze which
users visit which types of pages.


> 
>               There are several disadvantages -- including significant
>               privacy concerns.  There are several tools available

This remark continues to be tossed out unqualified, added to the Fear,
Uncertainty and Doubt in the community.  Let's get serious for a minute.
The 'privacy' concerns are related to what sites within a domain can
find out from what a user has provided in the current and prior visits.
What kind of information?  Only whatever the site has stored into a cookie.
And a site can only store into a cookie information that the user has
fed into the site - either directly (into forms) or link selections
(if the site is so inclined).  In most cases, it is only the former that
a site stores into cookies - otherwise, there would be too much data
to be stored into the cookie (which are limited in size).  Yes, there
is a limited privacy issue - but in general, nothing more than one
has at other sites.  The only access that a different site at a different
domain would have to the cookies is the same that that site might have to
any other data file on your system.  Cookies are not, at least intentionally,
accessible between sites.  Now, someone _may_ find bugs in browsers which
allow access to this data.  Likewise, folk find bugs that allow access
to info via ActiveX, Java, Frames, plain browsing in text mode via Lynx.
In the case of 'bugs', one fixes the bugs.  But in general, the cookies
are not intended to be some sneaky way for companies to get into your
file system - which is what most non-computer users think when they hear
'privacy concerns'.


>               About the only advantage to some users is that some
>               sites *might* use cookies to help you skip parts of the
>               site that you've already seen or *might* allow you to 
>               avoid filling in forms that you've already filled out.

Yes - in most cases, intentional use of the cookies is for these 'might'
cases.  However, some web browsers are configured, accidentally it seems,
to generate session cookies even though no use of the cookies is
obvious.

>               Personally I think cookies are a poorly chosen way to 
>               do this -- client-side certificates (a feature of 
>               SSL v. 3.x) is a much cleaner method (it allows the user
>               to get and maintain cryptographically strong "certificates"
>               which can be presented to specific servers on demand --
>               this exchange of certificates involves cryptographic
>               authentication in both directions -- so your browser 
>               knows it isn't authenticating to some bogus imposter
>               of a server -- and the server knows that your certificate
>               isn't forged.

Of course, with the current climate in the US Congress (as well as
currently implemented in certain other countries) leaning towards making
any use of encryption a federal offense, it is not wise to be building
one's company around a dependence on the use of encryption.

-- 
Larry W. Virden                 INET: address@hidden
<URL:http://www.teraform.com/%7Elvirden/> <*> O- "We are all Kosh."
Unless explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.
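
The domain scoping discussed in the message above (hosts in the same domain can be sent a cookie, a site in a different domain cannot), as an added example that is not part of the original post. It uses the domain-match and path-match rules of RFC 6265, which postdates this message; the host names and cookies are constructed.

```javascript
// Added example: which stored cookies a client attaches to a request,
// following RFC 6265 sections 5.1.3 (domain-match) and 5.1.4 (path-match).
// All host names and cookies below are constructed for illustration.

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// True if host equals the cookie domain, or is a host name that ends with
// "." + cookie domain. A plain suffix test would wrongly accept look-alikes.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  if (isIpAddress(h)) return false; // IP addresses only match exactly
  return h.endsWith("." + d);
}

// True if the cookie path is the request path or a "/"-aligned prefix of it.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// hostOnly is set when the server sent no Domain attribute: exact host only.
function cookiesForRequest(jar, host, path) {
  return jar
    .filter((c) =>
      (c.hostOnly ? host.toLowerCase() === c.domain : domainMatch(host, c.domain)) &&
      pathMatch(path, c.path))
    .map((c) => c.name);
}

// Constructed cookie jar.
const jar = [
  { name: "prefs", domain: "example.com", hostOnly: false, path: "/" },
  { name: "cart", domain: "shop.example.com", hostOnly: true, path: "/checkout" },
];

const requests = [
  ["shop.example.com", "/checkout/pay"], // same host: both cookies
  ["www.example.com", "/"],              // sibling host in the domain: prefs only
  ["badexample.com", "/"],               // look-alike suffix: nothing
  ["tracker.example.net", "/"],          // different domain: nothing
];
for (const [host, path] of requests) {
  console.log(host + path, "->", cookiesForRequest(jar, host, path));
}
```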