Web Informant #137, 8 January 1999:
Cookie Coda

http://www.strom.com/awards/137.html

In my last Web Informant, I complained about the process of PIN proliferation and suggested that cookies would be a good substitute. I realize now, many emails later, that I was wrong. Here is why, from John Patrick, VP of Internet Technology for IBM. Thanks, John, for letting me send your email around to my subscribers:

David, I'm having trouble swallowing your enthusiasm for cookies. As you know, large numbers of people are learning that encrypted browser session technology (SSL) works quite well, and the vast majority of people are quite comfortable typing in their credit cards when paying for goods over the Internet.

However, many people do not think about the following issues when they are surfing:

Without going into lots of detail, these questions bring up five key issues in security:

The PIN problem just deals with one issue, the lack of authentication. I see three alternatives:

First is to find a better way to manage your login/password information. What happens if you share your password? Now you have made it easy for someone else to be you. So, let's assume you keep your password to yourself. Since web sites have different rules for passwords, and since your preferred ID, say dstrom, may already be taken, you end up with lots of different IDs and passwords.

So you devise an ID so unique, like d&str#@m, that nobody else will have it. You also devise a password of just the right length and style that almost any web site would accept it. On the surface this universal login seems to solve the problem, until you realize that if one of your web merchants turns out to be a scofflaw, he or she now has access to all of the web sites where you have registered!

So now you get organized, and create a small database of all your IDs and passwords. Where to put it? On a piece of paper? Where to put that? Maybe you purchase or download some software to track all this information. Now you have become a database manager, and have to worry about backup and security of your new database!

But there is a big flaw, no matter how you organize your passwords. Whatever your ID and password are, when you send them they are almost always sent "in the clear." This means that an unscrupulous person might be able to "sniff" your ID and password from the Internet. They wouldn't even need to know who you are, and now they have a key to some web sites.

Let's move on to the second alternative, which is to use cookies as you suggest. I agree it seems appealing on the surface and it has worked well in the short term. I don't think it has legs though, as we want to use more and more devices to connect to the Internet such as PDAs, phones, kiosks and so forth. Now you've left a trail of cookies on public PCs all over the place! Do you really want your authentication spread so carelessly? Cookies really don't work on shared machines either: say the computer in your den that is used by four family members. Whose cookie is stored on this PC?

The long term answer is to have a digital ID using public key infrastructures. Yes, there are issues to be resolved and it is early in the game, but the promise is great and one we should all be pushing for. Your digital ID can be stored on your personal computer, in a smartcard, in a Java ring, or on something you wear around your neck. Wherever you keep it, the digital ID is a very empowering thing. Your password goes no further than your own PC. Instead you will use your password to initiate an encrypted exchange of digital data between your PC and the other party.

A digital ID can also handle the other four security issues mentioned above besides authentication. Last summer, we announced with Equifax an initiative to simplify the issuing and tracking of digital IDs for businesses.

None of these alternatives is perfect. However, digital IDs have great promise, and I think you'll see more and more sites beginning to use them to handle authentication issues, along with the other security issues.

Thanks for sharing, John. I think you are right, although the promise of digital IDs remains far too complex for the average web surfer. For those of you who want to explore some of these password management products, searching www.shareware.com for "password" uncovers numerous products such as Password Manager and Password Keeper. My favorite so far is the free Password Pro. It is a Windows program and can be used to store the actual URLs along with the password for the web pages. A $25 Macintosh shareware alternative is Web Confidential. And Quicken99 will store passwords for various online banking accounts.

An alternative to these password collectors is to use an experimental site from Lucent. Called the Lucent Personalized Web Assistant, it computes usernames, passwords, and e-mail addresses on the user's behalf for sites that require registration. Think of it as a password proxy server, which is basically how it operates. Unlike the collectors, there is no software to download to your hard disk, just a small change in your browser configuration to connect to the proxy.

If you are still interested in cookies, one tool that gives you better control over which sites you allow to send them to you is called Cookie Pal.

Finally, there is CompuServe's solution called Remote Passphrase Authentication (RPA). It currently works with NT/IIS and Solaris Netscape web servers.
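To make concrete the difference John draws between a password sent "in the clear" and a scheme where "your password goes no further than your own PC" (and the passphrase-based approach that RPA takes), here is a small added example, written for this page and not code from CompuServe, IBM, or any product named above. It is a challenge-response login: the server stores only a salted, password-derived verifier, sends a fresh random challenge, and the client answers with an HMAC computed locally. The usernames, passwords, and the simplified protocol are constructed for illustration; the key derivation uses PBKDF2 from Python's standard library rather than the MD5-based construction RPA actually used.

```python
import hashlib
import hmac
import secrets

# Constructed server-side store: username -> {salt, verifier}. The password
# itself is never written here; only a PBKDF2-derived key is kept.
def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def register(store: dict, username: str, password: str) -> bytes:
    """Enroll a user. Returns the salt, which the client must also know."""
    salt = secrets.token_bytes(16)
    store[username] = {"salt": salt, "key": derive_key(password, salt)}
    return salt

def server_challenge() -> bytes:
    """A fresh random nonce per login attempt; it is what defeats replay."""
    return secrets.token_bytes(32)

def client_response(password: str, salt: bytes, username: str, challenge: bytes) -> bytes:
    """Runs on the user's PC. The password is used locally and only the MAC leaves."""
    key = derive_key(password, salt)
    return hmac.new(key, username.encode() + b"|" + challenge, "sha256").digest()

def server_verify(store: dict, username: str, challenge: bytes, response: bytes) -> bool:
    rec = store.get(username)
    if rec is None:
        return False  # unknown user; compare_digest below still runs in constant time for known users
    expected = hmac.new(rec["key"], username.encode() + b"|" + challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)

def clear_text_wire(username: str, password: str) -> bytes:
    """What a sniffer captures from a traditional login form posted in the clear."""
    return f"user={username}&password={password}".encode()

def run_demo() -> dict:
    """Constructed end-to-end exchange; returns the observations a reader would check."""
    store = {}
    username, password = "dstrom", "correct horse battery"   # constructed sample credentials
    salt = register(store, username, password)

    # Legitimate login: server challenges, client answers, server verifies.
    ch = server_challenge()
    resp = client_response(password, salt, username, ch)
    ok = server_verify(store, username, ch, resp)

    # Everything that crosses the wire in the challenge-response scheme.
    wire = username.encode() + b"|" + ch + b"|" + resp

    # A sniffer who recorded (username, challenge, response) replays it against a new challenge.
    replay_ok = server_verify(store, username, server_challenge(), resp)

    # Wrong password produces a different MAC.
    wrong_ok = server_verify(store, username, ch, client_response("guess", salt, username, ch))

    return {
        "login_ok": ok,
        "replay_ok": replay_ok,
        "wrong_password_ok": wrong_ok,
        "password_on_wire": password.encode() in wire,
        "password_on_clear_wire": password.encode() in clear_text_wire(username, password),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two caveats follow directly from John's letter. First, the server still holds a secret (the derived key) that can impersonate the user, so a "scofflaw" merchant who reuses your universal password elsewhere is not stopped by this scheme; that is exactly the gap a public-key digital ID closes, because a site then stores only a public key that cannot be turned around and used to log in as you. Second, the challenge must be unpredictable and never reused, since a repeated challenge turns the captured response into a replayable credential.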

David Strom
david@strom.com
+1 (516) 944-3407
entire contents copyright 1999 by David Strom, Inc.
Web Informant is a registered trademark (®) with the U.S. Patent and Trademark Office