#3
17th August 2012
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,983

You had two questions.

#1
Quote:
Even with the 'never accept cookies' setting, we are using some willy-nilly?
If cookies are not stored on disk, you establish your identity to start your session each time. But you still have temporary cookies -- in particular, a session ID, that allows the web application to know that it is YOU it is talking to. Here, for example, is an excerpt from tcpdump(8) from this current session as I clicked the "Preview Post" button on the vbb editor just now. You can see there is a lot of personal information sent in the clear.
Code:
POST /newreply.php?do=postreply&t=7374 HTTP/1.1
Host: www.daemonforums.org
User-Agent: Mozilla/5.0 (X11; OpenBSD i386; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.daemonforums.org/newreply.php?do=postreply&t=7374
Cookie: bblastvisit=<ten digits>; bblastactivity=0; bbuserid=<xx>; 
bbpassword=<some hex>; bbsessionhash=<some more hex>
Content-Type: application/x-www-form-urlencoded
Content-Length: 856
#2
Quote:
those certificates: are they really trustworthy?
Yes... and no. The purpose of a certificate is to validate that the website is that of the certificate holder and no one else. Certificate Authorities exist to provide a Chain of Trust -- and as we have seen, some CAs have abused or broken their trust.
Less commonly, certificates are installed in browsers to validate the user's identity in similar fashion.
Browser makers keep lists of CAs who they trust. And as we have seen they revoke certifications when trust fails. However, certificates are currently the most common way to establish identification of a public facing web server.

We won't solve this problem here, and of course it is outside the scope of discussion I'd started.

Last edited by jggimi; 17th August 2012 at 02:21 AM. Reason: added user certs
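To make the first point concrete, here is an added Python example (not jggimi's code and not part of the original post) that parses a captured request head like the tcpdump excerpt above and lists the credential-bearing cookies a plaintext connection exposes to anyone on the path. The sample request is constructed from that excerpt with the same placeholders, and the sensitive-name pattern is an assumption tuned to vBulletin's bb* cookies.

```python
import re

# Constructed sample: the plaintext vBulletin POST quoted above, secrets kept
# as placeholders; the Cookie header is folded onto a second (indented) line.
SAMPLE_REQUEST = """POST /newreply.php?do=postreply&t=7374 HTTP/1.1
Host: www.daemonforums.org
User-Agent: Mozilla/5.0 (X11; OpenBSD i386; rv:13.0) Gecko/20100101 Firefox/13.0.1
Referer: http://www.daemonforums.org/newreply.php?do=postreply&t=7374
Cookie: bblastvisit=<ten digits>; bblastactivity=0; bbuserid=<xx>;
 bbpassword=<some hex>; bbsessionhash=<some more hex>
Content-Type: application/x-www-form-urlencoded
Content-Length: 856
"""

# Assumed name pattern for cookies that carry credentials or session state
# (tuned to vBulletin's bb* cookies; extend it for other applications).
SENSITIVE = re.compile(r"pass|sess|auth|token|hash", re.IGNORECASE)

def parse_headers(raw):
    """Return (request_line, {lowercased name: value}) from a raw request
    head, joining folded continuation lines onto the preceding header."""
    lines = raw.strip().splitlines()
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()   # obs-fold continuation
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return lines[0], headers

def cookies(headers):
    """Split the Cookie header into a {name: value} dict."""
    out = {}
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out

def exposed_credentials(raw, tls):
    """Sensitive cookie names sent readable on the wire: empty over TLS or
    when none is present, otherwise the session-hijack exposure described
    above (the fix is HTTPS plus the Secure flag on those cookies)."""
    if tls:
        return []
    _, headers = parse_headers(raw)
    return sorted(n for n in cookies(headers) if SENSITIVE.search(n))
```

Run against the sample it reports bbpassword and bbsessionhash for a plain HTTP capture and nothing once the same request travels over TLS.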