[WEB SECURITY] Closing web sites due to legislation

MustLive mustlive at websecurity.com.ua
Wed May 23 16:55:14 EDT 2012

Hello participants of Mailing List.

Since 2008 I've wrote large series of articles about closing web sites due
to legislation. There were a lot of cases (from that time) in Ukraine
concerning multiple laws, where our law enforcements closed (temporarily or
permanently) web sites. And for a long time I was planning to write some
articles (at least summary articles) to the list on this topic. For example,
recently I've wrote article about closing sites by tax administration and
soon I'd write new articles on this topic (including closing sites due to
Euro 2012). But at first I'm presenting another article for you.

This article concerns law in European Union, so it can be more interesting
then laws in Ukraine (but those cases still will be interesting for you,
because similar laws can exist in other countries). In this article I'm
talking about such law as "EU Cookie Law"
Since May 2011 this law introduce such changes to online privacy laws in the
EU, that visitors of web sites must be asked for their consent for the use
of cookies. One year have been given (at least in UK) to web sites to
changes their behavior according to new law and since 26th of May 2012 this
law will be working in full force (in UK in this case).

Which means that web sites which not correspond to new legislation can be
fined (up to 500000 Euro). As stated in Internet, this law affects any web
site targeting an EU audience. I.e. not only sites in EU countries (for
local audience), but all sites made for EU audience. There is not closings
of web sites, just fines, but if fine will be large enough for the owner of
particular site, then he can close the site, so this law is suitable for my
series of articles about closing web sites due to legislation.

What does it mean for web sites.

They must change the common way of working with cookies (how it was since
invention of HTTP cookies), i.e. "silent way", and become using "loud way" -
to ask all users and visitors before setting cookies.

What is correct situation.

I've seen some EU sites, including ICO's site, which ask before setting
cookies, but small number of sites. Most of EU sites which I've visited for
last year didn't do it, so they were not compliant with EU Cookie Law.

The deadline - 26th of May 2012 - will come soon, so let's look how much
popular sites in EU are compliant with new law:

http://www.google.fr - doesn't compliant (silently set two cookies)

http://www.google.de - doesn't compliant (silently set two cookies)

http://fr.yahoo.com (redirected from yahoo.fr) - doesn't compliant (silently
set seven cookies)

http://www.bing.com/?cc=fr (redirected from bing.fr) - doesn't compliant
(silently set eleven cookies)

http://ec.europa.eu - at main page it doesn't set cookies, but after I've
visited next page it silently set one cookie.

So ICO should first start fining EU government sites ;-) and only then come
to web sites of Internet companies. Government sites should show themselves
as a good example to other sites concerning observance of the law. Will be
any fines concerning this law we will see (I'm not aware of any case for
now, but we'll see after 26th of May 2012). But there is another aspect.

Security aspect of this law.

There is a connection between EU Cookie Law and security of web sites (this
is main reason for writing this article). If web site will be hacked and
cookies will be set for visitors silently (automatically), then this site
can be fined - even if by default this site are compliant to EU law (asks
before setting cookies).

So vulnerabilities at any web site can be used to expose it to fines in EU
due to this law. It can be as serious vulnerabilities, which leaded to full
compromise of this site, or Cross-Site Scripting (as persistent XSS, as even
reflected XSS) or HTTP Response Splitting vulnerabilities. Because it's
possible to set cookies via XSS and HTTPRS vulnerabilities - which makes
these sites to not correspond to new law. So those web sites with IBM Domino
with multiple XSS and HTTPRS vulnerabilities, which I've announced last
week, are falling to the risk of fines (besides all other risks). So this
law is a good reason for web sites to improve their security.

Best wishes & regards,
Administrator of Websecurity web site

More information about the websecurity mailing list