From ced8755604641c25869df164af07c199d6818dea Mon Sep 17 00:00:00 2001 From: Joe Wreschnig Date: Thu, 11 Sep 2014 16:16:33 +0200 Subject: [PATCH] Include more information on how CSRF cookies work. --- privacy.html | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/privacy.html b/privacy.html index 5771ab6..5ce78ab 100644 --- a/privacy.html +++ b/privacy.html @@ -50,28 +50,30 @@ We don't use cookies or anything like cookies to track you.

- We use extremely short-lived cookies to prevent - request forgery. These don't contain any identifying - information and they self-destruct after a few seconds. + We use cookies to prevent request forgery. These don't contain + any identifying information. These double-submit cookies, + are random cookies that reset each time you visit the page. + This prevents another site from tricking you into submitting + data to our site, because they can't read the random value in + the cookie.

- For long-term data we use HTML5 + For long-term data storage we use HTML5 localStorage and other similar client-side storage. This gives you - the benefits of cookies, plus your data is never sent to the + the benefits of cookies, but your data is never sent to the server, so there's nothing to secure.

Security

- We don't track any user data via this site, so we have no + We don't track any personal data via this site, so we have no special databases to secure.

- If you are concerned about your connection being intercepted - by someone else, we offer - HTTPS for our main domain. We would like to offer it - for more, but the CA racket means we can't afford it. - In the future we hope CAs are replaced by something like + Our primary site, which you are reading now, is served + exclusively via HTTPS. We would like to offer HTTPS for all + our subdomains, but the CA racket means we can't afford it. In + the future we hope CAs are replaced by something like Convergence so cheap security is available for everyone, but right now it doesn't work reliably. -- 2.30.2