Hey Jerry,
Thanks for the article. I never have understood the Ostrich mentality, stick your head in the sand and maybe no one will see me or the problem will go away.
I think ANY company that provides a product to the public, and states it's safe and secure, has the responsibility to inform it's customers of possible problems as soon as it knows of such problems. The EULA already insures that they can't be held liable for damages caused by such product problems, so why not let the customer know so they can take actions to protect themselves. I, and I'm sure most folks do on-line banking, bill paying and shopping on the web. If there's a security problem I want to know about it so I can make an informed decision as to what to do. After all it's MY money or information at risk. How anyone could see it differently is beyond me.

Which brings up another point. While I have built several sites with custom shopping carts, I make no claim as to being an expert on the subject. I use cookies to store "state" type info, but would never consider using cookies to store one's personal or financial information. Maybe I'm missing to boat here, but I've always stored this type of info in the database which has to be accessed by the user via their username and password. I store nothing in cookies that could give a malicous user a clue as to how to log into someone's account. Evidently not everyone subcribes to this practice, which surprises me.

>http://www.zdnet.com/zdnn/stories/comment/0,5859,2824251,00.html