JavaScript considered harmful

Lulu of the Lotus-Eaters mertz at gnosis.cx
Tue Jan 8 13:49:14 EST 2002


"Steve Holden" <sholden at holdenweb.com> wrote:
|The REAL problem is with browsers that cheerfully respond with cookies to
|servers other than the source of the HTML page they are currently rendering.
|If every browser would allow this behavior to be switched off (and had it
|switched off by default) then the "1-pixel camera" trick would be a spent
|force and we could all stop having these discussions.

Actually, the 1-pixel camera problem exists even with cookies completely
disabled.  It's tricky to prevent the undesired leaking of information
on browsing habits to insidious marketers like doubleclick.

I use something like this on my own site (for reasons of good, not evil
:-)).  Specifically, my webhosting company doesn't collect
HTTP_USER_AGENTS in my log (I think they would if I paid them some more
money).  I got curious about which browsers and OS's were visiting my
site, so I added a 1x1 CGI image to the bottom of my main pages.  That
CGI collects entries like the below (this reformatted entry is me, I
don't want to give away anything about browsing habits of my visitors):

    Tue Jan 8 12:55:13 2002
    151.203.186.147
    Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:0.9.5) Gecko/20011016

My 1x1 image just happens to live at the same domain as my website, but
there is no reason it needs to.

Now suppose the following.  Two semi-legitimate organizations, say
wittgenstein.org and spanking-accessories.com (hi Alex :-)) both carry
banners and/or 1-pixel cameras from evil-marketers.com.  Suppose also, I
decide to visit the two semi-legitimate sites during the same connection
session.

My IP address is going to remain the same during a particular login.
And even if I get a dynamic IP address from my ISP, it will probably
remain in the same range.  My particular browser ID is unusual too, and
therefore particularly identifiable.  Moreover, the time stamp for a
1-pixel camera will be within a couple seconds of that for the site it
occurs on.

Given all this, maybe I log on to the Wittgenstein site, and post an
"anonymous" thought about the Blue and Brown Books.  This anonymous
thought comes from the above IP address, and the webmaster can log it if
she wants to.  Now I visit the spanking-accessories site, and the
slightly shady webmaster asks the even shadier evil-marketers XML-RPC
interface "what was the most recent place 151.203.186.147 visited?"
evil-marketers mentions the wittgenstein site, and if the latter
cooperates, maybe my whole "anonymous" post is forwarded to
spanking-accessories.com.  The result:  I get targeted ads for
Oxford-logo wooden paddles and specially-flavored carpet fragments.

Maybe all that is a "service" to me.  But a lot of information gets
spread around that I do not necessarily want shared in the ways it is.

Yours, Lulu...
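
The linkage the post describes, as an added example that is not part of the original message: a constructed camera log in the post's own record format (timestamp, IP, User-Agent, plus the referring site), and two functions showing that a third-party image host can answer "what did this IP/browser visit last?" and tie visits to different sites together with cookies switched off entirely. The log entries, the `10.0.0.5` client and the `example.net` site are made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample of what a third-party "1-pixel camera" CGI could record
# for each image hit: timestamp, client IP, User-Agent and the Referer host.
# The OS/2 entry mirrors the post's own record; the others are made up.
OS2_UA = "Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:0.9.5) Gecko/20011016"
IE_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
CAMERA_LOG = [
    ("Tue Jan 8 12:55:13 2002", "151.203.186.147", OS2_UA, "wittgenstein.org"),
    ("Tue Jan 8 12:58:40 2002", "151.203.186.147", OS2_UA, "spanking-accessories.com"),
    ("Tue Jan 8 12:56:02 2002", "10.0.0.5", IE_UA, "wittgenstein.org"),
    ("Tue Jan 8 13:40:00 2002", "10.0.0.5", IE_UA, "example.net"),
]

def parse_time(stamp):
    """Parse the ctime-style stamp the post shows ('Tue Jan 8 12:55:13 2002')."""
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")

def visits_by_browser(log):
    """Group hits by (IP, User-Agent): the cookie-less 'identity' a camera sees."""
    visits = defaultdict(list)
    for stamp, ip, ua, site in log:
        visits[(ip, ua)].append((parse_time(stamp), site))
    for hits in visits.values():
        hits.sort()
    return visits

def most_recent_site(log, ip, ua, before):
    """Answer the post's 'what was the most recent place <IP> visited?' query."""
    earlier = [(t, s) for t, s in visits_by_browser(log).get((ip, ua), []) if t < before]
    return earlier[-1][1] if earlier else None

def linked_pairs(log, window_seconds):
    """Sites that the same (IP, UA) hit within window_seconds of each other;
    these visits are linkable without any cookie at all."""
    pairs = set()
    for hits in visits_by_browser(log).values():
        for (t1, s1), (t2, s2) in combinations(hits, 2):
            if s1 != s2 and abs((t2 - t1).total_seconds()) <= window_seconds:
                pairs.add(tuple(sorted((s1, s2))))
    return pairs

if __name__ == "__main__":
    when = parse_time("Tue Jan 8 12:58:40 2002")
    print(most_recent_site(CAMERA_LOG, "151.203.186.147", OS2_UA, when))
    print(linked_pairs(CAMERA_LOG, window_seconds=600))
```

Widening the window links more sites per browser; a common User-Agent behind a shared IP is what makes the key ambiguous, which is the only thing the cookie-off setting buys here.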