
The COOKIE MONSTER (was Re: What's a COOKIE?)

Denis Beauregard

Jan 9, 1997, 3:00:00 AM

Klaus Johannes Rusch (e872...@fbma.tuwien.ac.at) wrote:
: Marco Zambon (zamb...@unive.it) wrote:
: : The server www.....com
: : wishes to set a cookie
: : that will be sent only back to itself
: : The name and value of the cookie are:

: : Is there anyone who know what is a COOKIE?

: A cookie is a piece of information sent by the server, stored on your
: system, and returned to the server with further requests. See the Netscape
: specification at
: <URL:http://home.netscape.com/newsref/std/cookie_spec.html> or the latest
: drafts at <URL:http://www.w3.org/> for details.

Cookies can be sent by a foreign server. i.e. If you are visiting site
XXX which takes a picture on server YYY (i.e. advertising generated by
another server), then the cookie comes from another server and can be used
to spy on what pages you are looking at.

On one hand, this could mean an advertising company may identify you (if
you are using their network of advertisements), and later control
advertisements you will see, making this advertising company very
powerful.

On the other hand, this can become in the long run as if someone was
watching what TV programs you are watching. Big brother is sending you a
cookie.

There are sites that are now sending a cookie each time you download
something. Thus, you read a page with 10 .jpg, then you have to press "I
don't accept the cookie" button 11 times.

There are sites that will not let you get a page if you don't accept their
cookies. Try to get homepage from www.microsoft.com without accepting the
3 cookies.

From the day someone can control what you can see, freedom is lost.

So fight today the cookie monsters. Complain to servers sending
cookies out of control of page owners. Delete the cookies.txt files after
each time you restart netscape or change the cookies.txt content (I
propose to post your cookies.txt to make those cookies totally useless).
Don't let big brother control what you will see.

Denis

--
### Denis Beauregard, genealogiste amateur, Internet: be...@cam.org
### Page web de genealogie: http://www.cam.org/~beaur/gen/index.html
### Genealogy Web page: http://www.cam.org/~beaur/gen/welcome.html
### Sujets: Quebec, France, Acadie, experts francophones, etc.

Brian E. Gallew

Jan 10, 1997, 3:00:00 AM

> From the day someone can control what you can see, freedom is lost.

So, as a private person, I don't have the right to require you to accept a
cookie to access my site?

Nobody is controlling what you see: you are. By CHOOSING not to accept that
cookie, you are CHOOSING not to see those pages. Welcome to America, where we
have freedom to choose (well, a little, at least). I will not argue that it is
paranoid to refuse cookies, or that Big Brother is watching, because it isn't
and he is. However, information protected by cookies is no more a violation of
your rights than is the fee charged at movie theaters.


=====================================================================
| Please do not shoot at the thermonuclear weapons! -- Deacon |
=====================================================================
| Finger ge...@andrew.cmu.edu for my public key. |
=====================================================================


Alan J. Flavell

Jan 10, 1997, 3:00:00 AM

On Fri, 10 Jan 1997, Brian E. Gallew wrote:

> Welcome to America,

Some mistake, surely. The first W in WWW may seem like it stands
for USA, but there are other thinking beings on Earth too, you know.

(I'm just whimpering after hearing a USAn refer to a Jamaican who lives
in England as an "African American").

Rodney Weaver

Jan 11, 1997, 3:00:00 AM

In article <ML-1.3.2.85290...@acis2.as.cmu.edu>,

Brian E. Gallew <ge...@CMU.EDU> wrote:
>> From the day someone can control what you can see, freedom is lost.
>
>So, as a private person, I don't have the right to require you to accept a
>cookie to access my site?
>
>Nobody is controlling what you see: you are. By CHOOSING not to accept that
>cookie, you are CHOOSING not to see those pages. Welcome to America, where we
..

>and he is. However, information protected by cookies is no more a violation of
>your rights than is the fee charged at movie theaters.

Actually, a closer analogy would be the movie theater requiring that
you use a "movie-access card" when you go to a movie, which contains
the street you live on (not your name or house number), as well as a
record of every movie you've seen and every snack bar item you've
purchased. You could choose not to frequent that theater if you
don't want your habits tracked, until all of the theaters require
the card (because some ad agency pays them money for the data,
which they use to target those annoying ads that are starting to
appear before the movie previews).

This is closer to the use of a cookie that lets a web site track you by
IP address (but not e-mail address unless you supply it to them), a
unique identifier assigned by them, and a record of everything you
ever do at their site.

This is very similar to what grocery stores do now with their
"convenient" check-cashing cards, instant coupon cards, and credit card
tracking. However, I've not yet seen a grocery store that refuses to
take untrackable cash.

-Rodney

--
rwe...@best.com

suz...@infonet.infousa.com

Jan 13, 1997, 3:00:00 AM

On 9 Jan 1997 11:14:09 -0500, be...@CAM.ORG (Denis Beauregard) wrote:


>
>Cookies can be sent by a foreign server. i.e. If you are visiting site
>XXX which takes a picture on server YYY (i.e. advertising generated by
>another server), then the cookie comes from another server and can be used
>to spy on what pages you are looking at.
>
>On one hand, this could mean an advertising company may identify you (if
>you are using their network of advertisements), and later control
>advertisements you will see, making this advertising company very
>powerful.
>
>On the other hand, this can become in the long run as if someone was
>watching what TV programs you are watching. Big brother is sending you a
>cookie.
>
>There are sites that are now sending a cookie each time you download
>something. Thus, you read a page with 10 .jpg, then you have to press "I
>don't accept the cookie" button 11 times.
>
>There are sites that will not let you get a page if you don't accept their
>cookies. Try to get homepage from www.microsoft.com without accepting the
>3 cookies.
>
>
>

>From the day someone can control what you can see, freedom is lost.
>

>So fight today the cookie monsters. Complain to servers sending
>cookies out of control of page owners. Delete the cookies.txt files after
>each time you restart netscape or change the cookies.txt content (I
>propose to post your cookies.txt to make those cookies totally useless).
>Don't let big brother control what you will see.
>
>Denis
>
>--
>### Denis Beauregard, genealogiste amateur, Internet: be...@cam.org
>### Page web de genealogie: http://www.cam.org/~beaur/gen/index.html
>### Genealogy Web page: http://www.cam.org/~beaur/gen/welcome.html
>### Sujets: Quebec, France, Acadie, experts francophones, etc.

I have to take a bit of exception to your statement here. Cookies are
not a plot to take over the world and track your every move for Big
Brother.

Basically, only the site that sent you a cookie can read their cookie.
Site A can not access cookies sent to your browser by Site B.

Cookies can be used to identify you as an authorized user to a site, by
storing your username and password in a cookie. This eliminates the
need for you to enter it each time you visit the site.

Perhaps the most common use for a cookie is for Internet shopping. The
"shopping cart" that you store your selections in is nothing more than
a cookie containing the items you selected to purchase. To see a
benign, and very useful, example of cookies in action go to
http://www2.infousa.com/webtique/ and try it out.

The only danger I can see from a cookie is a server that would store
your credit card information in a cookie. The remote possibility
exists that the card information could be captured as the cookie is
transmitted to the server from your browser with each server access.
Smart Web designers would not do that, however.

Advertising companies can track what you like via a cookie, and then
e-mail you ads for their products, but they cannot control ALL the
advertising that you will EVER see, anymore than mailing a response
card back would block all other future advertising you receive in the
mail.

BTW, you can turn off the message that alerts you to a cookie being
sent, if it annoys you. It is also a bit stupid for a site to insist
that you accept a cookie, if it is not necessary for the functioning of
the site. Obviously, if you refuse cookies on a shopping site, you
won't get very far but in the username/password scenario, it would
just force you to have to log in each and every time.

==================================================================
infoNet - Your World-Wide marketing Connection
Web design,hosting and site promotion. Internet marketing help.
If you don't have an Internet Marketing Plan, we can develop it.
For more information,E-mail in...@infousa.com with INFO in Subject.
http://www.infousa.com
==================================================================
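
The scoping rule in the post above ("only the site that sent you a cookie can read their cookie") and the ad-server case quoted from the first post can be checked against a cookies.txt file. This is an added example, not part of the original thread; the hosts, cookie values and page list are constructed, and the file layout is the seven tab-separated fields Netscape writes to cookies.txt.

```python
from urllib.parse import urlsplit

# Constructed cookies.txt: domain, subdomains?, path, secure?, expiry, name, value
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "\t".join(["shop.example", "FALSE", "/", "FALSE", "852076800", "cart", "item42"]),
    "\t".join([".ads.example", "TRUE", "/", "FALSE", "946684800", "uid", "A1B2C3"]),
    "\t".join(["bank.example", "FALSE", "/account", "TRUE", "852076800", "sess", "xyz"]),
])

# Constructed browsing session: page URL -> images the page pulls in.
SAMPLE_PAGES = {
    "http://shop.example/index.html": ["http://img.ads.example/banner.gif"],
    "http://news.example/today.html": ["http://img.ads.example/banner.gif"],
}


def parse_cookies_txt(text):
    """Parse Netscape cookies.txt lines, skipping comments and malformed rows."""
    cookies = []
    for line in text.splitlines():
        fields = line.split("\t")
        if line.startswith("#") or len(fields) != 7:
            continue
        domain, subdomains, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain, "subdomains": subdomains == "TRUE", "path": path,
            "secure": secure == "TRUE", "expires": int(expires),
            "name": name, "value": value,
        })
    return cookies


def domain_matches(host, cookie):
    """Exact host match, or tail match when the cookie covers subdomains."""
    domain = cookie["domain"].lstrip(".").lower()
    host = host.lower()
    return host == domain or (cookie["subdomains"] and host.endswith("." + domain))


def cookies_sent(cookies, url):
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return [c["name"] for c in cookies
            if domain_matches(parts.hostname, c)
            and path.startswith(c["path"])
            and (not c["secure"] or parts.scheme == "https")]


def trace_browsing(cookies, pages):
    """For each host, list (page being viewed, cookie names it received)."""
    seen = {}
    for page_url, resources in pages.items():
        for url in [page_url] + list(resources):
            names = cookies_sent(cookies, url)
            if names:
                seen.setdefault(urlsplit(url).hostname, []).append((page_url, names))
    return seen


if __name__ == "__main__":
    jar = parse_cookies_txt(SAMPLE_COOKIES_TXT)
    for host, hits in trace_browsing(jar, SAMPLE_PAGES).items():
        print(host, hits)
```

The shop never sees the ad server's `uid`, yet the ad server receives its own `uid` on both page views; the `secure` column is what keeps the `sess` cookie off plain-HTTP requests.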

Klaus Johannes Rusch

Jan 13, 1997, 3:00:00 AM

Denis Beauregard wrote:
> So fight today the cookie monsters.

There are very powerful applications of cookies, such as shopping baskets.
If you decide not to buy immediately but wait a few more days, your
shopping basket still has all the products you picked when you return.

Basically, a cookie can only store information you entered on a form, or
information about what you did while visiting a web site. Personally, I
would consider Referer information a more significant privacy issue than
cookies.

Klaus Johannes Rusch
--
e872...@student.tuwien.ac.at, Klaus...@atmedia.net
http://www.atmedia.net/KlausRusch/


Denis Beauregard

Jan 13, 1997, 3:00:00 AM

e872...@fbma.tuwien.ac.at (Klaus Johannes Rusch) wrote:

>Basically, a cookie can only store information you entered on a form, or
>information about what you did while visiting a web site. Personally, I
>would consider Referer information a more significant privacy issue than
>cookies.

What is "referer information" ? Do you mean something like user
profile one could get from dejanews (i.e. all messages I sent in the
last few months) ?

Denis

Alexandre Rafalovitch

Jan 14, 1997, 3:00:00 AM

In article <E3yH5...@ireq.hydro.qc.ca>, be...@cam.org (Denis Beauregard)
wrote:

Nope. Though that one is also frightening.

Referer is the URL of the page which had the link you clicked on to get to
this site. 'This' is the site, whose page you are currently getting.

Referer is not passed if:
1) you entered URL by hand.
2) you called it from bookmarks (vs online file)


Easy (if long :-{ ) example:
Let's say you have your own private collection of bookmarks at
<http://www.foo.bla/hidden/bookmarks.html>.

Now, you did not link to directory 'hidden' anywhere else, so the only way
to get to it is by you typing the URL directly. Therefore, this is a quite
secure document (especially if 'hidden' is less obvious name).
Now, since the document is secure, you decide to put on it a link to paid
service which uses userId in GET requests. (e.g.
<http://foo.com/cgi-bin/display.cgi?id=98786544345&command=profile>).

Another link you have is for the nice underground mag
<http://underdog.foo/index.html> which you visit frequently.

Here comes 'referer'. Every time you visit the mag site by following the
link from your 'private' bookmarks list, an http header 'Referer:
http://www.foo.bla/hidden/bookmarks.html' is sent. Usually, Referer field
is not logged, but it easily can be.

One day, the owner of mag site looks through his logs and sees this funny
referer. Out of curiosity, he/she follows the link and, presto, he/she
found your _hidden_ bookmark file. Following from there to your paid
service is just a matter of time.

Same applies to your intranet sites. Even if it can't be accessed, the
information could be valuable. So, don't put references to your competitors
website in your company's private html files. (eg.
http://internal/to_eliminate.html )

In the HTTP spec, it was mentioned that referer is not a very secure
feature and should be configurable. I think only one browser allows you to
turn it off. (Opera?).

I hope the security implications of that are evident.

Hope it helps,
Alex.
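
The leak described in the post above can be audited before a private page goes live. This is an added example, not part of the original thread: it reuses the post's URLs in a constructed page, adds a constructed ad image on `ads.example`, and the list of sensitive parameter names is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

# Assumption: query parameter names that usually carry an account or session id.
SENSITIVE_PARAMS = {"id", "user", "userid", "sid", "session", "token", "key"}

# Elements whose URL the browser requests; only <a> waits for a click.
URL_ATTRS = {"a": "href", "img": "src", "frame": "src", "iframe": "src"}

# Constructed page built from the URLs in the post.
SAMPLE_PAGE_URL = "http://www.foo.bla/hidden/bookmarks.html"
SAMPLE_HTML = """
<a href="http://foo.com/cgi-bin/display.cgi?id=98786544345&amp;command=profile">paid</a>
<a href="http://underdog.foo/index.html">underground mag</a>
<a href="notes.html">my notes</a>
<img src="http://ads.example/banner.gif">
"""


class LinkCollector(HTMLParser):
    """Collect (tag, url) pairs for every element that triggers a request."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.links.append((tag, value))


def referer_exposure(page_url, html):
    """Report which other hosts learn page_url via Referer, and what it exposes."""
    page_host = urlsplit(page_url).hostname
    collector = LinkCollector()
    collector.feed(html)
    receivers = {}   # host -> True if it is contacted without any click
    secrets = []     # links readable by anyone who learns page_url
    for tag, raw in collector.links:
        absolute = urljoin(page_url, raw)
        target = urlsplit(absolute)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, ftp: and similar carry no HTTP Referer
        names = [k for k, _ in parse_qsl(target.query)
                 if k.lower() in SENSITIVE_PARAMS]
        if names:
            secrets.append((absolute, names))
        if target.hostname != page_host:
            automatic = tag != "a"
            receivers[target.hostname] = receivers.get(target.hostname, False) or automatic
    return {"referer_sent": page_url, "receivers": receivers,
            "secrets_on_page": secrets}


if __name__ == "__main__":
    report = referer_exposure(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for host, automatic in report["receivers"].items():
        print(host, "learns", report["referer_sent"],
              "(on page load)" if automatic else "(on click)")
    for url, names in report["secrets_on_page"]:
        print("identifier in link:", url, names)
```

Current browsers send only the origin on cross-site requests by default, and a `Referrer-Policy: no-referrer` response header on the private page suppresses the header entirely; identifiers in GET URLs remain exposed to anyone who reaches the page.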

Tor Iver Wilhelmsen

Jan 14, 1997, 3:00:00 AM

be...@cam.org (Denis Beauregard) writes:
>
>What is "referer information" ? Do you mean something like user
>profile one could get from dejanews (i.e. all messages I sent in the
>last few months) ?

Referer is a header field sent from the browser to the server, telling it
what page the link it followed was on.

This discussion is moot anyway: If you don't like cookies, use a browser
that doesn't have the "feature", such as Opera or Lynx.

- Tor Iver

--
"Growing conspiracy | tor...@pvv.org
Myself is after me | http://www.pvv.org/%7Etoriver
Frayed ends of sanity |
Hear them calling, hear them calling me." - Metallica

Eli the Bearded

Jan 14, 1997, 3:00:00 AM

Tor Iver Wilhelmsen <tor...@pvv.ntnu.no> wrote:
>This discussion is moot anyway: If you don't like cookies, use a browser
>that doesn't have the "feature", such as Opera or Lynx.

There is some very alpha work right now for adding cookie support
to Lynx. I am reasonably sure when it makes it to release it will
be a user configurable thing. The current version allows you to
look at the cookies stored, on the to-do list is an edit/delete
option.

Elijah
------
how many other free source browsers are there in active development, anyway?

Eli the Bearded

Jan 14, 1997, 3:00:00 AM

Alexandre Rafalovitch <al...@access.com.au> wrote:

>be...@cam.org (Denis Beauregard) wrote:
>>What is "referer information" ? Do you mean something like user
>>profile one could get from dejanews (i.e. all messages I sent in the
>>last few months) ?
>Nope. Though that one is also frightening.

I fail to see how Dejanews is "frightening". I am well aware of the
implications of Dejanews's archive service on privacy, but nothing
they do is inherently unique to them. There is no reason I can't
keep tape backups of the full newsfeed that comes into my site and
kiboize that. I see Dejanews as useful in that it doesn't hide the
ability to do these things from people.

I think we can expect commercial background check services to become
common as computers and networks become more a part of everyday life.
The existence of Dejanews allows people to see for themselves the
type of data such services can obtain. (Any decent background check
service will do its own archiving of usenet, probably paying
particular attention to people trying to hide with "X-no-archive: yes"
and crude anonymization.)

Call me paranoid if you will, it is a job hazard of being a programmer.

[description of Referer header]


>In the HTTP spec, it was mentioned that referer is not a very secure
>feature and should be configurable. I think only one browser allows you to
>turn it off. (Opera?).

Lynx, from at least version 2.5 on, does. (Didn't someone here call it
"stone age" the other day?) I personally recommend applying a binary
editor to all other browsers and removing the capability. I have done
so with my copy of Nutscrape. (Yeah yeah, now five people will tell me
I just violated the terms of use. I don't believe it is legal for anyone
to tell me what I may or may not do to my copy of any software. Do
/with/, maybe, do /to/, no.)

Elijah
------
hint: printf doesn't break if there are more arguments than %'s

Alexandre Rafalovitch

Jan 15, 1997, 3:00:00 AM

In article <5bgf9f$n...@alpha.NetUSA.Net>, Eli the Bearded
<usene...@qz.little-neck.ny.us> wrote:

>Alexandre Rafalovitch <al...@access.com.au> wrote:
>>be...@cam.org (Denis Beauregard) wrote:
>>>What is "referer information" ? Do you mean something like user
>>>profile one could get from dejanews (i.e. all messages I sent in the
>>>last few months) ?
>>Nope. Though that one is also frightening.
>
>I fail to see how Dejanews is "frightening". I am well aware of the
>implications of Dejanews's archive service on privacy, but nothing
>they do is inherently unique to them. There is no reason I can't
>keep tape backups of the full newsfeed that comes into my site and
>kiboize that. I see Dejanews as useful in that it doesn't hide the
>ability to do these things from people.
>

Well, I actually agree with your point more than my statement might lead
you to think. Actually I agree that for a person who knows what is going
on, it is not frightening but just has some implications he/she has to
keep in mind. For beginners though, it might be frightening. Also, even
though Dejanews is not a unique service it is one of the very visible ones.

There were a couple of articles in RISK newsgroup that show the risks of
Dejanews, People Finders, etc. The main idea was that they provide greater
and easier dissemination of the information that would be harder to find
otherwise. (as in breaking 'security through obscurity' rule that some
people still actively use)


>I think we can expect commercial background check services to become
>common as computers and networks become more a part of everyday life.
>The existence of Dejanews allows people to see for themselves the
>type of data such services can obtain. (Any decent background check
>service will do its own archiving of usenet, probably paying
>particular attention to people trying to hide with "X-no-archive: yes"
>and crude anonymization.)
>

True, but how many beginners and not-so-beginners know/remember about
X-no-archive: yes and know how to set it up on their newsreaders? (and how
many of them know how their emails get to People finder pages?)


>Call me paranoid if you will, it is a job hazard of being a programmer.
>

Agree. :-} Also, being a programmer increases your knowledge. More knowledge
increases your paranoia, more paranoia makes you learn more, more knowledge
makes you a better programmer......

>[description of Referer header]
>>In the HTTP spec, it was mentioned that referer is not a very secure
>>feature and should be configurable. I think only one browser allows you to
>>turn it off. (Opera?).
>
>Lynx, from at least version 2.5 on, does. (Didn't someone here call it
>"stone age" the other day?)

Should have guessed. And who _dared_ to call lynx the 'stone age'. They
probably are using Netscape newsreader as well. :-}

> I personally recommend applying a binary
>editor to all other browsers and removing the capability. I have done
>so with my copy of Nutscrape. (Yeah yeah, now five people will tell me
>I just violated the terms of use. I don't believe it is legal for anyone
>to tell me what I may or may not do to my copy of any software. Do
>/with/, maybe, do /to/, no.)
>

Did you just change the Referer field or did you manage to get Netscape not to
send it at all? Just curious.

Regards,
Alex.

Marcus Edward Hennecke

Jan 17, 1997, 3:00:00 AM

In article <5bhgp6$1...@alpha.NetUSA.Net>,

Eli the Bearded <usene...@qz.little-neck.ny.us> wrote:
>how many other free source browsers are there in active development, anyway?

X Mosaic supposedly is still in development:

http://hagbard.ncsa.uiuc.edu/hyperion/

it doesn't seem all that active, though.
--
Marcus E. Hennecke
mar...@leland.stanford.edu http://www.crc.ricoh.com/~marcush/
For FAQs first check ftp://rtfm.mit.edu/pub/usenet/<name.of.newsgroup>

J.M. Ivler

Jan 17, 1997, 3:00:00 AM

Klaus Johannes Rusch (e872...@fbma.tuwien.ac.at) wrote:
: Denis Beauregard wrote:
: > So fight today the cookie monsters.

: Basically, a cookie can only store information you entered on a form, or


: information about what you did while visiting a web site. Personally, I
: would consider Referer information a more significant privacy issue than
: cookies.

Incorrect.

You travel. You have a nationwide ISP. You come to my site, I put a cookie
on you. You play a game of chance or a lottery draw and I capture your
personal information and associate it to your cookie. Every time you come
to my site I get your pop. I know when you are on the road and where you
are. :-) Tell me when you feel violated.

and that is just one example...

jmi
http://www.wwinfo.com/cookie/

