Re: SSL weakness affecting links from pa

As the person who invented (and mispelt) the referer link I don't agree with the arguments made against it. The purpose of the referer link is to allow servers to collate pages of backlinks. This would make the Web browsable in both directions. I could never understand why Netscape supported the facility in the browser without also supporting the capture functionality in the server. It's a simple matter to add support but they seem uninterested. Of course there should be a toggle to allow users to turn off the referer field. I tried to get a recommendation to do this put into the spec. People then started shouting at me saying that it was impossible to enforce and so the recommendation shouldn't be there. Quite what the relevance of 'enforcement' is I don't know. Then they started jamming stupid ideas like cookies into the spec, ideas that showed all of five minutes thought.
Which was my original point. I'd even be willing to *pay* for a cert, but not more than about $15. I just find it odd that I can get SSL server software for cheaper than I can get a license to operate said software. Hey Verisign, why don't you offer a Class 1 server certificate?
The manner in which SSL is designed means that it requires a degree of trust in the certificate. Allowing the browser to automatically accept a class 1 cert would be somewhat foolhardy. Because someone put that damn key on the bottom of the browser some people expect there to be security. Instead they get encryption which ain't quite the same thing. There is nothing to stop you using a non-standard cert with SSL however. I use Apache with a cert I wrote myself.

Phill

"Phillip M. Hallam-Baker" <hallam@ai.mit.edu> writes:
As the person who invented (and mispelt) the referer link I don't (binary nonsense snipped)
$1 to Sinn Fein - thank you. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

At 05:05 PM 4/18/97 -0400, Phillip M. Hallam-Baker wrote:
As the person who invented (and mispelt) the referer link I don't agree with the arguments made against it. The purpose of the referer link is to allow servers to collate pages of backlinks. This would make the Web browsable in both directions. ... Then they started jamming stupid ideas like cookies into the spec, ideas that showed all of five minutes thought.
One major problem with these features is that the security implications become far more complex when you start combining them. For instance, autoloading images without referer are safe - but images + referer gives enough information to run doubleclick. Cookies without referer are pretty safe - but cookies+referer make cookies far less safe, and doubleclick more effective. Then you start putting HTML capability in news readers, and anybody who reads an article with an IMG in it creates a record for spammers (or Arbitron) to use. Rich Graves said that if you don't like the feature, take it up with the folks who wrote the spec - but the RFCs say that Referer needs to be handled carefully, and should be optional...
Of course there should be a toggle to allow users to turn off the referer field. I tried to get a recommendation to do this put into the spec. People then started shouting at me saying that it was impossible to enforce and so the recommendation shouldn't be there.
Perhaps too much commercial advertising capability already depended on it?

# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)

I'm surprised no one has suggested paying people for advertising. If the Netscape folks would integrate digicash into Communicator, then I could program my browser to only send referer to sites that paid for the information, and rent cookie space. Want your cookie to live till 1999? That's 24 months, at 50 cents per month...do you want to pay? These tools would allow users to set a value on their privacy, and get the money from advertisers. I know nothing encourages me to buy a product like getting cold hard cash from the maker.

Adam

Bill Stewart wrote:
| >Of course there should be a toggle to allow users to turn off the
| >referer field. I tried to get a recommendation to do this put into the
| >spec. People then started shouting at me saying that it was impossible
| >to enforce and so the recommendation shouldn't be there.
|
| Perhaps too much commercial advertising capability already depended on it?

--
"It is seldom that liberty of any kind is lost all at once." -Hume

If the Netscape folks would integrate digicash into Communicator, then I could program my browser to only send referer to sites that paid for the information, and rent cookie space. Want your cookie to live till 1999? That's 24 months, at 50 cents per month...do you want to pay?
That would only work until someone abuses it. People could create web robots to run around selling referers and several gigabytes of worthless cookie space. Worthless, because nobody cares about the web browsing habits of J. Random Robot, and they certainly don't want to blow $50 e-bucks on the bot's repeated visits.

Steve wrote:
| > If the Netscape folks would integrate digicash into Communicator,
| > then I could program my browser to only send referer to sites that
| > paid for the information, and rent cookie space. Want your cookie to
| > live till 1999? That's 24 months, at 50 cents per month...do you want
| > to pay?
| That would only work until someone abuses it. People could create web
| robots to run around selling referers and several gigabytes of
| worthless cookie space. Worthless, because nobody cares about the web
| browsing habits of J. Random Robot, and they certainly don't want to
| blow $50 e-bucks on the bot's repeated visits.

That's true, but can they avoid it? I'm considering writing a database pollution bot, which runs around, claiming to be Mozilla or IE, and randomly following a link once per minute. Why? Database pollution. If there are a few thousand of these randomly collecting links and creating arbitrary (or perhaps biased) viewing habits in the databases of the advertisers, then their individual data becomes worth less. They'll need to actively solicit people's permission to collect data before doing so, to avoid people polluting their databases.

Similarly, putting a randomly generated email address in those sign up fields produces pollution in the data used by spammers, which costs them (and no one else) money. If you run your own site, you can even bit bucket the email, trading their bandwidth for yours, and making them think they're delivering more junk email than they are.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

Adam Shostack writes:
That's true, but can they avoid it? I'm considering writing a database pollution bot, which runs around, claiming to be Mozilla or IE, and randomly following a link once per minute. Why? Database pollution. If there are a few thousand of these randomly collecting links and creating arbitrary (or perhaps biased) viewing habits in the databases of the advertisers, then their individual data becomes worth less. They'll need to actively solicit people's permission to collect data before doing so, to avoid people polluting their databases.
That's an interesting thought. As it happens last week I added a way in Cookie Jar to allow sending HTTP User-agent to some sites... the reason is that I ran into a couple that absolutely have to know what type of browser you are using, and if given no User-agent deliver either meaningless HTML or nothing at all. Wells Fargo and wIrEd.cOm are the ones I found. So I added a rule to pass the User-agent line to sites like that. However I edit out the part that informs the server what OS etc you are running. The User-agent is usually something of the form

User-Agent: Mozilla/3.0Gold (X11; U; Linux 6.6.6 i386)

and it's the part in the parens that I really object to, the part that says what browser you have seems to be what the sites in question need to deliver useable HTML. I briefly had it send:

User-Agent: Mozilla/3.0Gold (why; they; fuck do you care)

but now it sends nothing at all in the parens.

In order to maximally fuck up stats, what should be put into the windowing system/OS fields? It has to be something that exists and is fairly common, so that it's not able to be thrown out by the stats-gathers. I could use "(X11; MVS; IBM MVS some version number)" but that'd be easy to throw out, even though ports of X to MVS really did exist.

Maybe I'll just make every copy of Cookie Jar look like it's running on Linux.

BTW, Wells Fargo's on-line banking sucks dead gerbils through a dirty garden hose. The interface is poor, it checks that you're using SSL not by actually trying it, but by checking the User-agent field to see if you're using a browser that supports SSL, and then when I try to transfer money between accounts, it refuses with no explanation. A fine example of how NOT to do things.

--
Eric Murray ericm@lne.com Privacy through technology! Network security and encryption consulting. PGP keyid:E03F65E5
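
The header rules described in the message above, combined with the Referer toggle discussed earlier in the thread, sketched as an added example. This is not Cookie Jar's code: the host names, function names and the `send_referer` switch are hypothetical, and it assumes "nothing in the parens" means the parenthesised comment is removed outright.

```python
import re

# Hypothetical per-site rule: hosts that serve nothing usable without a User-Agent.
UA_REQUIRED_HOSTS = {"bank.example", "magazine.example"}

# A parenthesised comment such as "(X11; U; Linux 6.6.6 i386)".
UA_COMMENT = re.compile(r"\s*\([^)]*\)")


def scrub_user_agent(value):
    """Keep the product token(s); drop every parenthesised platform comment."""
    return UA_COMMENT.sub("", value).strip()


def filter_request_headers(host, headers, send_referer=False):
    """Return the (name, value) pairs to forward to `host`."""
    forwarded = []
    for name, value in headers:
        lname = name.lower()  # header names are case-insensitive
        if lname == "referer" and not send_referer:
            continue  # user toggle: Referer is off unless enabled
        if lname == "user-agent":
            if host.lower() not in UA_REQUIRED_HOSTS:
                continue  # default rule: send no User-Agent at all
            value = scrub_user_agent(value)
            if not value:
                continue  # nothing left once the comment is removed
        forwarded.append((name, value))
    return forwarded


# Constructed sample request headers (not captured traffic).
SAMPLE = [
    ("Host", "bank.example"),
    ("User-Agent", "Mozilla/3.0Gold (X11; U; Linux 6.6.6 i386)"),
    ("Referer", "http://search.example/?q=private+query"),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    for host in ("bank.example", "ads.example"):
        print(host, filter_request_headers(host, SAMPLE))
```
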

Eric Murray wrote:
| User-Agent: Mozilla/3.0Gold (X11; U; Linux 6.6.6 i386)
| In order to maximally fuck up stats, what should be put into
| the windowing system/OS fields? It has to be something that
| exists and is fairly common, so that it's not able to be thrown out
| by the stats-gathers. I could use "(X11; MVS; IBM MVS some version number)"
| but that'd be easy to throw out, even though ports of X to MVS really did
| exist.
|
| Maybe I'll just make every copy of Cookie Jar look like
| it's running on Linux.

I think you should rotate through a list, in case they're keeping track of it in conjunction with your other information. Thus, have the same cookies coming from different user agents, say rotate between Rhapsody on PowerPC and Linux on an Alpha. Alternately, have it come from Internet Exploder on various UNIX boxes. (Unless that's now generally available.)

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

Eric Murray <ericm@lne.com> writes:
Maybe I'll just make every copy of Cookie Jar look like it's running on Linux.
On an i386. Fight bloatware, influence markets, win friends!

Jer

(No PGP sig 'cause I'm running an unencrypted connection)
(Yeah, I store my private key on a multi-user machine, so sue me.)

"standing on top of the world/ never knew how you never could/ never knew why you never could live/ innocent life that everyone did" -Wormhole

At 03:32 PM 4/20/97 -0500, Adam Shostack wrote:
That's true, but can they avoid it? I'm considering writing a database pollution bot, which runs around, claiming to be Mozilla or IE, and randomly following a link once per minute. Why? Database pollution. If there are a few thousand of these randomly collecting links and creating arbitrary (or perhaps biased) viewing habits in the databases of the advertisers, then their individual data becomes worth less. They'll need to actively solicit people's permission to collect data before doing so, to avoid people polluting their databases.
Similarly, putting a randomly generated email address in those sign up fields produces pollution in the data used by spammers, which costs them (and no one else) money. If you run your own site, you can even bit bucket the email, trading their bandwidth for yours, and making them think they're delivering more junk email than they are.
You are forgetting to separate the marketers from the businesses being marketed here. While they're occasionally one and the same (see Cantor & Siegel), in today's world, the marketing is being handled by a third party (doubleclick). These marketers get paid by hit-count ratings: if they deliver the message to 1,000 browsers, they get some amount, say $15.00. If they deliver it to 100,000 browsers, they get $1500.00. They're not paid by the number of respondents, referred sales, or even valid e-mail addresses snarfed.

So, you'd only be artificially inflating the cost of the marketers to the advertisers. Here, your hope is that the advertisers notice a diminishing ROI for marketing costs, but that's a big hope. The numbers for a small site might look something like this:

January  - 20,000 hits, 50 sales
February - 22,000 hits, 60 sales
March    - 25,000 hits, 70 sales
April    - 50,000 hits, 90 sales <-- pollutionbot strikes 20,000 times

So, you've watered it down a bit. To make the pollutionbot truly effective, you'd have to hit a site by at least 10x the general population strikes:

May      - 440,000 hits, 100 respondents <- pollutionbot strikes 400,000 times

In the meantime, they're billing the business:

Month       Hits      Sales   Billing   Cost/sale   Pollutionbot hits/inflation
January     20,000    50      $300      $6.00       0         $0
February    22,000    60      $330      $5.50       0         $0
March       25,000    70      $375      $5.36       0         $0
April       50,000    90      $750      $8.33       20,000    $300
May         440,000   100     $6600     $66.00      400,000   $6000

Hopefully, the advertisers will pull out at this point. It's easy to see that something "bad" is happening, and that they're not getting the bang for the buck that they need. However, with some megasites (where they reportedly get 2,000,000+ hits per day) subscribing to doubleclick.com, it's doubtful you could make a noticeable dent unless you started your attack from a T3 connected backbone site. And even then, are you sure you want to spend your resources this way?
The marketers will also try to keep this sham up by saying to the businesses, "It's the Internet, who the hell knows? Keep going another month, it'll get better. In the meantime, just pay your bills."

Even if you were successful at flooding doubleclick, many of their advertisers are Big: IBM, Micro$oft, HP, etc. They don't even care about direct responses, they're just after name recognition. Ultimately, it'll reduce the ability of Mom & Pop (or Cantor & Siegel) to advertise on the same playing field as Micro$oft. Doubleclick won't go broke; neither will Micro$oft.

The only good hope you may have is of breaking a "mom & pop" version of doubleclick, and keeping the world less polluted. But, doubleclick will still be around and be able to move in and fill the void. What have you gained then?

John

--
J. Deters "Don't think of Windows programs as spaghetti code. Think of them as 'Long sticky pasta objects in OLE sauce'."
+--------------------------------------------------------------------+
| NET: mailto:jad@dsddhc.com (work) mailto:jad@pclink.com (home)      |
| PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home)                   |
| ICBM: 44^58'36"N by 93^16'27"W Elev. ~=290m (work)                  |
| For my public key, send mail with the exact subject line of:       |
| Subject: get pgp key                                               |
+--------------------------------------------------------------------+

At 09:34 19/04/97 -0500, Adam Shostack wrote:
I'm surprised no one has suggested paying people for advertising.
This is one of the more novel ideas that Digital have come up with for Millicent. In return for allowing the advertiser to download their advert to you, you get credited with an amount of scrip which is redeemable at their site. An interesting concept... Rachel Rachel Willmer <rachel@intertrader.com> Intertrader Ltd <http://www.intertrader.com> 4 John's Place Tel: +44 131 555 8450 Edinburgh EH6 7EL Fax: +44 131 555 8451 Authors of "Digital Money Online" (TM) <http://www.intertrader.com/library/DigitalMoneyOnline/>

Rachel Willmer wrote:
| At 09:34 19/04/97 -0500, Adam Shostack wrote:
| > I'm surprised no one has suggested paying people for
| >advertising.
|
| This is one of the more novel ideas that Digital have come up with for
| Millicent.
|
| In return for allowing the advertiser to download their advert to you, you
| get credited with an amount of scrip which is redeemable at their site.

At their site? Feh. That's a coupon, not money. I was cash. Cold, hard cash that I can spend on nifty toys. Otherwise, what good do all those Microsoft cookies do me? I accept your cookie, I get paid for it. If I don't buy your product, then, heck, get yourself better advertising, or a better product.

Adam

--
"Cash value 1/20th of a cent."

participants (9)
- Adam Shostack
- Bill Stewart
- dlv@bwalk.dm.com
- Eric Murray
- Jeremiah A Blatz
- John Deters
- Phillip M. Hallam-Baker
- Rachel Willmer
- Steve