Big Brother Netscape
Summary: Netscape's "what's related" is a backdoor for Netscape to monitor your surfing.

--forwarded text---------------------------------------------------------
From "Flemming S. Johansen" <fsj@terma.com> on BUGTRAQ@netspace.org
Starting with version 4.06, the Netscape browser has a new "What's Related?" button next to the Location: field. After having tried it in the new 4.5, I am more than a little worried by the functionality behind it.

Briefly, the user clicks on this button, and is presented with a list of sites which are hopefully related to the page currently on display, plus some ads for Netscape. As far as I have been able to deduce (helped by a packet sniffer), this works by opening an HTTP connection to www-rl.netscape.com and making a query modelled on this template:

    GET /wtgn?CurrentURL/ HTTP/1.0

where CurrentURL is the URL of the page currently displayed. The server responds with a list of URLs it believes to be related.

There are four modes for this function, settable through preferences->navigator->smart browsing:

- "Always": The browser always downloads the list of 'related' URLs, beginning while the page in question is loading.
- "Never": The browser starts downloading the list of 'related' URLs when the user clicks on the 'What's related?' button.
- "After first use": Automatically fetches the URL list for a page if the user has ever clicked the button for that page.
- Completely disabled.

The default setting is "Always". So, the unsuspecting user who upgrades to the latest Netscape will automatically and unknowingly begin sending out a detailed log of pages viewed.

Netscape's privacy statement notwithstanding, I don't like the fact that anyone is able to compile a list of every single web page I visit. I don't like the fact that someone with a sniffer anywhere on the path from here to netscape.com is able to do so either. And the company I work for is not too thrilled about the name of every single document on our internal, not-for-public-viewing web server leaking out on the Net, once our users begin installing this release on their PCs.
I would like to control this "feature" globally for my LAN, but as far as I can see, there are only two ways of doing it: Fascist control of Netscape preferences settings on every PC on my LAN, or block www-rl.netscape.com in the firewall.

--
Flemming S. Johansen
fsj@terma.com
Pallas Anonymous Remailer <athena@cyberpass.net> writes:
Netscape's "what's related" is a backdoor for Netscape to monitor your surfing.
The original poster didn't even quite understand the magnitude of the problem, which I believe is quite severe. PRIVACY has been covering some of the issues related to this, especially in issue 07.17.

A much more detailed description of what's going on and how to manage the problem is in our paper "'What's Related?' Everything But Your Privacy", online at <http://www.interhack.net/pubs/whatsrelated/>.

Abstract: Netscape Communications Corporation's release of Communicator 4.06 contains a new feature, "Smart Browsing", controlled by a new icon labeled What's Related, a front-end to a service that will recommend sites that are related to the document the user is currently viewing. The implementation of this feature raises a number of potentially serious privacy concerns, which we have examined here. Specifically, URLs that are visited while a user browses the web are reported back to a server at Netscape. The logs of this data, when used in conjunction with cookies, could be used to build extensive dossiers of individual web users, even including their names, addresses, and telephone numbers in some cases.

Keywords: Privacy, world-wide web (WWW), Netscape, Alexa, smart browsing, what's related.

--
Matt Curtin
cmcurtin@interhack.net
http://www.interhack.net/people/cmcurtin/
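A log audit for the lookups described in the first post, as an added example that is not part of either message: it finds requests matching the `GET /wtgn?CurrentURL/ HTTP/1.0` template sent to www-rl.netscape.com and flags those that report an internal host. The three-field log layout, the `corp.example` suffix and the sample lines are constructed assumptions.

```python
# Added example: audit proxy log lines for "What's Related" lookups.
# Log layout (client, destination host, quoted request line) is an assumption.
import shlex
from urllib.parse import urlsplit

RL_HOST = "www-rl.netscape.com"   # lookup server named in the post
RL_PREFIX = "/wtgn?"              # query template named in the post

def reported_url(request_line):
    """Return the URL carried by a 'GET /wtgn?CurrentURL/ HTTP/1.0' request, else None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET" or not parts[1].startswith(RL_PREFIX):
        return None
    return parts[1][len(RL_PREFIX):] or None

def host_of(url):
    """Hostname of the reported URL; a missing scheme is tolerated (assumption)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def audit(lines, internal_suffixes):
    """Return (client, reported URL, is_internal) for every lookup found in the log."""
    findings = []
    for line in lines:
        try:
            client, dest, request = shlex.split(line)
        except ValueError:      # wrong field count or unbalanced quotes
            continue
        if dest.lower() != RL_HOST:
            continue
        url = reported_url(request)
        if url is None:
            continue
        host = host_of(url)
        internal = any(host == s or host.endswith("." + s) for s in internal_suffixes)
        findings.append((client, url, internal))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.12 www-rl.netscape.com "GET /wtgn?http://intranet.corp.example/plans/q4.html/ HTTP/1.0"',
    '10.0.0.12 www.example.org "GET /index.html HTTP/1.0"',
    '10.0.0.40 www-rl.netscape.com "GET /wtgn?http://www.example.org/news/ HTTP/1.0"',
    'garbled line',
]

if __name__ == "__main__":
    for client, url, internal in audit(SAMPLE_LOG, ["corp.example"]):
        print(("INTERNAL " if internal else "external ") + client + " " + url)
```

Lines flagged INTERNAL identify the clients still running with the lookup enabled and the internal document names that have already left the LAN.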