[2317] in WWW Security List Archive
RE: COMMENT: Cookie dough (fwd)
daemon@ATHENA.MIT.EDU (Hamilton, Ed @ OTT)
Thu Jul 4 18:45:25 1996
From: "Hamilton, Ed @ OTT" <EHAMILT@esc.lmco.com>
To: "'Scott Wyant (Cookie Stuff)" <scott_wyant@loop.com>,
www-security <www-security@ns2.rutgers.edu>
Date: Thu, 04 Jul 96 16:33:00 EDT
Errors-To: owner-www-security@ns2.rutgers.edu
Very interesting. Not only that, but I also found a new file called
COOKIE.JAR in my C:\WINDOWS Directory. It only has information from
Netscape at the moment, but for how long?
Does anyone have some interesting information about this file as well?
--- Ed.
----------
From: owner-www-security
To: www-security
Subject: COMMENT: Cookie dough (fwd)
Date: Wednesday, July 03, 1996 2:32PM
There has been a flurry of activity of late in the ADV-HTML list in
response to this post, which I thought was worth forwarding to the
www-security list. Any comments/further details/debunking/etc.?
Forwarded message:
| Date: Wed, 26 Jun 1996 19:42:00 -0700
| From: Scott Wyant <scott_wyant@loop.com>
| Subject: COMMENT: Cookie dough
| To: Multiple recipients of list ADV-HTML <ADV-HTML@UA1VM.UA.EDU>
|
| (I originally posted this to a library science listserve, and was asked to
| post it here. I hope it is of some interest to ADV-HTML readers)
|
| This list has seen discussion about the little "cookie" that a Netscape
| server hands to your browser. Have you wondered how someone might use it
| to make some money?
|
| Here's how.
| (This will take a while, but I think it's worth it.)
|
| Using Find File, look for a file called cookie.txt (or MagicCookie if you
| have a Mac machine). Using a text editor, open the file and take a look.
| If you've been doing any browsing, the odds are about 80/20 that you'll
| find a cookie in there from someone called "doubleclick.net."
|
| If you're like me, you never went to a site called "doubleclick." So how
| did they give you a cookie? After all, the idea of the cookie, according to
| the specs published by Netscape, is to make a more efficient connection
| between the server that delivers the cookie and the client machine which
| receives it. But we have never connected to "doubleclick."
|
| Close MagicCookie, connect to the Internet, and jump to
| <www.doubleclick.net>
| Read all about how they are going to make money giving us cookies we
| don't know about, collecting data on all World Wide Web users, and
| delivering targeted REAL TIME marketing based on our cookies and our
| profiles.
|
| Pay special attention to the information at:
| <www.doubleclick.net/advertising/howads.htm>
|
| You'll see that the folks at "doubleclick" make the point that this entire
| transaction (between their server and your machine) is "transparent to the
| user." In plain English, that means you'll never know what hit you.
|
| So what's happening is, subscribers to the doubleclick service put a
| "cookie request" on their home page FOR THE DOUBLECLICK COOKIE. When you
| hit such a site, it requests the cookie and takes a look to see who you
| are, and any other information in your cookie file. It then sends a
| request to "doubleclick" with your ID, requesting all available marketing
| information about you. (They're very coy about where this information
| comes from, but it seems clear that at least some of it comes from your
| record of hitting "doubleclick" enabled sites.) You then receive specially
| targeted marketing banners from the site. In other words, if Helmut Newton
| and I log on to the same site at the exact same time, I'll see ads for
| wetsuits and basketballs, and Helmut will see ads for cameras.
|
| If you log in to a "doubleclick" enabled site, and it sends a request for
| your "doubleclick" cookie, and you don't have one, why each and every one
| of those sites will hand you a "doubleclick" cookie.
|
| Neat, huh? And you can bet they're going to be rolling in the cookie
| dough. Me, I edit my cookie file each and every time I go to a new site.
| (Despite the dire warning at the top of the file, you can edit it with no
| adverse consequences.)
|
| Oh, and one other thing. If you edit your cookie file BEFORE you connect
| to "doubleclick," and then jump around at the site, you'll notice that they
| DON'T hand you a cookie. I probed the site pretty carefully, checking the
| MagicCookie file, and nothing happened.
|
| Until I closed Netscape. The LAST thing the "doubleclick" site did was....
| You guessed it. They handed me a cookie. So much for making the
| client-server negotiation more efficient. (In fairness, that cookie may
| have been in memory until I closed Netscape -- I can't tell for sure.)
| Scott Wyant
| Spinoza Ltd.
Note that recent versions of Netscape have an option to "show an alert
before accepting a cookie" which can be turned on in the Network
Preferences/Protocols menu.
-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Home office: 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
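
Added example, not part of the original thread: one way to automate the cookie-file check Scott Wyant describes, listing cookie domains that match no site you visited directly. It assumes the file uses Netscape's tab-separated seven-field layout; the sample entries, host names and function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the tab-separated Netscape cookie-file layout:
# domain, subdomain flag, path, secure flag, expiry (Unix time), name, value.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "# This is a generated file!  Do not edit.\n"
    "\n"
    ".doubleclick.net\tTRUE\t/\tFALSE\t946684799\tid\tEXAMPLE-ID-0001\n"
    "www.example-library.org\tFALSE\t/\tFALSE\t868000000\tsession\tabc123\n"
    ".netscape.com\tTRUE\t/\tFALSE\t946684799\tNETSCAPE_ID\tEXAMPLE-ID-0002\n"
    "truncated.example\tFALSE\t/\n"
)

def parse_cookie_file(text):
    """Return one dict per well-formed cookie line; skip comments and junk."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # malformed or hand-edited line
        domain, _, path, secure, expiry, name, value = fields
        cookies.append({
            "domain": domain.lower(), "path": path, "secure": secure == "TRUE",
            "expires": datetime.fromtimestamp(int(expiry), tz=timezone.utc),
            "name": name, "value": value,
        })
    return cookies

def domain_matches(host, cookie_domain):
    """Suffix match: would a cookie set for cookie_domain be sent to host?"""
    bare = cookie_domain.lstrip(".")
    return host == bare or host.endswith("." + bare)

def unvisited_cookie_domains(cookies, visited_hosts):
    """Cookie domains that match none of the hosts the user chose to visit."""
    hosts = [h.lower() for h in visited_hosts]
    return sorted({c["domain"] for c in cookies
                   if not any(domain_matches(h, c["domain"]) for h in hosts)})

if __name__ == "__main__":
    jar = parse_cookie_file(SAMPLE)
    visited = ["www.example-library.org", "home.netscape.com"]  # constructed
    for d in unvisited_cookie_domains(jar, visited):
        print("cookie from a site never visited directly:", d)
```

The expiry field is worth reading as well: a cookie dated years ahead outlives the browsing session and can be presented again on every later visit to any page that embeds content from that domain.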