[2342] in WWW Security List Archive
RE: COMMENT: Cookie dough (fwd)
daemon@ATHENA.MIT.EDU (John Lehmann (SSASyd))
Sun Jul 7 23:11:59 1996
From: "John Lehmann (SSASyd)" <LEHMANNJ@saatchi.com.au>
To: "'www-security'" <www-security@ns2.rutgers.edu>
Date: Mon, 08 Jul 96 11:10:00 S
Errors-To: owner-www-security@ns2.rutgers.edu
Ah cookies. Wish I'd known about them last year.
> Very interesting. Not only that, but I also found a new file called
> COOKIE.JAR in my C:\WINDOWS Directory. It only has information from
> Netscape at the moment, but for how long?
>
>
> Does anyone have some interesting information about this file as well?
Cookies are kinda benign. They serve mainly as a way of identifying the
physical machine being used. From the evil collector of information's
point of view, they cannot be trusted to really identify the person
reading the web page.
>
> | If you're like me, you never went to a site called "doubleclick." So
> | how did they give you a cookie?
Double-click places banner ads on many sites. The banner ad at the top
of the page on that search engine may actually be an image from the
archives at doubleclick.net.

And when you click on it, you go to the connected site via DoubleClick (I
think - do they use HTTP Status Code: Found 302 to redirect the browser?)

You can get the cookie on either of these occasions. Even though you
didn't go there, your browser did, and that's the same thing.
>
> | Close MagicCookie, connect to the Internet, and jump to
> | <www.doubleclick.net>
> | Read all about how they are going to make money giving us cookies we
> | don't know about, collecting data on all World Wide Web users, and
> | delivering targeted REAL TIME marketing based on our cookies and our
> | profiles.
Woohoo. Maybe I'll do that here to Australians :)
> | It then sends a request to
> | "doubleclick" with your ID, requesting all available marketing
> | information about you. (They're very coy about where this information
> | comes from, but it seems clear that at least some of it comes from
> | your record of hitting "doubleclick" enabled sites.)
That is entirely possible.
> | You then receive specially targeted marketing
> | banners from the site. In other words, if Helmut Newton and I log on
> | to the same site at the exact same time, I'll see ads for wetsuits and
> | basketballs, and Helmut will see ads for cameras.
I wish it was this good, but most of their targeting doesn't seem to have
quite such a fine grain. They offer ad campaigns based on the top level
domain (e.g. .mil, .net, .org, .edu etc...) of the browser... that seems to
be where the 'user-modeling' stops.

Other than that, targeting seems to be based on the site/page that the ad
is in, as with current print and TV media buying.
> | Until I closed Netscape. The LAST thing the "doubleclick" site did
> | was.... You guessed it. They handed me a cookie. So much for making the
> | client-server negotiation more efficient. (In fairness, that cookie
> | may have been in memory until I closed Netscape -- I can't tell for
> | sure.)
> | Scott Wyant
> | Spinoza Ltd.
It was :)
On the other hand, the cookie-passing transaction is pretty small.
(An average cookie looks something like this:

    Set-cookie: user=12345

which is approx. 25 bytes.)

On the other hand, sites that use cookies a lot may be slow, like all
sites based on CGI.
--
John J. Lehmann aka lehmannj@saatchi.com.au
Saatchi & Saatchi Australia, New Media
/* note: find a disclaimer to insert here */
/* "I've never met a mailer as broken as m$exchange" */
/* Is that any good? */
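The mechanism described in the reply above (a banner image served from an ad host hands the browser a cookie, the click-through is a 302 redirect, and every later page that embeds the same banner sends the cookie back) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any ad network; the hosts, paths and the cookie name are constructed for the illustration. It also goes one step beyond the post by showing the defender's side: the same browser with third-party cookies blocked, so the ad host can no longer join the visits together.

```python
# Added example (not from the original post): a toy model of how a banner
# served from a third-party host can hand a browser a cookie and then read
# it back from every other page that embeds the same banner. Hosts, paths
# and the cookie name are constructed for the illustration.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


def parse_set_cookie(header_value: str) -> tuple:
    """Return (name, value) from a Set-Cookie header, ignoring attributes."""
    pair = header_value.split(";", 1)[0]
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def parse_cookie(header_value: Optional[str]) -> dict:
    """Return the name=value pairs carried in a Cookie request header."""
    pairs = {}
    for part in (header_value or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name] = value
    return pairs


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class AdServer:
    """Constructed stand-in for an ad host that serves banners and click redirects."""

    def __init__(self, host: str):
        self.host = host
        self.next_id = 1000
        self.seen = {}  # user id -> list of pages that embedded the banner

    def handle(self, path: str, cookie: Optional[str], referer: str) -> Response:
        uid = parse_cookie(cookie).get("user")
        resp = Response(200)
        if uid is None:
            # No cookie came back: mint a new id and hand it out in Set-Cookie
            # (roughly the 25-byte header the post describes).
            uid = str(self.next_id)
            self.next_id += 1
            resp.headers["Set-Cookie"] = f"user={uid}"
        self.seen.setdefault(uid, []).append(referer)
        if path.startswith("/click"):
            # Click-through: redirect the browser to the advertiser with a 302.
            resp.status = 302
            resp.headers["Location"] = "https://advertiser.example/landing"
        return resp


class Browser:
    """Cookie jar keyed by host, with an optional third-party cookie block."""

    def __init__(self, block_third_party: bool = False):
        self.jar = {}  # host -> {cookie name: value}
        self.block_third_party = block_third_party

    def fetch(self, url: str, page_url: str, server: AdServer) -> Response:
        """Fetch a sub-resource of page_url (e.g. a banner image) from server."""
        host = urlsplit(url).hostname
        third_party = host != urlsplit(page_url).hostname
        blocked = third_party and self.block_third_party
        cookie = None
        if not blocked and host in self.jar:
            cookie = "; ".join(f"{k}={v}" for k, v in self.jar[host].items())
        resp = server.handle(urlsplit(url).path, cookie, referer=page_url)
        if "Set-Cookie" in resp.headers and not blocked:
            name, value = parse_set_cookie(resp.headers["Set-Cookie"])
            self.jar.setdefault(host, {})[name] = value
        return resp


def simulate(block_third_party: bool) -> dict:
    """Visit two unrelated sites that embed the same banner; return what the ad host learned."""
    ads = AdServer("ads.example")
    browser = Browser(block_third_party)
    for page in ("https://search.example/", "https://news.example/"):
        browser.fetch("https://ads.example/banner.gif", page, ads)
    return ads.seen


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With third-party cookies allowed, the ad host sees one id with both pages in its history; with them blocked, the browser neither stores nor returns the ad host's cookie, so each visit gets a fresh id and the two pages cannot be linked. The `Browser.fetch` call with a `/click` path shows the other occasion the post mentions: the 302 redirect response carries its own `Set-Cookie`.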