[2444] in WWW Security List Archive
Re: cookies and privacy
daemon@ATHENA.MIT.EDU (Dave Kristol)
Wed Jul 17 21:11:46 1996
Date: Tue, 16 Jul 96 12:58:57 EDT
From: dmk@allegra.att.com (Dave Kristol)
To: jacob@whiteshell.com
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Jacob Rose <jacob@whiteshell.com> wrote:
> Why not limit Netscape such that it will only send cookies to the user's
> "apparent site" - the one in the URL? That way, inline imagery that is
> "off-site" won't be able to trigger cookies, and the user will know who
> is receiving them; it wouldn't prevent people from collecting personal
> data about users, but it would definitely make it hard to correlate.
That is the way that cookies work: cookies can only be sent to the
server in the URL (to a first approximation). However, services like
DoubleClick have conspired with other sites so those sites put an image
URL on their page that points to DoubleClick. DoubleClick creates the
cookie and gets it back each time you visit them for another image,
independent of where you got the page that had the link to
DoubleClick.
Let me illustrate.
1) You go to http://a.com.
2) The page you get back has in it <IMG SRC="http://b.com">.
3) Your browser makes a request to b.com for the image.
4) You get back, along with the image, a Set-Cookie header.
5) You go to http://c.com.
6) The page that comes back has another <IMG SRC="http://b.com"> in it.
7) Your browser requests the image from b.com and sends along the
cookie you got in (4).
8) You get back the image, along with a new Set-Cookie header.
By looking at the Referer: header in your requests (3, 7), b.com can
figure out where you've been. The cookie you receive in the Set-Cookie
header (4, 8) can "help" your browser to remember that information.
Because the image fetches are largely invisible, the cookie Internet
Draft made a point of saying that user agents should inform users when
a session gets initiated, as in the above example.
Perhaps you want your browser vendor to give you an option that says,
"Never allow a session to begin, except for requests I initiate." If
that's the case, beat on your vendor.
Dave Kristol
