[8302] in bugtraq

Re: Netscape "What's Related"

daemon@ATHENA.MIT.EDU (Doug Monroe)
Mon Oct 26 17:34:35 1998

Date: 	Sat, 24 Oct 1998 10:58:27 -0400
Reply-To: Doug Monroe <monwel@INTERHACK.NET>
From: Doug Monroe <monwel@INTERHACK.NET>
To: BUGTRAQ@NETSPACE.ORG

"Flemming S. Johansen" <fsj@terma.com> wrote:
>Starting with version 4.06, the Netscape browser has a new "What's
>Related?" button next to the Location: field. After having tried it
>in the new 4.5, I am more than a little worried by the functionality
>behind it.
...snip...
>Netscape's privacy statement notwithstanding, I don't like the fact that
>anyone is able to compile a list of every single web page I visit. I
>don't like the fact that someone with a sniffer anywhere on the path
>from here to netscape.com is able to do so either.  And the company I
>work for is not too thrilled about the name of every single document on
>our internal, not-for-public-viewing web server leaking out on the Net,
>once our users begin installing this release on their PCs.
>
>I would like to control this "feature" globally for my LAN, but as far
>as I can see, there are only two ways of doing it: Fascist control of
>Netscape preferences settings on every PC on my LAN, or block
>www-rl.netscape.com in the firewall.
>
>--
>  ----------------------------------------------------------------------
>        Flemming S. Johansen
>        fsj@terma.com

Particularly concerning is the fact that a cookie is passed with each of
these www-rl requests. We've been digging into this topic for quite a while
now. You might be interested in our paper on this topic:
  http://www.interhack.net/pubs/whatsrelated/
and additional commentary at:
  http://www.vortex.com/privacy/priv.07.17

You'd also be wise to be watchful of usage of the "Alexa Internet"
(www.alexa.com) tool within your "internal, not-for-public-viewing"
environment.

Doug Monroe
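
An added example, not part of the original thread: before deciding between the two controls Flemming lists, a proxy log audit can show which LAN clients already contact www-rl.netscape.com and which lookups carry internal document names. The "<client> <method> <url>" log layout, the /lookup path, the assumption that the visited URL travels in the query string, and the .corp.example suffix are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, unquote

RELATED_HOST = "www-rl.netscape.com"    # host named in the thread
INTERNAL_SUFFIXES = (".corp.example",)  # assumption: your internal DNS suffix

# Constructed sample log; path and layout are placeholders, not Netscape's format.
SAMPLE_LOG = """\
10.0.0.5 GET http://www-rl.netscape.com/lookup?http://intranet.corp.example/hr/salaries.html
10.0.0.5 GET http://www.example.org/index.html
10.0.0.9 GET http://www-rl.netscape.com/lookup?http://www.example.org/news.html
10.0.0.7 GET http://www-rl.netscape.com/lookup?http%3A%2F%2Fwiki.corp.example%2Fproject-x
malformed line
"""

def is_internal(host):
    """True if host falls under one of the internal DNS suffixes."""
    host = (host or "").lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in INTERNAL_SUFFIXES)

def audit(log_text):
    """Return {client: {"lookups": n, "internal": [urls]}} for What's Related traffic."""
    report = defaultdict(lambda: {"lookups": 0, "internal": []})
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue                      # skip lines that do not match the layout
        client, _method, url = parts
        try:
            req = urlsplit(url)
            if (req.hostname or "").lower() != RELATED_HOST:
                continue
            leaked = unquote(req.query)   # visited URL assumed to ride in the query
            leaked_host = urlsplit(leaked).hostname
        except ValueError:
            continue                      # unparsable URL, ignore
        entry = report[client]
        entry["lookups"] += 1
        if is_internal(leaked_host):
            entry["internal"].append(leaked)
    return dict(report)

if __name__ == "__main__":
    for client, info in sorted(audit(SAMPLE_LOG).items()):
        print(client, info["lookups"], "lookups;", len(info["internal"]), "internal")
        for u in info["internal"]:
            print("   leaked:", u)
```

Clients with a non-empty internal list are the ones to fix first, whether by preference settings or by the firewall block on www-rl.netscape.com.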