There has been a flurry of activity of late in the ADV-HTML list in
response to this post, which I thought was worth forwarding to the
www-security list.  Any comments/further details/debunking/etc.?

Forwarded message:
| Date:         Wed, 26 Jun 1996 19:42:00 -0700
| From: Scott Wyant <scott_wyant@loop.com>
| Subject:      COMMENT: Cookie dough
| To: Multiple recipients of list ADV-HTML <ADV-HTML@UA1VM.UA.EDU>
| (I originally posted this to a library science listserve, and was asked to
| post it here.  I hope it is of some interest to ADV-HTML readers)
| This list has seen discussion about the little "cookie" that a Netscape
| server hands to your browser.  Have you wondered how someone might use it to
| make some money?
| Here's how.
| (This will take a while, but I think it's worth it.)
| Using Find File, look for a file called cookie.txt (or MagicCookie if you
| have a Mac machine).  Using a text editor, open the file and take a look.
| If you've been doing any browsing, the odds are about 80/20 that you'll find
| a cookie in there from someone called "doubleclick.net."
| If you're like me, you never went to a site called "doubleclick."  So how did
| they give you a cookie?  After all, the idea of the cookie, according to the
| specs published by Netscape, is to make a more efficient connection between
| the server that delivers the cookie and the client machine which receives it.
| But we have never connected to "doubleclick."
| Close MagicCookie, connect to the Internet, and jump to <www.doubleclick.net>
| Read all about how they are going to make money giving us cookies we don't
| know about, collecting data on all World Wide Web users, and delivering
| targeted REAL TIME marketing based on our cookies and our profiles.
| Pay special attention to the information at:
| <www.doubleclick.net/advertising/howads.htm>
| You'll see that the folks at "doubleclick" make the point that this entire
| transaction (between their server and your machine) is "transparent to the
| user."  In plain English, that means you'll never know what hit you.
| So what's happening is, subscribers to the doubleclick service put a "cookie
| request" on their home page FOR THE DOUBLECLICK COOKIE.  When you hit such a
| site, it requests the cookie and takes a look to see who you are, and any
| other information in your cookie file.  It then sends a request to
| "doubleclick" with your ID, requesting all available marketing information
| about you.  (They're very coy about where this information comes from, but it
| seems clear that at least some of it comes from your record of hitting
| "doubleclick" enabled sites.)  You then receive specially targeted marketing
| banners from the site.  In other words, if Helmut Newton and I log on to
| the same site at the exact same time, I'll see ads for wetsuits and
| basketballs, and Helmut will see ads for cameras.
| If you log in to a "doubleclick" enabled site, and it sends a request for
| your "doubleclick" cookie, and you don't have one, why each and every one of
| those sites will hand you a "doubleclick" cookie.
| Neat, huh?  And you can bet they're going to be rolling in the cookie dough.
| Me, I edit my cookie file each and every time I go to a new site.  (Despite
| the dire warning at the top of the file, you can edit it with no adverse
| consequences.)
| Oh, and one other thing.  If you edit your cookie file BEFORE you connect to
| "doubleclick," and then jump around at the site, you'll notice that they
| DON'T hand you a cookie.  I probed the site pretty carefully, checking the
| MagicCookie file, and nothing happened.
| Until I closed Netscape.  The LAST thing the "doubleclick" site did was....
| You guessed it.  They handed me a cookie.  So much for making the
| client-server negotiation more efficient.  (In fairness, that cookie may
| have been in memory until I closed Netscape -- I can't tell for sure.)
| Scott Wyant
| Spinoza Ltd.

Note that recent versions of Netscape have an option to "show an alert
before accepting a cookie" which can be turned on in the Network
Preferences/Protocols menu.
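
The manual check described in the forwarded post (opening the cookie file and spotting an entry from a domain you never visited) can be scripted. The following is an added example, not part of the original messages; it assumes the seven-field, tab-separated Netscape cookie file layout, and the sample entries, cookie names and the visited-host list are constructed.

```python
from collections import defaultdict

# Constructed sample in the Netscape cookie file layout: domain, subdomain
# flag, path, secure flag, expiry (Unix time), name, value, tab-separated.
SAMPLE_COOKIE_FILE = (
    "# Netscape HTTP Cookie File\n"
    "# This is a generated file!  Do not edit.\n"
    "\n"
    ".doubleclick.net\tTRUE\t/\tFALSE\t1920499140\tid\tconstructed-0001\n"
    "www.example-library.org\tFALSE\t/\tFALSE\t946684799\tsession\tabc123\n"
    "this line is damaged and has no tabs\n"
)

def parse_cookie_file(text):
    """Return (cookies, skipped_line_numbers) for a Netscape-format file."""
    cookies, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#HttpOnly_"):      # later browsers/curl prefix
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue                           # blank line or comment
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            skipped.append(lineno)             # hand-edited or truncated entry
            continue
        cookies.append({"domain": fields[0].lower(), "path": fields[2],
                        "expires": int(fields[4]), "name": fields[5]})
    return cookies, skipped

def domain_matches(cookie_domain, host):
    """True if a cookie scoped to cookie_domain would be sent to host."""
    bare = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == bare or host.endswith("." + bare)

def unvisited_cookie_domains(cookies, visited_hosts):
    """Map each cookie domain matching no knowingly visited host to its names."""
    found = defaultdict(list)
    for c in cookies:
        if not any(domain_matches(c["domain"], h) for h in visited_hosts):
            found[c["domain"]].append(c["name"])
    return dict(found)

if __name__ == "__main__":
    cookies, skipped = parse_cookie_file(SAMPLE_COOKIE_FILE)
    visited_hosts = ["www.example-library.org"]   # constructed browsing list
    for domain, names in unvisited_cookie_domains(cookies, visited_hosts).items():
        print(f"cookie(s) {names} set by unvisited domain {domain}")
    print(f"unparseable lines: {skipped}")
```
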

