Originally Posted by tarka (Post 34614028)

Confirmed, when clicking the opt in link I do see a similar cookie for a.webwise.net (i'm with BT). Interestingly, the opt out link just goes to the home page. To confirm that the opt out link wasn't doing anything at all I tried leaving the cookie in place then clicking the opt out link but after being sent to the home page the cookie remained, presumably leaving me opted in.

I also tried visiting a.webwise.net/services/ and got a 404.

Originally Posted by phormwatch (Post 34614152)

Originally Posted by Bonglet (Post 34614165)

They cant auto renew anything without your signature.

Originally Posted by pseudonym (Post 34614178)

The ISP check is carried out from the home page :- http://www.webwise.com/index.php

If you look on the left hand side it should say:-

"The Webwise feature
is not available
at this time."


The opt-in and opt-out are on separate pages


OPT-IN = http://www.webwise.com/privacy/opt/in.html

OPT-OUT = http://www.webwise.com/privacy/opt/out.html

Bypassing the homepage and using either these links works for me (I'm not with one of the Phorm Three)

The opt-out link deletes the UID cookie and creates the opt-out cookie "OPTED_OUT=YES".



I believe they "fixed" the opt-in/opt-out script to check referrer a few months after I mentioned the remote opt-in issue over on ISPReview - So directly accessing the actual opt-in url http://a.webwise.net/services/OO?op=in without spoofing referrer will give an error - I guess people who block referer wouldn't want to opt-out anyway. :dunce:

Originally Posted by Florence (Post 34614181)

Possibly the same http://www.linkedin.com/in/snimmons

more from the PR guys

---------- Post added at 22:34 ---------- Previous post was at 22:32 ----------


I signed once for BB wich was fitted 20th July 2000 once 12 months are up they auto renew but monthly or mine was unless T&C have changed to extend it to 12 months again as some of BT's do.

Originally Posted by SelfProtection (Post 34614183)

So if BT actually test Phorm again & they still use these Web links, could any Web Server redirect the client & either log them out of BT Webwise or actually log then in when they are logged out!

Originally Posted by pseudonym (Post 34614195)

Not now Phorm have changed it to check referrer - unless someone finds a browser/ add-on flaw that allows them to spoof the browser's referrer - it used to be possible to spoof referrer using Flash, but that was fixed in recent versions.

Having read R.Clayton's analysis, I've an idea or two about other potential issues, but we won't know unless or until Phorm goes live so I'm in no hurry to find out if I'm right. And given all the delays, they've had plently of time to review their code and fix any other oversights.

Originally Posted by lucevans (Post 34613993)

Sorry my post last night may have been a bit confusing: I actually went out of my way to see if I could get the webwise website to place a Phorm cookie on my system via my Virgin Media cable connection as follows:

I had to navigate through pages of badly-linked stuff on the site, but eventually got to the following page:

http://www.webwise.com/privacy/opt/in.html

where I clicked on the link called "Switch ON Webwise".

This dropped a cookie on my system called uid with the path /services and an expiry date of 4th August 2009.

The content of this particular cookie (which I have since deleted) was ZrUyKoAJTTeD6iXeivlOpA|| which I believe adheres to the format outlined in Richard Clayton's paper (Quote:"Phorm told us that the UID which is allocated to the user is a 16 byte value chosen at random. That is to say it is just a number. It is not, for example, an encryption of some data that might later be decrypted. The actual value sent on the wire will be base-64 encoded, so it will be seen by humans as a 22 character string.")

The website that my browser (Safari) attributed to this cookie was a.webwise.net

All this was done over a Virgin Media cable connection via cpc1-pete8-0-0-custxxx.pete.cable.ntl.com

I hope this clarifies things for those who were worried.

Originally Posted by davews (Post 34614148)

Do you mean you are proposing changes to the already existing page on BT Total Broadband - on the URL you mentioned. That article has been there for a long time and has gone through quite a few changes, although not much in the Phorm/Webwise days. Surprisingly it is not even linked from the Phorm WP page, guess I can soon sort that out.

I have done a lot of editing on Wikipedia over the past couple of years. The normal rule applies - be bold and put in your changes and see what happens. But always to remember to follow Wikipedia policies and you will soon get put in your place if you start stating strong points of view or claims not backed up by authoritative references. I suspect a simple paragraph stating they have recently been involved in Phorm/Webwise and a link to the Phorm article will be enough, anything more will probably get stamped on. I know, I have been through all that, you soon find your place there...

Originally Posted by pseudonym (Post 34614178)

The opt-in and opt-out are on separate pages

OPT-IN = http://www.webwise.com/privacy/opt/in.html

OPT-OUT = http://www.webwise.com/privacy/opt/out.html

Bypassing the homepage and using either these links works for me (I'm not with one of the Phorm Three)

Originally Posted by phormwatch (Post 34614152)

Originally Posted by Tharrick (Post 34614166)

That's what I thought - surely if I haven't signed anything they can't claim that it's valid?

Originally Posted by madslug (Post 34614231)

It must be my browser spoofing that messes up something in the scripts (the actual browser is not on the accepted list)