Quote:
Originally Posted by pseudonym
I think a bigger problem is websites will be able to read your webwise tracking cookie by embedding some https content on their page. Phorm can't strip the cookie from encrypted streams, so the website will get to see your unique user id. If the website doesn't want to pay for a certificate to read your UID, it should also work if they use a port other than 80.
|
Much has been suggested about the https:// cookie. But in fact this will only work for those sites where all the code on that site is secure, ie an
https://site (and which Phorm is unable to profile even if it tries). Just having a single https:// image will mean that site has mixed secure and unsecure content and most browsers will flag this up with a weak security popup error which will alert the user to something not quite right going on. So it is broadly unviable.
I believe the Phorm servers are set up just to strip the cookies which accompany a [GET] request. But any site can easily read all the cookies on a visitor's computer using simple javascript document.cookie. It is not clear whether Phorm attempts to strip cookies obtained in this way, my gut feeling is that they probably don't.