Thread: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
View Single Post
Old 12-05-2008, 18:26   #6386
Cumulus
Inactive
 
Join Date: Apr 2008
Posts: 4
Cumulus is an unknown quantity at this point
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
Quote:
Originally Posted by oblonsky View Post
Exactly. Phorm cannot know if the user has logged on.

---------- Post added at 06:54 ---------- Previous post was at 06:45 ----------




They haven't explained how it will work because it cannot work. Phorm have indicated that they will password authentication, which can be taken to mean Basic Authentication (RFCs 1945 & 2616) and Digest (RFCs 2069 & 2617).

But so many websites now use bespoke cookie-based authentication mechanisms that it will be a challenge to say the least to work out and ignore each of these.

---------- Post added at 07:00 ---------- Previous post was at 06:54 ----------
Yes, I agree with the fact they are bespoke makes it very difficult to identify authenticated sessions. Webmasters can currently can use any method that *they* regard as appropriate for their security/privacy requirements as there is no commonly-accepted standard.

And we shouldn't forget other methods webmasters use to protect content such as difficult-to-guess urls (yeuchh!), IP address deny/allow etc. Deep packet inspection techniques ride roughshod over either of these attempts by webmasters to ensure the security of their data, and Webwise/OIX opt-out solutions using robots.txt are clearly inappropriate for either of these, even if opt-out was acceptable in the first place.

Quote:
Originally Posted by oblonsky View Post
It is believed that JavaScript can get around intercept laws e.g. Googlemail (even though gmail servers are based abroad so not covered by UK intercept laws). The script reads the page after it has been "opened" by the user therefore is not intercept but a consent for someone to come to your house and watch you opening your mail.

HOWEVER because the JavaScript was most likely injected at the ISP level then there would then still be some level of intercept involved to achieve that.
Yes you are correct, there must have been some interception to add the Javascript. Incidentally, the Javascript injection in the PageSense system was relatively minor and consisted of not much more than a tag pointing to the rest of the Javascript used for page scanning etc. The bulk of the Javascript was then downloaded from a webserver, typically from one or both of the sysip.net domains (ntp. and/or dns. - I can't remember right now).
Cumulus is offline