Quote:
Originally Posted by rryles
It might be possible to get something along these lines to work, but it isn't easy. A hash on its own is no protection against forgery. They'd have to use cryptographic signatures. I'd like to see them try and make it IP locked without storing, processing or even possibly coming into possession of any IP addresses.
|
You're correct, they would need the IP. Here's a (rough, untested) example of a much simpler version that does leak the ID (if you know how to decode it) but still renders it useless for fuzzing unless you can somehow do an IP takeover.
Code:
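<?php
// XOR two strings byte by byte, over the length of the shorter one.
// (Named xor_strings because "xor" is a reserved word in PHP.)
function xor_strings($a, $b) {
    $crypted = '';
    for ($i = 0, $j = min(strlen($a), strlen($b)); $i < $j; $i++) {
        $crypted .= $a[$i] ^ $b[$i];
    }
    return $crypted;
}
// Set UID ($uid holds the user's ID and is assigned elsewhere)
$value = xor_strings($uid, hash('sha1', $_SERVER['REMOTE_ADDR']));
setcookie('webwise', $value);
// Get UID
$uid = xor_strings($_COOKIE['webwise'], hash('sha1', $_SERVER['REMOTE_ADDR']));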
Quote:
If the cookie is locked to your IP then a brute force attack will allow Phorm to derive your IP from the cookie. (With IPv4 addresses this brute force attack is fairly trivial.)
|
I'd think it'd be easier to match the webwise id to OIX ad server request log files.
---------- Post added at 13:46 ---------- Previous post was at 13:43 ----------
Quote:
Originally Posted by Peter N
Surely all of this cookie related stuff is irrelevant if you opt-out as you will only get the regular cookies with no added data.
|
If servers can retrieve the Phorm UID, they can get a good idea of your profile by seeing what ads are served. That's a huge privacy risk for everyone who opts in; not every company is as upstanding and honest (sic) as Phorm.
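The forgery point raised in the first quote, as an added example that is not part of the original thread: the XOR mask from the post beside an HMAC-tagged cookie that a server can actually reject. `SERVER_KEY`, the function names, the sample UID and the documentation-range IP addresses are all assumptions made for illustration; like the post's version, the signed cookie still exposes the UID and still needs the IP at verification time.

```php
<?php
// Added example, not code from the thread. SERVER_KEY is a hypothetical secret.
const SERVER_KEY = 'constructed-demo-key';

// Scheme from the post: UID XORed with an unkeyed SHA-1 of the client IP.
function mask_uid(string $uid, string $ip): string {
    $pad = hash('sha1', $ip);
    $out = '';
    for ($i = 0, $n = min(strlen($uid), strlen($pad)); $i < $n; $i++) {
        $out .= $uid[$i] ^ $pad[$i];
    }
    return $out;
}

// Signed form: UID plus an HMAC over "ip|uid", keyed with the server secret.
function issue_cookie(string $uid, string $ip): string {
    return $uid . '.' . hash_hmac('sha256', $ip . '|' . $uid, SERVER_KEY);
}

// Returns the UID when the tag verifies for this IP, otherwise null.
function read_cookie(string $cookie, string $ip): ?string {
    $pos = strrpos($cookie, '.');
    if ($pos === false) {
        return null;
    }
    $uid = substr($cookie, 0, $pos);
    $expected = hash_hmac('sha256', $ip . '|' . $uid, SERVER_KEY);
    return hash_equals($expected, substr($cookie, $pos + 1)) ? $uid : null;
}

// Constructed sample values (RFC 5737 documentation addresses).
$uid   = 'a1b2c3d4e5f60718';
$home  = '192.0.2.10';
$other = '198.51.100.7';

// XOR mask: round-trips on the same IP, but on another IP it simply decodes
// to a different string. There is nothing the server can check or reject.
$masked = mask_uid($uid, $home);
var_dump(mask_uid($masked, $home) === $uid);
var_dump(mask_uid($masked, $other) === $uid);

// Signed cookie: accepted on the issuing IP, rejected on another IP,
// and rejected when the UID part is altered without the key.
$cookie = issue_cookie($uid, $home);
var_dump(read_cookie($cookie, $home));
var_dump(read_cookie($cookie, $other));
var_dump(read_cookie('ffff' . substr($cookie, 4), $home));
```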