12-07-2008, 20:25   #11642
pseudonym
Inactive
 
Join Date: Apr 2008
Posts: 76
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Dephormation View Post
Just looking at the text of Richard Clayton's analysis... it is very confusing.

It talks about a 'webwise' labelled cookie for the UID. Does that mean the cookie is named webwise, or the name is chosen by Webwise?

And when it talks about the method used to copy the 'OPTED_OUT' value, it says "If the user has set a cookie within the webwise.net domain indicating that they do not wish to be tracked, then this preference setting will be copied (by the method already outlined) into the cookies created for all other domains. That is, the cookie for these domains will have a generic "OPTED OUT" value and there will be no UID".

Is that name "OPTED_OUT" and value "YES" per the webwise domain??

My interpretation was that the name will either be, or contain, "webwise" and the value will be a base64-encoded UID number if you are opted in, or the value "OPTED_OUT".

e.g.

webwise=SYGGfXWiQMuawIuR0qMJxw||

or

webwise=OPTED_OUT

I wasn't 100% sure the name would be "webwise" and that Phorm wouldn't change it, so I coded my extension to detect the phorged cookie and its name using a regular expression that looks for a Phorm UID in the set-cookie after the redirect from webwise.net occurs, so even if it is not "webwise" it should still work.

Quote:

This whole thing is such a technical shambles. See para 33 - if you opt out, your UID is sprayed across every site you ever visited. Your visits to those sites would still be profiled, even though you thought you'd opted out, while the copied UID cookies persisted.



We must stop this cack ever being launched. It is cack. Utter utter utter cack.

Indeed, nonetheless the Phorm PR team reckoned they'd convince Tim it's-mine-you-can't-have-it Berners-Lee it was a good thing once they'd explained it to him - I'd love to hear what he would have said in response!

Another problem with it: having a phorged cookie sent when you visit sites using HTTPS is going to break some sites with no obvious cause to the end-user.

BT might even need to find another site for online AGM voting as www.sharevote.co.uk sent me to an error page when I tried sending it a fake webwise cookie.
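The detection approach described in the post above (matching the cookie by the shape of its value rather than by its name, on the response that follows the webwise.net redirect), written out as an added example; it is not the poster's extension code. The hop record format, the function names and the UID shape (22 base64 characters followed by "||", inferred from the single sample value in the post) are assumptions.

```javascript
// Added example: flag a UID-shaped or opt-out cookie set right after a webwise.net redirect.
// Assumption: a UID looks like the post's sample, 22 base64 characters followed by "||".
const UID_VALUE = /^[A-Za-z0-9+\/]{22}\|\|$/;
const OPT_OUT_VALUE = "OPTED_OUT";

// Split one Set-Cookie header line into its name and value (attributes are ignored).
function parseSetCookie(header) {
  const pair = header.split(";")[0];
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

function isWebwiseHost(host) {
  return host === "webwise.net" || host.endsWith(".webwise.net");
}

// hops: ordered responses of one navigation, each { url, setCookie: [header lines] }
// (a hypothetical record format). Cookies are matched by value, never by name, and
// only on a non-webwise hop that directly follows a webwise.net hop.
function findForgedCookies(hops) {
  const found = [];
  for (let i = 1; i < hops.length; i++) {
    const host = hostOf(hops[i].url);
    if (!isWebwiseHost(hostOf(hops[i - 1].url)) || isWebwiseHost(host)) continue;
    for (const line of hops[i].setCookie || []) {
      const c = parseSetCookie(line);
      if (!c) continue;
      const kind = UID_VALUE.test(c.value) ? "uid"
        : c.value === OPT_OUT_VALUE ? "opted_out" : null;
      if (kind) found.push({ host, name: c.name, kind });
    }
  }
  return found;
}

// Constructed sample chain; www.example.com and the cookie name "renamed" are placeholders.
const sampleHops = [
  { url: "http://www.example.com/", setCookie: [] },
  { url: "http://webwise.net/redirect", setCookie: ["webwise=SYGGfXWiQMuawIuR0qMJxw||; path=/"] },
  { url: "http://www.example.com/?x=1", setCookie: ["sid=abc123; path=/", "renamed=SYGGfXWiQMuawIuR0qMJxw||; path=/"] },
];
console.log(findForgedCookies(sampleHops));
```

Matching on the value alone will also flag any unrelated cookie that happens to have the same shape, which is why the check is limited to the hop immediately after webwise.net.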