Re: Internet Explorer SuperCookies bypass P3P and cookie controls

From: Barry Dorrans (barryd@BANN.CO.UK)
Date: 01/15/02


Date:         Tue, 15 Jan 2002 16:05:38 -0000
From: Barry Dorrans <barryd@BANN.CO.UK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


> One solution to this problem is for Microsoft to remove
> the ClientID property from the WMP ActiveX control. For
> compatibility with existing JavaScript code, Microsoft may
> have to keep the property around, but always have it return a
> GUID of all zeros for all users.
>
> An even better idea might be to remove the WMP player
> ID number altogether and have WMP instead use the standard
> cookie mechanism of Internet Explorer.

This would break the Windows Media DRM; the player ID is used to
uniquely lock a license against a particular computer. Regardless of how
you feel about DRM in general, this unique identifier is necessary for
some of us.

Before anyone suggests that the ID should only be reported from within
the license acquisition popup that media player (or any DRM compatible
player - WinAmp would do the same), that would still break predelivery
code, where you deliver the license without a user having to play a
file.

Regards,

Barry
