Re: Internet Explorer SuperCookies bypass P3P and cookie controls

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/15/02


Date:         Tue, 15 Jan 2002 12:13:55 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Richard,

I too have tested your demo page and found that it doesn't work as
advertised.

I'm running W2K Pro SP2, with IE 6.0.2600.0000 + Q313675, and Windows
Media Player 7.01.00.3055.

If I go with a default installation, I retrieve the actual GUID for WMP.

If I change the setting for "Allow Internet sites to uniquely identify
your player" to disabled, I get a different GUID every time I close the
window on your demo page and re-open it (e.g. kill the session cookie).
If I simply sit there and refresh the page, I get the same GUID over and
over again (although the GUID given is not the actual GUID for WMP as
listed in the registry).

Ergo, when I don't allow unique identification, it appears that MS is
offering a dynamically generated random GUID.

This would appear to be in conflict with what you state is the behavior
(although you didn't mention if this problem affected W2K installations,
or what version of WMP you were testing with).

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
