Re: Web bug

From: rj3 Jean-Francois RODRIGUEZ (j-rodr01@bat710.univ-lyon1.fr)
Date: 03/03/03

    From: rj3 Jean-Francois RODRIGUEZ <j-rodr01@bat710.univ-lyon1.fr>
    Date: Mon, 3 Mar 2003 10:02:07 +0100 (CET)
    To: <security-discuss@linuxsecurity.com>
    
    

    Well, about the cookies, from what I know:

    Cookies are pieces of text, written by the server on the client
    machine, if the browser accepts them. For instance, Netscape, on Linux,
    writes them here: ~/.netscape/cookies
    where they appear as lines of this text file.

    Then, normally, only the server which has written a cookie can read it (or
    modify it) when you connect again to the same server.

    Now, what happens when you download an image that you call a Web Bug (I
    didn't know this name, and I find it nice ;) :
    - your browser meets an href to this image,
    - then, it must ask for a connection to the third party server where the
    image is,
    - with this connection, this server can ask your browser if it accepts
    a cookie to be written on your disk,
    - if your browser accepts, the cookie is written (first read and then
    written, if it already exists) on your machine.

    And the hint used to gather some information such as your browsing habits
    is that a server, such as DoubleClick for instance, puts hrefs to Web Bugs on
    different web sites (paying their owners, of course!). So, when you visit
    these sites, it is always the same web server (doubleclick.com) that reads
    and writes the same cookie (it reads and writes on the same line beginning
    with 'www.doubleclick.com' on netscape/linux); and the data written when
    you are visiting a web site can contain the IP of the page you are
    visiting...

    As a cookie can be identified by its server/owner, this server can link
    all the data brought by this cookie to one person. It doesn't matter if
    they don't have your name and address, what they want
    is the consuming habits of persons, in order to make categories of web
    consumers...

    Well, quite a long explanation, but this is what I have understood about
    cookies and the "bad usage" of these tools!
    If anything is wrong, please correct me.

    Bye
    Jean-François

    >
    > Hi Jean-Francois,
    >
    > Thanks for your explanation.
    >
    >
    > On Fri, 28 Feb 2003, rj3 Jean-Francois RODRIGUEZ wrote:
    >
    >> >
    >> > Hi All,
    >> >
    >> > Can somebody explain the following:
    >> >
    >> > 1) Can a Web Bug (i.e., display of an image file from a third
    >> > party web site) be a security problem?
    >>
    >> I don't know about it.
    >>
    >> > 2) Does it cause a cookie to be sent from the browser to that
    >> > third party web site?
    >>
    >> About that, yes, it is used by advertisers to get cookies when you
    >> visit a website where they have put (paying $$) such an image.
    >> When your browser downloads this image, it must make a connection to
    >> the advertiser's website where this image comes from, and so they can
    >> ask your browser to accept a cookie. By this way, this third party
    >> web site can
    >
    > By "accept a cookie" you mean "return (or send) a cookie"?
    >
    > I thought the browser already got the cookie (somewhere and somehow).
    >
    >
    >
    >> put and read cookies that your
    >> browser has accepted visiting different web sites, because they all
    >> come from the same advertiser's web site (and so they can gather
    >> different information about you: what kind of sites you usually
    >> visit, so what are your interests...).
    >
    > 1) So, by returning a cookie (because of connection via the web bug)
    > this third party will know that I had visited a particular site?
    >
    > 2) What if I had visited multiple sites? Can this one cookie tell
    > this third party web site what sites I had visited?
    >
    > Or do I (i.e., my browser) send more than one cookie?
    >
    > Anyway, very interesting!
    >
    >
    >> I must have learned all that here : www.searchlores.org
    >
    > I'll visit this site.
    >
    > Thank you!
    >
    > Philip
    >
    >
    >> Regards
    >>
    >> Jean-François
    >>
    >>
    >> ------------------------------------------------------------------------
    >> To unsubscribe email security-discuss-request@linuxsecurity.com
    >> with "unsubscribe" in the subject of the message.
    >>
    >>
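Added example, not part of the original thread: a toy Python model of the exchange discussed above, showing how a single third-party cookie lets the image host group visits to several sites, and what that host sees when the browser refuses third-party cookies. It assumes the embedding page reaches the third party through the HTTP Referer header; all host names and the `Tracker`/`Browser` classes are constructed for illustration, and no network traffic occurs.

```python
import itertools

TRACKER = "ads.tracker.example"   # hypothetical host serving the 1x1 image

class Tracker:
    """Third-party server: issues one ID cookie, logs the Referer of each image hit."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.log = {}                      # cookie id -> list of embedding pages

    def serve_pixel(self, cookie, referer):
        set_cookie = None
        if cookie is None:                 # first contact, or cookies are refused
            cookie = set_cookie = f"uid{next(self._ids)}"
        self.log.setdefault(cookie, []).append(referer)
        return set_cookie                  # value of Set-Cookie, if any

class Browser:
    def __init__(self, accept_third_party_cookies):
        self.accept = accept_third_party_cookies
        self.jar = {}                      # cookie host -> value (one entry per host)

    def visit(self, page_host, tracker):
        # The page embeds <img src="http://ads.tracker.example/pixel.gif">.
        # Fetching it sends the tracker's own cookie (if one is stored) and
        # names the embedding page in the Referer header.
        sent = self.jar.get(TRACKER) if self.accept else None
        new = tracker.serve_pixel(sent, referer=page_host)
        if new and self.accept:
            self.jar[TRACKER] = new

def profiles(accept_third_party_cookies):
    """Return the tracker-side log after one browser visits three sites."""
    tracker = Tracker()
    browser = Browser(accept_third_party_cookies)
    for site in ("news.example", "shop.example", "forum.example"):  # constructed
        browser.visit(site, tracker)
    return tracker.log

if __name__ == "__main__":
    print("cookies accepted:", profiles(True))   # one id, three sites
    print("cookies refused: ", profiles(False))  # three unrelated ids
```

With cookies refused the image host still receives each request and its Referer, but without a shared identifier it cannot join the three visits by cookie.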