Re: Web bug

Well, about the cookies, for what I know :

The cookies are pieces of text, written by the server on the client
machine, if the browser accepts them. For instance, Netscape, on Linux,
writes them here: ~/.netscape/cookies
where they appear as lines of this text file.

Then, normally, only the server who has written a cookie can read it (or
modify it) when you connect again to the same server.

Now, what happens when you download an image that you call Web Bug (I
didn't know this name, and I find it nice ;) :

- your browser meets a href to this image,
- then, it must ask for a connection to the third party server where the
  image is on,
- with this connection, this server can ask your browser if it accepts
  a cookie to be written on your disk,
- if your browser accepts, the cookie is written (first read and then
  written, if it already exists) on your machine.

And the hint used to gather some information such as your browsing habits
is that a server, as DoubleClick for instance, puts href to Web Bugs on
different web sites (paying their owners, of course!). So, when you visit
these sites, it is always the same web server (doubleclick.com) that reads
and writes the same cookie (it reads and writes on the same line beginning
with 'www.doubleclick.com' on netscape/linux); and the data written when
you are visiting a web site can contain the IP of the page you are
visiting...

As a cookie can be identified by its server/owner, this server can link
all the data brought by this cookie to one person.

It doesn't matter if they don't have your name and address, what they want
is consuming habits of persons, in order to make categories of web
consumers...

Well, quite a long explanation, but this is what I have understood about
cookies and the "bad usage" of these tools!
If anything is wrong, please correct me.

Bye
Jean-François

>
> Hi Jean-Francois,
>
> Thanks for your explanation.
>
>
> On Fri, 28 Feb 2003, rj3 Jean-Francois RODRIGUEZ wrote:
>
>> >
>> > Hi All,
>> >
>> > Can somebody explain the following:
>> >
>> > 1) Can a Web Bug (i.e., display of an image file from a third
>> >   party web site) be a security problem?
>>
>> I don't know about it.
>>
>> > 2) Does it cause a cookie to be sent from the browser to that
>> >   third party web site?
>>
>> About that, yes, it is used by advertisers to get cookies when you
>> visit a website where they have put (paying $$) such an image.
>> When your browser downloads this image, it must make a connection to
>> the advertiser's website where this image comes from, and so they can
>> ask your browser to accept a cookie. By this way, this third party
>> web site can
>
> By "accept a cookie" you mean "return (or send) a cookie"?
>
> I thought the browser already got the cookie (somewhere and somehow).
>
>
>
>> put and read cookies that your
>> browser has accepted visiting different web sites, because they all
>> come from the same advertiser's web site (and so they can gather
>> different information about you : what kind of sites you are usual to
>> visit, so what are your interests...).
>
> 1) So, by returning a cookie (because of connection via the web bug)
>   this third party will know that I had visited a particular site?
>
> 2) What if I had visited multiple sites? Can this one cookie tell
>   this third party web site what sites I had visited?
>
>   Or do I (i.e., my browser) send more than one cookies?
>
> Any way, very interesting!
>
>
>> I must have learned all that here : www.searchlores.org
>
> I'll visit this site.
>
> Thank you!
>
> Philip
>
>
>> Regards
>>
>> Jean-François



------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
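
The exchange discussed in this thread, as an added example that is not part of the original messages: an offline simulation of a browser loading three pages that embed the same third-party image, run once with third-party cookies accepted and once with them refused. The host names, class names and sample URLs are constructed for this example; the page that embedded the image reaches the third party through the standard HTTP `Referer` request header.

```python
import uuid
from http.cookies import SimpleCookie

# Constructed sample data: three unrelated sites that embed the same third-party image.
SITES = ["http://news.example/", "http://shop.example/cart", "http://forum.example/t/42"]
BUG_HOST = "tracker.example"  # hypothetical third-party host serving the web bug

class Tracker:
    """Third-party server side: sets or reads its cookie on each image request."""
    def __init__(self):
        self.profiles = {}  # cookie id -> pages seen with that id

    def serve_image(self, request_headers):
        jar = SimpleCookie(request_headers.get("Cookie", ""))
        response_headers = {}
        if "id" in jar:                       # returning browser: cookie sent back
            uid = jar["id"].value
        else:                                 # first contact: ask browser to store one
            uid = uuid.uuid4().hex
            response_headers["Set-Cookie"] = f"id={uid}; Path=/"
        # The Referer header names the page that embedded the image.
        page = request_headers.get("Referer", "unknown")
        self.profiles.setdefault(uid, []).append(page)
        return response_headers

class Browser:
    """Client side: one cookie store keyed by the host that set the cookie."""
    def __init__(self, accept_third_party_cookies):
        self.accept = accept_third_party_cookies
        self.cookies = {}  # host -> "name=value" string

    def load_page(self, page_url, tracker):
        request = {"Referer": page_url}
        if BUG_HOST in self.cookies:          # only the owning host gets its cookie
            request["Cookie"] = self.cookies[BUG_HOST]
        response = tracker.serve_image(request)
        if self.accept and "Set-Cookie" in response:
            parsed = SimpleCookie(response["Set-Cookie"])
            self.cookies[BUG_HOST] = "; ".join(f"{k}={m.value}" for k, m in parsed.items())

def simulate(accept_third_party_cookies):
    """Visit every sample site and return what the tracker was able to link."""
    tracker, browser = Tracker(), Browser(accept_third_party_cookies)
    for page in SITES:
        browser.load_page(page, tracker)
    return tracker.profiles

if __name__ == "__main__":
    print("cookies accepted:", simulate(True))
    print("cookies refused: ", simulate(False))
```

With cookies accepted, the tracker holds a single id whose history lists all three pages; with cookies refused, each request gets a fresh id and the visits are not linked by cookie.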

