Full Disclosure
James Firth
ukcrypto at chiark.greenend.org.uk
Mon, 28 Apr 2008 08:07:41 +0100 (BST)
Joel Harriwon wrote:
> On Thu, Apr 24, 2008 at 2:49 PM, Ian Batten <igb@batten.eu.org> wrote:
>> Yes, the web server that captured the pairs has been a bad boy morally,
>> although it's hard to see what they've done wrong legally: they took a
>> cookie that's legitimately in their domain and published the contents,
>> contents that they're assured aren't personally identifiable.
>
> I don't agree. If I've correctly understood Richard's explanation of
> how the Phorm system works, the webwise cookie in the web server's
> domain is clearly distinguishable from other cookies genuinely placed
> by the web server in its own domain (i.e. it is tagged as being
> associated with webwise). So, in your example, the web server is
> deliberately accessing a cookie that it 'knows' has been placed there
> by a third party
Apart from the fact that ALL cookies belonging to the domain being
accessed are automatically sent to the website with the GET request. Some
[poorly written] sites use loops to read all cookie values in their
domain, and would perhaps be thrown by additional cookies, and hence
publish an error "** Exception** Found cookie name webwise with value
37508921750".
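As an added example (not part of the original post or thread), the following Python models the two cookie-handling patterns described above: the browser sends every cookie scoped to the domain in one `Cookie` header, so a server-side loop that expects only its own cookie names will stumble on a foreign one, and the fragile version copies the foreign cookie's value into an error message. The cookie names `session` and `prefs` and the request header are constructed for illustration; the `webwise` name and value are the ones quoted in the message.

```python
from http.cookies import SimpleCookie

# Constructed sample Cookie header: the site's own cookies ("session", "prefs")
# arrive alongside a "webwise" cookie that a third party placed in the same domain.
SAMPLE_COOKIE_HEADER = "session=abc123; prefs=dark; webwise=37508921750"

# Hypothetical allow-list of cookie names this site actually sets itself.
KNOWN_COOKIES = {"session", "prefs"}


def parse_cookie_header(header):
    """Split a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def naive_cookie_loop(header):
    """The fragile pattern: walk every cookie in the domain and abort on any
    name the code does not recognise, echoing the foreign value into the error."""
    cookies = parse_cookie_header(header)
    for name, value in cookies.items():
        if name not in KNOWN_COOKIES:
            raise ValueError(f"** Exception** Found cookie name {name} with value {value}")
    return cookies


def hardened_cookie_read(header):
    """Read only the cookies the site set itself; unexpected names are reported
    by name alone so third-party values never reach an error page or log."""
    cookies = parse_cookie_header(header)
    wanted = {name: cookies[name] for name in KNOWN_COOKIES if name in cookies}
    unexpected = sorted(set(cookies) - KNOWN_COOKIES)
    return wanted, unexpected


if __name__ == "__main__":
    try:
        naive_cookie_loop(SAMPLE_COOKIE_HEADER)
    except ValueError as err:
        print("naive loop leaked:", err)
    print("hardened read:", hardened_cookie_read(SAMPLE_COOKIE_HEADER))
```

The hardened version treats the cookie header as untrusted input: it looks up the names it expects rather than iterating whatever the browser sent, and it records unexpected names without their values, which is what a site would want if it ever has to investigate cookies it did not set.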