Phorm and consent
Ian Batten
ukcrypto at chiark.greenend.org.uk
Tue, 11 Mar 2008 11:15:33 +0000
>
>> One thing I'm concerned about is that we operate several low-
>> security portals where we pass passwords in non-https connections,
>> with the source IP number thrown into the mix, i.e. you have an
>> account which is a username, a password, and a source IP number you
>> need to come from.
>
> Do ISP caches know to ignore page accesses like that? I suppose they
> must, or this would have been a well known problem.
Most caches pass through anything with a ? in the URL.
>
>> It's legacy ware, from back in the days when https was a resource
>> pig. Presumably Phorm are planning to capture passwords and fetch
>> the URLs from our origin servers?
>
> Maybe you should read the technical descriptions Richard Clayton
> keeps alluding to? I haven't got the spare time this week I'm afraid.
Each description I've seen is different. At the moment the whole
thing smacks of a marketing exercise which has no technology behind
it. I'd be interested to know if the likes of 80/20 have seen source
or just slideware, because the question of if (for example) the Phorm
analysis of the returned webpage is done in-line, synchronously with a
second copy or asynchronously with a second copy is opaque. The
statement that blocking webwise cookies acts as an opt-out is new,
because last week it was clear you had to maintain an opt-out cookie.
And so on: I think they're making it up as they go along, so Simon's
imprimatur is of what he saw one week, which isn't what's being
deployed the next.
ian