Phorm and Computer Misuse Act

Ian Batten ukcrypto at chiark.greenend.org.uk
Fri, 21 Mar 2008 20:56:07 +0000


>
> Because the browser needs to "believe", at the time the transaction
> finally goes to the target web server, that it is back on the target
> domain, otherwise any attempt by the target web server to set regular
> cookies in the course of the transaction would fail under the rules
> defined in RFC2965.
>
> The Phorm servers, by imitating the target domain can place a cookie
> as the target domain to provide linkage during the "final" part of the
> transaction when the HTTP GET request finally goes all the way to the
> target server.

But surely this is illegal?  A proxy will pass you back byte-for-byte  
what the original site would have served, modulo a few control  
headers.  A cache will do the same, but has slightly more risk of  
getting it wrong.  In both cases, the authors and operators of the  
proxy/cache strive for byte-for-byte equivalence, and ``the page was  
different'' or ``the cookie behaviour was different'' would be bugs,  
pure and simple.

The intent here is to deceive, and to bypass mechanisms put in place
to provide security.  It's the moral equivalent of that grande dame of
every undergraduate of the early 1980s, the login simulator.  The
proxy you're forced to is explicitly trying to look like the origin
server, while behaving completely differently.  And this not done
without the consent of the site.

Suppose I have a website called ``we-do-not-track-your-behaviour.com'',
trademarked, and Phorm's proxy sits in front of it and tracks your
behaviour.  How is this not ``passing off'' in trademark terms?

ian
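
The cookie-scoping rule the quoted text relies on, as an added example that is not part of the original message: a sketch of the RFC 2965 Domain checks (Path and Port rules omitted), showing that a response from one host cannot set a cookie for another domain. All host names are constructed placeholders and the function names are hypothetical.

```javascript
// Added example: Domain checks from RFC 2965 (domain-match, section 1;
// rejection rules, section 3.3.2). Path and Port rules are omitted.
// All host names used with these functions are constructed placeholders.

const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// RFC 2965: a host name without dots gets ".local" appended.
function effectiveHost(host) {
  const h = host.toLowerCase();
  return h.includes(".") ? h : h + ".local";
}

// Host A domain-matches B if they are identical, or A = N + B where N is
// non-empty and B starts with a dot (e.g. x.y.com matches .y.com).
function domainMatch(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  if (a === b) return true;
  if (isIPv4(a) || !b.startsWith(".") || isIPv4(b.slice(1))) return false;
  return a.length > b.length && a.endsWith(b);
}

// Decide whether a user agent would keep a cookie that a response from
// requestHost tries to set with the given Domain attribute (null = absent).
function acceptsCookie(requestHost, domainAttr) {
  const host = effectiveHost(requestHost);
  if (domainAttr === null) return { ok: true, domain: host };
  let d = domainAttr.toLowerCase();
  // The user agent supplies a leading dot when the value lacks one.
  if (!d.startsWith(".") && !isIPv4(d)) d = "." + d;
  // "No embedded dots": ignore a leading/trailing dot, look for one inside.
  const inner = d.replace(/^\./, "").replace(/\.$/, "");
  if (!inner.includes(".") && d !== ".local")
    return { ok: false, reason: "no embedded dot" };
  if (!domainMatch(host, d))
    return { ok: false, reason: "host does not domain-match Domain" };
  // Host has the form H + D; H must not itself contain a dot.
  const prefix = host.slice(0, host.length - d.length);
  if (!isIPv4(host) && prefix.includes("."))
    return { ok: false, reason: "host prefix contains a dot" };
  return { ok: true, domain: d };
}
```

With these rules, `acceptsCookie("tracker.example", ".target.example")` is rejected while `acceptsCookie("www.target.example", ".target.example")` is accepted, which is why the response has to appear to come from the target domain for the cookie to stick.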