Closed
Bug 50194
Opened 25 years ago
Closed 25 years ago
Content of page "Understanding Privacy"
Categories
(Core :: Networking: Cookies, defect, P3)
Tracking
VERIFIED
FIXED
M18
People
(Reporter: BenB, Assigned: morse)
Details
(Whiteboard: [nsbeta3+])
The page is mostly well written. The following problems should be corrected:
1. The first paragraph under "Requesting a page" is wrong
<quote>
Beyond that [OS + Browser version, Internet Address and Referrer], the site is
unable to obtain any other information about you with out your knowledge -- it
does not know your e-mail address and certainly does not know your name.
</quote>
Apart from leaving out cookies (which are explained later), this does not take
1.1. FTP login
See Preferences|Advanced|Send email address as FTP password.
bad.com could just include an image link to an FTP server and, together with the
current IP address, get knowledge of the email address, not? Email-address ->
real name often isn't hard (even without guessing).
1.2. JavaScript
JavaScript unfortunately gives a whole lot of information to the scripts on the
page, which then can transfer this info in URLs (that load images or so) back to
the site. (BTW: Steve Morse, does the cookie code also block cookies accessed by
scripts?) For which info JS reveals, please refer to a clientside-JS reference.
into account. Please explain them at least shortly.
2. Possibly change "Who referred you" to "Referrer"
3. The paragraphs with the example for session-ids (search for "x1.com") should
be rewritten.
4. "so you probably used the same password for each site"
Don't assume the user did the wrong thing; it might make him/her think, this
were normal and OK. (No matter what you say after that.) Better substitute
"probably" with "might have", this sounds more scary.
5. Include (well-selected) links for further information.
Comment 2 (Assignee) • 25 years ago
You already assigned it to the author of the page so there's no need for me to
reassign it. However I'm adding verah to the cc: list.
Status: NEW → ASSIGNED
Target Milestone: --- → M18
Comment 4 (Assignee) • 25 years ago
1.1 and 1.2 are excellent examples that I didn't think of. I will definitely
modify the document to include a description of them.
Yes, the cookie code blocks/accepts javascript cookies the same way it
blocks/accepts cookies in the http header.
Can you be more specific on item 3. What was wrong with that section and how
should it be rewritten?
item 4: good point. I'll change that.
item 5: what links would you recommend?
Comment 5 (Reporter) • 25 years ago
> Can you be more specific on item 3. What was wrong with that section and how
> should it be rewritten?
3.1. It was very confusing (from my POV); although I understand the problem, I
couldn't follow you.
3.2. Why different hostnames?
3.3. The tracking works cross-session, if the user bookmarks a "deep" page.
I would just explain session-ids. 'As soon as you request a page from sun.com,
the server generates an id for you and includes it in all links in the page it
sends back to you. If you click on such a link, the id will be sent inside the
url, and the site can identify you. And so on.'
> what links would you recommend?
I would have to search somewhat, I can do that.
(E.g. eff.org?)
Some more, minor suggestions:
6. For foreign cookies, you could mention the keywords "webbug" and "ad". (The
latter might conflict with the interests of your employer. I guess "webbug" is
scary enough :) .)
7. As long as bug 28327 is open, webbugs work even in HTML mail and are
especially bad, because the sender has the email address. But this is a
temporary problem (not sure, if N6 will ship with that) and hard to explain.
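The session-id mechanism described in comment 5, including point 3.3 (a bookmarked deep page carries the id into later sessions), as an added example that is not part of this bug or of Mozilla's code. The host `www.example.test`, the parameter name `sid`, the sample page and all function names are assumptions made for illustration.

```python
import re
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SITE = "www.example.test"      # constructed host, stands in for the site
PARAM = "sid"                  # assumed name of the session-id parameter

def add_sid(url, sid):
    """Return url with the session id appended to its query string."""
    p = urlsplit(url)
    query = parse_qsl(p.query, keep_blank_values=True) + [(PARAM, sid)]
    return urlunsplit(p._replace(query=urlencode(query)))

def serve_page(html, sid=None):
    """Server side: mint an id on first contact, rewrite same-site links."""
    sid = sid or secrets.token_hex(8)
    def rewrite(m):
        url = m.group(2)
        if urlsplit(url).netloc in ("", SITE):   # relative or same-site only
            url = add_sid(url, sid)
        return m.group(1) + url + m.group(3)
    return sid, re.sub(r'(href=")([^"]*)(")', rewrite, html)

def sid_from_request(url):
    """Server side: recover the visitor's id from a requested URL."""
    return dict(parse_qsl(urlsplit(url).query)).get(PARAM)

def strip_sid(url):
    """Client side: drop the id before bookmarking or sharing a link."""
    p = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
             if k != PARAM]
    return urlunsplit(p._replace(query=urlencode(query)))

# Constructed sample page: one relative, one same-site and one foreign link.
PAGE = ('<a href="/products?cat=7">Products</a> '
        '<a href="http://www.example.test/deep/page.html">Deep</a> '
        '<a href="http://other.example/">Elsewhere</a>')

if __name__ == "__main__":
    sid, html = serve_page(PAGE)
    links = re.findall(r'href="([^"]*)"', html)
    print(html)
    bookmark = links[1]                  # saved today, opened next week
    print("server still identifies visitor:", sid_from_request(bookmark) == sid)
    print("cleaned bookmark:", strip_sid(bookmark))
```

No cookie is involved at any step, so blocking cookies does not affect this kind of identification; only removing the parameter from the stored link does.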
Comment 6 • 25 years ago
These textual changes are worth doing in beta3 and don't introduce risk. They
are lower priority than other nsbeta3+ bugs, though -- we could live without it
if necessary.
Whiteboard: [nsbeta3+]
Comment 7 (Assignee) • 25 years ago
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Comment 8 • 25 years ago
verified:
WinNT 2000090708
Mac 2000090708
Linux 2000090704
Status: RESOLVED → VERIFIED