The dangers of HTTPS

Discussion in 'privacy general' started by Paranoid2000, May 6, 2004.

Thread Status:
Not open for further replies.
  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I've encountered a website that sets a shameful record in customer tracking and passing details to third parties - Shavers.co.uk, whose order confirmation page included web bugs and/or Javascript links to no fewer than 11 third parties. In some cases, extra details like item descriptions were included and I note those below, where visible. This is in clear breach of their Privacy Policy whose last section "Disclosures" provides almost comical reassurance that this won't happen.

    Aside from passing what should be private data onto these sites, 6 of the links were unencrypted which means that any details included would be viewable to anyone with access to my network connection (which would include my ISP if I hadn't been using Tor). With certain ISPs now selling user browsing habits to advertisers, providing shopping data in the clear creates a greater privacy risk.

    I have noted the groups, links and (where obvious) the details submitted. Caveat emptor or perhaps caveat shaver!

    Google Ad Services - http://www.googleadservices.com/ - Order value
    Sayu Ltd - http://www.sayutracking.co.uk/ - Order value
    Yahoo Overture - http://convctr.overture.com/
    Shopzilla - https://www.shopzilla.com - Order ID and value
    Google Analytics - http://www.google-analytics.com/ - Item description and total value, shop address
    eDirectory.co.uk - https://www.product-sense.co.uk/ - Order value
    Shopping.com - https://stat.DealTime.com/ - Order ID and value
    Microsoft AdCentre - http://0.r.msn.com/ and http://180571.r.msn.com/
    Pricegrabber - https://www.pricegrabber.com/ - Item description, quantity and price
    Sitebrand - http://mailer.sitebrand.com/ - Item description, price and quantity
    PriceRunner - https://www.emjcd.com/ - Order reference and value
     
    Last edited: Feb 28, 2008
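An audit of the kind described in the post above, as an added example that is not part of the original thread: it lists the third-party requests a page triggers on load, whether each goes out in cleartext, and which query parameters it carries. The page URL, hosts and parameter names are constructed placeholders, not the site's real markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# Constructed sample: an HTTPS order confirmation page with third-party web bugs.
PAGE_URL = "https://shop.example/order/confirm"
SAMPLE_HTML = """
<html><body>
<img src="/img/logo.png">
<img src="http://tracker-a.example/pixel.gif?value=49.99" width="1" height="1">
<script src="https://tracker-b.example/conv.js?order_id=A1001&value=49.99"></script>
<img src="http://tracker-c.example/bug.gif?item=Foil+Shaver&qty=1&price=49.99">
<script src="https://static.shop.example/cart.js"></script>
</body></html>
"""

# Tags whose URL attribute the browser fetches automatically on page load.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(AUTO_FETCH.get(tag, ""))
        if value:
            self.urls.append(value)

def site_of(host):
    # Naive "last two labels" grouping (assumption for this sample);
    # a real audit would use the Public Suffix List (e.g. for .co.uk).
    return ".".join(host.lower().split(".")[-2:])

def audit(page_url, html):
    """Return one finding per third-party request the page triggers."""
    collector = ResourceCollector()
    collector.feed(html)
    first_party = site_of(urlsplit(page_url).hostname)
    findings = []
    for raw in collector.urls:
        url = urlsplit(urljoin(page_url, raw))  # resolve relative URLs
        if url.scheme not in ("http", "https") or not url.hostname:
            continue
        if site_of(url.hostname) == first_party:
            continue
        findings.append({"host": url.hostname,
                         "cleartext": url.scheme == "http",
                         "params": sorted(parse_qs(url.query))})
    return findings

if __name__ == "__main__":
    for f in audit(PAGE_URL, SAMPLE_HTML):
        channel = "CLEARTEXT" if f["cleartext"] else "encrypted"
        print(f"{f['host']:22} {channel:10} {', '.join(f['params']) or '-'}")
```

Requests flagged CLEARTEXT expose their parameters to anyone on the network path even though the page itself was loaded over HTTPS.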
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Shameful indeed :thumbd:
     
  3. tlu

    tlu Guest

    I agree. However, with Firefox I'm not too concerned with these 3 countermeasures:
    • Adblock Plus (particularly with the ABP Tracking Filter)
    • Noscript (which disables Javascript links and flash cookies to 3rd party sites even if JS is allowed for the site you're watching)
    • Accept cookies only for specific trusted sites with one of the available cookie managers (I use Cookie Safe) and disable 3rd party cookies.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    CS Lite is the successor to Cookie Safe :)
    I feel sorry for users of those ISPs and e-commerce sites who don't implement countermeasures.
     
  5. tlu

    tlu Guest

    Yes, I know. :) But I still prefer the latter because it has more options. And the developer recently said in his forum that he's planning a new version in the foreseeable future.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A new version of CS Lite or a revamped version of Cookie Safe?
     
  7. tlu

    tlu Guest

    As a matter of fact he mentioned both here. :)
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks Thomas :)
     
  9. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Everybody wants to know your shopping habits so that they can refer you to another company who will also want your business. What they do on the Net looks the same as when you go to any store, dealer, contractor, or salesman and then they try to recommend you to another company for some related product. Why is it that I have a mortgage with one bank and I get all of these offers to refinance from other companies? :mad:
     
  10. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    725
    ------------------

    I do not understand what is supposed to happen? I went to the site but did not see anything. Where in my Comodo firewall would I look?
     
  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Paranoid2000, just wondering, have you tried AdMuncher lately? It filters out all web bugs and filters out some or all of the list of URLs you have posted above. And AdMuncher has a huge list of filtering rules.

    What are people's thoughts about AdMuncher vs Proxomitron?
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Please review the first post in this thread - this thread is about web bugs in encrypted (https) pages and AdMuncher can't filter these. So it wouldn't have been any use here.

    The only software that will work are Firefox plugins (with Firefox only of course) and Proxomitron with the SSLeay/OpenSSL files added. However if anyone knows of other programs that can filter https content please chime in!
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    WebCleaner :)
    Code:
    remove unwanted HTML (adverts, flash, etc.) 
    popup blocker 
    disable animated GIFs 
    filter images by size, remove banner adverts 
    compress documents on-the-fly (with gzip) 
    reduce images to low-bandwidth JPEGs 
    remove/add/modify arbitrary HTTP headers 
    configurable over web interface 
    usage of SquidGuard blacklists 
    antivirus filter module 
    detection and correction of known HTML security flaws 
    Basic, Digest and (untested) NTLM proxy authentication support 
    per-host access control 
    HTTP/1.1 support (persistent connections, pipelining) 
    HTTPS support (both forwarding and filtering)
    
    HTH
     
    Last edited: Mar 1, 2008
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Nice catch! Open source and appears to allow custom filters too. The only downsides seem to be that HTTPS support is still under development and the installation is a little more complex (needs Python).
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    All I can assure you is that installation works following those steps. It's a bit of a hassle (and you end up with a few packages installed) but WebCleaner is very good.

    I just hope you can share your findings on it, as I don't have 1/100 of your expertise. Please test it! :)
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Seconded. I've had WebCleaner in my bookmarks for more than 2 years but I've seen little mention of it in security forums. If only I had the knowledge to test and fine-tune it.
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Thanks for the info
     