The dangers of HTTPS

Discussion in 'privacy general' started by Paranoid2000, May 6, 2004.

Thread Status:
Not open for further replies.
  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I've encountered a website that sets a shameful record in customer tracking and passing details to third parties - Shavers.co.uk, whose order confirmation page included web bugs and/or Javascript links to no fewer than 11 third parties. In some cases, extra details like item descriptions were included and I note those below, where visible. This is in clear breach of their Privacy Policy whose last section "Disclosures" provides almost comical reassurance that this won't happen.

    Aside from passing what should be private data onto these sites, 6 of the links were unencrypted which means that any details included would be viewable to anyone with access to my network connection (which would include my ISP if I hadn't been using Tor). With certain ISPs now selling user browsing habits to advertisers, providing shopping data in the clear creates a greater privacy risk.

    I have noted the groups, links and (where obvious) the details submitted. Caveat emptor or perhaps caveat shaver!

    Google Ad Services - http://www.googleadservices.com/ - Order value
    Sayu Ltd - http://www.sayutracking.co.uk/ - Order value
    Yahoo Overture - http://convctr.overture.com/
    Shopzilla - https://www.shopzilla.com - Order ID and value
    Google Analytics - http://www.google-analytics.com/ - Item description and total value, shop address
    eDirectory.co.uk - https://www.product-sense.co.uk/ - Order value
    Shopping.com - https://stat.DealTime.com/ - Order ID and value
    Microsoft AdCentre - http://0.r.msn.com/ and http://180571.r.msn.com/
    Pricegrabber - https://www.pricegrabber.com/ - Item description, quantity and price
    Sitebrand - http://mailer.sitebrand.com/ - Item description, price and quantity
    PriceRunner - https://www.emjcd.com/ - Order reference and value
     
    Last edited: Feb 28, 2008
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Shameful indeed :thumbd:
     
  3. tlu

    tlu Guest

    I agree. However, with Firefox I'm not too concerned with these 3 countermeasures:
    • Adblock Plus (particularly with the ABP Tracking Filter)
    • Noscript (which disables Javascript links and flash cookies to 3rd party sites even if JS is allowed for the site you're watching)
    • Accept cookies only for specific trusted sites with one of the available cookie managers (I use Cookie Safe) and disable 3rd party cookies .
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    CS Lite is the successor to Cookie Safe :)
    I feel sorry for users of those ISPs and e-commerce sites who don't implement countermeasures.
     
  5. tlu

    tlu Guest

    Yes, I know.:) But I still prefer the latter because it has more options. And the developer recently said in his forum that he's planning a new version in the foreseeable future.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A new version of CS Lite or a revamped version of Cookie Safe?
     
  7. tlu

    tlu Guest

    As a matter of fact he mentioned both here. :)
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks Thomas :)
     
  9. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Everybody wants to know your shopping habits so that they can refer you to another company who will also want your business. What they do on the Net looks the same as when you go to any store, dealer, contractor, or salesman and then they try to recommend you to another company for some related product. Why is it that I have a mortgage with one bank and I get all of these offers to refinance from other companies? :mad:
     
  10. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    661
    ------------------

    I do not understand what is supposed to happen? I went to the site but did not see anything. where in my comodo firewall would I look?
     
  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,154
    Paranoid2000 Just wondering have you tried admuncher lately because it filters out all web bugs and filters out some of or all the list of urls you have posted above. and admuncher has a hugh list of filtering rules.

    Whats peoples thoughts about admuncher V Proxomitron ??
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Please review the first post in this thread - this thread is about web bugs in encrypted (https) pages and AdMuncher can't filter these. So it wouldn't have been any use here.

    The only software that will work are Firefox plugins (with Firefox only of course) and Proxomitron with with the SSLeay/OpenSSL files added. However if anyone knows of other programs that can filter https content please chime in!
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    WebCleaner :)
    Code:
    remove unwanted HTML (adverts, flash, etc.) 
    popup blocker 
    disable animated GIFs 
    filter images by size, remove banner adverts 
    compress documents on-the-fly (with gzip) 
    reduce images to low-bandwidth JPEGs 
    remove/add/modify arbitrary HTTP headers 
    configurable over web interface 
    usage of SquidGuard blacklists 
    antivirus filter module 
    detection and correction of known HTML security flaws 
    Basic, Digest and (untested) NTLM proxy authentication support 
    per-host access control 
    HTTP/1.1 support (persistent connections, pipelining) 
    [B]HTTPS support (both forwarding and filtering)[/B] 
    
    HTH
     
    Last edited: Mar 1, 2008
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Nice catch! Open source and appears to allow custom filters too. The only downsides seem to be that HTTPS support is still under developement and the installation is a little more complex (needs Python).
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    All i can assure you is that installation works following those steps. It's a bit of a hassle (and you end up with a few packages installed) but WebCleaner is very good.

    I just hope you can share your findings on it, as i don't have 1/100 of your expertise. Please test it! :)
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Seconded. I've had WebCleaner in my bookmarks for more than 2 years but I've seen little mention of it in security forums. If only I had the knowledge to test and fine-tune it.
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,357
    Location:
    Oz
    Thanks for the info
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.